Insecure Cable networks ?
Is it a common practice on cable network providers to leave access to the cable modem/router management web UI wide open?

Here is the scoop. I heard about it but didn't experience it hands on or see it myself until recently, when I was testing one of the embedded TCP/IP boards I produce, which like many other IP gadgets has a mini HTTP server that I access by just typing the IP address of the thing. In my home lab, on an IPv4 address in 10/8 (not very uncommon), I screwed up and made a typo in the IP address and ended up on a different device's web UI, an Ambit cable modem. Hmmm, my modem is from Toshiba. I tried the default factory password, it worked!! Not only that, this thing is several cities, hundreds of miles, away from here .. ehhh?

I fired up nmap, tried several 10/24 networks and, just playing by hand, found hundreds of devices, and on every single one where I tried the default password it worked: not only modems, also modem/routers and some with integrated VoIP where, if I wanted, I would have been able to change provisioning configuration, channel scanning, browse through the call manager logs and see who's calling or being called, etc.

Isn't this a huge security hole? It won't take much for a kiddie to write a very simple script to drive the NOC guys crazy, taking down pieces of the network here and there ...

If a grownup from TWC/RR wants to get more specifics feel free to contact me.

Regards
On Fri, Feb 5, 2010 at 9:43 PM, Jorge Amodio <jmamodio@gmail.com> wrote:
Is it a common practice on cable network providers to leave access to the cable modem/router management web UI wide open ?
it's very common for a CM to operate a web page, usually http://192.168.100.1/, that offers the local user diagnostic capabilities. it should not, however, provide administrative access. that said, in some of the newer "gateway" style modems, some administrative access to the CPE side can be made available via the use of split configuration. regards, /steve -- Steven J. Schecter
There are knobs on most models to restrict access to the GUI to:
- the LAN interface
- certain mgmt subnets.

Sounds like the MSO doesn't have things set up correctly.

Frank
On 6/02/2010, at 1:43 PM, Jorge Amodio wrote: <snip>
fired nmap, tried several 10/24 networks and just playing by hand found hundreds of devices and every single one I tried default password it worked, not only modems, also modem/routers and some with integrated VoIP where if I wanted I would have been able to change provisioning configuration, channel scanning, browse through the call manager logs and see who's calling or being called, etc.
Isn't this a huge security hole ?
It won't take much for a kiddie to write a very simple script to drive the NOC guys crazy, taking down pieces of the network here and there ...
If a grownup from TWC/RR wants to get more specifics feel free to contact me.
Regards
Yes, this is a huge security hole. Management networks should always be restricted to some extent, and the fact that default passwords allow you into VoIP gateways provides an avenue for call fraud. At a very minimum the devices should restrict which addresses can talk to them (i.e. management servers in the MSO) and passwords should be non-default.

Maybe you can consult with the local MSO?

Kind regards,
Truman
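Frank's and Truman's point, that a modem's web UI should answer only to its own LAN side and to the MSO's management servers, can be checked after the fact from access logs. The following is an added example, not code from anyone in this thread; the log line format, the 10.250.0.0/16 management prefix and the sample log lines are all constructed.

```python
"""Flag cable-modem web-UI hits from addresses that are neither the MSO's
management servers nor the modem's own LAN side. Added example; the log
format and every address below are constructed, not from the thread."""
import ipaddress
import re
from collections import defaultdict

MGMT_PREFIXES = [ipaddress.ip_network("10.250.0.0/16")]    # assumed MSO mgmt servers
LAN_PREFIXES = [ipaddress.ip_network("192.168.100.0/24")]  # CPE side behind the modem

# Constructed line format: "<modem_ip> <client_ip> <method> <path> <status>"
LOG_RE = re.compile(r"^(\S+) (\S+) (GET|POST) (\S+) (\d{3})$")
SAMPLE_LOG = """\
10.12.34.56 10.250.1.10 GET /status.html 200
10.12.34.56 10.12.34.57 GET /login.html 200
10.12.34.56 10.77.8.9 POST /login.cgi 200
10.40.2.3 10.250.1.11 GET /tools.html 200
10.40.2.3 10.77.8.9 POST /tools/password.cgi 200
10.40.2.3 192.168.100.10 GET /status.html 200
"""

def is_allowed(client_ip, prefixes):
    """True if client_ip falls inside any of the given prefixes."""
    ip = ipaddress.ip_address(client_ip)
    return any(ip in net for net in prefixes)

def audit(log_text, mgmt=MGMT_PREFIXES, lan=LAN_PREFIXES):
    """One alert per hit whose source is outside the mgmt and LAN prefixes;
    POSTs are tagged 'write' because they may change password or scan plan."""
    alerts = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # line does not follow the assumed format
        modem, client, method, path, status = m.groups()
        if is_allowed(client, mgmt + lan):
            continue
        alerts.append({"modem": modem, "client": client, "method": method,
                       "path": path, "status": int(status),
                       "severity": "write" if method == "POST" else "read"})
    return alerts

def sweep_sources(alerts, min_modems=2):
    """Clients that reached several different modems: the sweep pattern the
    thread describes, as opposed to a single misrouted request."""
    touched = defaultdict(set)
    for a in alerts:
        touched[a["client"]].add(a["modem"])
    return {c: len(m) for c, m in touched.items() if len(m) >= min_modems}
```

Running `audit(SAMPLE_LOG)` on the constructed log flags three hits, two of them writes from 10.77.8.9, which `sweep_sources` then reports as having touched two different modems.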
Yes, this is a huge security hole. Management networks should always be restricted to some extent, and the fact that default passwords allow you into VoIP gateways provides an avenue for call fraud. At a very minimum the devices should restrict which addresses can talk to them (i.e. management servers in the MSO) and passwords should be non-default.
If I were them or involved in the operation of their network I should start with an audit. Obviously I didn't change or try to change anything; the few cases where I tried to gain access to some randomly selected devices/locations were just to confirm that, IMHO, there is a big exposure here.

For example, I found devices such as an integrated modem and wireless router where, if I wanted, I would have been able to enable WiFi guest access or change the existing WiFi configuration such as SSID, keys, etc.

Some modems don't seem to provide access via port 80. I didn't scan for any other potential ports or back doors (such as SNMP ports, etc.); they simply show the message "Access to this web page is currently unavailable."

The most popular/used device, judging by the number of times I got the same interface for the few (less than 100) IPs I tried, seems to be the Ambit modem. The main page shows sort of general modem information, something like:

Cable Modem Information
Cable Modem : DOCSIS 1.0/1.1/2.0 Compliant
MAC Address : 00:1F:XX:XX:XX:XX
Serial Number : REMOVED
Boot Code Version : 2.1.6d
Software Version : 2.105.1008
Hardware Version : 1.20
CA Key : Installed

Gaining access to the modem is quite simple. On the left there is a frame that has a Login link and says "Factory default username/password is "user"", which actually worked on all the ones I found and tried. In the right hand corner there are two links, one that says Modem and the other that says Tools; if I click on Tools I see at least two options, one that takes me to a form page to change the password, and the other to change the Frequency Scanning Plan. Again, I didn't try to change anything to confirm that it is actually possible, but I have the hunch that it is.
Another case could be an integrated modem/router with VoIP features such as Motorola's SurfBoard. The standard management interface, without even logging in to the thing, provides plenty of information, don't know how useful, but there is a link that says "Advanced" which requires you to enter a password. Don't waste much of your brain, the password is simply "motorola". With that you get access to more information including MGCP logs. I didn't analyze the logs in detail but it didn't take much effort to find out that a guy was being called by a collection department of Wells Fargo Bank from an Oregon (503) number. In another case I saw a log entry that could be interpreted as a dialed-out number.

In summary, I don't believe that any customer should have access to any other customer's device in such a way that you can alter the provisioning of a service or snoop and see how the service is being used; this raises not only security but privacy concerns. I didn't use any scripts or try any heavy tools or hacking; mine is a very minuscule sample of what seems to be a widespread bad practice or mismanaged network configuration.

Ryan, thanks for your message. I checked and saw that you work for TWC in the Albany area, but no offense, I have no problem sharing more details and cooperating, only if contacted by a "grownup" honcho in charge of networking/security.

I promise, I won't break anything ...

Cheers
Jorge
participants (4)
- Frank Bulk
- Jorge Amodio
- Steven Schecter
- Truman Boyes