Security Basics mailing list archives

RE: ISP reconfiguring cable modem?


From: Tony Kava <securityfocus () pottcounty com>
Date: Thu, 3 Jun 2004 09:21:51 -0500

On 3 June 2004, Joshua M. Jones wrote:

Let me throw this scenario at you folks. What if you owned your own
cable modem and the ISP DID modify your modem such as flashing the
firmware? I have a good example of that. The Motorola has a way of
uncapping or editing your config file as you will. What legal rights
does the ISP have upgrading a personal modem that was bought from
an online store? That would be another interesting topic to discuss
as I am sure many ISPs are implementing their own ways to prevent
abusers stealing more bandwidth.

This is an important topic.  While the ISP does not have to update your
modem's firmware to change its restrictions, some modems have shipped with
bugs that allowed the user to mess with their configuration.  I recall (and
was able to duplicate) an issue with older Com21 modems wherein the modem
would attempt to boot from the ethernet port.  If you could get it to
successfully boot from the ethernet port you would have complete control of
the modem.

The ISP I worked at only allowed its own modems on the network so that made
this a non-issue.  It is my understanding that ISPs do update firmware of
modems that have been purchased elsewhere.  I can understand their desire to
protect their network, but I am a fan of informing the customer.  Their TOS
probably covers this somewhere, but most customers will not read their TOS
or at most only skim over it.

A couple years ago I was able to use SNMP tools to gather statistical data
about my cable modem.  Cox had allowed read-only access to my modem using
the 'public' community name.  One day my graphs stopped working.  Cox had
disabled SNMP access to a modem that I owned (it was not provided by them).
Better yet, when I e-mailed or called Cox no one would admit that anything
was changed.  Instead I was usually told that what I was trying to do was
against the rules.

The problem I had with this is that they removed access to my own piece of
equipment.  They have the argument that it is on their network, but I was
not notified of a change nor would they admit to the change when I initially
spoke with their tech support representatives.  Eventually they told me that
the change was to prevent people from stealing service.  Although SNMP
access does provide you with some important configuration information (TFTP
server, frequencies), all of this information is available by the web
interface on most newer modems including mine.

If you are still reading after your rambling, I can tell you that there are
at least a few easy ways to tell if your customers are messing around with
their modems.  I had scripts that ran multiple times each day.  The scripts
would enumerate our modems from the CMTS, check the bandwidth limits on the
modem using SNMP, and generate a log of modems that did not match the
service for which they were paying.  Of course, if someone uncaps their
modem they will probably disable SNMP access to hide this fact.  That's why
I also logged modems that did not respond to SNMP.  The other time-tested
method is to meter the bandwidth usage of your modems (all or maybe a
suspicious subset).  When you measure usage that exceeds their bandwidth
limitations you investigate.

I apologize for being so long-winded in my reply.  The points I wanted to
make are that 1. ISPs do have methods of detecting abuse without being
invasive and 2. I personally dislike ISPs that are not upfront with
customers or quietly make changes to customer-owned equipment.

--
Tony Kava
Senior Network Administrator
Pottawattamie County, Iowa
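
The audit described in the message above (compare each modem's SNMP-reported
limits with the paid tier, log modems that do not answer SNMP, and cross-check
against metered usage), as an added example that is not part of the original
post. The tier table, record fields, tolerance and sample polls are constructed
assumptions; a real script would fill them from the CMTS, SNMP and billing data.

```python
from dataclasses import dataclass
from typing import Optional

# Service tiers: name -> (max downstream, max upstream) in bits per second.
# Constructed values for illustration.
TIERS = {"basic": (1_500_000, 256_000), "premium": (3_000_000, 512_000)}

@dataclass
class Poll:
    mac: str                   # modem MAC as enumerated from the CMTS
    tier: str                  # tier the subscriber pays for (billing data)
    snmp_down: Optional[int]   # limit read from the modem; None = no SNMP reply
    snmp_up: Optional[int]
    metered_down: int          # peak downstream rate measured upstream, bits/s

def audit(polls, tolerance=1.10):
    """Return (mac, reason) pairs for modems that need investigation."""
    findings = []
    for p in polls:
        down, up = TIERS[p.tier]
        if p.snmp_down is None or p.snmp_up is None:
            # Silence is logged too: SNMP may have been disabled to hide a change.
            findings.append((p.mac, "no-snmp-response"))
        elif (p.snmp_down, p.snmp_up) != (down, up):
            findings.append((p.mac, "limit-mismatch"))
        # Metering does not depend on what the modem reports about itself.
        if p.metered_down > down * tolerance:
            findings.append((p.mac, "usage-exceeds-tier"))
    return findings

# Constructed sample polls (MACs from the documentation range 00:00:5e:00:53:xx).
SAMPLE = [
    Poll("00:00:5e:00:53:01", "basic", 1_500_000, 256_000, 1_400_000),
    Poll("00:00:5e:00:53:02", "basic", 10_000_000, 1_000_000, 6_200_000),
    Poll("00:00:5e:00:53:03", "premium", None, None, 2_900_000),
    Poll("00:00:5e:00:53:04", "basic", None, None, 4_800_000),
]

if __name__ == "__main__":
    for mac, reason in audit(SAMPLE):
        print(f"{mac}\t{reason}")
```

A modem that is silent on SNMP but within its metered limit is logged for
follow-up only; the metering finding is what separates it from one that is
silent and over its tier.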
 

