BT reserves, and makes use of, the right to remotely detect all devices connected to LANs owned by its broadband customers – for their own good, of course. BT Broadband customers can expect to have their network checked any time the operator feels it needs to take a peek to help it provide the service, or when the safety of the …
Don't have IP Addresses? Don't they, by George?
I've installed a few high speed Devolo powerline kits and the adapters most certainly DID get IP addresses, indeed you could manage them via web browser, if you felt an overpowering urge to do so. I assume the boxes in question under discussion here are thos Comtrend kits that were supplied by BT a while back; I have no direct knowledge of whether these are IP addressable or not, but certainly some manufacturers' PLT kit is.
Yeah they do
The Comtrend ones also grab an IP for the benefit of the Web Interface.
I also found they are incredibly easy to DDoS without using any real bandwidth yourself (3-8 min downtime from 1 request). Generally a crappy bit of kit, but definitely IP addressable
@Don't they, by George?
I think the specific point would be that they don't have public IP addresses and have no presence on the internet, so could only be addressed via asking the BT router to do it.
It's time we had an open-source coop ISP
It's time we had an open-source coop ISP whose policy forbids such practices.
That we haven't already probably means that there's too many vested interests to let it happen. It seems that every entity--from various spook agencies, governments, government departments to advertising companies all want a piece of the action.
That's probably why we've never had one--a single closed proprietary company is not only easier to deal with but also it's easier to secretly coerce.
I herd you like security, so I put an firewall-enable-router behind your firewall-enabled-router so you can hide from teh internets while you hide from your ISP
memebase is over there ----->
if that's what the author meant, that's what the author should have said?
Actually, this is exactly what I did.
"we don't believe that consent is necessary where the testing is necessary to the service that we are providing" - you think they might of learned?, no!, well I was never holding my breath.
There were no consequences to them for Phorm - so they certainly did learn the lesson.
In April 2011 the CPS decided not to prosecute as this would not be in the public interest, as neither Phorm or BT had acted in bad faith and any penalty imposed would be nominal.
"we don't believe that consent is necessary"
Welcome to the new corporate excuse.
I hope a judge sets them right quickly.
Not a new excuse.
Juicy new attack vector?
And by admitting that the facility exists to scan networks behind "the firewall" (which everyone has carefully setup - right?) in one's router, you can bet that there are several blackhats now actively searching for a method to exploit it.
Will people never learn?
Consider the possibility that the black hats have known all along and now the knowledge is not confined to just the black hats.
BT's behavior differs from Apples, exactly how?
"BT's behavior differs from Apples, exactly how?"
The answer is simple: recording customer identifying information
Apple sharpen their database of cell tower and Wi-Fi hotspots through crowd sourcing location data and have confirmed they retain no customer identifying data (such as IMEI or any other unique to the person data). They contend they have not ever and never will use the report back mechanism to keep or retrieve a log where the costumer has been traveling. Plus the data sent back is publicly broadcast data and so cannot be said to compromise privacy (though the cache of data stored on the phone for the purpose of allowing rapid triangulation of the users current location was a problem for anyone who's phone fell into malicious hands - and Apple have said they have fixed this weakness now). BT, on the other hand, are proving they have taken data about their customer's network kit and must be storing it against the customer record for at least as long as it has taken them to get the letters out (though as some commenters have pointed out their examination and reporting on your network may go no further than checking if the questionable power line kit has made a DHCP request of the Home Hub router). So there is a clear difference and an important line BT have crossed. Personally my concerns about Apple pale into insignificance when compared with the personally identifying data all ISP's and the mobile carriers retain. For ISP's a log of every network request (e.g. Including the actual http URL requests you make) and for mobile carriers, the same plus a detailed log of everywhere you have travelled, which can be cross referenced with the http requests made whilst on the move. And all that regardless of which checkboxes you may have ticked. Scary stuff.
Title? We don' need no steenkin' title...
"PLT devices don't have IP addresses..."
You sure about this? I'm pretty sure my (BT supplied) Commtrend units have a web configuration interface accessed via an IP address...
Next up of course will be the targetted advertising for life insurance cover, courtesy of Phorm PLC.
