In response to the country’s “3 strikes” Hadopi legislation, last week a French ISP began offering a service to block file-sharing on customer connections for ‘just’ 2 euros per month. It didn’t take long for serious vulnerabilities in the system to be found, which not only breached subscribers’ privacy but exposed them to new security threats.
France’s big, bad, scary Hadopi legislation and the systematic tracing, monitoring, reporting and disconnecting of file-sharers is all but here, so it seems there’s no better time for other companies to start making money from it.
Last week saw French ISP Orange take the opportunity to start providing a service which, at least on the surface, is designed to put the minds of subscribers at rest. For a 2 euro per month payment, Orange is offering a service which “allows you to control the activity of computers connected to your internet line, from downloading ‘illegally’ using peer-to-peer networks. You can protect up to three computers connected to the same internet line.”
The software, which is Windows-only, runs in the background and utilizes a blacklist maintained and updated by Orange. Precisely what is on that blacklist remains a secret.
“Our solution is intended primarily for parents who want to make sure their children do nothing illegal on P2P networks,” the company said in a statement to French media last week while adding that just because the software is running, it doesn’t mean that users are fully protected against legal action under Hadopi.
History tells us that whenever a company gets involved in anti-piracy action, they leave themselves open to being probed. Several anti-piracy companies and groups have seen their systems examined and even hacked over the years, and Orange is no different.
Bluetouff has documented his findings on the Orange system and they are pretty surprising.
Using Wireshark to sniff the software’s traffic on his local network, Bluetouff was able to identify the IP address the software contacts to obtain its updates.
“The software communicates with a remote server, a Java servlet actually located on the ip 220.127.116.11,” he explains.
Nothing too out of the ordinary there, except that the traffic is not only transmitted in the clear but the information held on that server is also public (via http://18.104.22.168/status), meaning that every user had their IP address exposed to the public. But it doesn’t stop there.
Whoever set up the security on the server admin panel didn’t do a very good job. The username was set to ‘admin’ and the password set to ‘admin’ too. This morning that gaping hole was still open.
We are informed that people have accessed the server and discovered that it’s possible to send malware to anyone using the software, which makes a bit of a joke out of Orange’s claim that: “The software runs in the background to ensure your safety without disrupting the important tasks that you perform.”
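The malware push described above comes down to one design flaw: the client runs whatever the update channel hands it, so anyone on the path of the plaintext HTTP exchange, or anyone who logs into the admin/admin panel, can choose the payload. The following is an added example written for this article, not Orange’s code or anything recovered from the servlet. It places the naive pattern beside a client that only accepts updates carrying an Ed25519 signature under a pinned publisher key and refuses anything not newer than what is installed. The key generation, the manifest layout (version || SHA-256 of payload), the `Update` type and the sample payloads are all constructed assumptions for the illustration; the tampered payload is a harmless stand-in string.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Update models what the update server hands the client: a version counter
// and an opaque payload (the blacklist in the legitimate case). Constructed
// for this example; the real wire format is not known.
type Update struct {
	Version uint32
	Payload []byte
}

var (
	ErrBadKey       = errors.New("pinned key has wrong length")
	ErrBadSignature = errors.New("update signature does not verify under the pinned key")
	ErrRollback     = errors.New("update version is not newer than the installed one")
)

// GenerateKeys stands in for the publisher's offline key ceremony (assumption:
// the private key never leaves the publisher; only the public key is shipped).
func GenerateKeys() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err) // only fails if the OS entropy source is broken
	}
	return pub, priv
}

// manifestBytes is the canonical byte string that gets signed:
// big-endian version || SHA-256(payload). Signing the version together with
// the payload hash stops an attacker re-labelling an old signed blob.
func manifestBytes(u Update) []byte {
	m := make([]byte, 4, 4+sha256.Size)
	binary.BigEndian.PutUint32(m, u.Version)
	sum := sha256.Sum256(u.Payload)
	return append(m, sum[:]...)
}

// SignUpdate is what the publisher does before placing an update on the server.
func SignUpdate(priv ed25519.PrivateKey, u Update) []byte {
	return ed25519.Sign(priv, manifestBytes(u))
}

// NaiveApply is the pattern the article describes: whatever arrived over the
// plaintext channel is treated as the update. Any signature is ignored.
func NaiveApply(u Update, _ []byte) []byte {
	return u.Payload
}

// VerifiedApply accepts an update only if it is signed under the pinned
// publisher key and is strictly newer than the installed version.
func VerifiedApply(pinned ed25519.PublicKey, installed uint32, u Update, sig []byte) ([]byte, error) {
	if len(pinned) != ed25519.PublicKeySize {
		return nil, ErrBadKey // ed25519.Verify panics on a bad key length, so check first
	}
	if !ed25519.Verify(pinned, manifestBytes(u), sig) {
		return nil, ErrBadSignature
	}
	if u.Version <= installed {
		return nil, ErrRollback
	}
	return u.Payload, nil
}

// Tamper simulates an on-path attacker, or anyone holding admin/admin on the
// server, swapping the payload while keeping the version number intact.
// The replacement is a constructed stand-in string, not real malware.
func Tamper(u Update) Update {
	return Update{Version: u.Version, Payload: []byte("constructed stand-in for an attacker-supplied executable")}
}

func main() {
	pub, priv := GenerateKeys()
	installed := uint32(1)
	genuine := Update{Version: 2, Payload: []byte("blacklist v2 (constructed sample)")}
	sig := SignUpdate(priv, genuine)
	evil := Tamper(genuine)

	fmt.Printf("naive client runs: %q\n", NaiveApply(evil, sig))
	if _, err := VerifiedApply(pub, installed, evil, sig); err != nil {
		fmt.Println("verifying client rejects tampered update:", err)
	}
	if out, err := VerifiedApply(pub, installed, genuine, sig); err == nil {
		fmt.Printf("verifying client applies: %q\n", out)
	}
	if _, err := VerifiedApply(pub, 2, genuine, sig); err != nil {
		fmt.Println("verifying client rejects replay of current version:", err)
	}
}
```

Because the signature covers the payload itself rather than the connection, this check holds even over plaintext HTTP and even if the server is fully compromised; the attacker gains nothing from admin/admin unless they also hold the publisher’s private key. It does nothing about the separate leak of subscriber IP addresses through the open status page, which is a server-side exposure the client cannot fix.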
“People don’t know whether to laugh or cry,” Astrid Girardeau from TheInternets.fr told us. “Because it is a new Hadopi fail. And because, Christine Albanel, the ex-Minister of Culture, is now the executive of communication, for… Orange.”