8/12/2019 DOCSIS Insecure by Design[Self]
1/42
Humor

Maybe Ted Stevens has a series of hacked modems and a drop amp at his place. Could this be the reason he thinks that the internet is a series of tubes?
Background

• Personal
  - Started working in the security industry at the age of 17.
  - Conducted SIPRNET Administration and Red Team Penetration Testing for the USMC.
  - I currently do research for SERC (Software Engineering Research Center), an NSF Industry/University Cooperative Research Center.
• Speech
  - A much shorter version of this presentation was given at the Spring 2008 SERC Showcase.
  - I have had various experts on this topic (such as bitemytaco from http://www.sbhacker.net) verify the information in this Defcon presentation.
What This Speech Will Cover

• Requirements (for our examples)
• Network Overview
• Anonymous Access
Requirements

• What do you need for our example?
  - Cable connection (to the cable company)
  - JTAG cable (MIPS JTAG for our example)
• EJTAG stands for Enhanced Joint Test Action Group
Requirements In Depth (cont'd)

• Modify the SB5100 or buy a Premod
  - available from sites like www.sbhacker.net
Requirements In Depth (cont'd)

• Program the SB5100 using SchwarzeKatze.
Modified Firmware

• Abilities of SI
Cable Network Overview
Anonymous Internet Access

• For our example of anonymous internet access, we will be using Comcast.
• Why Comcast?
  - According to Alex
Faster Speeds

• Anonymous access is good, but faster anonymous access is better.
• In order to increase speeds, you can specify a faster configuration file to use or upload your own.
• You can specify a TFTP server IP address, but on Comcast almost every TFTP server has the same configuration files.
• Some example configuration files that Comcast uses:
  - DOCSIS 1.0
    d10_m_sb5100_speedtierextreme2_c05.cm = 16/2
    d10_m_sb5100_showcase_c01.cm = 55/5
    d10_m_na_c05.cm = 0/0 (unrestricted)
  - DOCSIS 1.1
    d11_m_sb5100_speedtierextreme2_c05.cm = 16/2
    d11_m_sb5100_showcase_c01.cm = 55/5
    d11_m_na_c05.cm = 0/0 (unrestricted)
Changing the Configuration File

• Navigate to http://192.168.100.1:1337
• You can either specify a file that exists and the server that it exists on (blank for your ISP's TFTP server) or you can upload your own.
Techniques for Remaining Anonymous

• Disable Reading the Modem with SNMP
  - cd /
  - cd snmp
  - view_v1v2 noaccess
  - y
  - cd /
• Hide the Modem's HFC IP Address (You cannot hide CPE IP addresses)
  - cd /
  - cd non-vol
  - cd snmp
  - hide_ipstack_ifentries true
  - write
• Hide Reported Software Version (system OID)
  - cd /
  - cd snmp
  - delete sysDescr
  - write
Field Results

• Various members of SOLDIERX and other groups have reported high success rates with zero signs of detection.
  - Durandal has a high use server that has been online for over 10 months.
  - An anonymous individual has a machine on a business configuration that has been seeding torrents steadily for 6 months.
  - Many people have as many as 8 modems running concurrently.
  - In all of these scenarios, the individuals are paying for service. They are simply splicing their line to add additional modems.
Cloning

• Cloning is where you use another customer's MAC address in order to get the same service they are paying for.
• Due to the way the system is setup, you have to use the MAC address of a customer that is on a CMTS other than yours.
• This method is not as stealthy because your modem is now tied to somebody else's account.
Cloning (Cont'd)

• The CMTS (Cable Modem Termination System) does not prevent the cloning of a MAC address from Node 3 to Node 1.
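The cloning slides above say the CMTS itself does not stop a MAC address provisioned on Node 3 from registering on Node 1. The following is an added example, not code from the slides or from any operator's OSS, of the check that has to be made one level up: correlate the registrations collected from every node against the node that billing actually provisioned. The registration records, node names, field names and the provisioning table are constructed sample data and assumptions of this example.

```python
"""Cloned-MAC detection above the CMTS (added example, constructed data)."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Registration:
    mac: str   # modem MAC as the CMTS reports it, in whatever notation it uses
    node: str  # fibre node / upstream interface the modem ranged on
    cmts: str  # the CMTS that produced the record


def normalise_mac(mac: str) -> str:
    """Canonical 'aa:bb:cc:dd:ee:ff' so '00-11-...' and '0011.2233.4455' compare equal."""
    digits = "".join(c for c in mac.lower() if c in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def find_cloned_macs(registrations, provisioned) -> dict:
    """Return {mac: {"nodes": [...], "provisioned_node": ..., "reasons": [...]}}
    for every MAC that is online on more than one node, online on a node other
    than the one it was provisioned for, or not provisioned at all."""
    nodes_seen = defaultdict(set)
    for reg in registrations:
        nodes_seen[normalise_mac(reg.mac)].add(reg.node)

    findings = {}
    for mac, nodes in sorted(nodes_seen.items()):
        expected = provisioned.get(mac)
        reasons = []
        if expected is None:
            reasons.append("not-provisioned")
        elif nodes != {expected}:
            reasons.append("off-provisioned-node")
        if len(nodes) > 1:
            reasons.append("multiple-nodes")
        if reasons:
            findings[mac] = {"nodes": sorted(nodes), "provisioned_node": expected,
                             "reasons": reasons}
    return findings


# Constructed sample: what a poller might collect from two CMTSs in one window.
SAMPLE_REGISTRATIONS = [
    Registration("00:11:22:33:44:55", "node-3", "cmts-a"),  # the paying subscriber
    Registration("0011.2233.4455", "node-1", "cmts-a"),     # same MAC, cloned onto node-1
    Registration("aa-bb-cc-dd-ee-01", "node-1", "cmts-a"),  # ordinary modem
    Registration("02:00:00:00:00:02", "node-2", "cmts-b"),  # provisioned for node-4
    Registration("02:00:00:00:00:09", "node-2", "cmts-b"),  # unknown to provisioning
]
SAMPLE_PROVISIONING = {          # mac -> node billing assigned (constructed)
    "00:11:22:33:44:55": "node-3",
    "aa:bb:cc:dd:ee:01": "node-1",
    "02:00:00:00:00:02": "node-4",
}

if __name__ == "__main__":
    for mac, info in find_cloned_macs(SAMPLE_REGISTRATIONS, SAMPLE_PROVISIONING).items():
        print(mac, info)
```

A subscriber who physically moves their modem shows up as "off-provisioned-node" too, so the output is a lead for a technician visit, not proof of cloning on its own; the "multiple-nodes" reason is the one that cannot be explained by a move.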
How Anonymous Are You?

• The Operations Support System is unable to pinpoint a modem to an exact location due to the design of the legacy cable network.
• Currently, detection only goes as far as the Node where the modem in question is located.
How Anonymous Are You? (cont'd)

• Some ISPs poll for poor signal levels.
  - The technician will disconnect each line to find out which line is causing the signal loss.
  - You can prevent this by using an amp if your signal strength is too low. We personally like the BDA-S1 Broadband Drop Amp from Motorola.
  - The downstream should be between -15 and +15 dBm and the upstream should be between -35 to -50 (Upstream is always negative).
• Many ISPs perform routine checks on lines that should not be connected in order to verify that they are not.
  - Many ISPs use colored tags to identify the account and service.
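The three hiding techniques on the "Techniques for Remaining Anonymous" slide (SNMP view set to noaccess, sysDescr deleted, the cable-side ifTable entry hidden) and the signal-level poll on this slide each leave something an operator's poller can see. The following is an added example, not code from the slides or from any operator's poller, that turns them into per-modem checks on one poll record. The poll records are constructed; docsCableMaclayer is the IANA ifType name for the DOCSIS cable interface, while the other field names and the dBm ranges (taken from the slide as quoted) are assumptions of this example.

```python
"""OSS-side audit of cable-modem poll records (added example, constructed data)."""
from dataclasses import dataclass, field
from typing import List, Optional

DOWNSTREAM_DBM = (-15.0, 15.0)   # slide: downstream between -15 and +15 dBm
UPSTREAM_DBM = (-50.0, -35.0)    # slide: upstream between -35 and -50, always negative


@dataclass
class ModemPoll:
    mac: str
    snmp_reachable: bool                  # False when every GET timed out
    sys_descr: Optional[str] = None       # sysDescr.0, None if the OID is gone
    if_types: List[str] = field(default_factory=list)   # ifType names from ifTable
    downstream_dbm: Optional[float] = None  # levels the poller / CMTS measured
    upstream_dbm: Optional[float] = None


def _within(value: float, bounds) -> bool:
    lo, hi = bounds
    return lo <= value <= hi


def audit_modem(poll: ModemPoll) -> List[str]:
    """Reasons this modem deserves a closer look; empty list means it looks normal."""
    reasons = []
    if not poll.snmp_reachable:
        reasons.append("snmp-noaccess")          # view_v1v2 noaccess looks like this
    else:
        if not poll.sys_descr:
            reasons.append("sysdescr-missing")   # delete sysDescr
        if "docsCableMaclayer" not in poll.if_types:
            reasons.append("cable-mac-ifentry-hidden")   # hide_ipstack_ifentries true
    # Signal levels come from the plant side, so they are checked even when SNMP is closed.
    if poll.downstream_dbm is not None and not _within(poll.downstream_dbm, DOWNSTREAM_DBM):
        reasons.append("downstream-out-of-range")
    if poll.upstream_dbm is not None and not _within(poll.upstream_dbm, UPSTREAM_DBM):
        reasons.append("upstream-out-of-range")
    return reasons


def audit_fleet(polls) -> dict:
    """{mac: reasons} for every modem with at least one finding."""
    return {p.mac: r for p in polls if (r := audit_modem(p))}


# Constructed poll records for four modems.
SAMPLE_POLLS = [
    ModemPoll("00:00:00:00:00:01", True, "constructed sysDescr string",
              ["ethernetCsmacd", "docsCableMaclayer", "usb"], 2.5, -40.0),   # normal
    ModemPoll("00:00:00:00:00:02", False, None, [], -3.0, -42.0),            # SNMP closed
    ModemPoll("00:00:00:00:00:03", True, None, ["ethernetCsmacd"], 1.0, -45.0),  # hidden
    ModemPoll("00:00:00:00:00:04", True, "constructed sysDescr string",
              ["ethernetCsmacd", "docsCableMaclayer"], -22.0, -30.0),       # bad levels
]

if __name__ == "__main__":
    for mac, reasons in audit_fleet(SAMPLE_POLLS).items():
        print(mac, ", ".join(reasons))
```

The point of keeping the signal checks outside the SNMP branch is that a modem which has closed its SNMP views still ranges against the CMTS, so its levels are available from the plant side even when nothing can be read from the device; the slide's own observation that a drop amp is needed to avoid the signal poll is what makes those two checks worth running together.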
Throwing Up a Red Flag

• Not using previously discussed techniques for remaining anonymous
• Excessive torrenting
• FTP/Web Servers hosting Warez/Porn (or other types of heavily used services)
• Uncapping on cloned MAC addresses
• Splitting the connection too many times will weaken the signal and can cause techs to come out to check it.
Precautions to Take

• Do not transfer personal information over unencrypted connections
• Keep an eye out for the party van (or cable technicians)
• Pay for service on one modem and have another one hooked up that is modified for anonymous internet.
• Remove line identifiers to assist in anonymity (especially at apartment complexes)
Response From the SERC Showcase

• Anonymous Internet was not nearly as much of a concern as BPI/BPI+ in DOCSIS 1/1.1/2.
  - The maximum privacy that is offered via encryption is 56-bit DES.
Thanks

• Thanks to bitemytaco of SBH (http://www.sbhacker.net) for reviewing the information in these slides.
• Anonymous network technicians that answered questions about OSS.
• Thanks to DerEngel of TCNiSO for starting mainstream cable modem hacking.
• Anonymous cable modem hackers that told me their stories and gave me enough information to verify it.
Cable Modem Hardware
Or How I Learned to Relax and Love the Surfboard

Enter Durandal
Abstract

• Presenter Background
• WHYTO versus HOWTO
• SB5100 - Just another Computer
• Currently Available Firmware and Features
• Firmware Reverse Engineering
• Firmware Modification
Abstract - Translated

• Why you should listen to what I have to say
• Why you shouldn't listen to random people on forums
• Why you shouldn't panic
• How to avoid obsolescence by not being dumb
• Proof it doesn't take an angel to impress people
Background Information

• Active in the underground community since 1998
• Arabic Linguist 2002-2004
• J[?]TS trainer under some of the most respected leadership in Army Intelligence 2003-2004
HOWTO vs WHYTO

HOWTO
• Tells you how to do something in a methodical, step by step method, allowing one to perform a task without understanding it.

WHYTO
• Tells you why something is a certain way, creating the underlying understanding necessary to perform a task.
HOWTO vs WHYTO Outcome

HOWTO
• Individual can follow simple steps, but cannot operate independently, or perform anything not specifically discussed in HOWTO.

WHYTO
• Individual is capable of operating independently and to the fullest ability of available equipment, including the application of knowledge to situations not specifically mentioned in any document or briefing.
SB5100 HARDWARE: WHY YOU ALREADY HAVE IT WRONG

If you fail, you can always do social engineering consulting…
What does a SB5100 Consist Of?

• A cable modem is just a computer, so you're already halfway there:
  - Chipset: Broadcom BCM3348
  - Processor: 200 MHz MIPS-32 core with MMU
  - RAM: 16-bit SDRAM bus with 8MB RAM (upgradeable)
  - Storage: 2MB Flash ROM
  - OS: WindRiver VxWorks (UNIX-esque RTOS)
Trust

• Due to the nature of the DOCSIS infrastructure, most of the burden associated with authentication is placed solely on the cable modem.
• Even if DOCSIS 23985 comes out next year, it stands to reason that if you can undermine all the countermeasures put into the cable modem, you're still online while all the kids are waiting for someone to make a firmware update.
SB5100 FIRMWARE OVERVIEW

Advice is like assholes…
Sigma X2 - The Lips of an Angel

Pros
• Works without too much trouble
• Made by someone who wrote a book

Cons
• That somebody was DerEngel
• You have to pay for it
• Claimed to come with "value-added features" (backdoors)
• Since it, and everything else that goes with it (you'll need a licensed copy of schwartzekatze as well), requires a valid license, the idea of anyone actually paying for it so they can steal service defies all logic.
Sigma Stealth

Pros
• Cracked version of TCNiSO's firmware, meaning you save money.
• Usually has fixes to things DerEngel broke.
• All around stable firmware.

Cons
• Some versions are even harder to unpack than DerEngel's firmware, raising speculations as to the intentions of the author.
• With a name like Stealth Edition, you're bound to get caught.
Considerations

• If you simply want free internet access, the F[?]RCS-modified firmware is about as easy as it comes, requiring no knowledge of underlying commands.
DISASSEMBLING THE FIRMWARE

Since your firmware can't possibly be worse than anything else out there…
Tools Needed

• Image of firmware you wish to disassemble
• CMImageTool by BOLTAR
• LZMA
• WinHex
• IDA Pro Advanced
• JTAG cable and software (optional)
Obtaining Firmware

• Two types of firmware images:
  - Compressed .bin files (usually packed and compressed)
  - ROM dump images (already unpacked)
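The slide distinguishes packed .bin images from already-unpacked ROM dumps, and the tools list puts LZMA next to the image tool. The following is an added example, not code from the slides and not from CMImageTool, LZMA or any other tool listed, of the triage a researcher does before unpacking: scan an image for plausible LZMA "alone" headers (a properties byte, a little-endian dictionary size and an 8-byte uncompressed size), confirm each candidate by actually decompressing from that offset, and measure per-block Shannon entropy, since compressed data looks random and an unpacked dump of code, strings and tables does not. Both images are constructed in memory and are not SB5100 firmware; the 8-byte magic "SB5100FW" is an assumed placeholder, not a real header format.

```python
"""Firmware image triage: packed .bin or raw ROM dump? (added example)"""
import lzma
import math
import random
import struct
from collections import Counter

MAX_UNCOMPRESSED = 256 * 1024 * 1024  # sanity bound for the size field
UNKNOWN_SIZE = 0xFFFFFFFFFFFFFFFF     # LZMA "alone" streams may leave the size unset


def lzma_header_candidates(blob: bytes) -> list:
    """Offsets whose next 13 bytes look like an LZMA 'alone' header."""
    hits = []
    for off in range(0, len(blob) - 13):
        props = blob[off]
        if props >= 9 * 5 * 5:                        # lc + 9*lp + 45*pb must be < 225
            continue
        dict_size = struct.unpack_from("<I", blob, off + 1)[0]
        if not (4096 <= dict_size <= 64 * 1024 * 1024):
            continue
        if dict_size & (dict_size - 1):               # heuristic: encoders use powers of two
            continue
        usize = struct.unpack_from("<Q", blob, off + 5)[0]
        if usize != UNKNOWN_SIZE and not (0 < usize <= MAX_UNCOMPRESSED):
            continue
        hits.append(off)
    return hits


def try_decompress(blob: bytes, off: int):
    """Decompressed payload starting at `off`, or None if there is no LZMA stream there."""
    try:
        return lzma.LZMADecompressor(format=lzma.FORMAT_ALONE).decompress(blob[off:])
    except lzma.LZMAError:
        return None


def shannon_entropy(chunk: bytes) -> float:
    """Bits per byte: 8.0 is uniformly random, plain text sits around 4 to 5."""
    if not chunk:
        return 0.0
    n = len(chunk)
    return -sum(c / n * math.log2(c / n) for c in Counter(chunk).values())


def classify_image(blob: bytes, block: int = 1024, threshold: float = 7.0) -> dict:
    """Label an image 'packed', 'compressed-no-header' or 'rom-dump'."""
    verified = [off for off in lzma_header_candidates(blob)
                if try_decompress(blob, off) is not None]
    entropies = [shannon_entropy(blob[i:i + block]) for i in range(0, len(blob), block)]
    high = sum(e > threshold for e in entropies) / max(len(entropies), 1)
    if verified:
        kind = "packed"
    elif high > 0.5:
        kind = "compressed-no-header"   # random-looking, but no plain LZMA header found
    else:
        kind = "rom-dump"
    return {"kind": kind, "lzma_offsets": verified, "high_entropy_fraction": round(high, 2)}


# --- constructed samples (not real firmware) ---------------------------------
def make_rom_dump_sample() -> bytes:
    """Unpacked look-alike: repeated strings, zero padding and a small counter table."""
    return b"".join(b"VxWorks 5.4 SB5100 " + b"\x00" * 4 + i.to_bytes(4, "big")
                    for i in range(300))


def make_packed_sample() -> bytes:
    """Assumed 8-byte magic followed by an LZMA 'alone' stream of pseudo-random payload."""
    rng = random.Random(7)
    payload = bytes(rng.getrandbits(8) for _ in range(6000))
    return b"SB5100FW" + lzma.compress(payload, format=lzma.FORMAT_ALONE)


if __name__ == "__main__":
    for name, image in (("rom", make_rom_dump_sample()), ("packed", make_packed_sample())):
        print(name, classify_image(image))
```

On a real image the verified offset is where an unpacker should start, and the bytes before it are the vendor header that CMImageTool understands; the entropy fraction is what separates a dump that is merely unfamiliar from one that is compressed with a container the header scan does not know.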
Questions?