And we're supposed to believe that BT won't use this capability to gather commercial statistics from their customer base?
After all, they do have previous phorm in this area...
@"After all, they do have previous phorm in this area"
This kind of phorm spying is definitely increasing and its not just BT. I was shocked by the recent super injunction Barbra Streisand effect story, when one company stated that 12% of viewers of Twitter were new to viewing Twitter. So how did they do that, (were they helped by ISPs), but however they did it, it means they know who has viewed twitter (and what story) and that is more of this Phorm style spying.
Simples: at any one time roughly 12% of the population are twats...
...and therefore at some point there is a very good chance that they will begin to use Twitter.
Not that *THEY* aren't watching you...
Assuming at least some of these customers have changed their admin password - this kind of implies that they have a back-door in to the BT homehubs, yes? If that's the case then anyone using a BT homehub on another providers network is also vulnerable.
I'd like to know for sure exactly how they obtained access to the local device in order to scan the LAN. I don't see how they would be able to do this if the customer had an adsl router/modem from another provider, but lack of detailed information doesn't mean they can't - those boys at Martlesham shouldn't be underestimated.
I used to work BT Subsiduary Cellnet and had the joy of heading to Martlesham Heath, It is a fantastic place and the boffins there are certinly worthy of much, much praise.
I do recal, back in the late 90's they were working on a working prototype of some 3D glasses, mounted to a Ericsson [now Sony Ericsson] branded Psion 5MX to remote diagnostics in tunnels. Hands free engineering down holes. And that was only what they would she the 'grunts' like me!!
Provided ADSL kit
I have an ADSL router provided by my ADSL provider (non UK). I changed the Admin password pretty quickly too (user: Admin, Pass:Admin !!) as well as setting up DDNS. Unfotunately it lasted less than a week, when the Admin password was reset and DDNS turned off.
There is a setting in the router to disable the operator back-door, but obviously that option is greyed out....
Personally I'd prefer to use my own, but since they won't tell you any settings for it, you can't get it to connect to their network.
BT Home Hub
I feel that this latest revelation confirms I was right to refrain from using the BT Home Hub they sent me a few years ago. I simply didn't trust BT. Even back then there was the worrying "feature" of the Home Hubs being automatically, remotely updateable by BT.
I wouldn't be surprised if the next version of the BT Home Hub comes with a free telescreen.
Come to think of it, is that what BT Vision is intended for? All they've got to do is include a free webcam for an exciting new videophone service...
There's a setting for Remote Access buried within the hub. Not at home to check whether activating it is a one-time thing or if it times out, but may be related to that.
I'll certainly be setting a port scan running later (long as the neighbours let me use their wireless!)
I'm in a wind-up mood today so I've emailed BT to ask whether they mind me trying to access their Vision on Demand for free as it's 'necessary testing' to decide whether I want to pay for a film or not. Hoping the guy on the other end has a sense of humour or I'll be getting a knock on the door
So put your own router in between their router and your network - problem solved.
No it doesn't
PLT devices have discovery protocols (by what looks like a periodic broadcast) so they can see each other. Chances are they also use uPNP and are probably visible to the HomeHub. That's the beauty^H^H^H^H^H^H danger of uPNP.
Even if they do not use uPNP, BT can probably make a reasonable guess about whether such devices are on the net by sampling the packets on the net, and looking at the first six octets of the MAC address that identified the vendor of the device.
My PLTs are Intellon based, and come with a (Windows) utility that allows you to set the encryption key. Not only does the utility find the devices, but also can tell you how fast they are operating, so there must also be some other magic under the covers. I have a Linux utility in source, so I'll have a look at how it works.
Still, I have a Linux based firewall (really, separate from any of the comms kit - Smoothwall as you ask) between my ADSL router and the rest of my network (yes, yes, I know that there is a risk that the PLT escapes onto the wider electricity network, but that's why I set my own key), but it means that my ISP cannot probe my network.
"by sampling the packets on the net, and looking at the first six octets of the MAC address"
The MAC address doesn't leave the local link, so it* won't be visible in packets leaving the router towards the ISP**
*They _will_ see the MAC address of the routers external interface of course, but not anything on the inside of the router.
