Insecure Cable networks ?

Sat Feb 6 06:00:50 UTC 2010

There are knobs on most models to restrict access to the GUI to:
- the LAN interface
- certain mgmt subnets.

Sounds like the MSO doesn't have things set up correctly.

Frank

-----Original Message-----
From: Jorge Amodio [mailto:jmamodio at gmail.com] 
Sent: Friday, February 05, 2010 8:43 PM
To: NANOG
Subject: Insecure Cable networks ?

Is it a common practice on cable network providers to leave access
to the cable modem/router management web UI wide open ?

Here is the scoop. I heard about it but didn't experienced it hands on
or seen myself until recently when I was testing one of the embedded
TCP/IP boards I produce which as many other IP gadgets has a mini
HTTP server which I access just typing the IP address of the thing.

In my home lab an IPv4 address on 10/8, not very uncommon I
screwed up and made a typo on the IP address and ended on a
different device web UI, an Ambit cable modem

Hmmm my modem is from Toshiba, I tried the default factory
password, it worked !!, not only that, this thing is several cities
hundreds of miles away from here .. ehhh ?

fired nmap, tried several 10/24 networks and just playing by hand
found hundreds of devices and every single one I tried default password
it worked, not only modems, also modem/routers and some with
integrated VoIP where if I wanted I would have been able to change
provisioning configuration, channel scanning, browse through the call
manager logs and see who's calling or being called, etc.

Isn't this a huge security hole ?

It wont take much for a kiddie to write a very simple script to drive
crazy the noc guys taking down pieces of the network here and there ...

If a grownup from TWC/RR wants to get more specifics feel free to
contact me.

Regards