Time Warner Cable's 65,000 Routers Open to Hack

Status
Not open for further replies.

JasonAkkerman

Distinguished
Apr 28, 2008
457
0
18,790
4
There is an account that can be used to access any of their routers? Sounds like they left a backdoor open on purpose. Maybe for tech support reasons, but it's still a shady thing to do.
 

hellwig

Distinguished
May 29, 2008
1,743
0
19,860
26
[citation][nom]JasonAkkerman[/nom]There is an account that can be used to access any of their routers? Sounds like they left a backdoor open on purpose. Maybe for tech support reasons, but it's still a shady thing to do.[/citation]

Comcast was able to "remotely program" my Motorolla cable modem to be compatible with their network. I'm not sure what this means, maybe they did nothing and just added my MAC address into their system, but I wouldn't be surprised if all these devices had some sort of backdoor for the ISPs to use.

That said, it's ridiculous that simple javascript was used to "hide" the admin features. Your average user may not know how to bypass this, but obviously anyone savvy enough to even attempt to gain access to your router would know how to do this. And a universal account that can access each router? And that can be printed out in plain text? Unbelievable.
 

doomtomb

Distinguished
May 12, 2009
810
0
18,980
0
[citation][nom]hellwig[/nom]Comcast was able to "remotely program" my Motorolla cable modem to be compatible with their network. I'm not sure what this means, maybe they did nothing and just added my MAC address into their system, but I wouldn't be surprised if all these devices had some sort of backdoor for the ISPs to use.That said, it's ridiculous that simple javascript was used to "hide" the admin features. Your average user may not know how to bypass this, but obviously anyone savvy enough to even attempt to gain access to your router would know how to do this. And a universal account that can access each router? And that can be printed out in plain text? Unbelievable.[/citation]
My ISP was also able to remotely program my modem and see it. My ISP is Suddenlink.
 

intelliclint

Distinguished
Oct 20, 2006
69
0
18,640
2
AT&T U-verse using a similar "residential gateway" which is basically a DSL adapter and router combined. I wonder how secure it is. It even offers some remote file access. You have to use it if you’re using the IP-TV or the VoIP as it handles all of that on dedicated pipes.

First thing I did with mine is a full ip / port forward to a Linux server that functions as my router. I use a content filter / proxy for web traffic and intrusion detection. I do miss the lower latency I was getting with my old cable modem.
 

void5

Distinguished
Sep 7, 2009
12
0
18,510
0
hellwig & doomtomb:

Indeed you can upload new firmware to cable modem (CPE) remotely - but to do so you need admin access to CMTS your cable modem is physically connected too (and/or ISP servers if configuration details are stored outside of CMTS). CMTS hardware is quite costly. And any sane cable modem manufacturer would implement digital signing of firmware to thwart malicious "reflashing" attempts (so it is necessary to physically disassemble CPE and use special hardware to "flash" something non-official).

Insanity described is this article is sad yet typical example of "security" in real world...
 

JonathanDeane

Distinguished
Mar 28, 2006
1,469
0
19,310
6
[citation][nom]doomtomb[/nom]My ISP was also able to remotely program my modem and see it. My ISP is Suddenlink.[/citation]

Cable modems download a software update to enable different modes. Its how people hack there own cable modems to "uncap" them. Basically you run a "server" on your PC and update that file to say 100mpbs or what ever. Please note that this is totally illegal and will get you disconnected in a hurry (although I have heard small bumps in speed can be gotten away with) The cable company only updated a small file on your modem with your tier information and what version of DOCSIS they are using. This is unrelated to the story though. The story is only talking about the routers that the cable company can install for you, now with access like this I wonder if it would be possible to install a custom firmware something like tomato... With that kind of access one could have an almost instant 65,000 machine broadband botnet...
 

razor512

Distinguished
Jun 16, 2007
2,052
7
19,815
15
while it is a stupid mistake that should have never happened, at least time warner is fixing it.

