Phorm.
"we don't believe that consent is necessary where the testing is necessary to the service that we are providing" - you think they might have learned? No! Well, I was never holding my breath.
BT reserves, and makes use of, the right to remotely detect all devices connected to LANs owned by its broadband customers – for their own good, of course. BT Broadband customers can expect to have their network checked any time the operator feels it needs to take a peek to help it provide the service, or when the safety of …
I've installed a few high speed Devolo powerline kits and the adapters most certainly DID get IP addresses, indeed you could manage them via web browser, if you felt an overpowering urge to do so. I assume the boxes in question under discussion here are those Comtrend kits that were supplied by BT a while back; I have no direct knowledge of whether these are IP addressable or not, but certainly some manufacturers' PLT kit is.
It's time we had an open-source coop ISP whose policy forbids such practices.
That we haven't already probably means that there are too many vested interests to let it happen. It seems that every entity--from various spook agencies, governments, government departments to advertising companies--wants a piece of the action.
That's probably why we've never had one--a single closed proprietary company is not only easier to deal with but also it's easier to secretly coerce.
Apple sharpen their database of cell tower and Wi-Fi hotspots through crowd sourcing location data and have confirmed they retain no customer identifying data (such as IMEI or any other unique to the person data). They contend they have not ever and never will use the report back mechanism to keep or retrieve a log where the customer has been traveling. Plus the data sent back is publicly broadcast data and so cannot be said to compromise privacy (though the cache of data stored on the phone for the purpose of allowing rapid triangulation of the user's current location was a problem for anyone whose phone fell into malicious hands - and Apple have said they have fixed this weakness now). BT, on the other hand, are proving they have taken data about their customers' network kit and must be storing it against the customer record for at least as long as it has taken them to get the letters out (though as some commenters have pointed out their examination and reporting on your network may go no further than checking if the questionable power line kit has made a DHCP request of the Home Hub router). So there is a clear difference and an important line BT have crossed. Personally my concerns about Apple pale into insignificance when compared with the personally identifying data all ISPs and the mobile carriers retain. For ISPs a log of every network request (e.g. including the actual http URL requests you make) and for mobile carriers, the same plus a detailed log of everywhere you have travelled, which can be cross referenced with the http requests made whilst on the move. And all that regardless of which checkboxes you may have ticked. Scary stuff.
This kind of Phorm spying is definitely increasing and it's not just BT. I was shocked by the recent super injunction Barbra Streisand effect story, when one company stated that 12% of viewers of Twitter were new to viewing Twitter. So how did they do that (were they helped by ISPs)? However they did it, it means they know who has viewed Twitter (and what story) and that is more of this Phorm style spying.
Assuming at least some of these customers have changed their admin password - this kind of implies that they have a back-door in to the BT homehubs, yes? If that's the case then anyone using a BT homehub on another provider's network is also vulnerable.
I'd like to know for sure exactly how they obtained access to the local device in order to scan the LAN. I don't see how they would be able to do this if the customer had an ADSL router/modem from another provider, but lack of detailed information doesn't mean they can't - those boys at Martlesham shouldn't be underestimated.
I feel that this latest revelation confirms I was right to refrain from using the BT Home Hub they sent me a few years ago. I simply didn't trust BT. Even back then there was the worrying "feature" of the Home Hubs being automatically, remotely updateable by BT.
I wouldn't be surprised if the next version of the BT Home Hub comes with a free telescreen.
Come to think of it, is that what BT Vision is intended for? All they've got to do is include a free webcam for an exciting new videophone service...
I have an ADSL router provided by my ADSL provider (non UK). I changed the Admin password pretty quickly too (user: Admin, Pass:Admin !!) as well as setting up DDNS. Unfortunately it lasted less than a week, when the Admin password was reset and DDNS turned off.
There is a setting in the router to disable the operator back-door, but obviously that option is greyed out....
Personally I'd prefer to use my own, but since they won't tell you any settings for it, you can't get it to connect to their network.
"So put your own router in between their router and your network - problem solved."
Unfortunately not. My problem isn't that they might snoop on me. My problem is that I have incoming services, and when they reset the router, it removes the settings for port forwarding (& DDNS which is needed for each time they change the IP address).
I'm waiting for the Hylas broadband sat to become operational and see what my costs of SAT broadband would be...
BristolBatchelor - "There is a setting in the router to disable the operator back-door, but obviously that option is greyed out...."
Depends how stupid the firmware writer has been. If they are particularly bad (and it's rather common) just use a half decent browser or a proxy that lets you modify inbound and outbound requests on the fly. Enable the option, submit it :)
Same sort of thing goes on over here in Blighty.
I am on Be broadband (in my opinion the best broadband provider I have ever had the pleasure to do business with), and with their own supplied router (a Thomson SpeedTouch), it has its own back door enabled for the customer services team to access the router. They don't say they will scan your internal LAN or ask for your agreement to. But as the router remains their property I suppose they have the right to access it remotely. For the novice user I can see how this can be a really helpful feature when customer services can remotely re-configure the router to get them on line again but for me it was an unacceptable security risk.
I plugged in my own router, and had a few problems configuring it; it took a little bit of Googling to find the required settings but it didn't take too long to get up and running for snooping ISP free surfing.
The only problems are that if I have any connectivity issues, until I plug in the SpeedTouch they will not go any further. That said, in the three years I have been with them now, I have not had one minute of loss of service, never had any problems with speed drops. I run a web/email server myself, the missus and the daughter all use the connection and never have a problem over heavy use !!
'....and with their own supplied router [...] has its own back door enabled for the customer services team to access the router.'
Just to fill in a/c's blanks:
* Be tell you it is there.
* Be give you detailed instructions on how to turn it off.
That said, you should probably use your own router anyway. Not for security concerns; it is just that the SpeedTouch is a humongous pile of shite.....
In the UK, this would be illegal -- and it may also be illegal where you live. It comes under the heading of "criminal damage".
Fortunately, you *can* repair it. Get the firmware for the "generic" version of your router from the manufacturer's website. Back up the configuration first (both ways -- save it and print out the web-based configurator pages), re-flash the firmware, restore the configuration you saved earlier and then disable all remote management now the option is there.
"Get the firmware for the "generic" version of your router from the manufacturer's website."
The problem with this is that when the ISP source the routers and have the custom firmware installed at the factory, they tend to give the router a different version number that is unique to the ISP. When you try to install the generic firmware it fails the version check.
I spent a week or so trying to "jailbreak" the BE supplied router (just for giggles) and decided it was not worth the hassle and carried on using my own toys.
I used to work for BT subsidiary Cellnet and had the joy of heading to Martlesham Heath. It is a fantastic place and the boffins there are certainly worthy of much, much praise.
I do recall, back in the late 90s they were working on a working prototype of some 3D glasses, mounted to an Ericsson [now Sony Ericsson] branded Psion 5MX to do remote diagnostics in tunnels. Hands free engineering down holes. And that was only what they would show the 'grunts' like me!!
There's a setting for Remote Access buried within the hub. Not at home to check whether activating it is a one-time thing or if it times out, but may be related to that.
I'll certainly be setting a port scan running later (long as the neighbours let me use their wireless!)
I'm in a wind-up mood today so I've emailed BT to ask whether they mind me trying to access their Vision on Demand for free as it's 'necessary testing' to decide whether I want to pay for a film or not. Hoping the guy on the other end has a sense of humour or I'll be getting a knock on the door.
PLT devices have discovery protocols (by what looks like a periodic broadcast) so they can see each other. Chances are they also use UPnP and are probably visible to the HomeHub. That's the beauty^H^H^H^H^H^H danger of UPnP.
Even if they do not use UPnP, BT can probably make a reasonable guess about whether such devices are on the net by sampling the packets on the net, and looking at the first six octets of the MAC address that identifies the vendor of the device.
My PLTs are Intellon based, and come with a (Windows) utility that allows you to set the encryption key. Not only does the utility find the devices, but also can tell you how fast they are operating, so there must also be some other magic under the covers. I have a Linux utility in source, so I'll have a look at how it works.
Still, I have a Linux based firewall (really, separate from any of the comms kit - Smoothwall as you ask) between my ADSL router and the rest of my network (yes, yes, I know that there is a risk that the PLT escapes onto the wider electricity network, but that's why I set my own key), but it means that my ISP cannot probe my network.
"by sampling the packets on the net, and looking at the first six octets of the MAC address"
The MAC address doesn't leave the local link, so it* won't be visible in packets leaving the router towards the ISP**
*They _will_ see the MAC address of the router's external interface of course, but not anything on the inside of the router.
**unless you are running IPv6 and the MAC address is incorporated into the IPv6 address - and this still isn't the MAC address, it's an IPv6 address.
MAC addresses are only visible within the broadcast domain they sit in (unless someone has set up a transparent bridge or snooping interface)
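The IPv6 caveat in the comment above can be checked on your own addresses. The following is an added example, not part of any comment in this thread: it builds the modified EUI-64 (SLAAC) address a host would form from its MAC and recovers the MAC from such an address, which is the one case where an inside MAC is visible beyond the router. The prefix, MAC and addresses are constructed from documentation ranges, and the function names are hypothetical.

```python
import ipaddress

def mac_to_slaac(prefix: str, mac: str) -> ipaddress.IPv6Address:
    """Form the modified EUI-64 address a host derives from its MAC in a /64."""
    octets = bytearray(int(part, 16) for part in mac.split(":"))
    if len(octets) != 6:
        raise ValueError("MAC must have six octets")
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("SLAAC interface identifiers need a /64 prefix")
    octets[0] ^= 0x02  # flip the universal/local bit
    iid = bytes(octets[:3]) + b"\xff\xfe" + bytes(octets[3:])
    return net.network_address + int.from_bytes(iid, "big")

def embedded_mac(addr: str):
    """Return the MAC embedded in an address, or None if the low 64 bits
    are not EUI-64 shaped (for example a randomised privacy address)."""
    iid = ipaddress.IPv6Address(addr).packed[8:]
    if iid[3:5] != b"\xff\xfe":
        return None
    octets = bytearray(iid[:3] + iid[5:])
    octets[0] ^= 0x02  # undo the universal/local flip
    return ":".join(f"{o:02x}" for o in octets)

def leaking(addresses):
    """Map each address that exposes a MAC to that MAC."""
    found = {}
    for addr in addresses:
        mac = embedded_mac(addr)
        if mac is not None:
            found[addr] = mac
    return found

# Constructed sample: one EUI-64 address and one randomised address.
SAMPLE = [
    "2001:db8:1:2:200:5eff:fe00:532a",
    "2001:db8:1:2:9c4f:1a2b:77d0:e3c1",
]

if __name__ == "__main__":
    print(mac_to_slaac("2001:db8:1:2::/64", "00:00:5e:00:53:2a"))
    for addr, mac in leaking(SAMPLE).items():
        print(addr, "exposes", mac)
```

A randomised interface identifier can contain `ff:fe` in the same position by chance (about 1 in 65,536), so treat a single hit as a prompt to check whether privacy addresses are enabled on that host.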
But the BT HomeHub router is on the local network, and so a judicious bit of logging code in the router allows such things to be captured. Remember, a router may do much more than routing, especially if you (or in this case BT) has control of the firmware. I'm sorry for the icon, but I'm not the one being stupid here.
We ditched our BT Hub as, despite having the wireless switched off, it was still offering itself to the ether for BT wireless customers.
Then, to just remind us of their omni-presence, they injected a message into our system to appear on any browsers, reminding us that there was an outstanding bill that needed paying on our account.
Thanks BT - anything else you need to tell us?
If you can read this then it got through their filtering / censorship systems !!
Would this be the 'Pay us by direct debit or we bugger up your connection every three months' screen?
The one they serve up ONCE to any device trying to get to the net (and in my case has been served to non computing devices)
The one where they have helpfully blocked ALL the options to get rid of bar a button that has been known to take hours to work?
The one BT business deny exists?
BT take action to ensure customers are ok.
BT send out replacement kit (nice move).
BT check to see if new kit is used.
BT write to some customers urging them to use new kit (I know this as I got a letter).
El Reg posts speculative/negative story.
Given that the Hubs have a remote management control system to deal with firmware updates etc - then BT would have a list of customers to check. It wouldn't make sense to scour the entire customer base - just those in the BT Vision customer base which at the time they sent out the old adapters was around the 200-300k level.
I dare say if BT wanted to make checks they could but if it got out that they were snooping then the PR would be very bad. I think they learned their lesson after the hit they took for Phorm.
When I read this I just thought it smacked of an easy target rather than someone investigating what was sent/what BT's policy is.
Agreed. And now expect the flood of downvotes from the tinfoil hat brigade...
Let's not credit BT with too much ability here. I have a BT Hub, and I am using the new Powerline adapters, and yet I got the letter saying I'm not! So their amazing snooping system doesn't actually work, if it exists at all.
To my surprise after upgrading to the 100mb service and having a few initial problems, they did a remote scan of my network. They told me the speed of the LAN port of my PC and the speed of the wireless connection. I had just changed the router password so assumed it was secure from probing. I was so surprised I let this go at the time. Maybe I'll follow this up with them now.
...I was trying to send an email to someone on an Australian ISP. The AU ISP unfortunately had signed up to some spam-prevention measure that had blocked Blue Yonder (now Virgin Media) because of the prevalence of open SMTP proxies on their network. So, I sent an email to Blue Yonder rather cheekily asking "so do I get a support ticket for this?"
Oh hell yes I did. Priority one. Over 500,000 customers affected apparently. BY then set a machine to constantly scan everyone on popular SMTP proxy ports, with the upshot being that if you were running an open SMTP or web proxy you got booted off until you phoned them up and begged them to have your connection back. I would guess this is an enhanced form of the same thing?
AC because I don't want to be besieged by irate geeks.
Enhanced form? Hell no, I wish more ISPs would do what Blue Yonder did, and I've no problem with someone remote port scanning my home network - black hats do it all the time.
This one is different however - it's not a remote port scan (initiable by anyone) but somehow they've hopped over the router and scanned the internal network. That implies a back door, and *that* is a bad thing.
If you upgrade above 10MB you have to take their nasty little new locked box of tricks, modem cum router. I am happy with their modem at the front and my kit from there on in, two hacked Linksys routers running DD-WRT firmware. I know what's coming and going from my pipe thank you VM.