Phorm, how do I hack thee? UPDATE: Blogosphere’s “Mr Serious” In Disastrous Brainfart

Let me count the ways.

If you think Phorm – the evil advert-spooking system practically all the UK’s eyeball ISPs want to force on you – isn’t so bad, I’ve got news for you. First of all, let’s have a look at this Grauniad Tech article.

BT’s 2006 trials certainly involved some sort of interception, because the data streams had extra Javascript inserted into them – which puzzled a number of people at the time. Two examples can be seen at the forums of raisingkids.co.uk and progarchives.com. In both, the Javascript and other tags inserted by the 121Media system are clearly visible, with one showing the referring page and possibly “interests” of the member. Both contain links to sysip.net – the 121Media-owned site through which BT sent browser requests during the 2006 trials and later ones in summer 2007.

OK. So not only were they snooping, but Phorm actually injects not just data – like a cookie – but code into your URL requests, so their customer websites react differently as a result. It’s especially worrying that what they are adding is JavaScript; it’s not just data, it’s program logic. It does things. And, as any user of modern Web 2.0 services should realise, you can do all kinds of things with it – for example, you can call other web servers from within a web page without reloading. There is no way for you – the person whose BT, Virgin or Carphone Warehouse billing record stands behind the IP address that stands behind the identifier Phorm assigned – to know what such code does until after the fact.

Now, consider this; the good people of F-Secure unpicking the latest trend in security threats, the iFrame injection. It works like this – a lot of websites catch the search requests they receive and cache them, either to speed up the search process or to provide suggestions with the search results. This means that the search string…appears in a web page on their servers. So, if you fire enough popular search terms (which you can get from their website…) in, and append your attack code, there’s a chance it’ll get cached. And then, a visitor who uses the same search terms will get a page that contains the attack code; JavaScript is executed on the client side – i.e. on the visitor’s computer – so you’re in.
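The cache-and-echo flaw described above, as an added example that is not code from this post or from any site it mentions: a minimal suggestion renderer that echoes cached search strings back to later visitors, shown in the unescaped form the post describes beside a form that HTML-escapes every term, plus an audit check that flags cached entries containing anything tag-like. The cache contents and the placeholder.invalid address are constructed sample data.

```python
import html
import re
from collections import Counter

# Constructed sample of what a site's search cache might hold: popular terms
# and their hit counts. One entry carries markup of the kind the post describes
# being smuggled in via a search request (placeholder host, not a real site).
CACHED_SEARCHES = Counter({
    "sweets": 5,
    "tentacles": 3,
    'tentacles <iframe src="http://placeholder.invalid/"></iframe>': 2,
})

# Anything that looks like the start of an HTML tag, comment or closing tag.
MARKUP_RE = re.compile(r"<\s*[a-zA-Z!/]")


def render_suggestions_unsafe(cache):
    """The pattern the post describes: cached terms dropped straight into HTML,
    so a stored term containing a tag becomes live markup for every visitor."""
    items = "".join(f"<li>{term}</li>" for term, _ in cache.most_common())
    return f"<ul>{items}</ul>"


def render_suggestions(cache):
    """Hardened: every cached term is HTML-escaped before it reaches the page,
    so a stored term can only ever appear as text, never as a tag."""
    items = "".join(
        f"<li>{html.escape(term, quote=True)}</li>" for term, _ in cache.most_common()
    )
    return f"<ul>{items}</ul>"


def flag_markup_in_cache(cache):
    """Defender check: list cached terms containing anything tag-like, so the
    cache can be audited or purged rather than served to visitors."""
    return sorted(term for term in cache if MARKUP_RE.search(term))


def contains_live_tags(page):
    """True if the rendered page contains any tag beyond the ul/li wrapper."""
    tags = {m.group(1).lower()
            for m in re.finditer(r"<\s*/?\s*([a-zA-Z][a-zA-Z0-9]*)", page)}
    return not tags <= {"ul", "li"}


if __name__ == "__main__":
    print(flag_markup_in_cache(CACHED_SEARCHES))
    print(contains_live_tags(render_suggestions_unsafe(CACHED_SEARCHES)))  # True
    print(contains_live_tags(render_suggestions(CACHED_SEARCHES)))  # False
```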

So, let’s put them together; if you’re a Phorm customer, you can get the interests and web habits (and billing data?) of everyone in the UK delivered to your dodgy website in real time, and then you can reload anything you damn well like in their browser based on that information. Suddenly – let’s back off here. It’ll be someone unpopular. At first. So bnp.co.uk or alghuraabah.co.uk sends you to http://www.sweeticklekiddiesandtentacles.203vggngh65t7.biz.cn; and there’s fuck all you can do about it, except try to explain the concepts of “deep packet inspection”, “iFRAME SEO injection”, and the like to a court of law.

Paranoia, right? Not so much.

You think that’s scary? Here’s some more F-Secure for you. There is at least one exploit out there, which could be delivered through the lines we just discussed, that writes dubious code to the BIOS – the low-level insect brain of a computer, the bit that lights up the screen, spins up the hard drive, and explains how to read the boot sector and start the operating system. The only fix there, I think, would be to format the fucking lot and install something completely different – or throw the damn thing in the sea.

But here’s where it gets bad; the thing nicks your online banking passwords. And then what does it do? It puts money into your bank account. Feel free to speculate.

Update: Now that’s what I call an April Fool from F-Secure. A cracker. This is of course without prejudice to the rest of the post, but I should have realised there would be no way they’d have included a live link to the exploit if it was real. If you were brave enough to follow it, well…you’d get the joke.


  1. You Say Virgin, We Say Die! « Alternate Seat of TYR

    […] action, censorship, computer, dayjob, geekage, networks, politics, protest So, after the Phorm evilhood, and the weird brokenness detailed here, and the 30-odd hour no-notice outage they dropped […]
