Last week, plans to implement a three strikes policy in France that could lead to the disconnection of file sharers caught sharing illegal files were put on hold after it was revealed the company tasked with tracking activity had been hacked.
TMG's server software could then be examined by hackers to understand how it works. The result shows that the software is very insecure, and should cause concerns about TMG's involvement in the three strikes policy.
TMG servers were running a custom administrative program written in Delphi, which didn't require any authentication at all. Basically, anyone could connect to port 8500 and start sending commands directly to the server.
While the commands supported were limited to shutting down, rebooting, start/stop P2P client, software updates and others, they were sufficient to allow hackers to do whatever they wanted with the servers.
For example, the update command connects to an FTP server, retrieves a file and then automatically executes it. Remarkably, it does not have a pre-set FTP server and literally allows for any FTP server to be specified as part of the update command.
This means hackers could more or less get the TMG server to run whatever software they wanted it to. TMG is the only company that has been authorized to collect the IP address data needed to take action against alleged Internet pirates.
Written by: James Delahunty @ 26 May 2011 17:08
