The French "three strikes" policy was put on hold last week after the private company tasked with collecting piracy data, TMG, was hacked and found to be insecure. The hack has allowed the company's data-collecting software to be examined. It turns out that servers weren't the only thing that TMG failed to properly secure; their anti-piracy software is riddled with flaws, too.

TMG's server was running a custom-written administration program coded in Delphi. It had the unusual security feature of not requiring any authentication at all, allowing anyone connecting to port 8500 to send commands to the server. The commands it supports are limited—shutdown or reboot the computer, stop or start a peer-to-peer client, and update the software on the server—but due to their shoddy design these commands are sufficient to allow hackers to do whatever they want. The update command connects to an FTP server, retrieves a file, and then executes it—all without authentication—and rather than connecting to a specific FTP server, it allows the server to be specified when the update command is given.

This allows an attacker to set up their own FTP server, put their malicious program onto the server, and then tell the TMG system to update from the hacker-controlled server. In this way, they can make the TMG server run whatever software they want. If all of TMG's anti-piracy servers are running the same administrative program, then they are all susceptible to being attacked in this same, trivial way.

This could in turn allow the private networks used by TMG for sharing IP address information with the French authorities to be attacked and possibly compromised—a risk that led to the temporary cessation of data collection last week.

TMG's data collection is instrumental to the French "three strikes" anti-piracy laws that will see persistent pirates disconnected from the Internet. The HADOPI agency, responsible for enforcing the law, has authorized only one company, TMG, to collect the IP address data needed to take action under the law. The earlier hack already raised doubts over TMG's ability to safely collect this information—those doubts will only grow in the light of the software flaws, and the discovery shows the need for greater transparency and scrutiny of TMG's entire operation.