Information Security News mailing list archives

Cable Modem Hacking Tricks Uncapped Online


From: InfoSec News <isn () c4i org>
Date: Fri, 15 Mar 2002 06:32:55 -0600 (CST)

http://www.newsbytes.com/news/02/175201.html

By Brian McWilliams, Newsbytes
INVERGROVE HEIGHTS, MINNESOTA, U.S.A.,
13 Mar 2002, 10:38 PM CST
 
When his cable modem service seemed to slow almost to a crawl last 
spring, Matthew Hallacy did like most people and complained to 
technical support at his Internet service provider, AT&T Broadband. 

But after the sluggish performance persisted for weeks, Hallacy, a 
Minnesota-based software engineer and networking expert, decided to 
take matters into his own hands: he hacked his cable modem. 
 
"Tech support told me it wasn't their fault and the service was going
as fast as it could. So I downloaded the specs for the modem off the
Web and started poking around to see if that was true," said Hallacy.

It wasn't long before Hallacy, 21, devised a trick for modifying an
obscure configuration file used by the service to control the settings
in his 3Com cable modem.

A few tweaks later, Hallacy's $50-per-month service, which had been
downloading data at a poky 75 kilobits per second (Kbps), was sweetly
humming along at much brisker speeds in both directions.

According to Hallacy, he hacked the modem just to prove that AT&T's
network management, and not his modem, was the performance bottleneck,
and he immediately changed the settings back.

But after successfully testing his technique for friends on other
cable modem services - and studying further the specifications for
DOCSIS, the standard interface used by most cable modem manufacturers
- Hallacy decided he had uncovered a bona fide security vulnerability.

This week, Hallacy submitted a description of his technique to two
e-mail discussion lists run by SecurityFocus.com that are read by
thousands of computer security aficionados.

Hallacy's message detailed how to trick a DOCSIS-compliant cable modem
into divulging its secret configuration file, and how to edit the
file's binary data using a free, open-source software program.

According to cable experts, Hallacy's trick is not new, and similar
techniques involving TFTP (Trivial File Transfer Protocol) servers, the
mechanism a DOCSIS modem uses to fetch its configuration file from the
operator at boot, have previously been anonymously published on the Web.

But the description by Hallacy may be the most specific ever posted to
such a public forum. And experts said his claim that not only AT&T but
also some Comcast and Time Warner cable systems are vulnerable, may
spur operators to make changes to their networks - or risk similar
poking and prodding by other networking gurus.

AT&T Broadband spokesperson Andrew Johnson said the company takes
potential security issues seriously but was still investigating
Hallacy's report and had no immediate comment on his claims.

In an interview today, Hallacy claimed that changes to the
configuration file could do more than just remove the bandwidth caps
put in place by cable operators to manage their precious resources.

According to Hallacy, a savvy network programmer could change his
configuration file to intercept all data from other users on the
attacker's local cable segment, or "node".

"I or somebody like me could sit down in front of a cable modem on AT&T's
network and have something like that running in less than half an
hour, and AT&T probably would never notice it," he claimed.

In some instances, the technique could potentially be exploited even
to take control of a cable ISP's gateway computers, alter their
network routing, and shift large amounts of traffic to a specified
destination, Hallacy claimed.

Officials from CableLabs, the nonprofit industry consortium that
developed DOCSIS, said the modem standard includes several mechanisms,
including something called "shared secret keys," that enable cable
operators to prevent users from making the sorts of modifications
claimed by Hallacy.

"The problem is real, but it's not because of a flaw in the
specification," said Rouzbeh Yassini, a senior CableLabs executive.

"When it's raining, some people decide to walk in the rain without an
umbrella," Yassini added, referring to cable operators who may have
neglected to configure their networks properly.

According to 3Com spokesperson Kim Sullivan, the big network equipment
maker discontinued its consumer cable modem business last summer.

"We currently do not have a product that is affected by the threat"  
described by Hallacy, she said.

A Motorola representative noted that a forthcoming engineering change
from CableLabs will require cable modem vendors to implement a
technique for preventing subscribers from changing the modem's config
file, and that Motorola intends to implement the change.

Dave Ahmad, moderator of the Bugtraq security mailing list, said he
did not immediately approve Hallacy's submission because it described
"how to evade (cable operators') service restrictions" and because he
was "not sure what the benefit was to the community. Who is at risk if
the information is not made public?"

Ahmad posted his comments, along with Hallacy's advisory, in a message
Tuesday to the Vuln-Dev list, which published a pared back version of
Hallacy's report on Monday.

Hallacy said he debated the morality of publishing his hacking
instructions, but finally decided to do so as "a little bit of a smack
in cable companies' direction. People are exploiting this. It's one of
the reasons there's not enough bandwidth on some nodes, and they need
to fix it."

Hallacy's original submission to Bugtraq is at
http://online.securityfocus.com/archive/82/261454

CableLabs' DOCSIS specs are online at
http://www.cablemodem.com/specifications.html



-
ISN is currently hosted by Attrition.org
