Page 1 of 2 12 LastLast
Results 1 to 16 of 20

Thread: Did anyone get the Be email about the router issue?

  1. #1
    Registered+
    Join Date
    Aug 2009
    Posts
    90
    Thanks
    5
    Thanked
    8 times in 8 posts

    Did anyone get the Be email about the router issue?

    Hi Members -

    We've realised that you may not have received this email that we sent out last week, if not, we're really sorry. If you did receive it, we're sorry you're getting it again, it's not another issue we promise!

    We want to let you know that we've recently been informed of a security problem that could affect the BE Box, among other routers.

    Essentially, the problem could allow somebody to change your router settings, and nobody wants that.

    For you tech savvies, we've included more details at the bottom of this email.

    Here's what we're doing:

    We want everyone to be protected - even the people who don't read this email, so, we've decided to automatically update the password for everyone.

    It will be unique to each user: we have run a script to change the password to the individual serial number on your BE Box (found on the bottom of the router). If you want to change it after that, go here for a guide: https://www.bethere.co.uk/web/beportal/beboxpassword

    Just to be clear, we haven't changed the wireless key - it's the password to the administrator web interface. That's the only change we will.or would.make.

    All the best -


    Everyone @BE


    The Techie Stuff


    The BE Box is vulnerable to an XSS (cross-site scripting) combined with a CRSF (cross-site request forgery) that allows a remote attacker to perform actions on the Web UI (user interface), via the use of JavaScript - and without the user's knowledge or consent.

    In the short term, in order to stop this from occurring we have set the password on everyone's BE Box.

    Now that we've done this, if someone tries to attack your router, you will be prompted to enter your Administrator Password. Don't do it, otherwise the attack will be successful. . (We'd like to think that most people wouldn't enter their username and password for a random unexpected login prompt)

    In the long run we're working with Thomson to improve the firmware's resilience to such attacks.

    Did any Be members get this first email? Me suspects that it wasn't sent at all, and I'd appreciate some feedback from you guys before I write this angry complaint to them about their unauthorised dicking about with my gear and shtting me up something rotten that Id been hacked.

  2. #2
    mutantbass head Lee H's Avatar
    Join Date
    Dec 2003
    Location
    M28, Manchester
    Posts
    14,204
    Thanks
    337
    Thanked
    671 times in 580 posts
    • Lee H's system
      • Motherboard:
      • MSI Z370 Carbon Gaming
      • CPU:
      • Intel i7 8700K Unlocked CPU
      • Memory:
      • 16 GB Corsair Vengeance 3200 LPX
      • Storage:
      • 250GB 960 EVO + a few more drives
      • Graphics card(s):
      • 6GB Palit GTX 1060 Dual
      • PSU:
      • Antec Truepower 750W Modular Blue
      • Case:
      • Corsair 600T White Edition
      • Operating System:
      • Windows 10 PRO
      • Monitor(s):
      • 27" Asus MX279H & 24" Acer 3D GD245HQ + the 3D glasses
      • Internet:
      • Virgin Media

    Re: Did anyone get the Be email about the router issue?

    Quote Originally Posted by blackbirds View Post
    Did any Be members get this first email? Me suspects that it wasn't sent at all, and I'd appreciate some feedback from you guys before I write this angry complaint to them about their unauthorised dicking about with my gear and shtting me up something rotten that Id been hacked.
    I wouldn't even bother writing them an email.

    At the end of the day there was a security issue, which they have tried to 'temporary' fix while they liase with the router manufacturer to fix the problem 100% correctly.

    I bet you would have been more annoyed if your router was hacked etc than some remote fiddling that BE have done.

  3. #3
    Splash
    Guest

    Re: Did anyone get the Be email about the router issue?

    I did, about a week or 2 back. But I don't use my bebox, it's on top of the telly in case they need it for anything, but...meh.

  4. #4
    HEXUS webmaster Steve's Avatar
    Join Date
    Nov 2003
    Posts
    14,276
    Thanks
    292
    Thanked
    837 times in 473 posts

    Re: Did anyone get the Be email about the router issue?