PS currently many routers provided for verizon dsl and qwest dsl (not fios)

have the actiontec gt704wg or other actiontec series with a crappy bloated firmware from verizon. and guess what, they have remote access over the internet enabled by default and even though the password can be changed, the telnet password cant on some firmware versions, it also offers no protection against brute force attacks. a simply port scan of a range of like 100 ip's from either companies net block will lead to probably 20-30 vulnerable dsl gateways which are easy to log into

I have called verizon to tell them about this since I used to have a actiontec, the worker didn't understand what I was telling them.
 

jellico

Distinguished
Apr 17, 2009
622
0
18,980
0
This wouldn't really be a problem if you put decent router between their router/cable modem and your computer or network. And for Pete's sake, CHANGE THE DEFAULT PASSWORD!
 

SAL-e

Distinguished
Feb 4, 2009
383
0
18,780
0
[citation][nom]jellico[/nom]This wouldn't really be a problem if you put decent router between their router/cable modem and your computer or network. And for Pete's sake, CHANGE THE DEFAULT PASSWORD![/citation]
It is a big problem. If I can get access to TW router I will own your network in no time.
1. I will change your DNS settings and redirect all your traffic to proxy that I control.
2. I will monitor your traffic and collect all your passwords quite easy.
3. I can perform "men in the middle" attack. None of the security protocols will protect you if I can control your TW router.
 

wildwell

Distinguished
Sep 19, 2009
658
0
19,060
50
Oh man, I have Time Warner's cable internet and a Time Warner modem (says Comcast actually) but I don't use their router. I have lots of friends (at least three others) who have Time Warner and I think they all use the Time Warner wifi routers.
 

void5

Distinguished
Sep 7, 2009
12
0
18,510
0
leafblower29, your ISP can do quite a lot of things with your internet connection. And thanks to the stupidity of some ISPs malicious folks can do a lot of damage and remain anonymous...
 

JasonAkkerman

Distinguished
Apr 28, 2008
457
0
18,790
4
[citation][nom]hellwig[/nom]That said, it's ridiculous that simple javascript was used to "hide" the admin features. Your average user may not know how to bypass this, but obviously anyone savvy enough to even attempt to gain access to your router would know how to do this. And a universal account that can access each router? And that can be printed out in plain text? Unbelievable.[/citation]

It wouldn't take anyone that savvy. Using Firefox with the noscript plugin will disable javascript on all site, including local addresses.

I bet he was using the same setup and just stumbled on this security hole.
 

hemelskonijn

Distinguished
Oct 8, 2008
412
0
18,780
0
Nearly all ISP's have this kind of problem since they all want to be in control over there clients.
Any dutch ISP at the time of writing gives out a box they can remote update and reset which in my humble opinion that it is insecure.
Another downside to this would be all my carefully chosen settings are reset as soon as they update my modems/routers.
In my case since i have a multi-wan setup (2x(a)DSl + cable) i simply have to reset an exposed host (my dedicated multi-wan router/firewall).
But it should be in my control since no end user should be forced to reset port assignments every 14 days or so.

ISP's should just let go of their need to control our routers or at least give the end user a choice between being controlled or taking control.
At the moment your allowed to use your own hardware so you can eliminate needless updates that way, however it wont stay this way forever and even though i bought my own stuff there should be an option to kill remote updates/resets.
 

huron

Distinguished
Jun 4, 2007
2,420
0
19,860
43
This is simply amazing. It's hard to believe that in such a major company that a hole this large would be allowed to happen.

