Bugtraq mailing list archives

Re: KSR[T] Advisories #012: Hybrid Network's Cable Modems


From: dredd () MEGACITY ORG (Derek Balling)
Date: Tue, 12 Oct 1999 15:20:06 -0700


If you can get them to solve the problem, GOOD LUCK!

The company I used to work for was, arguably, one of Hybrid's largest
customers. When we reported the problem to them two years ago, and
indicated that it was completely unacceptable and that it had to be
corrected or we would go elsewhere (a complete bluff because Hybrid pretty
much has the wireless telco-return market all to itself) they basically
told us to pound sand, that it wasn't a bug, it wasn't a problem, and they
weren't in the least bit concerned.

Despite the fact that their headend hardware depends on source-address
security for allowing r* commands back and forth between the CMGR and the
CMDs and/or CMUs.

There really are two separate security concerns when dealing with Hybrid.
The first is the already-mentioned and discussed lack of security in their
CPE. The other is the lack of security in their head-end equipment.

This can be verified by any ISP who has deployed Hybrid headend hardware
simply by letting some security consultants loose on it. Trust me. It is a
painful thing to watch someone compromise a network -- even when you're
paying them to do it -- because of a box that you CANNOT disable r*
commands on or it ceases to function.

Companies with a business model predicated around Hybrid hardware should
treat them as being compromised already, place them behind a firewall
allowing no external connectivity directly to them. They literally should
have a firewall between them and any other network that needs to get data
to and from the cable modem subscriber.

That's my experience "from the field" of spending a year going round and
round with Hybrid trying to convince them to clean up their act. I don't
expect it to change any time soon.

D

At 12:29 AM 10/12/99 -0700, Jon Paul Nollmann wrote:
Sorry, but I missed the first post.

I tried out all three clients, and they all work against Hybrid radio
networking modems.  These are used by a number of radio network
providers, who provide long-haul (20km+) high speed (1Mbps) radio
service.  The specific one I'm using is the CCM-231 (if you read the
case) or the CCM-311 (if you use the "version" HSMP command).  NOS
version 70471.

At this point, I'd assume that the exploit applies to all of Hybrid's
product line.

My provider spoke with Hybrid this morning, and apparently Hybrid has
a patch for the problem that fixes it in some unspecified way.  According
to my provider, Hybrid merely said that "only people you allow will be
able to configure the modems" but that they made clear that remote
configuration was still enabled.  Maybe they'll use a password (easily
sniffable).  I think it's more likely at this point that Hybrid will
merely check the source address (!) of the packets, and compare those
addresses with a table configured by the provider.

I'd like to believe that Hybrid will fix this in a sane way, but since
they're remaining hush-hush about the fix, I think the chances of that
are very slim.

--
Jon Paul Nollmann ne' Darren Senn                      sinster () balltech net
Unsolicited commercial email will be archived at $1/byte/day.
Dis.Org's propensity for casual violence is little different from that of
any street gang.                                             Carolyn Meinel


--
Jon Paul Nollmann ne' Darren Senn                      sinster () balltech net
Unsolicited commercial email will be archived at $1/byte/day.
"Tis better to remain silent and be thought a fool, than to speak up and
remove all doubt."                                        Benjamin Franklin
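The advice above is to treat Hybrid headend gear as already compromised and put a firewall between it and every other network, because the CMGR/CMD/CMU r* trust is keyed on nothing but the sender's IP address. The script below is an added example of what that firewall looks like, written by the editor and not taken from Hybrid or from either poster. It assumes a Linux box with iptables sitting between a subscriber-facing interface and a headend management segment; the interface names (eth0, eth1), the management subnet (10.200.0.0/24) and the single NOC admin host (10.10.1.5) are placeholders chosen for the example. It also assumes rsh/rlogin/rexec on tcp 512-514 are the r* services in question. By default it prints the rules (dry run); set IPT=iptables to apply them.

```shell
#!/bin/sh
# Added example: isolate a headend management segment with iptables.
# Not Hybrid's configuration; interfaces and addresses below are assumptions.
set -eu

IPT="${IPT:-echo iptables}"              # default is dry-run; IPT=iptables to apply
MGMT_IF="${MGMT_IF:-eth1}"               # toward the CMGR/CMD/CMU headend gear (assumed)
SUB_IF="${SUB_IF:-eth0}"                 # toward subscribers and the rest of the ISP (assumed)
MGMT_NET="${MGMT_NET:-10.200.0.0/24}"    # headend management subnet (assumed)
ADMIN_HOST="${ADMIN_HOST:-10.10.1.5}"    # the one NOC host allowed to reach the headend (assumed)

headend_firewall() {
    # Default-deny for anything crossing the firewall.
    $IPT -P FORWARD DROP
    $IPT -F FORWARD

    # 1. Anti-spoofing: a packet claiming a management-net source address must
    #    never arrive on the subscriber side. This is the hole in
    #    "source-address security": r* trust keyed on the sender's IP.
    $IPT -A FORWARD -i "$SUB_IF" -s "$MGMT_NET" -j DROP

    # 2. Nothing from outside may speak rsh/rlogin/rexec (tcp 512-514) to the
    #    headend at all, whatever source address it carries.
    $IPT -A FORWARD -i "$SUB_IF" -o "$MGMT_IF" -d "$MGMT_NET" \
        -p tcp --dport 512:514 -j DROP

    # 3. Only the NOC admin host may open connections to the headend; the
    #    headend may only answer established connections back out.
    $IPT -A FORWARD -i "$SUB_IF" -o "$MGMT_IF" -s "$ADMIN_HOST" -d "$MGMT_NET" \
        -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
    $IPT -A FORWARD -i "$MGMT_IF" -o "$SUB_IF" -s "$MGMT_NET" \
        -m conntrack --ctstate ESTABLISHED -j ACCEPT

    # 4. Log and drop everything else headed for the headend, so an attempt
    #    to reach it from the subscriber side shows up in syslog.
    $IPT -A FORWARD -d "$MGMT_NET" -j LOG --log-prefix "headend-drop: "
    $IPT -A FORWARD -d "$MGMT_NET" -j DROP
}

headend_firewall
```

Rule 1 is the one that matters most for the r* problem: even with rule 3 in place, an outsider could forge packets with the admin host's or the management subnet's source address, so the firewall must refuse management-net sources on the subscriber interface before any allow rule is consulted. The r* trust between CMGR and the CMDs/CMUs stays entirely inside the management segment and never crosses the firewall, which is the only place source-address trust is tolerable.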

