> After a thoughtful analysis, the marketing committee advised w00tsec members to write a Keygen. In order to write a Keygen, we need a leet ascii art and a cool chiptune.
Something old, something new. Of course exploits and chiptunes have always gone together like bread and butter. But now exploits need marketing committees too.
You know what really grinds my gears? The fact that on my newish Surfboard modem, when I looked around for a new firmware version, lo and behold, apparently Arris/Motorola refuse to release the firmware to the consumer/owner of the device, and say that it is the ISP's responsibility to update firmware!
No it's not, it's my hardware! I understand the docsis 3.0 spec says otherwise, but I disagree with it. So I call my ISP (Suddenlink), and lo and behold, they say it's not supported and therefore won't update my firmware.
Now I find out it's probably backdoored!
You know, when the NSA and everyone else start talking about cybersecurity, I don't fucking believe a word of it anymore, because if they were really concerned about security, they would be pushing for open source firmware modems, and would be letting these companies know about the vulns and pushing them to close them. Instead they sit on the 0-days like a treasure trove of new weapons.
It's not any different than wireless companies and cell phones - they will use the reason of not controlling the firmware causing connection issues with their proprietary networks
Does this affect their Surfboard line? Specifically the SB6141? It's probably the most popular modem for people who don't wanna rent one from their provider.
I like the idea of search metasploit and I'll be making use of it, but the models mentioned in the article aren't in metasploit's database yet either. So while it is a good step, it is not very conclusive.
Doesn't look like it. Likely part of the reasoning is that the 6580 has a full router built in and the 6141 is just a cable modem. I believe they both run different firmwares as well. Also, that 600k number would be in the millions if it affected the 6141. It's standard issue for many ISPs with the higher bandwidth packages now if you don't buy VoIP.
I bought mine from Target 3 months ago and it still looks like it is running Motorola firmware even though it has an Arris logo stamped on the front of the device.
I discovered a few months ago Comcast is able to push firmware updates to customer owned modems without permission. So even if the backdoor is not present now there is no way to trust it will never be pushed to the devices.
Wow that sounds like an awesome way for the NSA or anyone else to take over your home network. Splice into your home cable from outside, send down some nasty modem firmware, then patch the connection back up and you'll never know the difference.
If you can figure out how to flash your CM on your own, it will still be overwritten with the firmware that gets pushed from your provider
Not if you also figure out how to disable the firmware update feature, which I'd guess - I've never done anything with CMs other than plugging them in - is also code in the firmware itself. As long as the firmware running on the CM has full control of the hardware, it can be "configured" to refuse such updates, and maybe even spoof the fact that it was updated successfully.
(Unless there's also some remote-attestation type stuff happening too. I'm not sure, I don't work in this area.)
Cable modems are based on a pre-Carterphone philosophy that the modem is an extension of the ISP and is completely owned (and 0wned), configured, updated, etc. by the ISP. They let you buy your own, but that doesn't change the protocol.
Makes sense. If they were to update something in their auth protocol or need to patch a security issue most people wouldn't have the tech chops to update firmware.
How does this change anything? You can accept the update, or just let it stop working with their network. And how is the new update any different in terms of trust than the initial carrier-specific update the modem gets when you activate?
Do you develop firmware for modems? And, just a shot in the dark, would you happen to know how to get a shell on a sb6180 for debugging purposes? I feel like a lot of people would be more trusting of DOCSIS modems if it wasn't such an untouchable black box.
I returned my Arris TG862 because you can't really shut off the WiFi. Even though Comcast assured me that the public hotspot was disabled, I could see (with my SDR receiver) that it was still transmitting on channel 1.
"transmitting" as in actually sending data, or just the radio left on, set by default to the lowest channel, and transmitting an otherwise useless carrier wave?
Transmitting with a blank SSID apparently. It just adds to the congestion on 2.4 GHz for no reason. For myself, it interferes with my wireless development activities. See this thread on the Comcast forum where folks are seeing all sorts of bad behavior.
What kind of access should a cable company have to your cable modem? Should it at all?
I mean, your ISP does not need any access to your edge router if the ISP gives you a standard Ethernet socket. How standardized are cable interfaces? What kind of custom setup may they legitimately need to work in a particular cable network?
It makes a little more sense once you look at the infrastructure that it's running on. You and ~500 of your neighbors are all on one local node that shares bandwidth between everyone. The way it works for upload is that your cable modem sends a request for an upload timeslot on a shared upload channel, then the CMTS which serves thousands upon thousands of people sends back your time slot when your modem is clear to use the upload channel. If anything goes screwy on your node, such as significant interference or if your cable modem somehow hung up and was constantly sending on the upload channel outside of its time slot, this means that absolutely everyone on the same node loses service. Not only can it affect a ton of customers all at once, your ISP doesn't have a good way of tracking down interference at a finer granularity than the node level, which isn't a lot to go off of. They literally have to do a binary search by disconnecting sections of the local node and seeing what segment the interference is coming from. I've heard horror stories about interference coming from things like washing machines, treadmills, etc. and being very intermittent and nearly impossible to find because of it. For the treadmill story, a whole node of customers would lose service for 15 minutes every couple of nights and whenever the ISP would get a technician out to start trying to isolate it, they'd already be off the treadmill and the problem would be over. Supposedly it took a while of having a tech in the area around when it normally started to track down which house it was coming from.
So yeah, it's your modem, but they won't let you use their network unless you're using one of their approved modems that they know are reliable and that they can manage updates on because just one person can unknowingly screw it over for a large chunk of people.
The cable modem is telco infrastructure that happens to be in your house. The boundary between telco and customer networks (called the "demarc") is between the cable modem and your router. It's entirely theirs to administer, same as the vault down the street.
It's not quite that simple. In some cases it's telco infrastructure that's owned by the customer. In that case I'd say the demarc is likely to be somewhere inside the modem, which is sort of nonsensical.
When you own the modem, you're free to disconnect it from the cable company's network and do something else with it, but administrative access is still a condition of service from your ISP as long as you continue to contract with them for internet access on it.
In the case of cable internet service (not fiber), you'll almost never get a standard Ethernet socket. Chances are, you'll get a coaxial connection that requires a device to bridge the connectors and perform a handshake with your upstream provider.
Of course, most consumers go with whatever hardware their provider gives them (usually a gateway to provide WiFi). This presents its own problem: in the US, cable companies are trying to set up mesh networks/guest access, and so those gateways may be running a second semi-public network as a node on the mesh.
We just got new tenants in our (commercial) building.
I'm honestly a bit upset as there are now _four_ new access points for a single tenant.
"TWC WiFi", and "CableWifi", both unsecured (!!!), and then "TWC WiFi Passpoint" (which requires a TWC subscription to use.)
I sure wish people wouldn't blindly trust the cable technician to configure their wireless network properly. Now there's just tons of RF noise, and people can leech bandwidth off our building. -- I frankly find it ridiculous, given the premium we pay for commercial internet (which is slower than my residential subscription), that we are expected to share it with their "mesh network."
Aren't those SSIDs all on the same WiFi channel? Having split guest/internal networks broadcast from the same radio on the same channel really doesn't hurt things enough to care about. And it's almost certainly using separate DOCSIS channels or not counting toward the traffic shaping limit on your traffic, and it's prioritized lower than your business-class traffic when it's further upstream in TWC's network, so you don't need to worry about it affecting your WAN connection performance either.
The fact that the telco/cableco broadcasts a public or subscriber wifi off an installed business class service line is more WTF than potentially misconfigured broadcast channels. This is partially why I bought a SB6141 for my home. It has no radio. Maybe I need to go shave my neck, but I'd rather have a device that does one thing well than one thing that tries to do everything adequately.
Given that the business is merely renting the modem/router/AP device from the ISP, the only theoretical downside to the business is the extra electricity used by that functionality. And for quite a few businesses, the zero-effort zero-liability hotspot for customers is a pretty big upside.
If you want thorough control over your network, then of course you won't rent a modem from the ISP and you'll install a separate router of your choice and decide for yourself whether to operate a hotspot. But for the majority of customers, none of that is worth thinking about and the ISPs are actually providing sensible defaults.
Reminds me of the inane SNL sketch, whose catchphrase was: "New Shimmer is both a floor wax and a dessert topping!"
My Arris (nee Motorola) SB6141 is a bridge and a router. It's actually very nicely done.
When the modem can't access the cable infrastructure, it turns itself into a DHCP server and hands out IP addresses in the range 192.168.100.xx. This is useful for people at home whose configurations are such that their home networks won't work properly without some sort of DHCP server provided by the ISP.
Once the modem can talk to the ISP, it turns itself into a bridge. The IP addresses the modem previously issued were valid for 30 seconds, so there will shortly be a new DHCPREQUEST which the modem bridges out to the ISP. From then on, the modem is transparent to IP traffic (but see below).
My definition of cable modem doesn't include an IP address.
This is highly useful. Once the modem has switched to being a bridge, it still responds to 192.168.100.1. There's all sorts of useful information there. E.g. DOCSIS status, Channel IDs, received Signal to Noise ratio, transmit Power Level, etc. There's even a nice (but short) log of the modem's interaction with the cable infrastructure.
The modem is outside my firewall, so I don't really worry about it much. It's like anything else on the Internet as far as my home network is concerned.
However, I do currently allow access to 192.168.100.1 (normally I block outbound RFC 1918 addresses). That is a potential problem should some rogue program on my network attempt to exploit a modem vulnerability. Maybe I'll just block all those addresses and only enable them in the firewall when I want to check the modem status.
> Maybe I'll just block all those addresses and only enable them in the firewall when I want to check the modem status.
For the business networks I manage I actually go out of my way to make sure that 192.168.100.1 is blocked. With no authentication anyone can reset a Motorola modem to factory defaults which takes like 15 minutes to come back up. An attacker can just jump on a guest network and basically DoS you until you figure out what's going on and good luck with that because most people are going to assume that their modem constantly rebooting means that they need a new one, or it's the ISPs fault.
I'm assuming LAN traffic still works in this case.
>That is a potential problem should some rogue program on my network attempt to exploit a modem vulnerability. Maybe I'll just block all those addresses and only enable them in the firewall when I want to check the modem status.
I've been looking at scraping my modem interface for info and then blocking all but one PC from accessing the admin interface
> I'm assuming LAN traffic still works in this case.
Blocking outbound RFC 1918 addresses is a fairly common firewall configuration to prevent any LAN traffic from leaking out into the internet due to weird or misconfigured NAT rules, etc. It doesn't prevent that traffic from traversing the LAN, just if it might try and escape the WAN.
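Added example (my own, not code from the thread or from any firewall product): a small Python audit over constructed firewall log lines that flags the two things these comments recommend blocking, LAN hosts other than one designated admin PC reaching the modem at 192.168.100.1, and RFC 1918 destinations heading out the WAN interface. The log format, the interface names and the admin PC address are assumptions.

```python
"""Audit firewall log lines for modem-management access and RFC 1918 leaks."""
import ipaddress
import re

MODEM_ADDR = ipaddress.ip_address("192.168.100.1")     # modem status page (from the thread)
ADMIN_HOST = ipaddress.ip_address("192.168.1.10")      # assumed: the one PC allowed to reach it
WAN_IF = "eth0"                                        # assumed: interface facing the modem
LAN_IF = "br0"                                         # assumed: LAN bridge interface

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# iptables-style log lines, constructed for this demo.
SAMPLE_LOG = """\
IN=br0 OUT=eth0 SRC=192.168.1.10 DST=192.168.100.1 PROTO=TCP DPT=80
IN=br0 OUT=eth0 SRC=192.168.1.57 DST=192.168.100.1 PROTO=TCP DPT=80
IN=br0 OUT=eth0 SRC=192.168.1.57 DST=192.168.100.1 PROTO=TCP DPT=80
IN=br0 OUT=eth0 SRC=192.168.1.23 DST=10.20.30.40 PROTO=UDP DPT=53
IN=br0 OUT=eth0 SRC=192.168.1.23 DST=93.184.216.34 PROTO=TCP DPT=443
IN=br0 OUT=br0 SRC=192.168.1.23 DST=192.168.1.1 PROTO=TCP DPT=22
this line is garbage and must not crash the audit
"""

FIELD_RE = re.compile(r"(\w+)=(\S*)")


def parse_line(line):
    """Turn 'KEY=value KEY=value ...' into a dict; unknown text is ignored."""
    return dict(FIELD_RE.findall(line))


def is_private(addr):
    return any(addr in net for net in RFC1918)


def audit(log_text):
    """Return (alerts, modem_hits).

    alerts     - human-readable findings, in log order
    modem_hits - number of packets to the modem address per source host,
                 which is what you would watch if someone were repeatedly
                 triggering the unauthenticated factory reset mentioned above
    """
    alerts = []
    modem_hits = {}
    for line in log_text.splitlines():
        f = parse_line(line)
        try:
            src = ipaddress.ip_address(f["SRC"])
            dst = ipaddress.ip_address(f["DST"])
        except (KeyError, ValueError):
            continue                      # malformed line: skip, keep auditing
        if dst == MODEM_ADDR:
            modem_hits[str(src)] = modem_hits.get(str(src), 0) + 1
            if src != ADMIN_HOST:
                alerts.append(f"unexpected modem admin access from {src}")
        elif f.get("OUT") == WAN_IF and is_private(dst):
            # Traffic between LAN hosts (OUT=br0) is fine; only WAN egress counts.
            alerts.append(f"RFC 1918 destination {dst} leaking toward WAN from {src}")
    return alerts, modem_hits


if __name__ == "__main__":
    found, hits = audit(SAMPLE_LOG)
    for a in found:
        print("ALERT:", a)
    print("modem hits per host:", hits)
```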
I have WOW internet, and their provided modem was an Arris modem. It was a piece of garbage, so I bought a Netgear modem, sent the Arris back, and got $10 savings on my internet bill (for renting the crap modem). I'm even happier about that choice now. And yes, my new modem is DOCSIS 3.
The TM822 has been pretty good to me. It maxes out at my ISP's reported speeds (30/5), no packet loss, low single digit latency and since it's hooked up to a UPS it hasn't been power cycled or rebooted in almost a year.
Darn, it's been more than half a year, so I don't remember the model name. I just recall it was Arris and the webpage manager thing had similar graphics and look to the one in the article (although they probably all have that).
Nonetheless, regardless if it is the same model as they tested, this demonstrates that I really shouldn't trust anything from Arris now.
At least it appears to be based on the serial number. Only using the last 5 is still pretty bad though but plenty of cable modems treat the serial number as privileged information. It's already a password essentially for SNMP access provided that your ISP hasn't blocked access to it.
It is exactly as privileged as going to the website http://192.168.100.1 and clicking HW/FW versions, which proudly displays the complete serial for you. There is no authentication of any sort and it is not encrypted at any point.
Since you need a DOCSIS modem box and a router, I would suggest people put a router box you fully control behind your ISP's DOCSIS brick, and just assume the latter is compromised continuously.
I use pfsense on a usb stick in a little box with 2 ethernets.
Which, frankly, isn't even a paradigm shift. It just means the transition from trusted to untrusted is in your living room instead of on the street corner outside in the cable box.
DOCSIS is the standard for IP networking over cable TV infrastructure. An open source modem can't be built because there's a huge certification / documentation fee from CableLabs and part of the requirements involve the cable carrier being able to control/update the modem at their whim.
Putting your router behind the DOCSIS modem lets you firewall the modem the same way you'd firewall the Internet at large - that is, an attacker who compromises the modem wins the ability to specifically monitor your traffic, but does not immediately gain free access to your local network.
Would it be possible to just fake the cert or generate your own, in the same way that some people self sign SSL certificates instead of paying Verisign?
Parent wasn't talking about SSL certificates - you need to certify both hardware and software and pay a fee and the ISPs generally don't let you run your own firmware on the cable modem - heck they don't let the OEM update it either.
The cable companies need to be able to push firmware and settings to maintain the network and avoid abuse. So they have certification standards and you need to pay to play.
For example, with DOCSIS 2 modems, you could spoof the MAC address and make some config changes and get anonymous internet access at the highest service tier.
It's a completely shared infrastructure from the demarc in your home to the local cable node. It's not very secure and pretty trivial to abuse. Remember this was an infrastructure originally implemented to distribute TV signal.
Because of that TV heritage and the way they grew (on a town by town franchise basis), cable networks were usually a patchwork of really shitty networks up until fairly recently. My (limited) understanding is that on relatively modern cable systems, there is fiber connectivity to the local nodes, and then coax from that device to the homes in the area.
DSL is a switched network of sorts, and provisioning happens on the switch in the CO. Ditto for fiber.
Seems like this only affects the LAN interface. Since most people aren't trying to break into your computer just to break into your cable modem, this shouldn't be considered a high priority exploit.
Malware changing the DNS server on your router's DHCP server could be bad for you. But even though malware on your desktop attacking your network is bad, what's worse is there's malware on your desktop.
"Shodan searches indicate that the backdoor affects over 600.000 externally accessible hosts"
It doesn't look like this is LAN-only.
Even if it were, an escalation from unprivileged code execution on a single device to MITM any connection out of a network hardly seems "low priority".
I'm guessing they used Shodan to locate the models they knew were affected (i.e. by model numbers), not to try the backdoor on unsuspecting devices (which would be illegal).
Just because you can't think of a useful use by the bad guys, doesn't mean they can't :-) It is also quite possible the bad guys have figured out how to exploit this using regular Javascript - i.e. you don't need malware in your LAN, just Javascript in a browser.
Assuming you could exploit the browser's JS to submit such a request (I thought I remembered seeing a security feature of modern browsers to prevent this?) and assuming the web interface requires no authentication, you would only be able to enable WAN HTTP access. The telnet and ssh still appear to be LAN-only. And you still need the serial number to generate a password (does the web interface even show that?). I don't see a viable drive-by attack vector other than malware.
Edit: It does look like telnet can be accessed via WAN, which is pretty bad.
There is a same origin policy and CORS. Sometimes cross site stuff is supposed to work (JSONP). In some cases the request is made to the non-origin site, and the response is then blocked based on returned headers. That however doesn't stop the request's side effects. A few years ago there were a round of hacks against many home routers doing this, exploiting vulnerabilities in their web admin interfaces. I stand by my first sentence in my first comment.
Yes, this class of web vulnerability is called Cross-Site Request Forgery or CSRF (https://www.owasp.org/index.php/Cross-Site_Request_Forgery_%...). The Same Origin Policy (SOP) prevents one domain from receiving the HTTP responses for requests it sends to other domains. As you suggest however, the request itself can sometimes be enough to cause adverse side effects on the target server (that may be beneficial to an attacker).
It continues to be a common security issue among web applications and is why all sensitive actions should be protected with unique anti-CSRF tokens (most good development frameworks provide support for this).
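Added example (my own, not code from the thread, from Arris or from OWASP): a minimal Python model of a modem admin action like the "enable WAN HTTP access" one discussed above, first in the unprotected form that a forged cross-site POST can trigger, then protected the way this comment recommends, with an Origin check and a per-session anti-CSRF token. The endpoint, the session cookie and the setting name are assumptions; the thread says the real interface has no authentication at all.

```python
"""Cross-site request forgery against an unauthenticated admin action, and its fix."""
import hashlib
import hmac
import secrets

ADMIN_ORIGIN = "http://192.168.100.1"   # the modem's LAN admin origin (from the thread)
SERVER_KEY = secrets.token_bytes(32)    # per-boot secret, constructed for this demo


def _apply_wan_http(state, request):
    """The state change itself (hypothetical setting name)."""
    if request["method"] == "POST" and request["form"].get("wan_http") == "1":
        state["wan_http_enabled"] = True
        return 200
    return 400


def vulnerable_enable_wan_http(state, request):
    """Vulnerable form: no origin or token check. Any page the victim's browser
    visits can make it send this POST; the Same Origin Policy only hides the
    response from that page, the side effect on the device still happens."""
    return _apply_wan_http(state, request)


def csrf_token(session_id):
    """Per-session anti-CSRF token: HMAC over the session id with a server
    secret. Another origin can neither read it (SOP) nor compute it."""
    return hmac.new(SERVER_KEY, session_id.encode(), hashlib.sha256).hexdigest()


def hardened_enable_wan_http(state, request):
    """Hardened form: browsers attach an Origin header to cross-site POSTs, so
    refuse any origin but our own, then require the session's token."""
    if request["headers"].get("Origin") != ADMIN_ORIGIN:
        return 403
    session_id = request["cookies"].get("session", "")
    supplied = request["form"].get("csrf_token", "")
    # compare_digest avoids leaking the token through timing differences
    if not session_id or not hmac.compare_digest(supplied, csrf_token(session_id)):
        return 403
    return _apply_wan_http(state, request)


def forged_request():
    """What a hidden auto-submitting form on an attacker's page makes the
    victim's browser send: the browser may attach the session cookie by itself,
    but Origin is the attacker's site and the token is absent (constructed)."""
    return {"method": "POST",
            "headers": {"Origin": "http://attacker.invalid"},
            "cookies": {"session": "abc123"},
            "form": {"wan_http": "1"}}


def legitimate_request(session_id="abc123"):
    """A POST from the admin page itself, carrying the token the page embedded."""
    return {"method": "POST",
            "headers": {"Origin": ADMIN_ORIGIN},
            "cookies": {"session": session_id},
            "form": {"wan_http": "1", "csrf_token": csrf_token(session_id)}}


if __name__ == "__main__":
    dev = {"wan_http_enabled": False}
    print("vulnerable, forged :", vulnerable_enable_wan_http(dev, forged_request()), dev)
    dev = {"wan_http_enabled": False}
    print("hardened,   forged :", hardened_enable_wan_http(dev, forged_request()), dev)
    print("hardened, legitimate:", hardened_enable_wan_http(dev, legitimate_request()), dev)
```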
Don't trust them. Add a system you control between the device and your internal network. If you're just worried about your traffic privacy and not just internal resources, establish an end-to-end encrypted tunnel from that jump system to a network or VPN provider you trust.
Edit: excuse me, I misread your question. I thought you were asking for best practice. I don't have a specific hardware recommendation (because I don't trust them :) )
Encrypt everything between your computer and the server you're connecting to, ideally use a VPN. The ISP already owns the lines anyway, 0wning the modem doesn't really make much more of a difference. The reasoning behind being able to push new firmware to a modem from the ISP is automatic configuration and to stop abuse on the network although I'd rather configure things myself.
I'm not sure I'd trust Arris products at this point. From another blog post in 2014: "It is worth noting that on previous FW revisions the CGI calls did NOT require any authentication and could be called without providing a valid "credential" cookie." http://console-cowboys.blogspot.ca/2014/09/arris-cable-modem...
With mistakes like that, and three layers of backdoors, I'm half expecting discoveries of hardware backdoors next ...
But if you ssh and have root access, then you should be able to change the password. As well as edit a startup script to move/delete the backdoor files.
The whole point of a backdoor is that changing the password is ineffective. And the backdoor isn't a file you can delete, it's just a couple of extra instructions buried in the code - the article made that clear.
It almost certainly still has an externally accessible IP at that point for management purposes. (bridge 2 interfaces, add a virtual interface to the bridge)
Management for the DOCSIS modems is definitely done over IP. It isn't over SSH but via a webapp controller. This webapp is used to push the firmwares which have the speed limits set in them.
Yes, but by default a modem from your ISP is acting as a NAT device routing to a private IP space. By default, it has an externally available IP address and will answer on that or those addresses.
Many can, however, be configured as a bridge, which turns the device into just a converter between physical mediums. You now need another device to route and act as your gateway. In that setup you shouldn't be able to find it with an IP connection scan, because it doesn't have one.
> Yes, but by default a modem from your ISP is acting as a NAT device routing to a private IP space.
Not in my experience. The default modem provided by both Comcast and Knology (who is -I guess- now WOW!) is (or was, in the case of Knology) a bridge device that requires you to provide your own router. You have to ask for a modem that's also a router to get something that's not a bridge.
That doesn't mean that the modem doesn't have an IP address, mind. AIUI, on Comcast's network the modem gets an IPv6 address so that they can do network management stuff to it.
That said, it's possible that your cable company could protect you (and their other customers) at the expense of you possibly losing access to port forward SSH, etc.
Hi. I own Arris TG862G, TWC pushed their firmware on it, it seems much older than discussed here.
Firmware Name: TS070563C_032913_MODEL_862_GW_TW_SIP_PC20
Firmware Build Time: Fri Mar 29 2013
I got a permanent password to advanced page/technician. But I don't have URL http://192.168.100.1/cgi-bin/tech_support_cgi, it's 404 and as a result I don't know how to enable SSH. Can anyone help with this old firmware?
I also have a TG862G, but from Xfinity (a Comcast company).
The default admin page is @ http://192.168.100.1/ & http://10.0.0.1/, but neither of them have a /cgi-bin/tech_support_cgi.
However, I discovered this page: http://10.0.0.1/wireless_network_configuration-1.php (probably also exists on 192.168.100.1) which looks like a secret wifi config page that has more advanced options than the normal wifi config page @ http://10.0.0.1/wireless_network_configuration.php (I found the wireless_network_configuration-1.php file by viewing the source of a few pages on 10.0.0.1, it was hiding in some HTML comments).
On the normal wifi config page, you can only edit the settings for your "Private" wifi hotspot, but on this -1.php page you can also edit the two "Public" hotspots: "xfinitywifi", and one that (on mine) looked like: "XHS-A6B18523". Since you can edit these two "Public" ones, you can also view the stored WPA key for XHS ("xfinitywifi" has no key).
Once I grabbed the XHS-* key and connected to it, I received a 172.16.12.100 IP (a subnet I've never seen on the other access point). On this one the gateway IP was 172.16.12.1. Nmap shows these ports on that gw IP:
443 = NET-DK 1.0 (ssl)
5001 = Arris/1.0 UPnP/1.0 miniupnpd/1.0 (Status: 501 Not Implemented)
8080 = (SIP end point; Status: 501 Not Implemented)
and same as the above for ports 8081 & 8888 & 5540.
All of those SIP ports were just HTTP servers that looked exactly like the customer version you see on http://10.0.0.1/ , except that my admin pass didn't work on it (tried the defaults too, plus some guesses).
When I went to https://172.16.12.1/ it redirected me to /cgi-bin/status_cgi, which contains a link to /cgi-bin/tech_support (which redirects to /cgi-bin/adv_pwd_cgi).
So maybe you could try all of that to see if your TG862G works the same :-)
P.S.
I tried the password of the day thing but the seed must be different on this one, and the SNMP thing doesn't exist on any of these webservers.
Thank you for the reply, but I don't have xfinity firmware anymore, cause TWC wiped it out and wrote their own. It seems I don't have wireless_network_configuration.php pages anywhere and it doesn't broadcast wi-fi at all (I actually can't enable it, there is a bug or something, it just shuts down), so I can't try that subnet either.
This is frustrating, cause I do have a password to /cgi-bin/adv_pwd_cgi but I can't find the SSH/Telnet options to enable.