March 1, 2010

Reality Check: How Secure are Modems?

The two biggest challenges to cable modem security lie in protecting the operator from service theft and protecting consumers from cyber attacks. Both weaknesses tend to fly under the radar.

"Security management is one of those things that tend not to get a lot of attention because it does not bring in any revenue," Scott Helms, vice president of technology at Zcorum, said. "A lot of cable operators don’t pay attention to it unless they have a problem."

The worst problem that most MSOs have is when individuals replace the firmware on their modems. Paul Scarff, director of product management, Sigma Systems, said the most exploited problem is theft of service, where a hacked modem requests a configuration file that supports a higher class of services.

Websites such as cablehack.net sell old Motorola Surfboard modems that consumers can reprogram easily. Although one of the owners of Cablehack, Thomas Swingler (aka DerEngel), faced a six-count indictment in November 2009, the site continues to sell the modems. The site now says that it can only sell un-modified cable modems, but provides consumers instructions and firmware for reprogramming the modems themselves.

Some consumers will steal service outright, by reconfiguring their modem to imitate or "spoof" a legitimate media access control (MAC) address.

When the cable operator has migrated the whole network to DOCSIS 1.1 and above, this type of theft is likely to raise a red flag. It is more common on older systems in which the operator has chosen to remain backwards compatible with DOCSIS 1.0 modems.

On older networks, operators might find that they have some piracy, but don’t know how to lock out the pirates without angering legitimate paying consumers. If the problem is small, the costs of upgrading the network or finding the pirates might not justify the rewards of reducing piracy.

The other side of cable modem security lies in protecting consumers from attacks on the cable modems themselves.

For example, Time Warner Cable’s deployment of SMC8014 integrated cable modem/Wi-Fi routers left the devices vulnerable to hackers who could use them to gain access to the routers of about 65,000 customers. Last October, Time Warner reported taking steps to correct the problem.

David Chen, the software developer and blogger (chenosaurus.com) who discovered the vulnerability, said that by disabling JavaScript on his browser he could read the administrative user name and password of the modems. This same user name and password could access the administrative panels for all of the routers he scanned. Chen said the most serious problem would be if a hacker changed the DNS settings, which could redirect customers to fraudulent banking sites designed to steal banking credentials. This kind of vulnerability might not be that much of a problem if the operator properly configures the DOCSIS settings on the CMTS, according to Chris Busch, vice president broadband technologies, Incognito Software.

Busch said the DOCSIS configuration file can implement Layer 2 and Layer 3 filters and drop out any source IP addresses not matching that of the LAN side of the cable modem.

Sigma Systems’ Scarff said operators could reduce cable modem threats by taking these measures:

  • Control who has access to the CMTS.

  • Keep config files away from config servers.

  • Re-synch cached config files.

  • Use BPI+ to detect MAC moving between agents.

  • Track MACs that attempt to roam.

  • Encrypt config files specific to MACs requesting service and deny other devices requesting same file.

  • Dynamically filter DHCP MACs.
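As an added illustration (not code from the article or from any vendor quoted in it), the sketch below shows how two of these checks could run over registration records: flagging a MAC that shows up on a different CMTS within a short window, and flagging a modem that requests a config file other than the one it is provisioned for. The log format, CMTS names, MAC addresses and config file names are all constructed for the example.

```python
from datetime import datetime, timedelta

# Constructed sample events: timestamp, CMTS, modem MAC, config file requested.
# This is a hypothetical format, not a real CMTS or TFTP server log.
SAMPLE_EVENTS = """\
2010-03-01T10:00:00 cmts-a 00:11:22:33:44:01 silver.cfg
2010-03-01T10:02:00 cmts-a 00:11:22:33:44:02 gold.cfg
2010-03-01T10:05:00 cmts-b 00:11:22:33:44:01 silver.cfg
2010-03-01T10:06:00 cmts-a 00:11:22:33:44:01 silver.cfg
2010-03-01T18:30:00 cmts-b 00:11:22:33:44:03 bronze.cfg
2010-03-02T09:00:00 cmts-a 00:11:22:33:44:03 bronze.cfg
"""

# Constructed provisioning records: the config file each MAC is entitled to.
PROVISIONED = {
    "00:11:22:33:44:01": "silver.cfg",
    "00:11:22:33:44:02": "bronze.cfg",
    "00:11:22:33:44:03": "bronze.cfg",
}


def parse(text):
    """Yield (timestamp, cmts, mac, config_file) for each non-empty line."""
    for line in text.splitlines():
        if line.strip():
            ts, cmts, mac, cfg = line.split()
            yield datetime.fromisoformat(ts), cmts, mac.lower(), cfg


def find_anomalies(text, provisioned, window=timedelta(minutes=30)):
    """Return (roaming, wrong_config) lists of findings.

    roaming: the same MAC registering on a different CMTS within `window`,
             which a single physical modem should not be able to do.
    wrong_config: a MAC requesting a config file it is not provisioned for
                  (unknown MACs are reported with expected=None).
    """
    last_seen, roaming, wrong_config = {}, [], []
    for ts, cmts, mac, cfg in sorted(parse(text)):
        expected = provisioned.get(mac)
        if expected != cfg:
            wrong_config.append((mac, cfg, expected))
        prev = last_seen.get(mac)
        if prev and prev[1] != cmts and ts - prev[0] <= window:
            roaming.append((mac, prev[1], cmts, ts))
        last_seen[mac] = (ts, cmts)
    return roaming, wrong_config
```

The 30-minute window is an arbitrary example value; a modem that legitimately moves between service areas the next day, like the third MAC in the sample, is not flagged.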

-George Lawton is a contributor to Communications Technology.







