Other cable ISPs, such as ones which I have worked for in the past, brought the problem to Hybrid's attention almost TWO YEARS ago. Hybrid gear is heavily insecure both in the field (their modems) and in the headend (their headend hardware is EXTREMELY insecure and susceptible to hacks, using r* commands all over the place to communicate back and forth among the boxen). There are exploit possibilities with Hybrid gear which allow you to reprogram your UUID in your modem to be the same as someone else's. If you contact the cable provider and social engineer them into deactivating and reactivating the UUID (a common solution employed for solving connectivity issues with Hybrid gear), then your modem will accept the NOS download as well as all of the victim's configuration settings, allowing the altered modem to completely impersonate the victim's modem. At that point, they will be completely identical.

As I said, this was brought to their attention two years ago, give or take, and Hybrid claimed that such a scenario "would never happen". They made no effort to secure the modems, and a minimal effort to secure the boxes. (Attempts to convert the r* commands to at least use s* commands failed miserably, and Hybrid insisted that 'using r* was absolutely necessary for their architecture').

D

>As the author of the above program, I'd like to mention -- in case Hybrid
>tries to play innocent -- that I brought this to RCN's attention back in
>April of this year. The RCN folks spoke to the Hybrid folks, but as far
>as I can tell nothing came of it. I'm not sure they took the warning all
>that seriously.
>
>(RCN is a cable/cable modem/telephone provider out here in MA [and
>elsewhere in the northeast].)
>
>After speaking with RCN about the problem, I was told that due to the
>configuration of their network, they were unable to implement a block that
>would be effective against machines on the same cable segment. In this
>case, port blocking offers only limited security -- even with HSMP blocked
>at the organization level, it may still be possible to exploit other
>security issues and gain access to a machine on your favorite local
>segment and work from there.
>
>In any case, I'm glad that someone has found my code to be...err, useful.
>Be nice.
>
>-- Lars
>
>--
>Lars Kellogg-Stedman * larsat_private * (617)353-5228
>Department of Computer Science, Boston University
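The scenario above ends with two modems that are "completely identical" from the headend's point of view. One thing a provider can still do, even without a working HSMP block on the segment, is watch its own provisioning records for a UUID that is online on two different cable segments at the same time. The following is an added example written for this archive page, not code from the original post, from Lars, or from Hybrid or RCN; the record layout (timestamp, uuid, segment, online/offline event) is an assumption about what a headend log might hold, and the sample records are constructed.

```python
"""Flag a cable-modem UUID that is online on more than one cable segment
at once, which is what the UUID-cloning scenario in the post produces.

Added example; the log layout below is an assumption, not Hybrid's format.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample records (assumed layout, not a real headend log).
# A modem going offline on one segment and reappearing on another is
# normal (customer moved); the same UUID online on two segments at the
# same time is the impersonation case described in the post.
SAMPLE_LOG = [
    "2001-04-10T08:00:00 uuid=MODEM-A segment=seg-1 event=online",
    "2001-04-10T08:05:00 uuid=MODEM-B segment=seg-1 event=online",
    "2001-04-10T09:00:00 uuid=MODEM-B segment=seg-1 event=offline",
    "2001-04-10T09:10:00 uuid=MODEM-B segment=seg-2 event=online",  # moved: fine
    "2001-04-10T10:00:00 uuid=MODEM-A segment=seg-3 event=online",  # MODEM-A still online on seg-1
]


def parse_record(line):
    """Parse one constructed 'ts key=value ...' line into a dict."""
    ts_str, *fields = line.split()
    rec = {"ts": datetime.fromisoformat(ts_str)}
    for field in fields:
        key, value = field.split("=", 1)
        rec[key] = value
    return rec


def find_duplicate_uuids(lines):
    """Return {uuid: {segments}} for every UUID that was online on two or
    more segments simultaneously at some point in the log."""
    active = defaultdict(set)   # uuid -> segments currently online
    flagged = defaultdict(set)  # uuid -> segments seen during an overlap
    records = sorted((parse_record(line) for line in lines), key=lambda r: r["ts"])
    for rec in records:
        uuid, seg = rec["uuid"], rec["segment"]
        if rec["event"] == "online":
            active[uuid].add(seg)
            if len(active[uuid]) > 1:
                flagged[uuid] |= set(active[uuid])
        elif rec["event"] == "offline":
            active[uuid].discard(seg)
    return dict(flagged)


if __name__ == "__main__":
    for uuid, segs in find_duplicate_uuids(SAMPLE_LOG).items():
        print(f"ALERT: {uuid} online on multiple segments: {sorted(segs)}")
```

The check keys on simultaneous presence rather than on any single deactivate/reactivate request, because a lone reactivation is, as the post notes, a routine support action; only the overlap distinguishes a cloned modem from a customer who moved.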
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 15:07:05 PDT