Bugtraq mailing list archives
Re: KSR[T] Advisories #012: Hybrid Network's Cable Modems
From: dredd () MEGACITY ORG (Derek J. Balling)
Date: Fri, 8 Oct 1999 14:11:47 -0700
Other cable ISPs, such as ones which I have worked for in the past, brought the problem to Hybrid's attention almost TWO YEARS ago. Hybrid gear is heavily insecure both in the field (their modems) and in the headend (their headend hardware is EXTREMELY insecure and susceptible to hacks, using r* commands all over the place to communicate back and forth among the boxen).

There are exploit possibilities with Hybrid gear which allow you to reprogram your UUID in your modem to be the same as someone else's. If you contact the cable provider and social engineer them into deactivating and reactivating the UUID (a common solution employed for solving connectivity issues with Hybrid gear), then your modem will accept the NOS download as well as all of the victim's configuration settings, allowing the altered modem to completely impersonate the victim's modem. At that point, they will be completely identical.

As I said, this was brought to their attention two years ago, give or take, and Hybrid claimed that such a scenario "would never happen". They made no effort to secure the modems, and a minimal effort to secure the boxes. (Attempts to convert the r* commands to at least use s* commands failed miserably, and Hybrid insisted that 'using r* was absolutely necessary for their architecture'.)

D
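The message above objects to headend boxes talking to each other over the BSD r* services (rexec, rlogin, rsh), which carry credentials and commands in cleartext, and to the vendor's refusal to move to s* (ssh) equivalents. A defender who inherits such a network can at least see the problem: the script below is an added example, not code from the original post or from Hybrid, that flags r-service connections in flow records and rates them by whether the client is inside an assumed headend management subnet. The subnet, the flow format and the sample flows are all constructed for this example.

```python
import ipaddress
from collections import Counter

# Well-known TCP ports of the BSD r-services. All three authenticate by
# trusted host/user name (or cleartext password for rexec) and carry the
# session unencrypted, which is why the poster wanted them replaced by ssh.
R_SERVICE_PORTS = {512: "rexec", 513: "rlogin", 514: "rsh"}

# Assumed headend management subnet (constructed for this example).
HEADEND_NET = ipaddress.ip_network("10.200.0.0/24")

# Constructed flow records: "src_ip src_port dst_ip dst_port proto".
SAMPLE_FLOWS = """\
10.200.0.10 40101 10.200.0.11 514 tcp
10.200.0.11 40222 10.200.0.10 513 tcp
10.200.0.10 40333 10.200.0.12 22 tcp
192.0.2.44 51000 10.200.0.10 514 tcp
10.200.0.12 40444 10.200.0.10 512 tcp
10.200.0.10 40555 10.200.0.11 80 tcp
""".splitlines()


def parse_flow(line):
    """Split one whitespace-separated flow record into typed fields."""
    src, sport, dst, dport, proto = line.split()
    return {
        "src": ipaddress.ip_address(src),
        "sport": int(sport),
        "dst": ipaddress.ip_address(dst),
        "dport": int(dport),
        "proto": proto.lower(),
    }


def find_r_service_flows(lines, mgmt_net=HEADEND_NET):
    """Return (src, dst, service, severity) for every TCP flow to an r-service port.

    Any r-service use is worth fixing (medium); a client outside the
    management subnet reaching an r-service port on a headend box is rated
    high, because the trust model of these services assumes a closed network.
    """
    findings = []
    for line in lines:
        if not line.strip():
            continue
        flow = parse_flow(line)
        if flow["proto"] != "tcp" or flow["dport"] not in R_SERVICE_PORTS:
            continue
        service = R_SERVICE_PORTS[flow["dport"]]
        severity = "medium" if flow["src"] in mgmt_net else "high"
        findings.append((str(flow["src"]), str(flow["dst"]), service, severity))
    return findings


def summarize(findings):
    """Count findings per r-service, useful for a quick inventory before migration."""
    return Counter(service for _, _, service, _ in findings)


if __name__ == "__main__":
    hits = find_r_service_flows(SAMPLE_FLOWS)
    for src, dst, service, severity in hits:
        print(f"{severity:6} {service:6} {src} -> {dst}")
    print(dict(summarize(hits)))
```

Run against real flow exports the same inventory tells you which hosts still depend on r-services, which is the list to work through when replacing them with ssh and restricting ports 512 to 514 at the management network boundary.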
As the author of the above program, I'd like to mention -- in case Hybrid tries to play innocent -- that I brought this to RCN's attention back in April of this year. The RCN folks spoke to the Hybrid folks, but as far as I can tell nothing came of it. I'm not sure they took the warning all that seriously. (RCN is a cable/cable modem/telephone provider out here in MA [and elsewhere in the northeast].)

After speaking with RCN about the problem, I was told that due to the configuration of their network, they were unable to implement a block that would be effective against machines on the same cable segment. In this case, port blocking offers only limited security -- even with HSMP blocked at the organization level, it may still be possible to exploit other security issues and gain access to a machine on your favorite local segment and work from there.

In any case, I'm glad that someone has found my code to be...err, useful. Be nice.

-- Lars

--
Lars Kellogg-Stedman * lars () bu edu * (617)353-5228
Department of Computer Science, Boston University
Current thread:
- KSR[T] Advisories #012: Hybrid Network's Cable Modems KSR[T] Contact Account (Oct 06)
- Re: KSR[T] Advisories #012: Hybrid Network's Cable Modems Lars Kellogg-Stedman (Oct 07)
- Re: KSR[T] Advisories #012: Hybrid Network's Cable Modems Derek J. Balling (Oct 08)
- Administrivia Elias Levy (Oct 11)
- Re: KSR[T] Advisories #012: Hybrid Network's Cable Modems Jon Paul, Nollmann (Oct 12)
- Re: KSR[T] Advisories #012: Hybrid Network's Cable Modems Derek Balling (Oct 12)
- Re: KSR[T] Advisories #012: Hybrid Network's Cable Modems Joe Shaw (Oct 13)
- Re: KSR[T] Advisories #012: Hybrid Network's Cable Modems Lars Kellogg-Stedman (Oct 07)