Isn't someone in charge of network security there? Something like this, even for the sake of remote access, should not happen. There are much more secure ways to make this happen.
 

wildwell

Distinguished
Sep 19, 2009
658
0
19,060
50
So Time Warner is working on a patch for their routers; are they going to use their backdoor to update the firmware with this patch? More importantly, will they close the door behind them when the leave?
 

jellico

Distinguished
Apr 17, 2009
622
0
18,980
0
[citation][nom]SAL-e[/nom]It is a big problem. If I can get access to TW router I will own your network in no time.1. I will change your DNS settings and redirect all your traffic to proxy that I control.2. I will monitor your traffic and collect all your passwords quite easy.3. I can perform "men in the middle" attack. None of the security protocols will protect you if I can control your TW router.[/citation]
First of all, if you re-route DNS, the change will show up in the logs of the secondary router which you don't control. The secondary router will prevent you from directly infiltrating my network from the compromised TW router. So even if I wasn't aware of the gaping security hole in the TW router, I would know something is up. You would have control of my network traffic for maybe a few minutes, and the only thing you would be seeing with your packet sniffer is ping and network traffic tests as I try to figure out the sudden increase in latency of my Internet traffic. It wouldn't take long to figure out that there was a problem with the TW router, and then I would focus my attention there. Since I still have physical control of the hardware, I would perform a reset and then monitor incoming traffic to the TW router.

Anyway, that's what I would do. Someone less sophisticated would still benefit by putting another router between the TW router and their network because the second router prevents a hacker from COMPLETELY infiltrating their home network. All banking and credit card transactions use SSL and TLS encryption protocols, so you won't gain anything from there. I don't know if online games take the same precautions, so you might be able to hijack someone's World of Warcraft account.

Honestly, though, if your intention is to do any of this, your efforts would bear more fruit if you went war driving and attacked networks with unsecured wireless APs. If they don't secure their wireless routers, then chances are their computers are going to be under-protected as well. Or, another thing you could do is go to someplace like a university campus, or airport where there is free wi-fi and plenty of people using it. Setup your laptop to look like local AP, and then being your packet sniffing and MitM attacks.

As I'm sure you well know, no amount of network security will prevent the intrusion of a determined and skilled adversary. It's more like putting bars on the windows and doors of your house. Sure, a burglar could still get in if he really wanted to; but why waste the time when the neighbor's house has no bars, and... look at that, the back sliding door is unlocked. That's the point I was trying to make with my original post.
 

jerreece

Splendid
[citation][nom]hellwig[/nom]Comcast was able to "remotely program" my Motorolla cable modem to be compatible with their network. I'm not sure what this means, maybe they did nothing and just added my MAC address into their system, but I wouldn't be surprised if all these devices had some sort of backdoor for the ISPs to use.That said, it's ridiculous that simple javascript was used to "hide" the admin features. Your average user may not know how to bypass this, but obviously anyone savvy enough to even attempt to gain access to your router would know how to do this. And a universal account that can access each router? And that can be printed out in plain text? Unbelievable.[/citation]

Come to think of it, I used to use Comcast, and they were able to remotely access info off my Motorola Surfboard at the time. I think they were even able to force it to perform a power cycle (reboot).

I have to say though, with regards to this news article. It's pretty pathetic that a company like Time Warner is using Javascript to protect sensitive features. Lots of browsers these days disable Javascript by default, and sometimes business machines may have Javascript disabled as part of their own virus protection to keep employees from inadvertently downloading trojans and such.
 

mharris80

Distinguished
Oct 18, 2009
17
0
18,510
0
[citation][nom]ravewulf[/nom]I'd like to say that I'm surprised by this idiocy, but I'm not.[/citation]

Same here. I used to use TW where I used to live because they had the fastest internet around. (plus a decent phone/cable/internet package deal) Unfortunately, I had all sorts of problems with them. I remember having to call tech support a few times to try and report a problem that was occuring on their end. The operator kept trying to insist that it had to be my problem. What took the cake was when she asked me what OS is used. When I responded with Linux, she said: "Linux? This is an operating system?" And then tried to tell me that was my problem. Needless to say, a few days later it got fixed, and sure enough it was their equipment and not mine. I hate ISPs.
 
Status
Not open for further replies.

ASK THE COMMUNITY