Bugtraq mailing list archives

3Com cable modems / Mediaone


From: security () CABOVISAO PT (Luis Henriques)
Date: Tue, 30 Nov 1999 11:10:27 +0000


Hi, before I answer the security question regarding the 3COM cable modem, I
would like to make something clear... the basic rule for security issues
with cable modems used to be "all cable modems were not born equal",
meaning every manufacturer (i.e. 3com, com21, nortel, motorola, terayon,
etc.) had their own proprietary standards and what was true for one cable
modem was hardly ever true on another.  Quite recently (last year or so)
standards for these devices have been developing (this is a good thing for
consumers). First under the name "MCNS" and recently under the name
"DOCSIS" (Data-Over-Cable Service Interface Specification). (More info
about that at www.cablelabs.com & www.cablemodem.com and even more at
www.cablemodeminfo.com ).

At present most cable modem manufacturers are at version 1.0 of this
standard (and we all know what this means). Anyways, what we're getting at
here is that now what may affect a 3COM modem may very well affect a slew
of other manufacturers. This, however, is not to say cable modems are full
of security issues. In fact I would argue that DOCSIS cable modems are
very likely one of the most secure methods of accessing the internet, since
data between your modem and the CMTS (Cable Modem Termination System) in
your cable provider's head end (equipment room) is first of all encrypted
and secondly modulated in (QAM or QPSK) Radio Frequency which to most
people will look like a bunch of noise.  Thirdly, most if not all cable
providers assign DOCSIS cable modems private IP addresses for management
purposes via the standard BOOTP process. Needless to say, that's a lot more
security than any dial-up connection I'm aware of.  Now, because the
modems' IPs are private, this usually means they are not reachable from the
internet so it is somewhat safe from external intruders. The BOOTP process
itself is carried out from the RF (coaxial) interface on your modem and not
from the ethernet side, so it will be a little hard for you to manage
this process without owning your own CMTS.

Now here's the interesting part... The BOOTP process is a process similar
to DHCP which not only assigns your modem an IP address but also uploads a
configuration file (most of which are binary or md5 files) via TFTP. The
content of these configuration files are things such as what frequencies
your modem should talk at over the RF network, the IP of the upgrade
server, any protocol filters implemented (such as NetBEUI equivalent
blocking so you can't see all your neighbours in your windows network
neighbourhood icon) and last but not least the speed at which your modem
should function for uploads and downloads.  So, even if you somehow managed
to miraculously modify your cable modem's config file, keep in mind that
every time your modem powers up it initiates that BOOTP process via the RF
side and your Cable Provider would upload you a fresh config file that
would override anything you had preset.

Now to answer your question.... 3COM has plenty of info about their cable
modems on their site http://www.3com.com/products/cablemodem/ , in fact,
they even have the manuals http://consumer.3com.com/cable/manual/index.html .
This so called "firmware" is uploaded to your cable modem by your
Cable provider with the intent to provide you the latest features or bug
patches.  This procedure is usually done via SNMP. Hope that's enough to
chew on for a while ;-)

Luis Henriques

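[Editor's note: the following is an added worked example, not part of Luis Henriques' post or any 3Com/CableLabs code. It builds, parses and integrity-checks a DOCSIS 1.0-style TFTP configuration file of the kind described above, using the top-level TLV type numbers from the CableLabs spec (1 = downstream frequency, 2 = upstream channel, 3 = network access, 4 = class of service with its rate-limit sub-TLVs, 6 = CM MIC, 7 = CMTS MIC, 9 = software upgrade filename, 21 = software upgrade TFTP server, 255 = end of data). All frequencies, rates, filenames and addresses are constructed sample values. The "md5" in the post refers to the CM MIC (TLV 6), which is a plain, unkeyed MD5 over the bytes preceding it: anyone who edits the file can recompute it, as the tamper step shows. What the modem cannot recompute is the CMTS MIC (TLV 7), an HMAC-MD5 keyed with a secret shared only between the provisioning system and the CMTS; that keyed check, which is omitted here because it needs the operator's secret, is the one that actually makes a home-edited config file fail registration.]

```python
"""Build, parse and integrity-check a DOCSIS 1.0-style cable modem config file.

Added example for this archive page; not code from the original post.
TLV type numbers follow the CableLabs DOCSIS 1.0 configuration file format;
every sample value below is constructed for illustration.
"""
import hashlib
import socket
import struct

# Top-level TLV types (DOCSIS 1.0 config file).
T_DOWNSTREAM_FREQ = 1     # 4 bytes, Hz
T_UPSTREAM_CHANNEL = 2    # 1 byte, upstream channel ID
T_NETWORK_ACCESS = 3      # 1 byte, 1 = CPE traffic allowed
T_CLASS_OF_SERVICE = 4    # compound TLV carrying the rate limits
T_CM_MIC = 6              # 16 bytes, unkeyed MD5 over everything before it
T_CMTS_MIC = 7            # 16 bytes, HMAC-MD5 with the CMTS shared secret (not computed here)
T_SW_UPGRADE_FILE = 9     # ASCII filename fetched from the upgrade server
T_SW_UPGRADE_SERVER = 21  # 4-byte IPv4 address of the upgrade TFTP server
T_END = 255               # end-of-data marker
T_PAD = 0                 # single pad byte, no length field

# Class-of-service sub-TLVs (inside type 4).
COS_CLASS_ID = 1
COS_MAX_DOWN_RATE = 2     # bits per second, 4 bytes
COS_MAX_UP_RATE = 3       # bits per second, 4 bytes
COS_PRIVACY_ENABLE = 7    # 1 = baseline privacy (link encryption) on


def tlv(t, value):
    """Encode one element as a 1-byte type, 1-byte length and the value."""
    if len(value) > 255:
        raise ValueError("TLV value too long for a 1-byte length")
    return bytes([t, len(value)]) + value


def build_config(down_freq_hz, up_chan, max_down_bps, max_up_bps,
                 upgrade_file, upgrade_server):
    """Assemble a config body, then append the CM MIC and the end marker."""
    cos = (tlv(COS_CLASS_ID, b"\x01")
           + tlv(COS_MAX_DOWN_RATE, struct.pack(">I", max_down_bps))
           + tlv(COS_MAX_UP_RATE, struct.pack(">I", max_up_bps))
           + tlv(COS_PRIVACY_ENABLE, b"\x01"))
    body = (tlv(T_DOWNSTREAM_FREQ, struct.pack(">I", down_freq_hz))
            + tlv(T_UPSTREAM_CHANNEL, bytes([up_chan]))
            + tlv(T_NETWORK_ACCESS, b"\x01")
            + tlv(T_CLASS_OF_SERVICE, cos)
            + tlv(T_SW_UPGRADE_FILE, upgrade_file.encode("ascii"))
            + tlv(T_SW_UPGRADE_SERVER, socket.inet_aton(upgrade_server)))
    cm_mic = hashlib.md5(body).digest()  # unkeyed: anyone can recompute it
    return body + tlv(T_CM_MIC, cm_mic) + bytes([T_END])


def parse_tlvs(data):
    """Return a list of (type, value) pairs; skips pad bytes, stops at end-of-data."""
    out, i = [], 0
    while i < len(data):
        t = data[i]
        if t == T_END:
            break
        if t == T_PAD:
            i += 1
            continue
        if i + 1 >= len(data):
            raise ValueError("truncated TLV header")
        ln = data[i + 1]
        value = data[i + 2:i + 2 + ln]
        if len(value) != ln:
            raise ValueError("truncated TLV value")
        out.append((t, value))
        i += 2 + ln
    return out


def decode_config(data):
    """Extract the settings the post lists: frequency, upgrade server, rate limits."""
    cfg = {}
    for t, v in parse_tlvs(data):
        if t == T_DOWNSTREAM_FREQ:
            cfg["downstream_hz"] = struct.unpack(">I", v)[0]
        elif t == T_UPSTREAM_CHANNEL:
            cfg["upstream_channel"] = v[0]
        elif t == T_NETWORK_ACCESS:
            cfg["network_access"] = bool(v[0])
        elif t == T_CLASS_OF_SERVICE:
            for st, sv in parse_tlvs(v):  # sub-TLVs use the same encoding
                if st == COS_MAX_DOWN_RATE:
                    cfg["max_down_bps"] = struct.unpack(">I", sv)[0]
                elif st == COS_MAX_UP_RATE:
                    cfg["max_up_bps"] = struct.unpack(">I", sv)[0]
        elif t == T_SW_UPGRADE_FILE:
            cfg["upgrade_file"] = v.decode("ascii")
        elif t == T_SW_UPGRADE_SERVER:
            cfg["upgrade_server"] = socket.inet_ntoa(v)
    return cfg


def verify_cm_mic(data):
    """Recompute MD5 over the bytes before TLV 6 and compare it with the stored MIC."""
    i = 0
    while i < len(data):
        t = data[i]
        if t == T_PAD:
            i += 1
            continue
        if t == T_END or i + 1 >= len(data):
            return False  # reached the end without finding a CM MIC
        ln = data[i + 1]
        if t == T_CM_MIC:
            return hashlib.md5(data[:i]).digest() == data[i + 2:i + 2 + ln]
        i += 2 + ln
    return False


if __name__ == "__main__":
    cfg = build_config(591000000, 3, 1500000, 256000, "cmx-1.2.3.bin", "10.10.1.5")
    print(decode_config(cfg), "CM MIC ok:", verify_cm_mic(cfg))
    forged = bytearray(cfg)
    forged[19:23] = struct.pack(">I", 10000000)  # bump the downstream rate limit in place
    print(decode_config(bytes(forged)), "CM MIC ok:", verify_cm_mic(bytes(forged)))
```

Note that after the in-place edit the unkeyed CM MIC no longer matches, but recomputing it is a one-liner; the CMTS MIC is what the head end actually relies on, because it cannot be regenerated without the operator's shared secret.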
-----------------------------------
Date:    Sat, 27 Nov 1999 14:09:44 -0600
From:    Signal 11 <signal11 () MEDIAONE NET>
Subject: 3Com cable modems / Mediaone
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit

I'm not certain this is the appropriate forum to discuss this,
however I've been unable to locate any documentation about this
on 3Com's website nor has technical support been helpful in
enlightening me (I have called their 800 number).

The 3Com external cablemodem (CMX) allows the upstream provider
to download firmware updates into your cablemodem.  This can
(and I suspect usually is) done without the user's knowledge,
and it took some digging to uncover this "feature".  The cable
modem can also be reprogrammed via a serial port in back,
although my attempts to access it have proven futile.
I am also very curious to find out how to telnet into this thing,
as there are references to it being "password protected"
to prevent intruders.  Somehow I rather doubt mine was
given a password (and thus open to the whole world).

I'm very much concerned about using a device, which has
little/no technical specifications, with my system.
Can firmware be uploaded by anyone?  How does the modem
authenticate the head-end system?  Does anyone have any
information on how to reprogram this modem?

