DOCSIS Insecure by Design[Self]


  • 8/12/2019 DOCSIS Insecure by Design[Self]

    1/42

2/42

Humor

Maybe Ted Stevens has a series of hacked modems and a drop amp at his place. Could this be the reason he thinks that the internet is a series of tubes?

3/42

Background

• Personal
  • Started working in the security industry at the age of 17.
  • Conducted SIPRNET Administration and Red Team Penetration Testing for the USMC.
  • I currently do research for SERC (Software Engineering Research Center), an NSF Industry/University Cooperative Research Center.
• Speech
  • A much shorter version of this presentation was given at the Spring 2008 SERC Showcase.
  • I have had various experts on this topic, such as bitemytaco from http://www.sbhacker.net, verify the information in this Defcon presentation.

4/42

What This Speech Will Cover

• Requirements (for our examples)
• Network Overview
• Anonymous Access

5/42

Requirements

• What do you need for our example?
  • Cable connection (to the cable company)
  • JTAG cable (MIPS EJTAG for our example)
• EJTAG stands for Enhanced Joint Test Action Group

6/42

7/42

Requirements In Depth (cont'd)

• Modify the SB5100 or buy a Premod
  • (available from sites like www.sbhacker.net)

8/42

Requirements In Depth (cont'd)

• Program the SB5100 using SchwarzeKatze.

9/42

Modified Firmware

• Abilities of SI

10/42

Cable Network Overview

11/42

Anonymous Internet Access

• For our example of anonymous internet access, we will be using Comcast.
• Why Comcast?
  • According to Alex

12/42

Faster Speeds

• Anonymous access is good, but faster anonymous access is better.
• In order to increase speeds, you can specify a faster configuration file to use or upload your own.
• You can specify a TFTP server IP address, but on Comcast almost every TFTP server has the same configuration files.
• Some example configuration files that Comcast uses:
  • DOCSIS 1.0
    d10_m_sb5100_speedtierextreme2_c05.cm = 16/2
    d10_m_sb5100_showcase_c01.cm = 55/5
    d10_m_na_c05.cm = 0/0 (unrestricted)
  • DOCSIS 1.1
    d11_m_sb5100_speedtierextreme2_c05.cm = 16/2
    d11_m_sb5100_showcase_c01.cm = 55/5
    d11_m_na_c05.cm = 0/0 (unrestricted)

13/42

Changing the Configuration File

• Navigate to http://192.168.100.1:1337
• You can either specify a file that exists and the server that it exists on (blank for your ISP's tftp server) or you can upload your own.

14/42

Techniques for Remaining Anonymous

• Disable Reading the Modem with SNMP
  • cd /
  • cd snmp
  • view_v1v2 noaccess
  • y
  • cd /
• Hide the Modem's HFC IP Address (You cannot hide CPE IP addresses)
  • cd /
  • cd non-vol
  • cd snmp
  • hide_ipstack_ifentries true
  • write
• Hide Reported Software Version (system OID)
  • cd /
  • cd snmp
  • delete sysDescr
  • write

15/42

Field Results

• Various members of SOLDIERX and other groups have reported high success rates with zero signs of detection
  • Durandal has a high-use server that has been online for over 15 months
  • An anonymous individual has a machine on a business configuration that has been seeding torrents steadily for 6 months
  • Many people have as many as 8 modems running concurrently
  • In all of these scenarios, the individuals are paying for service. They are simply splicing their line to add additional modems

16/42

Cloning

• Cloning is where you use another customer's MAC address in order to get the same service they are paying for.
• Due to the way the system is set up, you have to use the MAC address of a customer that is on a CMTS other than yours.
• This method is not as stealthy because your modem is now tied to somebody else's account.

17/42

Cloning (Cont'd)

• The CMTS (Cable Modem Termination System) does not prevent the cloning of a MAC address from Node 3 to Node 1.

18/42

19/42

How Anonymous Are You?

• The Operations Support System is unable to pinpoint a modem to an exact location due to the design of the legacy cable network.
• Currently, detection only goes as far as the Node where the modem in question is located.
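The cloning slides state that the CMTS does not stop a MAC address from being cloned from one node to another, and that the operator's OSS can only narrow a modem down to its node. The defender's view of the same fact is that a cloned modem identity is visible from the headend as one MAC registering from two places at nearly the same time. The following Python script is an added example and is not material from the talk: it reads constructed registration records (timestamp, CMTS, node, MAC; the record format and field names are assumptions, not a real CMTS log format) and flags any MAC that appears on more than one CMTS/node pair within a time window, so that a customer who legitimately moves house is not reported as a clone.

```python
"""Flag cable-modem MAC addresses that register from more than one CMTS/node.

Added example, not code from the talk. The registration record layout
(timestamp, CMTS name, node name, MAC) is an assumption made for this demo.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample registration records (not real data).
# One record per line: <ISO timestamp> <cmts> <node> <mac>
SAMPLE_LOG = """\
2008-05-01T10:00:00 cmts-a node-1 00:11:22:33:44:55
2008-05-01T10:05:00 cmts-a node-1 00:11:22:33:44:66
2008-05-01T10:07:00 cmts-b node-3 00:11:22:33:44:55
2008-05-02T09:00:00 cmts-a node-2 00:11:22:33:44:77
2008-05-09T09:00:00 cmts-c node-4 00:11:22:33:44:77
"""


def parse_registrations(text):
    """Parse one registration per line into (time, cmts, node, mac) tuples."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, cmts, node, mac = line.split()
        records.append((datetime.fromisoformat(ts), cmts, node, mac.lower()))
    return records


def find_clones(records, window_days=1):
    """Return {mac: sorted [(cmts, node), ...]} for every MAC seen on more than
    one CMTS/node pair within `window_days` of another sighting.

    Two sightings of the same MAC far apart in time look like a modem that was
    moved (customer relocated, equipment swapped), so only sightings inside the
    window count as a clone: the same identity cannot be in two nodes at once.
    """
    window = timedelta(days=window_days)
    sightings = defaultdict(list)
    for ts, cmts, node, mac in records:
        sightings[mac].append((ts, cmts, node))

    clones = {}
    for mac, seen in sightings.items():
        seen.sort()  # chronological order, then compare neighbours
        locations = set()
        for prev, cur in zip(seen, seen[1:]):
            same_place = cur[1:] == prev[1:]
            if not same_place and cur[0] - prev[0] <= window:
                locations.add(prev[1:])
                locations.add(cur[1:])
        if locations:
            clones[mac] = sorted(locations)
    return clones


if __name__ == "__main__":
    for mac, places in find_clones(parse_registrations(SAMPLE_LOG)).items():
        print(f"possible clone: {mac} seen at {places}")
```

Run the file directly to print the flagged MACs. With the default one-day window, only the MAC that appears on cmts-a/node-1 and cmts-b/node-3 seven minutes apart is reported; the MAC that reappears on a different node a week later is treated as a relocation. Widening `window_days` trades fewer missed clones for more false alarms on moved equipment.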

20/42

How Anonymous Are You? (cont'd)

• Some ISPs poll for poor signal levels.
  • The technician will disconnect each line to find out which line is causing the signal loss.
  • You can prevent this by using an amp if your signal strength is too low. We personally like the BDA-S1 Broadband Drop Amp from Motorola.
  • The downstream should be between -15 and +15 dBm and the upstream should be between -35 to -5 (Upstream is always negative).
• Many ISPs perform routine checks on lines that should not be connected in order to verify that they are not.
  • Many ISPs use colored tags to identify the account and service.

21/42

Throwing Up a Red Flag

• Not using previously discussed techniques for remaining anonymous
• Excessive torrenting
• FTP/Web Servers (hosting Warez/Porn or other types of heavily used services)
• Uncapping on cloned MAC addresses
• Splitting the connection too many times will weaken the signal and can cause techs to come out to check it.

22/42

Precautions to Take

• Do not transfer personal information over unencrypted connections
• Keep an eye out for the party van (or cable technicians)
• Pay for service on one modem and have another one hooked up that is modified for anonymous internet.
• Remove line identifiers to assist in anonymity (especially at apartment complexes)

23/42

Response From the SERC Showcase

• Anonymous Internet was not nearly as much of a concern as BPI/BPI+ in DOCSIS 1/1.1/2.
  • The maximum privacy that is offered via encryption is 56-bit DES.

24/42

Thanks

• Thanks to bitemytaco of SBH (http://www.sbhacker.net) for reviewing the information in these slides.
• Anonymous network technicians that answered questions about OSS.
• Thanks to DerEngel of TCNiSO for starting mainstream cable modem hacking.
• Anonymous cable modem hackers that told me their stories and gave me enough information to verify it.

http://www.sbhacker.net/

25/42

Cable Modem Hardware

Or How I Learned to Relax and Love the Surfboard

Enter Durandal

26/42

Abstract

• Presenter Background
• WHYTO versus HOWTO
• SB5100
  • Just another Computer
• Currently Available Firmware and Features
• Firmware Reverse Engineering
• Firmware Modification

27/42

Abstract - Translated

• Why you should listen to what I have to say
• Why you shouldn't listen to random people on forums
• Why you shouldn't panic
• How to avoid obsolescence by not being dumb
• Proof it doesn't take an angel to impress people

28/42

Background Information

• Active in the underground community since 1998
• Arabic Linguist 2002-2004
• J TS trainer under some of the most respected leadership in Army Intelligence 2003-2004

29/42

HOWTO vs WHYTO

HOWTO
• Tells you how to do something in a methodical, step by step method, allowing one to perform a task without understanding it.

WHYTO
• Tells you why something is a certain way, creating the underlying understanding necessary to perform a task.

30/42

HOWTO vs WHYTO Outcome

HOWTO
• Individual can follow simple steps, but cannot operate independently, or perform anything not specifically discussed in HOWTO.

WHYTO
• Individual is capable of operating independently and to the fullest ability of available equipment, including the application of knowledge to situations not specifically mentioned in any document or briefing.

31/42

SB5100 HARDWARE: WHY YOU ALREADY HAVE IT WRONG

If you fail, you can always do social engineering consulting…

32/42

What does a SB5100 Consist Of?

• A cable modem is just a computer, so you're already halfway there:
  • Chipset: Broadcom BCM3348
  • Processor: 200 MHz MIPS-32 core with MMU
  • RAM: 16-bit SDRAM bus with 8MB RAM (upgradeable)
  • Storage: 2MB Flash ROM
  • OS: WindRiver VxWorks (UNIX-esque RTOS)

33/42

Trust

• Due to the nature of the DOCSIS infrastructure, most of the burden associated with authentication is placed solely on the cable modem.
• Even if DOCSIS 23985 comes out next year, it stands to reason that if you can undermine all the countermeasures put into the cable modem, you're still online while all the kids are waiting for someone to make a firmware update.

34/42

SB5100 FIRMWARE OVERVIEW

Advice is like assholes…

35/42

36/42

Sigma X2 • The Lips of an Angel

PRO
• Works without too much trouble
• Made by someone who wrote a book

CON
• That somebody was DerEngel
• You have to pay for it
• Claimed to come with "value-added features" (backdoors)
• Since it, and everything else that goes with it (you'll need a licensed copy of SchwarzeKatze as well), requires a valid license, the idea of anyone actually paying for it so they can steal service defies all logic.

37/42

Sigma Stealth

PRO
• Cracked version of TCNiSO's firmware, meaning you save money.
• Usually has fixes to things DerEngel broke.
• All around stable firmware.

CON
• Some versions are even harder to unpack than DerEngel's firmware, raising speculations as to the intentions of the author.
• With a name like Stealth Edition, you're bound to get caught.

38/42

Considerations

• If you simply want free internet access, the F RCS-modified firmware is about as easy as it comes, requiring no knowledge of underlying commands.

39/42

DISASSEMBLING THE FIRMWARE

Since your firmware can't possibly be worse than anything else out there…

40/42

Tools Needed

• Image of firmware you wish to disassemble
• CMImageTool by BOLTAR
• LZMA.EXE
• WinHex
• IDA Pro Advanced
• JTAG cable and software (optional)

41/42

Obtaining Firmware

• Two types of firmware images:
  • Compressed .bin files (usually packed and compressed)
  • ROM dump images (already unpacked)

42/42

Q/A

• Questions?