nanog mailing list archives
Re: Insecure Cable networks ?
From: Truman Boyes <truman () suspicious org>
Date: Sat, 6 Feb 2010 17:58:30 +1100

On 6/02/2010, at 1:43 PM, Jorge Amodio wrote:

> <snip>
> fired nmap, tried several 10/24 networks and just playing by hand found
> hundreds of devices and on every single one I tried, the default password
> worked, not only modems, also modem/routers and some with integrated VoIP
> where if I wanted I would have been able to change provisioning
> configuration, channel scanning, browse through the call manager logs and
> see who's calling or being called, etc.
>
> Isn't this a huge security hole?
>
> It won't take much for a kiddie to write a very simple script to drive
> the NOC guys crazy taking down pieces of the network here and there ...
>
> If a grownup from TWC/RR wants to get more specifics feel free to contact me.
>
> Regards

Yes, this is a huge security hole. Management networks should always be restricted to some extent and the fact that default passwords allow you into VoIP gateways provides an avenue for call fraud. At a very minimum the devices should restrict which addresses can talk to them (i.e. management servers in the MSO) and passwords should be non-default.

Maybe you can consult with the local MSO?

Kind regards,
Truman