**unless you are running IPv6 and the MAC addresses is incorporated into the IPv6 address - and this still isn't the MAC address, it's an IPv6 address.
MAC addresses are only visible within the broadcast domain it sits in (unless someone is has set up a transparent bridge or snooping interface)
Re: Provided ADSL kit
BristolBatchelor - "There is a setting in the router to disable the operator back-door, but obviously that option is greyed out...."
Depends how stupid the firmware writer has been. If they are particularly bad (and it's rather common) just use a half decent browser or a proxy that lets you modify inbound and outbound requests on the fly. Enable the option, submit it :)
I used to work there
What's the difference between BT Martlesham Heath and Jurassic Park?
One is a futuristic theme park filled with dinosaurs and the other one is a film.
@The First Dave
"So put your own router in between their router and your network - problem solved."
Unfortunately not. My problem isn't that they might snoop on me. My problem is that I have incoming services, and when they reset the router, it removes the settings for port forwarding (& DDNS which is needed for each time they change the IP address).
I'm waiting for the Hylas broadband sat to become operational and see what my costs of SAT broadband would be...
same thing goes on
same sort thing goes on over here in blighty.
I am on Be broadband, (in my opinion the best broadband provider I have ever had the pleasure to do business with) and with there own supplied router (a Thompson speedtouch,) it has its own back door enabled for the customer services team to access the router. they don't say they will scan your internal LAN or ask for your agreement too. but as the router remains their property I suppose they have the right to access it remotely. For the novice user I can see how this can be a really helpful feature when customer services can remotely re-configure the router to get them on line again but for me it was an unacceptable security risk.
I plugged in my own router, and had a few problems configuring it, it took a little bit of goggling to find the required settings but it didn't take too long to get up and running for snooping ISP free surfing.
the only problems are that if I have any connectivity issues until I plug in the speedtouch they will not go any further. that said, In the three years i have been with them now, I have not had one minute of loss of service, never had any problems with speed drops.. I run a web/email server myself, the missus and the daughter all use the connection and never have a problem over heavy use !!
'....and with their own supplied router [...] has its own back door enabled for the customer services team to access the router.'
Just to fill in a/c's blanks:
* Be tell you it is there.
* Be give you detailed instructions on how to turn it off.
That said, you should probably use you own router anyway. Not for security concerns; it is just that the speedtouch is a humongous pile of shite.....
In the UK, this would be illegal -- and it may also be illegal where you live. It comes under the heading of "criminal damage".
Fortunately, you *can* repair it. Get the firmware for the "generic" version of your router from the manufacturer's website. Backup the configuration first (both ways -- save it and print out the web-based configurator pages), re-flash the firmware, restore the configuration you saved earlier and then disable all remote management now the option is there.
"Get the firmware for the "generic" version of your router from the manufacturer's website."
The problem with this is that when the ISP source the routers and have the custom firmware installed at the factory, they tend to give the router a different version number that is unique to the ISP. When you try to install the generic firmware it fails the version check.
I spent a week or so trying to "jailbreak" the BE supplied router (just for giggles) and decided it was not worth the hassle and carried on using my own toys.
@Sir Runcible Spoon
But the BT HomeHub router is on the local network, and so a judicious bit of logging code in the router allows such things to be captured. Remember, a router may do much more than routing, especially if you (or in this case BT) has control of the firmware. I'm sorry for the icon, but I'm not the one being stupid here.
Had the letter as well
The new adaptors had already been sold as well after waiting a month.
BT Vision box is on a ethernet lead to the hub
Which is why
It's best to bring your own toys to the party - most of the ISP supplied hardware is shit, restricted, or both.
BT - They're watching.....
We ditched our BT Hub as, despite having the wireless switched off, was still offering itself to the ether for BT wireless customers.
Then, to just remind us of their omni-presence, they injected a message into our system to appear on any browsers, reminding us that there was an outstanding bill that needed paying on our account.
Thanks BT - anything else you need to tell us?
If you can read this then it got through their filtering / censorship systems !!
steaming great elephant ....
Would this be the 'Pay us by direct debit or we bugger up your connection every three months' screen?
The one they serve up ONCE to any device trying to get to the net (and in my case has been served to non computing devices)
The one where they have helpfully blocked ALLL the options to get rid of bar a button that has been known to take hours to work?
