Do you know what Phorm is? If you think it’s just a particularly bad misspelling of prom, you’re not alone; this is one of those stories that has largely remained hidden in geek circles. What Phorm does is enable your ISP to serve you adverts without your consent by hacking your internet traffic. Every time you do anything on the internet you send a request through your ISP’s servers, at which point it stores the request in some database, which Phorm uses to build up a profile of you and your interests. This information is then used by subscribing websites to put up adverts targeted at those interests. It works a bit like Google AdWords, except that Google adapts its ads to the website they appear on, not to its visitors. Google assumes that if you visit a knitting website, you’ll like ads about knitting. Phorm reckons that if you visit a knitting website, but spent most of last week looking at AffordableKittens.com, you would like to see ads about affordable kittens.
Sounds benign? Not quite: all your internet traffic is stored and analysed, which Phorm says is done anonymously, but we all know it doesn’t work that way in real life. Especially since it depends on your ISP to work, because only by installing the Phorm server there can they capture all your internet traffic – including e-mail. And of course, your ISP knows what IP address you use, who you are, where you live, etc. The temptation to use all that juicy data to bring offers you can’t refuse to your doorstep – well, do you trust advertisers to resist it? If you don’t, you might want to avoid BT, Virgin or TalkTalk as your internet provider… Luckily this “service” is only being used in the UK so far.
All of this is bad enough, but then Alex discovered something much more alarming about Phorm: it doesn’t just snoop, it adds its own little snippets of code to your URL requests, which means bad guys can use it to hijack your browsing and, well, let Alex explain it to you:
OK. So not only were they snooping, but Phorm actually injects not just data – like a cookie – but code into your URL requests, so their customer websites react differently as a result. It’s especially worrying that what they are adding is JavaScript; it’s not just data, it’s program logic. It does things. And, as any user of modern Web 2.0 services should realise, you can do all kinds of things with it – for example, you can call other web servers from within a web page without reloading. There is no way for you – the person whose BT, Virgin or Carphone Warehouse billing record stands behind the IP address that stands behind the identifier Phorm assigned – to know what such code does until after the fact.
Now, consider this; the good people of F-Secure unpicking the latest trend in security threats, the iFrame injection. It works like this – a lot of websites catch the search requests they receive and cache them, either to speed up the search process or to provide suggestions with the search results. This means that the search string…appears in a web page on their servers. So, if you fire enough popular search terms (which you can get from their website…) in, and append your attack code, there’s a chance it’ll get cached. And then, a visitor who uses the same search terms will get a page that contains the attack code; JavaScript is executed on the client side – i.e. on the visitor’s computer – so you’re in.
So, let’s put them together; if you’re a Phorm customer, you can get the interests and web habits (and billing data?) of everyone in the UK delivered to your dodgy website in real time, and then you can reload anything you damn well like in their browser based on that information. Suddenly – let’s back off here. It’ll be someone unpopular. At first. So bnp.co.uk or alghuraabah.co.uk sends you to www.sweeticklekiddiesandtentacles.203vggngh65t7.biz.cn; and there’s fuck all you can do about it, except try to explain the concepts of “deep packet inspection”, “iFRAME SEO injection”, and the like to a court of law.
Oops.
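The caching failure Alex describes, as an added example that is not from the original post or from F-Secure: a site that echoes its cached search strings into a "popular searches" list, with the fix (HTML-escaping every cached string before output) beside it. The search strings and the attacker.example host are constructed for the example.

```python
import html
from collections import Counter

# Constructed sample of recent search strings, as a site might cache them.
# The last one carries the kind of markup the post describes being planted.
SAMPLE_QUERIES = [
    "affordable kittens",
    "knitting patterns",
    "affordable kittens",
    '<iframe src="https://attacker.example/x"></iframe>',  # constructed payload
]


def popular_terms(queries, n=3):
    """Return the n most frequent cached search strings (the 'suggestions')."""
    return [term for term, _ in Counter(queries).most_common(n)]


def render_vulnerable(queries):
    """The failure mode in the post: cached strings pasted into HTML as-is,
    so any markup a searcher typed is interpreted by the next visitor's browser."""
    items = "".join(f"<li>{q}</li>" for q in popular_terms(queries))
    return f"<ul>{items}</ul>"


def render_hardened(queries):
    """Same page, but every cached string is HTML-escaped before output,
    so planted markup is displayed as text rather than executed."""
    items = "".join(
        f"<li>{html.escape(q, quote=True)}</li>" for q in popular_terms(queries)
    )
    return f"<ul>{items}</ul>"


def contains_active_markup(page):
    """Cheap self-check a site owner can run over its own generated pages:
    does the output contain a raw iframe or script tag?"""
    lowered = page.lower()
    return "<iframe" in lowered or "<script" in lowered


if __name__ == "__main__":
    print("vulnerable page carries active markup:",
          contains_active_markup(render_vulnerable(SAMPLE_QUERIES)))
    print("hardened page carries active markup:",
          contains_active_markup(render_hardened(SAMPLE_QUERIES)))
```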