
back to article BT cheerfully admits snooping on customer LANs

BT reserves, and makes use of, the right to remotely detect all devices connected to LANs owned by its broadband customers – for their own good, of course. BT Broadband customers can expect to have their network checked any time the operator feels it needs to take a peek to help it provide the service, or when the safety of the …

COMMENTS

This topic is closed for new posts.


Stop

Don't have IP Addresses? Don't they, by George?

I've installed a few high speed Devolo powerline kits and the adapters most certainly DID get IP addresses, indeed you could manage them via web browser, if you felt an overpowering urge to do so. I assume the boxes in question under discussion here are those Comtrend kits that were supplied by BT a while back; I have no direct knowledge of whether these are IP addressable or not, but certainly some manufacturers' PLT kit is.

0
0

Yeah they do

The Comtrend ones also grab an IP for the benefit of the Web Interface.

I also found they are incredibly easy to DDoS without using any real bandwidth yourself (3-8 min downtime from 1 request). Generally a crappy bit of kit, but definitely IP addressable

0
1

@Don't they, by George?

I think the specific point would be that they don't have public IP addresses and have no presence on the internet, so could only be addressed via asking the BT router to do it.

19
0
Flame

It's time we had an open-source coop ISP

It's time we had an open-source coop ISP whose policy forbids such practices.

That we haven't already probably means that there's too many vested interests to let it happen. It seems that every entity--from various spook agencies, governments, government departments to advertising companies all want a piece of the action.

That's probably why we've never had one--a single closed proprietary company is not only easier to deal with but also it's easier to secretly coerce.

5
0
Happy

Yo dawg

I herd you like security, so I put an firewall-enable-router behind your firewall-enabled-router so you can hide from teh internets while you hide from your ISP

6
2

me titles

memebase is over there ----->

2
2
Happy

Upvoted, but

if that's what the author meant, that's what the author should have said?

0
0

the same

Actually, this is exactly what I did.

0
0
FAIL

Phorm.

"we don't believe that consent is necessary where the testing is necessary to the service that we are providing" - you think they might have learned? No! Well, I was never holding my breath.

25
1

Consequences

There were no consequences to them for Phorm - so they certainly did learn the lesson.

In April 2011 the CPS decided not to prosecute as this would not be in the public interest, as neither Phorm nor BT had acted in bad faith and any penalty imposed would be nominal.

0
0
Silver badge

"we don't believe that consent is necessary"

Welcome to the new corporate excuse.

I hope a judge sets them right quickly.

35
0

Not a new excuse.

Remember Phorm?

12
0
Flame

Juicy new attack vector?

And by admitting that the facility exists to scan networks behind "the firewall" (which everyone has carefully set up - right?) in one's router, you can bet that there are several blackhats now actively searching for a method to exploit it.

Will people never learn?

22
0
Grenade

OR

Consider the possibility that the black hats have known all along and now the knowledge is not confined to just the black hats.

5
0
Boffin

BT's behavior

BT's behavior differs from Apple's, exactly how?

12
4
Silver badge
Joke

Sir

"BT's behavior differs from Apple's, exactly how?"

Oranges.

15
3
Silver badge

The answer is simple: recording customer identifying information

Apple sharpen their database of cell tower and Wi-Fi hotspots through crowd sourcing location data and have confirmed they retain no customer identifying data (such as IMEI or any other unique to the person data). They contend they have not ever and never will use the report back mechanism to keep or retrieve a log where the customer has been traveling. Plus the data sent back is publicly broadcast data and so cannot be said to compromise privacy (though the cache of data stored on the phone for the purpose of allowing rapid triangulation of the user's current location was a problem for anyone whose phone fell into malicious hands - and Apple have said they have fixed this weakness now). BT, on the other hand, are proving they have taken data about their customer's network kit and must be storing it against the customer record for at least as long as it has taken them to get the letters out (though as some commenters have pointed out their examination and reporting on your network may go no further than checking if the questionable power line kit has made a DHCP request of the Home Hub router). So there is a clear difference and an important line BT have crossed. Personally my concerns about Apple pale into insignificance when compared with the personally identifying data all ISPs and the mobile carriers retain. For ISPs a log of every network request (e.g. including the actual http URL requests you make) and for mobile carriers, the same plus a detailed log of everywhere you have travelled, which can be cross referenced with the http requests made whilst on the move. And all that regardless of which checkboxes you may have ticked. Scary stuff.

7
0
Boffin

Title? We don' need no steenkin' title...

"PLT devices don't have IP addresses..."

You sure about this? I'm pretty sure my (BT supplied) Comtrend units have a web configuration interface accessed via an IP address...

--

JG

1
5
Flame

Advertising

Next up of course will be the targeted advertising for life insurance cover, courtesy of Phorm PLC.

5
0
Unhappy

Title..........

And we're supposed to believe that BT won't use this capability to gather commercial statistics from their customer base?

After all, they do have previous phorm in this area...

20
1
Big Brother

@"After all, they do have previous phorm in this area"

This kind of phorm spying is definitely increasing and it's not just BT. I was shocked by the recent super injunction Barbra Streisand effect story, when one company stated that 12% of viewers of Twitter were new to viewing Twitter. So how did they do that, (were they helped by ISPs), but however they did it, it means they know who has viewed Twitter (and what story) and that is more of this Phorm style spying.

3
1
Headmaster

Simples: at any one time roughly 12% of the population are twats...

...and therefore at some point there is a very good chance that they will begin to use Twitter.

Not that *THEY* aren't watching you...

<evil_laughter>

1
0
Silver badge

Sir

Assuming at least some of these customers have changed their admin password - this kind of implies that they have a back-door in to the BT homehubs, yes? If that's the case then anyone using a BT homehub on another provider's network is also vulnerable.

I'd like to know for sure exactly how they obtained access to the local device in order to scan the LAN. I don't see how they would be able to do this if the customer had an adsl router/modem from another provider, but lack of detailed information doesn't mean they can't - those boys at Martlesham shouldn't be underestimated.

12
0
Pint

Martlesham.....

I used to work at BT Subsidiary Cellnet and had the joy of heading to Martlesham Heath. It is a fantastic place and the boffins there are certainly worthy of much, much praise.

I do recall, back in the late 90's they were working on a working prototype of some 3D glasses, mounted to an Ericsson [now Sony Ericsson] branded Psion 5MX for remote diagnostics in tunnels. Hands free engineering down holes. And that was only what they would show the 'grunts' like me!!

0
0
Gold badge
Unhappy

Provided ADSL kit

I have an ADSL router provided by my ADSL provider (non UK). I changed the Admin password pretty quickly too (user: Admin, Pass:Admin !!) as well as setting up DDNS. Unfortunately it lasted less than a week, when the Admin password was reset and DDNS turned off.

There is a setting in the router to disable the operator back-door, but obviously that option is greyed out....

Personally I'd prefer to use my own, but since they won't tell you any settings for it, you can't get it to connect to their network.

5
0
Big Brother

BT Home Hub

I feel that this latest revelation confirms I was right to refrain from using the BT Home Hub they sent me a few years ago. I simply didn't trust BT. Even back then there was the worrying "feature" of the Home Hubs being automatically, remotely updateable by BT.

I wouldn't be surprised if the next version of the BT Home Hub comes with a free telescreen.

Come to think of it, is that what BT Vision is intended for? All they've got to do is include a free webcam for an exciting new videophone service...

11
0
Anonymous Coward

A guess

There's a setting for Remote Access buried within the hub. Not at home to check whether activating it is a one-time thing or if it times out, but may be related to that.

I'll certainly be setting a port scan running later (long as the neighbours let me use their wireless!)

I'm in a wind-up mood today so I've emailed BT to ask whether they mind me trying to access their Vision on Demand for free as it's 'necessary testing' to decide whether I want to pay for a film or not. Hoping the guy on the other end has a sense of humour or I'll be getting a knock on the door

6
0
Bronze badge
Boffin

@BristolBachelor

So put your own router in between their router and your network - problem solved.

3
0
Silver badge

No it doesn't

PLT devices have discovery protocols (by what looks like a periodic broadcast) so they can see each other. Chances are they also use UPnP and are probably visible to the HomeHub. That's the beauty^H^H^H^H^H^H danger of UPnP.

Even if they do not use UPnP, BT can probably make a reasonable guess about whether such devices are on the net by sampling the packets on the net, and looking at the first six octets of the MAC address that identified the vendor of the device.

My PLTs are Intellon based, and come with a (Windows) utility that allows you to set the encryption key. Not only does the utility find the devices, but also can tell you how fast they are operating, so there must also be some other magic under the covers. I have a Linux utility in source, so I'll have a look at how it works.

Still, I have a Linux based firewall (really, separate from any of the comms kit - Smoothwall as you ask) between my ADSL router and the rest of my network (yes, yes, I know that there is a risk that the PLT escapes onto the wider electricity network, but that's why I set my own key), but it means that my ISP cannot probe my network.

4
1
Silver badge

Sir

"by sampling the packets on the net, and looking at the first six octets of the MAC address"

The MAC address doesn't leave the local link, so it* won't be visible in packets leaving the router towards the ISP**

*They _will_ see the MAC address of the router's external interface of course, but not anything on the inside of the router.

**unless you are running IPv6 and the MAC address is incorporated into the IPv6 address - and this still isn't the MAC address, it's an IPv6 address.

MAC addresses are only visible within the broadcast domain they sit in (unless someone has set up a transparent bridge or snooping interface)

2
1
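
Added example, not part of the original thread: the two comments above discuss vendor identification from a MAC prefix and the IPv6 case where the MAC is embedded in the address. This sketch recovers the MAC from a modified-EUI-64 (SLAAC) address so you can audit which of your hosts expose it beyond the router; the function names are hypothetical and the sample addresses are constructed from documentation ranges.

```python
import ipaddress

def mac_from_slaac(addr):
    """Return the MAC embedded in a modified-EUI-64 interface ID, or None.

    Heuristic: a random interface ID contains ff:fe in this position
    by chance roughly once in 65536 addresses.
    """
    iid = ipaddress.IPv6Address(addr).packed[8:]  # low 64 bits of the address
    if iid[3:5] != b"\xff\xfe":
        return None
    # Modified EUI-64 inverts the universal/local bit (0x02) of the first octet.
    mac = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:8]
    return ":".join(f"{b:02x}" for b in mac)

def vendor_prefix(mac):
    """OUI: the leading three octets of the MAC, assigned to the manufacturer."""
    return mac[:8]

def audit(addresses):
    """Return rows of (address, embedded MAC, OUI, leaves_lan) per address."""
    rows = []
    for a in addresses:
        ip = ipaddress.IPv6Address(a)
        mac = mac_from_slaac(a)
        # Link-local addresses are never forwarded past the router.
        rows.append((a, mac, vendor_prefix(mac) if mac else None,
                     not ip.is_link_local))
    return rows

def exposed(addresses):
    """Addresses that carry a hardware MAC and are routable past the LAN."""
    return [a for a, mac, _, leaves in audit(addresses) if mac and leaves]

# Constructed sample: documentation prefix 2001:db8::/32 and the
# documentation MAC block 00:00:5e:00:53:xx, not real devices.
SAMPLE = [
    "2001:db8:1:2:200:5eff:fe00:5301",   # SLAAC with EUI-64 interface ID
    "fe80::200:5eff:fe00:5301",          # same host, link-local only
    "2001:db8:1:2:7c1d:93a4:55e0:2b6f",  # opaque / temporary interface ID
]

if __name__ == "__main__":
    for row in audit(SAMPLE):
        print(row)
    print("MAC visible upstream:", exposed(SAMPLE))
```

Hosts returned by `exposed()` can be switched to temporary (RFC 8981) or stable opaque (RFC 7217) interface identifiers so the hardware address stays on the local link.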

Re: Provided ADSL kit

BristolBachelor - "There is a setting in the router to disable the operator back-door, but obviously that option is greyed out...."

Depends how stupid the firmware writer has been. If they are particularly bad (and it's rather common) just use a half decent browser or a proxy that lets you modify inbound and outbound requests on the fly. Enable the option, submit it :)

1
1
Joke

I used to work there

What's the difference between BT Martlesham Heath and Jurassic Park?

One is a futuristic theme park filled with dinosaurs and the other one is a film.

5
0
Gold badge
Unhappy

@The First Dave

"So put your own router in between their router and your network - problem solved."

Unfortunately not. My problem isn't that they might snoop on me. My problem is that I have incoming services, and when they reset the router, it removes the settings for port forwarding (& DDNS which is needed for each time they change the IP address).

I'm waiting for the Hylas broadband sat to become operational and see what my costs of SAT broadband would be...

0
0
Alert

same thing goes on

Same sort of thing goes on over here in Blighty.

I am on Be broadband (in my opinion the best broadband provider I have ever had the pleasure to do business with) and with their own supplied router (a Thomson SpeedTouch), it has its own back door enabled for the customer services team to access the router. They don't say they will scan your internal LAN or ask for your agreement to, but as the router remains their property I suppose they have the right to access it remotely. For the novice user I can see how this can be a really helpful feature when customer services can remotely re-configure the router to get them on line again but for me it was an unacceptable security risk.

I plugged in my own router, and had a few problems configuring it. It took a little bit of googling to find the required settings but it didn't take too long to get up and running for snooping ISP free surfing.

The only problems are that if I have any connectivity issues until I plug in the SpeedTouch they will not go any further. That said, in the three years I have been with them now, I have not had one minute of loss of service, never had any problems with speed drops.. I run a web/email server myself, the missus and the daughter all use the connection and never have a problem over heavy use !!

1
1
Thumb Up

Be

'....and with their own supplied router [...] has its own back door enabled for the customer services team to access the router.'

Just to fill in a/c's blanks:

* Be tell you it is there.

* Be give you detailed instructions on how to turn it off.

That said, you should probably use your own router anyway. Not for security concerns; it is just that the speedtouch is a humongous pile of shite.....

1
0
Silver badge
Alert

Shocking

In the UK, this would be illegal -- and it may also be illegal where you live. It comes under the heading of "criminal damage".

Fortunately, you *can* repair it. Get the firmware for the "generic" version of your router from the manufacturer's website. Backup the configuration first (both ways -- save it and print out the web-based configurator pages), re-flash the firmware, restore the configuration you saved earlier and then disable all remote management now the option is there.

0
1
Pint

bE box....

"Get the firmware for the "generic" version of your router from the manufacturer's website."

The problem with this is that when the ISP source the routers and have the custom firmware installed at the factory, they tend to give the router a different version number that is unique to the ISP. When you try to install the generic firmware it fails the version check.

I spent a week or so trying to "jailbreak" the BE supplied router (just for giggles) and decided it was not worth the hassle and carried on using my own toys.

0
0
Silver badge
FAIL

@Sir Runcible Spoon

But the BT HomeHub router is on the local network, and so a judicious bit of logging code in the router allows such things to be captured. Remember, a router may do much more than routing, especially if you (or in this case BT) has control of the firmware. I'm sorry for the icon, but I'm not the one being stupid here.

0
0
MJI
Silver badge

Had the letter as well

The new adaptors had already been sold as well after waiting a month.

BT Vision box is on an Ethernet lead to the hub

0
0
Silver badge

Which is why

It's best to bring your own toys to the party - most of the ISP supplied hardware is shit, restricted, or both.

12
0
Black Helicopters

BT - They're watching.....

We ditched our BT Hub as, despite having the wireless switched off, it was still offering itself to the ether for BT wireless customers.

Then, to just remind us of their omni-presence, they injected a message into our system to appear on any browsers, reminding us that there was an outstanding bill that needed paying on our account.

Thanks BT - anything else you need to tell us?

If you can read this then it got through their filtering / censorship systems !!

10
0
Flame

steaming great elephant ....

Would this be the 'Pay us by direct debit or we bugger up your connection every three months' screen?

The one they serve up ONCE to any device trying to get to the net (and in my case has been served to non computing devices)

The one where they have helpfully blocked ALL the options to get rid of bar a button that has been known to take hours to work?

The one BT business deny exists?

1
0

Virgin Media too!

To my surprise after upgrading to the 100mb service and having a few initial problems, they did a remote scan of my network. They told me the speed of the lan port of my pc and the speed of the wireless connection. I had just changed the router password so assumed it was secure from probing. I was so surprised I let this go at the time. Maybe I'll follow this up with them now.

2
0
Anonymous Coward

A long while ago...

...I was trying to send an email to someone on an Australian ISP. The AU ISP unfortunately had signed up to some spam-prevention measure that had blocked Blue Yonder (now Virgin Media) because of the prevalence of open SMTP proxies on their network. So, I sent an email to Blue Yonder rather cheekily asking "so do I get a support ticket for this?"

Oh hell yes I did. Priority one. Over 500,000 customers affected apparently. BY then set a machine to constantly scan everyone on popular SMTP proxy ports, with the upshot being that if you were running an open SMTP or web proxy you got booted off until you phoned them up and begged them to have your connection back. I would guess this is an enhanced form of the same thing?

AC because I don't want to be besieged by irate geeks.

1
0
Bronze badge
Pint

One reason I will not upgrade from the 10MB on VM

If you upgrade above 10MB you have to take their nasty little new locked box of tricks, modem cum router. I am happy with their modem at the front and my kit from there on in, two hacked Linksys routers running DD-WRT firmware. I know what's coming and going from my pipe thank you VM.

2
0

Fantastic

Enhanced form? Hell no, I wish more ISPs would do what Blue Yonder did, and I've no problem with someone remote port scanning my home network - black hats do it all the time.

This one is different however - it's not a remote port scan (initiable by anyone) but somehow they've hopped over the router and scanned the internal network. That implies a back door, and *that* is a bad thing.

2
0

Windows Update

"BT describes the process as being similar to that offered by Microsoft with Windows Update"

Not very similar at all. Windows update is a recommended but *optional* facility. Microsoft cannot (or at least, does not) check or update windows components unless the user has *asked* for the service.

7
0
Silver badge

Well.

...Except for WGA, which as I understand it has been snuck onto people's computers under the guise of a "security update" at least once.

1
1
Bronze badge
WTF?

Well

Working somewhere that uses BT Business Broadband, I don't think we're at risk. The BT router went into "long-term storage" the second it arrived, for offering crap like free wifi to anyone who walks past, free pass to the BT engineers, etc. and yet no capability to simply forward all packets including DHCP.

We had replacement modems on order before the boxes even arrived. Like to see them sniff past the modem that connects only to a Linux gateway that does actually, proper, firewalling, NAT and filtering.

But this is just yet-another-reason not to trust BT equipment. What next? They team up with software companies to snoop your hard drive to see if you're infringing their licenses - all totally "legit" of course. Even speaking as someone whose job involves licensing compliance, that's just totally out of scope of the supply of a broadband line. My MAC addresses are personal, private information and uniquely identify particular items of kit that you have no business knowing. Try that on my networks and see how the lawsuit from my workplace reassures you. You forget that for every user that HAD the device, a thousand users who DIDN'T still had their networks snooped for it. That's not on, no matter how passive or well-intentioned the attempt was.

19
0
Grenade

Purely speculation and quite poor journalism.

BT take action to ensure customers are ok.

BT send out replacement kit (nice move).

BT check to see if new kit is used.

BT write to some customers urging them to use new kit (I know this as I got a letter).

El Reg posts speculative/negative story.

Given that the Hubs have a remote management control system to deal with firmware updates etc - then BT would have a list of customers to check. It wouldn't make sense to scour the entire customer base - just those in the BT Vision customer base which at the time they sent out the old adapters was around the 200-300k level.

I dare say if BT wanted to make checks they could but if it got out that they were snooping then the PR would be very bad. I think they learned their lesson after the hit they took for Phorm.

When I read this I just thought it smacked of an easy target rather than someone investigating what was sent/what BT's policy is.

3
34