    My router has Internet side admin turned off and is not routable from my LAN by virtue of it being in bridged mode into my Draytek's WAN port. So I'd say I'm safe.

    Then again I'm not sure my Be router is a "Be Box" per se. In any case, they can GTFO my router, I don't like people changing my passwords.

    There's a better way around the problem that doesn't involved changing the config of somebody's modem for them. You detect the fault, and serve up a page with a warning.
    PHP Code:
    $s = new signature();
    $s->sarcasm()->intellect()->font('Courier New')->display(); 

  5. #5
    Registered+
    Join Date
    Aug 2009
    Posts
    90
    Thanks
    5
    Thanked
    8 times in 8 posts

    Re: Did anyone get the Be email about the router issue?

    Quote Originally Posted by Lee @ SCAN View Post
    I wouldn't even bother writing them an email.

    At the end of the day there was a security issue, which they have tried to 'temporary' fix while they liase with the router manufacturer to fix the problem 100% correctly.

    I bet you would have been more annoyed if your router was hacked etc than some remote fiddling that BE have done.
    Indeedie, and that's why I'm only planning on writing them a complaint, and not kicking up more of a fuss. I appreciate that they had good intentions, but that doesn't excuse them accessing gear that's got nothing to do with them and making unauthorised changes that send me off in an angry and highly paranoid panic. I had to phone my credit card company in the morning to get a new card sent out, fearing that the old one's details could've been comprimised. Had to reset my router, and reconfigure all the settings I have with it. Had to scan through logs looking for anything relevant, had to inspect all of my systems for any changes that might've been made, and had to knock offline whilst I did it all. All because Be hacked a router they had no right to touch. Good intentions are nice, but it's not as if they couldn't have contacted me in a myriad of ways to let me know that it was them who'd been messing with my network, and not to worry. Instead, I got this email nearly a week later, using the highly suspicious "We did send an email, maybe you didn't get it" cop-out. Maybe you wouldn't be bothered, but that's you, and you didn't have to go through the panic I went through last week.

  6. #6
    Senior Member
    Join Date
    Aug 2007
    Posts
    1,094
    Thanks
    11
    Thanked
    77 times in 75 posts
    • LuckyNV's system
      • Motherboard:
      • MSI GD65
      • CPU:
      • i5 750 w/ Thermalright Ultra120X
      • Memory:
      • 2x2GB DDR3-1600 Cas7
      • Storage:
      • 640GB.AAKS, 2xSamsung F1 1TB, 2xSamsung 64GB SLC SSD
      • Graphics card(s):
      • Sapphire HD6870 1GB
      • PSU:
      • Corsair HX620W
      • Case:
      • Coolermaster HAF-932
      • Operating System:
      • Windows 7 Pro 64bit
      • Monitor(s):
      • LG W2286L
      • Internet:
      • Be* Unlimited@21Mbps w/ Draytek 2710n

    Re: Did anyone get the Be email about the router issue?

    The email is referring the the SUPPLIED Be Box router, if you use a 3rd party router then it is not relevant and you can ignore.

  7. #7
    Senior Member
    Join Date
    Sep 2005
    Posts
    587
    Thanks
    7
    Thanked
    7 times in 7 posts

    Re: Did anyone get the Be email about the router issue?

    I wonder if it says in their TOS that they have a backdoor account in their BE Box, and can make changes. I don't have BE, but I'd imagine the Be Box is a rental, so they have some rights over it.

  8. #8
    Senior[ish] Member Singh400's Avatar
    Join Date
    Jun 2008
    Posts
    2,933
    Thanks
    136
    Thanked
    310 times in 247 posts

    Re: Did anyone get the Be email about the router issue?

    Yeah I got it a couple of weeks ago, I'm using the Be Box. Didn't bother to wait for them to do it. Did it myself. Created a 2nd user, with no edit rights and set that as the default user Sorted!

