Insecure Cable networks ?
jmamodio at gmail.com
Sat Feb 6 16:27:09 CST 2010
> Yes this is a huge security hole. Management networks should always be
> restricted to some extent and the fact that default passwords allow you into
> VoIP gateways provides an avenue for call fraud. At a very minimum the
> devices should restrict which addresses can talk to them (ie. management
> servers in the MSO) and passwords should be non-default.
If I were them or involved in the operation of their network I should
start with an audit.
Obviously I didn't change or tried to change anything, the few cases I
tried to gain
access to some randomly selected devices/locations were just to
confirm that imho
there is a big exposure here.
For example, I found devices such as an integrated modem and wireless router
where if I wanted I would have been able to enable WiFi guest access or change
the existing WiFi configuration such as SSID, keys, etc.
Some modems don't seem to provide access via port 80, I didn't scan for any
other potential ports or back doors (such as SNMP ports,etc), they simple
show the message "Access to this web page is currently unavailable.".
The most popular/used device, just for the number of times I've got the same
interface for the few (less than a 100) IP I tried seems to be the Ambit modem,
the main page shows sort of general modem information, something like:
Cable Modem Information
Cable Modem : DOCSIS 1.0/1.1/2.0 Compliant
MAC Address : 00:1F:XX:XX:XX:XX
Serial Number : REMOVED
Boot Code Version : 2.1.6d
Software Version : 2.105.1008
Hardware Version : 1.20
CA Key : Installed
Gaining access to the modem is quite simple, on the left there is a frame that
has a Login link and says "Factory default username/password is"user" ", which
actually worked on all the ones I found and tried, on the right hand corner
there are two links one that says Modem and other that says Tools, if I
click on Tools I see at least two options, one that takes me to a form page to
change the password, and the other one to change the Frequency Scanning Plan.
Again I didn't try to change anything to confirm that it is actually
possible but I've
the hunch that it is possible.
Another case could be integrated modem/router with VoIP features such as
Motorola's SurfBoard, the standard management interface without even
login in to the thing provides plenty of information, don't know how useful but,
there is a link that says "Advanced" which requires you to enter a password,
don't waste much of your brain, the password is simply "motorola", with that
you get access to more information including MGCP Logs, I didn't analyze
the logs in detail but it didn't take much effort to find out that a guy was
being called by a collection department of Wells Fargo Bank from an
Oregon (503) number.
In another case I saw a log entry that could be interpreted as a dialed out
In summary, I don't believe that any customer should have access to any
other customer device in such a way that you can alter the provisioning of
a service or snoop and see how the service is being used, this raises not
only security but privacy concerns.
I didn't use any scripts or tried any heavy tools or hacking, mine is a very
minuscule sample of what seems to be a widespread bad practice or
mismanaged network configuration.
Ryan thanks for your message, I checked and saw that you work for TWC
in the Albany area, but no offense, I've no problems to share more details
and cooperate, only if being contacted by a "grownup" honcho in charge
I promise, I won't break anything ...
More information about the NANOG