Re: KSR[T] Advisories #012: Hybrid Network's Cable Modems

From: Derek J. Balling (dreddat_private)
Date: Fri Oct 08 1999 - 14:11:47 PDT


Other cable ISPs, such as ones which I have worked for in the past, brought
the problem to Hybrid's attention almost TWO YEARS ago.

Hybrid gear is heavily insecure both in the field (their modems) and in the
headend (their headend hardware is EXTREMELY insecure and susceptible to
hacks, using r* commands all over the place to communicate back and forth
among the boxen).

There are exploit possibilities with Hybrid gear which allow you to
reprogram your UUID in your modem to be the same as someone else's. If you
contact the cable provider and social engineer them into deactivating and
reactivating the UUID (a common solution employed for solving connectivity
issues with Hybrid gear), then your modem will accept the NOS download as
well as all of the victim's configuration settings, allowing the altered
modem to completely impersonate the victim's modem. At that point, they
will be completely identical.

As I said, this was brought to their attention two years ago, give or take,
and Hybrid claimed that such a scenario "would never happen". They made no
effort to secure the modems, and a minimal effort to secure the boxes.
(Attempts to convert the r* commands to at least use s* commands failed
miserably, and Hybrid insisted that 'using r* was absolutely necessary for
their architecture').

D
    
    
    
>As the author of the above program, I'd like to mention -- in case Hybrid
>tries to play innocent -- that I brought this to RCN's attention back in
>April of this year.  The RCN folks spoke to the Hybrid folks, but as far
>as I can tell nothing came of it.  I'm not sure they took the warning all
>that seriously.
>
>(RCN is a cable/cable modem/telephone provider out here in MA [and
>elsewhere in the northeast].)
>
>After speaking with RCN about the problem, I was told that due to the
>configuration of their network, they were unable to implement a block that
>would be effective against machines on the same cable segment.  In this
>case, port blocking offers only limited security -- even with HSMP blocked
>at the organization level, it may still be possible to exploit other
>security issues and gain access to a machine on your favorite local
>segment and work from there.
>
>In any case, I'm glad that someone has found my code to be...err, useful.
>Be nice.
>
>-- Lars
>
>--
>Lars Kellogg-Stedman * larsat_private * (617)353-5228
>Department of Computer Science, Boston University