[ISN] Cable Modem Hacking Tricks Uncapped Online

From: InfoSec News (isnat_private)
Date: Fri Mar 15 2002 - 04:32:55 PST

  • Next message: InfoSec News: "[ISN] AFCEA Courses"

    By Brian McWilliams, Newsbytes
    13 Mar 2002, 10:38 PM CST
    When his cable modem service seemed to slow almost to a crawl last 
    spring, Matthew Hallacy did like most people and complained to 
    technical support at his Internet service provider, AT&T Broadband. 
    But after the sluggish performance persisted for weeks, Hallacy, a 
    Minnesota-based software engineer and networking expert, decided to 
    take matters into his own hands: he hacked his cable modem. 
    "Tech support told me it wasn't their fault and the service was going
    as fast as it could. So I downloaded the specs for the modem off the
    Web and started poking around to see if that was true," said Hallacy.
    It wasn't long before Hallacy, 21, devised a trick for modifying an
    obscure configuration file used by the service to control the settings
    in his 3Com cable modem.
    A few tweaks later, Hallacy's $50-per-month service, which had been
    downloading data at a poky 75 kilobits per second (Kbps), was sweetly
    humming along at much brisker speeds in both directions.
    According to Hallacy, he hacked the modem just to prove that AT&T's
    network management, and not his modem, was the performance bottleneck,
    and he immediately changed the settings back.
    But after successfully testing his technique for friends on other
    cable modem services - and studying further the specifications for
    DOCSIS, the standard interface used by most cable modem manufacturers
    - Hallacy decided he had uncovered a bona fide security vulnerability.
    This week, Hallacy submitted a description of his technique to two
    e-mail discussion lists run by SecurityFocus.com that are read by
    thousands of computer security aficionados.
    Hallacy's message detailed how to trick a DOCSIS-compliant cable modem
    into divulging its secret configuration file, and how to edit the
    file's binary data using a free, open-source software program.
    According to cable experts, Hallacy's trick is not new, and similar
    techniques involving what are called TFTP servers have previously been
    anonymously published on the Web.
    But the description by Hallacy may be the most specific ever posted to
    such a public forum. And experts said his claim that not only AT&T but
    also some Comcast and Time Warner cable systems are vulnerable, may
    spur operators to make changes to their networks - or risk similar
    poking and prodding by other networking gurus.
    AT&T Broadband spokesperson Andrew Johnson said the company takes
    potential security issues seriously but was still investigating
    Hallacy's report and had no immediate comment on his claims.
    In an interview today, Hallacy claimed that changes to the
    configuration file could do more than just remove the bandwidth caps
    put in place by cable operators to manage their precious resources.
    According to Hallacy, a savvy network programmer could change his
    configuration file to intercept all data from other users on the
    attacker's local area or "node".
    "I or somebody like me could sit down in front a cable modem on AT&T's
    network and have something like that running in less than half an
    hour, and AT&T probably would never notice it," he claimed.
    In some instances, the technique could potentially be exploited even
    to take control of a cable ISP's gateway computers, alter their
    network routing, and shift large amounts of traffic to a specified
    destination, Hallacy claimed.
    Officials from CableLabs, the nonprofit industry consortium that
    developed DOCSIS, said the modem standard includes several mechanisms,
    including something called "shared secret keys," that enable cable
    operators to prevent users from making the sorts of modifications
    claimed by Hallacy.
    "The problem is real, but it's not because of a flaw in the
    specification," said Rouzbeh Yassini, a senior CableLabs executive.
    "When it's raining, some people decide to walk in the rain without an
    umbrella," Yassini added, referring to cable operators who may have
    neglected to configure their networks properly.
    According to 3Com spokesperson Kim Sullivan, the big network equipment
    maker discontinued its consumer cable modem business last summer.
    "We currently do not have a product that is affected by the threat"  
    described by Hallacy, she said.
    A Motorola representative noted that a forthcoming engineering change
    from CableLabs will require cable modem vendors to implement a
    technique for preventing subscribers from changing the modem's config
    file, and that Motorola intends to implement the change.
    Dave Ahmad, moderator of the Bugtraq security mailing list, said he
    did not immediately approve Hallacy's submission because it described
    "how to evade (cable operators') service restrictions" and because he
    was "not sure what the benefit was to the community. Who is at risk if
    the information is not made public?"
    Ahmad posted his comments, along with Hallacy's advisory, in a message
    Tuesday to the Vuln-Dev list, which published a pared back version of
    Hallacy's report on Monday.
    Hallacy said he debated the morality of publishing his hacking
    instructions, but finally decided to do so as "a little bit of a smack
    in cable companies' direction. People are exploiting this. It's one of
    the reasons there's not enough bandwidth on some nodes, and they need
    to fix it."
    Hallacy's original submission to Bugtraq is at
    CableLab's DOCSIS specs are online at
    ISN is currently hosted by Attrition.org
    To unsubscribe email majordomoat_private with 'unsubscribe isn' in the BODY
    of the mail.

    This archive was generated by hypermail 2b30 : Fri Mar 15 2002 - 09:02:25 PST