The one BT business deny exists?
Virgin Media too!
To my surprise after upgrading to the 100mb service and having a few initial problems, they did a remote scan of my network. They told me the speed of the lan port of my pc and the speed of the wireless connection. I had just changed the router password so assumed it was secure from probing. I was so surprised I let this go at the time. Maybe I'll follow this up with them now.
A long while ago...
...I was trying to send an email to somneone on an Australian ISP. The AU ISP unfortunately had signed up to some spam-prevention measure that had blocked Blue Yonder (now Virgin Media) because of the prevalence of open SMTP proxies on their network. So, I sent an email to Blue Yonder rather cheekily asking "so do I get a support ticket for this?"
Oh hell yes I did. Priority one. Over 500,000 customers affected apparently. BY then set a machine to constantly scan everyone on popular SMTP proxy ports, with the upshot being that if you were running an open SMTP or web proxy you got booted off until you phoned them up and begged them to have your connection back. I would guess this is an ehanced form of the same thing?
AC because I don't want to be besieged by irate geeks.
One reason I will not upgrade from the 10MB on VM
If you upgrade above 10MB you have to take their nasty little new locked box of tricks, modem cum router. I am happy with their modem at the front and my kit from there on in, two hacked Linksys routers running DD-WRT firmware. I know what's coming and going from my pipe thank you VM.
Enhanced form? Hell no, I wish more ISPs would do what Blue Yonder did, and I've no problem with someone remote port scanning my home network - black hats do it all the time.
This one is different however - it's not a remote port scan (initiable by anyone) but somehow they've hopped over the router and scanned the internal network. That implies a back door, and *that* is a bad thing.
"BT describes the process as being similar to that offered by Microsoft with Windows Update"
Not very similar at all. Windows update is a recommended but *optional* facility. Microsoft cannot (or at least, does not) check or update windows components unless the user has *asked* for the service.
...Except for WGA, which as I understand it has been snuck onto people's computers under the guise of a "security update" at least once.
Working somewhere that uses BT Business Broadband, I don't think we're at risk. The BT router went into "long-term storage" the second it arrived, for offering crap like free wifi to anyone who walks past, free pass to the BT engineers, etc. and yet no capability to simply forward all packets including DHCP.
We had replacement modems on order before the boxes even arrived. Like to see them sniff past the modem that connects only to a Linux gateway that does actually, proper, firewalling, NAT and filtering.
But this is just yet-another-reason not to trust BT equipment. What next? They team up with software companies to snoop your hard drive to see if you're infringing their licenses - all totally "legit" of course. Even speaking as someone whose job involves licensing compliance, that's just totally out of scope of the supply of a broadband line. My MAC addresses are personal, private information and uniquely identify particular items of kit that you have no business knowing. Try that on my networks and see how the lawsuit from my workplace reassures you. You forget that for every user that HAD the device, a thousand users who DIDN'T still had their networks snooped for it. That's not on, no matter how passive or well-intentioned the attempt was.
Purely speculation and quite poor journalism.
BT take action to ensure customers are ok.
BT send out replacement kit (nice move).
BT check to see if new kit is used.
BT write to some customers urging them to use new kit (I know this as I got a letter).
El Reg posts speculative/negative story.
Given that the Hubs have a remote management control system to deal with firmware updates etc - then BT would have a list of customers to check. It wouldn't make sense to scour the entire customer base - just those in the BT Vision customer base which at the time they sent out the old adapters was around the 200-300k level.
I dare say if BT wanted to make checks they could but if it got out that they were snooping then the PR would be very bad. I think they learned their lesson after the hit they took for Phorm.
When I read this I just thought it smacked of an easy target rather than someone investigating what was sent/what BT's policy is.
- Vid Hubble 'scope snaps 200,000-ton chunky crumble conundrum
- Bugger the jetpack, where's my 21st-century Psion?
- Google offers up its own Googlers in cloud channel chumship trawl
- Windows 8.1 Update 1 spewed online a MONTH early – by Microsoft
- Interview Global Warming IS REAL, argues sceptic mathematician - it just isn't THERMAGEDDON