  9. #9
    Senior Member
    Join Date
    Aug 2007
    Posts
    1,094
    Thanks
    11
    Thanked
    77 times in 75 posts
    • LuckyNV's system
      • Motherboard:
      • MSI GD65
      • CPU:
      • i5 750 w/ Thermalright Ultra120X
      • Memory:
      • 2x2GB DDR3-1600 Cas7
      • Storage:
      • 640GB.AAKS, 2xSamsung F1 1TB, 2xSamsung 64GB SLC SSD
      • Graphics card(s):
      • Sapphire HD6870 1GB
      • PSU:
      • Corsair HX620W
      • Case:
      • Coolermaster HAF-932
      • Operating System:
      • Windows 7 Pro 64bit
      • Monitor(s):
      • LG W2286L
      • Internet:
      • Be* Unlimited@21Mbps w/ Draytek 2710n

    Re: Did anyone get the Be email about the router issue?

    Quote Originally Posted by latrosicarius View Post
    I wonder if it says in their TOS that they have a backdoor account in their BE Box, and can make changes. I don't have BE, but I'd imagine the Be Box is a rental, so they have some rights over it.
    Yes you are correct, the router is supplied free, however you must give it back if you leave Be or pay £100 (even though its worth much less)

    There are features that allow Be to look at your router statistics, mostly to help users if there are problems, Be can even remotely access your router if you allow them.

  10. #10
    Registered+
    Join Date
    Aug 2009
    Posts
    90
    Thanks
    5
    Thanked
    8 times in 8 posts

    Re: Did anyone get the Be email about the router issue?

    Quote Originally Posted by latrosicarius View Post
    I wonder if it says in their TOS that they have a backdoor account in their BE Box, and can make changes. I don't have BE, but I'd imagine the Be Box is a rental, so they have some rights over it.
    Be do issue routers on a rental basis, and they probably do have the backdoor rights written into the T&Cs, but they're irrelevant to me anyway since I don't use a Be router, and haven't been a Be customer since December.

  11. #11
    Senior Member
    Join Date
    Sep 2008
    Location
    UK
    Posts
    302
    Thanks
    3
    Thanked
    18 times in 18 posts
    • synaesthesia's system
      • Motherboard:
      • MSI Z77MA-G45
      • CPU:
      • Intel Core i5 3570K
      • Memory:
      • GSkill RipjawX 2133Mhz 8GB
      • Storage:
      • 128GB Samsung 830/2 x 2TB WD Black
      • Graphics card(s):
      • AMD Radeon 6870
      • PSU:
      • Silverstone 750w Modular
      • Case:
      • Corsair Carbide 200R
      • Operating System:
      • Windows 7 RC1
      • Monitor(s):
      • Samsung 245B 24" TFT
      • Internet:
      • 16Mbit DSL

    Re: Did anyone get the Be email about the router issue?

    Be like O2 do indeed say they retain ownership of the router (if you use theirs) and that they reserve the right to access the router, but nothing beyond, in order to update it. So, a bit of grey area about going in to change passwords but in their defence, a majority of their users are not going to be particularly savvy.

    Plus, should you be a little lazy like me and need to contact them for a problem like dropouts or otherwise unreliable connections, they are able to change the necessary settings to your local router as well as in their kit.

    Personally I'm not a fan of that idea, almost as much as I'm a fan of Be's new web****e so flashed the router anyway
    Moo.

  12. #12
    Senior Member watercooled's Avatar
    Join Date
    Jan 2009
    Posts
    11,459
    Thanks
    1,539
    Thanked
    1,024 times in 868 posts

    Re: Did anyone get the Be email about the router issue?

