Re: Hijack IP Address using cable modem

From: Rev. Chris Cappuccio (chrisat_private)
Date: Sat Apr 28 2001 - 22:36:33 PDT

    On Sat, 28 Apr 2001, Rajkumar S. wrote:
    
     | Any one with any experience with this OS. Some bugs are bound to occur.
    
    The Surfboard OS is VxWorks; it seems to be used in many smaller devices that
    need an IP stack.
    
    The web server on the Motorola (formerly General Instruments) Surfboard
    (2000?)/3000/4000 series gives plenty of information about the internal IP
    address scheme for the provider's Hybrid Fiber-Coax network, as well as the
    features of the modem.  One interesting piece of information is the TFTP
    server which the modem grabs its configuration file from and that file name.
    All DOCSIS cable modems seem to grab a configuration file that is around 120
    bytes in size, and although I have not studied the DOCSIS specification
    closely, I believe this at least tells the modem what uplink and downlink
    speeds to operate at.  It must also tell the modem other parameters to use on
    the cable network.  Most providers appear to use a generic configuration file
    for many customers.
    
    Further, DOCSIS cable providers use an internal IP address scheme strictly
    for addressing Hybrid Fiber-Coax connected devices like the cable modems and
    bridges.  If you can figure out what this network is, for instance from the
    information provided from the web server on your Surfboard, you can talk to
    any cable modem on your network.
    
    This in itself is an interesting security hole from the idea that you can do
    extensive information gathering, not from other modems' web servers, but from
    SNMP.  Install ucd-snmp and try snmpwalk 192.168.100.1 public!  You can get
    most, if not all, of the information that the Surfboard's web server will
    give you, plus a lot more.  I've only used the web server on the Surfboard.
    Other modems, like the ever popular Toshiba, still give out extensive
    information via SNMP.  It must be hard (read: impractical) for cable vendors
    and providers to secure SNMP over a wide deployment, so this doesn't seem all
    that unusual.  But, keep in mind, providers use SNMP for a wide variety of
    tasks to manage the modem, and they use information from the modem to manage
    the network.
    
    For anyone who wants to play with their Motorola Surfboard, just add an IP
    alias on your system as 192.168.100.xx (except .1) and connect to
    192.168.100.1 to check out the modem.  You don't even have to add the alias,
    the Surfboard seems to intercept outgoing connections to 192.168.100.1
    regardless of the MAC address they are intended for.  But, I don't know how
    reliable this is.
    
    It is of course possible that the Surfboard or other cable modems may be
    vulnerable to some kind of problems where an intruder could change settings
    or even load up new firmware.  I think it is likely that they are vulnerable
    to some DoS attacks; I am thinking along the lines of nuke, teardrop, etc.
    Because of the wide open nature of SNMP on these cable modems (e.g. you most
    likely can talk to any cable modem in your area with SNMP if you are on one),
    I do not think very highly of the general security here.  Actually, that
    would be understating my opinion.  On the positive side, the Surfboard in
    particular does not respond to IP connections coming in to its hybrid
    fiber-coax IP on the web server port, but it does respond to SNMP.  I think
    this is specified in DOCSIS.
    
    Motorola's security policy to handle this area is the same (FAILED) policy it
    used with its cell phones.  Only make modem management information available
    to 'registered users', the cable companies.  Motorola has a web site which
    you can download detailed manuals for the Surfboard, but you have to sign up
    and match a registered customer.  This policy failed with the cell phones,
    because the information on how to access the internal/debugging features of
    their cell phones was leaked, and that was only in between the times when
    'unregistered' users were getting the information directly from Motorola,
    after paying lip service to Motorola on their status or intended usage.
    
    I have only glanced at the (freely available online at cablelabs.com)
    specifications for DOCSIS.  I don't know how it works in terms of security or
    encryption.  I wonder how much is left up to the user (cable modem) versus
    the head end.  I imagine that, with more information from Motorola on how to
    access the modem, you could manipulate the speeds that your modem runs at,
    and possibly gain control of the cable network in other ways that are clearly
    not intended for the end user.  Cable looks like a can of worms, just like
    cell phones, and the vendors should be held responsible.  Stop-gap measures
    like limiting access to the manuals are poor band-aids to more serious
    problems.
    
    If you are going to play with your modem, look at the information from it
    carefully, and keep in mind that your modem has its own MAC address which
    identifies to the cable system who you are (matching back from their database
    with the MAC) and what config file you get from the TFTP server.
    
    ---
    Rev. Chris Cappuccio
    http://www.dqc.org/~chris/
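
The config file the post describes is a DOCSIS TLV file, and the "speeds" the poster guesses at live in its Class of Service entry. The following is an added example, not code from the poster or from Motorola: a parser for a DOCSIS 1.0-style config file that extracts those rates and checks the CM Message Integrity Check. It assumes the DOCSIS 1.0 TLV layout (type 3 Network Access Control, type 4 Class of Service with sub-TLVs 2 and 3 for the maximum downstream and upstream rates, type 6 CM MIC, type 7 CMTS MIC, type 18 maximum CPEs, type 255 end marker) and that the CM MIC is an MD5 over every byte preceding the CM MIC TLV. The CMTS MIC is keyed with the operator's shared secret, so it is parsed but not verified here. The sample file is constructed inline; it is not a real operator file.

```python
import hashlib

# Names for the DOCSIS 1.0 top-level TLV types handled below (assumed layout).
COS_SUBTLV_NAMES = {
    1: "Class ID",
    2: "Maximum Downstream Rate (bps)",
    3: "Maximum Upstream Rate (bps)",
    4: "Upstream Channel Priority",
    5: "Guaranteed Minimum Upstream Rate (bps)",
    6: "Maximum Upstream Burst (bytes)",
    7: "Class-of-Service Privacy Enable",
}


def parse_tlvs(data):
    """Return a list of (type, value, offset) triples.

    Type 0 is a pad byte and is skipped; type 255 is the end-of-data marker.
    A TLV whose length runs past the end of the buffer raises ValueError,
    which is the failure mode a truncated TFTP transfer produces.
    """
    items = []
    i = 0
    while i < len(data):
        t = data[i]
        if t == 255:
            break
        if t == 0:
            i += 1
            continue
        if i + 1 >= len(data):
            raise ValueError("truncated TLV header at offset %d" % i)
        length = data[i + 1]
        value = data[i + 2 : i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated value for TLV type %d at offset %d" % (t, i))
        items.append((t, value, i))
        i += 2 + length
    return items


def parse_config(data):
    """Decode the fields of interest into a dict."""
    cfg = {"network_access": None, "class_of_service": [], "max_cpes": None,
           "cm_mic": None, "cmts_mic": None}
    for t, v, _ in parse_tlvs(data):
        if t == 3:                       # Network Access Control: 1 = forward CPE traffic
            cfg["network_access"] = v[0] == 1
        elif t == 4:                     # Class of Service: nested sub-TLVs
            cos = {}
            for st, sv, _ in parse_tlvs(v):
                name = COS_SUBTLV_NAMES.get(st, "Unknown sub-TLV %d" % st)
                cos[name] = int.from_bytes(sv, "big")
            cfg["class_of_service"].append(cos)
        elif t == 6:
            cfg["cm_mic"] = v
        elif t == 7:
            cfg["cmts_mic"] = v
        elif t == 18:
            cfg["max_cpes"] = v[0]
    return cfg


def verify_cm_mic(data):
    """CM MIC (assumed): MD5 over every byte of the file before the type-6 TLV.

    There is no key, so this catches corruption, not deliberate edits; the keyed
    CMTS MIC (type 7) is what the head end relies on for that.
    """
    for t, v, off in parse_tlvs(data):
        if t == 6:
            return hashlib.md5(data[:off]).digest() == v
    return False


def build_sample_config():
    """Constructed sample: 10 Mbit/s down, 1 Mbit/s up, 2 CPEs (made-up values)."""
    cos = (bytes([1, 1, 1])
           + bytes([2, 4]) + (10_000_000).to_bytes(4, "big")
           + bytes([3, 4]) + (1_000_000).to_bytes(4, "big")
           + bytes([4, 1, 3])
           + bytes([6, 2]) + (1522).to_bytes(2, "big"))
    body = bytes([3, 1, 1]) + bytes([4, len(cos)]) + cos + bytes([18, 1, 2])
    cm_mic = hashlib.md5(body).digest()
    cmts_mic = bytes(16)  # placeholder: a real file carries HMAC-MD5 with the operator secret
    return body + bytes([6, 16]) + cm_mic + bytes([7, 16]) + cmts_mic + bytes([255])


if __name__ == "__main__":
    sample = build_sample_config()
    print("file size: %d bytes" % len(sample))
    print(parse_config(sample))
    print("CM MIC ok:", verify_cm_mic(sample))
```

Run it as a script to see the decoded fields; flip any byte in the Class of Service entry and `verify_cm_mic` returns False, which is the only integrity check a modem can perform without the operator's secret.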
    
    This archive was generated by hypermail 2b30 : Sun Apr 29 2001 - 10:59:05 PDT