Vulnerability Development mailing list archives

Re: DOCSIS vulnerability


From: "Matthew S. Hallacy" <poptix () techmonkeys org>
Date: Wed, 13 Mar 2002 09:06:56 -0600

On Tue, Mar 12, 2002 at 06:59:36PM -0500, Rob Koliha wrote:
This is quite an old issue.. There are half written documents on how to do it everywhere ;) In most of the howtos I've seen a step or two is missing.. It won't work on a lot of the modems out there, I know it will work with Motorola but it doesn't work on most Toshiba and Com21s.

Basically since the ethernet interface comes up before the RF interface, when you ping it you're exploiting an ARP table bug and fooling the modem into thinking that the TFTP server lies on the wrong interface. This can be circumvented a few different ways.. Doing it with a packetshaper would be pretty expensive since you could possibly need thousands of flows (and you only get so many flows with each model) and packetshapers are not cheap. The best way to get around it is setting up the shared password stuff on the CMTS (results in a little higher load, but prevents theft of service). A plaintext password or key is encoded into the .bin file that is downloaded and the CMTS checks the key that the modem has before allowing it to go online. I know for a fact the DOCSIS config decoder/encoder won't really decode the passphrase.. There may be other apps out there (or in the works) that will. More and more cable ISPs will enable this as time goes on and hopefully the hardware manufacturers have fixes in place or in the works..

Firmware upgrades are done from the provider side, meaning it would be quite easy for affected modems to be fixed with a new release. It would be a little bit of a pain to prevent your modem from being patched. There are also QoS (quality of service) tables on each router (uBR) which your ISP monitors.. If you push your modem higher than a speed level that your ISP sells you stick out like a sore thumb. Once they find that you've hacked it you will either get one warning or they will disconnect you and refuse to serve you. If you have no other broadband alternatives it could really suck. It would also be bad if you enjoy VoD and other 2-way cable services (as they could just as easily refuse data and TV both and cut/put a trap on your lines). Performing the hack could also probably land you in just as much hot water as the theft of TV services.


I wanted to reply to a few points:

I haven't exactly tested it on a wide variety, as for Toshiba I know the PCX1100U is vulnerable

Preventing the firmware upgrade, or downgrading the firmware, is trivial (docsDevSwAdminStatus -> 
ignoreProvisioningUpgrade)

ISPs go through the trouble of QoS tables, yet they can't figure out BGP?


The incompetence amazes me.

Rob Koliha
Charter Communications / Charter Pipeline
Hickory, NC
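One defender-side model of the shared-secret check discussed in the quoted message: the CMTS recomputes a keyed MIC (HMAC-MD5 with a secret only the CMTS and provisioning server hold) over the config file's TLVs and refuses registration when it does not match the MIC the modem presents. This is an added illustration, not code from either poster or from any DOCSIS implementation; the covered TLV subset and ordering are simplified (the DOCSIS spec fixes the exact list), and the secret, TLV values and rates below are constructed.

```python
import hashlib
import hmac

CMTS_MIC_TYPE = 7   # TLV 7 carries the CMTS MIC in a DOCSIS-style config file
END_OF_DATA = 255   # TLV 255 terminates the file and has no length/value

def encode_tlv(t: int, value: bytes) -> bytes:
    return bytes([t, len(value)]) + value

def serialize(tlvs) -> bytes:
    return b"".join(bytes([t]) if t == END_OF_DATA else encode_tlv(t, v) for t, v in tlvs)

def parse_tlvs(blob: bytes):
    """Split a config file into (type, value) pairs; stops at the end marker."""
    tlvs, i = [], 0
    while i < len(blob):
        t = blob[i]
        if t == END_OF_DATA:
            tlvs.append((t, b""))
            break
        length = blob[i + 1]
        tlvs.append((t, blob[i + 2:i + 2 + length]))
        i += 2 + length
    return tlvs

def cmts_mic(tlvs, shared_secret: bytes) -> bytes:
    """Keyed MIC over every TLV except the MIC itself and the end marker (simplified)."""
    covered = b"".join(encode_tlv(t, v) for t, v in tlvs
                       if t not in (CMTS_MIC_TYPE, END_OF_DATA))
    return hmac.new(shared_secret, covered, hashlib.md5).digest()

def build_config(tlvs, shared_secret: bytes) -> bytes:
    """What the provisioning server emits: body TLVs, keyed MIC, end marker."""
    body = list(tlvs) + [(CMTS_MIC_TYPE, cmts_mic(tlvs, shared_secret))]
    return serialize(body + [(END_OF_DATA, b"")])

def cmts_accepts(blob: bytes, shared_secret: bytes) -> bool:
    """The CMTS-side check at registration: recompute and compare in constant time."""
    tlvs = parse_tlvs(blob)
    presented = next((v for t, v in tlvs if t == CMTS_MIC_TYPE), None)
    return presented is not None and hmac.compare_digest(presented, cmts_mic(tlvs, shared_secret))

SECRET = b"constructed-cmts-shared-secret"   # constructed value, not a real secret
# Constructed config: network access on (TLV 3) plus a class-of-service block (TLV 4)
# whose sub-TLVs give class id 1 and a 1 Mbps max downstream rate.
COS = encode_tlv(1, b"\x01") + encode_tlv(2, (1_000_000).to_bytes(4, "big"))
GOOD = build_config([(3, b"\x01"), (4, COS)], SECRET)
# Same file with the rate edited to 10 Mbps but the old MIC left in place: rejected.
FAST_COS = encode_tlv(1, b"\x01") + encode_tlv(2, (10_000_000).to_bytes(4, "big"))
TAMPERED = serialize([(t, FAST_COS if t == 4 else v) for t, v in parse_tlvs(GOOD)])
```

An unkeyed checksum could be recomputed by anyone editing the file; the keyed MIC cannot be regenerated without the shared secret, which is why the check above rejects both the edited file and a file signed under a guessed secret.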