    Wow, another Javascript flaw - what a surprise!! I'm assuming this works if a user accesses a specially-crafted malicious website which would run the JS in your browser. Another way to avoid attacks like this is to run the NoScript add-on for Firefox and only allow websites you trust. There are just so many JS-based attacks it's best to have it off where it's not needed. I'd also guess that having a good password for your router in the first place would prevent such an attack as it would try the default - default passwords are bad - never use them!!!
    About Be accessing it - if it's in the small print then you've agreed to it and I think it's a very good move on their behalf. Look at it this way - if they just sent an email telling everyone to change their passwords because "The BE Box is vulnerable to an XSS (cross-site scripting) combined with a CRSF (cross-site request forgery) that allows a remote attacker to perform actions on the Web UI (user interface), via the use of JavaScript - and without the user's knowledge or consent." how many people actually would? Non-tech-savvy people wouldn't have a clue what any of that meant and probably wouldn't even know how to change the password so they'd either ignore it, panic and all phone tech support and overload it or find out how to log into the router and change something that shouldn't be changed which could cause more problems. Tech-savvy users are a minority really and might be using their own router in which case it doesn't matter. If you're using Be's router then like I said it's theirs, you agreed to that and they're trying to help improve security which IMO is easily the right thing to do. If you're so paranoid about them hacking it go buy another router. You call it hacking but what about the other changes that are made on a regular basis including sync speed etc? Either way they did have the right to touch it because it's theirs - if you didn't read the T+Cs that's your problem. Yeah, it would have annoyed me and I'd probably be concerned about and they should have done more to inform you of what they were doing closer to when they did it - an automated phone call for example.
    Last edited by watercooled; 19-09-2009 at 02:40 PM.

  13. Received thanks from:

    blackbirds (21-09-2009)

  14. #13
    fold fold fold!
    Join Date
    Nov 2008
    Posts
    511
    Thanks
    25
    Thanked
    32 times in 25 posts
    • shbris's system
      • CPU:
      • 1600x
      • Memory:
      • 16GB
      • Storage:
      • various ssd's
      • Graphics card(s):
      • gtx 1060 6gb
      • Case:
      • mini itx
      • Operating System:
      • Windows 10
      • Internet:
      • 100/10

    Re: Did anyone get the Be email about the router issue?

    didn't get that email. but got a really nice email from my bank the other day asking to confirm all my account details and date of birth for security reasons, which seamed really nice of them.

  15. #14
    Registered+
    Join Date
    Oct 2005
    Location
    London
    Posts
    48
    Thanks
    0
    Thanked
    1 time in 1 post

    Re: Did anyone get the Be email about the router issue?

    Still no email, but opted out and still have the same password on my router.

  16. #15
    Senior Member watercooled's Avatar
    Join Date
    Jan 2009
    Posts
    11,459
    Thanks
    1,539
    Thanked
    1,024 times in 868 posts

    Re: Did anyone get the Be email about the router issue?

    Opted out?

  17. #16
    Registered+
    Join Date
    Oct 2005
    Location
    London
    Posts
    48
    Thanks
    0
    Thanked
    1 time in 1 post

    Re: Did anyone get the Be email about the router issue?

    Quote Originally Posted by watercooled View Post
    Opted out?
    http://www.beusergroup.co.uk/technot...cure_The_Bebox

  18. Received thanks from:

    watercooled (19-09-2009)

Page 1 of 2 12 LastLast

Thread Information

Users Browsing this Thread

There are currently 1 users browsing this thread. (0 members and 1 guests)

Similar Threads

  1. Stupid forum email restrictions?
    By stroberaver in forum Software
    Replies: 8
    Last Post: 24-03-2008, 03:16 PM
  2. Can one wireless router talk to another wireless router?
    By pmanington in forum Networking and Broadband
    Replies: 11
    Last Post: 30-01-2008, 12:39 PM
  3. Advice on a router.
    By ACiDuS in forum Networking and Broadband
    Replies: 6
    Last Post: 27-11-2007, 06:06 PM
  4. Just installed new Router and now getting email probs!
    By wannabgeek in forum Help! Quick Relief From Tech Headaches
    Replies: 6
    Last Post: 22-10-2005, 01:54 AM
  5. [HELP] how to boost up the signal of my wireless router?
    By zhenboy in forum Networking and Broadband
    Replies: 8
    Last Post: 15-10-2004, 12:34 PM

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •