The thing though is that in most countries you don't actually own the modem, it stays property of the ISP. And because of that you are locked out, and often you can't even run a firmware update even if you have the technical knowledge.
Really, ISPs should be held responsible for this. It is their equipment so they should also maintain it.
For me this is the reason my 'modem' is still in the original box, I've installed my own equipment which I maintain myself. Granted, I am lucky because I have a fiber connection to my home, so really all I needed was an SFP module for my Edgerouter. I also live in a country where ISPs are required to support running your own equipment. With cable this becomes a lot harder or even impossible due to all kinds of network specific systems such as DOCSIS.
A few years ago, I got my optical cable modem from my ISP, and I immediately found that the real admin account was locked from me, only accessible by the ISP. So I couldn't just PPPoE and get my connection, but I had to use the NAT on the modem. After a quick web search, I realized there are plenty of ISP/OEM management interfaces and backdoors in the modem. Although the documented backdoor has been disabled, I eventually found my way to a root shell, so I could change the mode to bridged w/ PPPoE.
Meanwhile, I always use my own router behind the modem, with an additional firewall blocking all the incoming connections from the modem's IP address. I absolutely don't have the slightest trust in these modems. If I cannot change the modem, at least I can isolate the problem away from my routers (and use encrypted protocols as much as possible). Attackers are free to execute arbitrary code on my modem; I'll simply treat the modem as part of the untrusted Internet, which can be as dangerous as a hacked modem.
¹ As far as is relevant in this context.
The unfortunate thing is how the code has propagated from Broadcom across many vendors to even more ISPs, and how getting in touch with every affected ISP is a bit of a mess. Hence our attempt at branding, as this has a better chance of getting non-technical focus, which seems to be the way to reach many ISPs these days.
> With cable this becomes a lot harder or even impossible due to all kinds of network specific systems such as DOCSIS.
You're probably on a PON which doesn't use DOCSIS exactly but it's still doing TDM and/or WDM multiplexing because you're sharing a laser diode with a bunch of your neighbors - the ONT transceives the multiplexed laser signal. You're still dealing with DOCSIS-like functionality.
If you tapped someone's fiber line, all the traffic between the ISP headend and customer premises (OLT and ONT if we're talking fiber) will be encrypted. In fact on a PON network using TDM it has to be, because if you stared down your own fiber you would be seeing all your neighbors' traffic as you're all time-sharing the same laser diode at the ISP headend (because it's a passive network, you will be seeing your neighbor's traffic when the diode is transmitting outside of your designated time cycle).
Anyway my only point was to inform OP that contrary to their belief, they effectively are in the situation of having an ISP-owned modem.
There's also an additional VLAN 301 for TR069 management traffic, which is used by the HG612 modems (and possibly others) that Openreach used to enjoy flinging at all VDSL subscribers. The modem itself claims an IP address in this VLAN.
Although usually hidden from the end-user, it's actually surprisingly easy to drop yourself onto VLAN 301 even with the HG612 and get an IP address on that management network. I imagine that this is the kind of way that modem exploits become dangerous if they are indeed routable on networks like this.
All ISPs I've ever seen in the US allow you to use your own router.
Comcast has at least now made equipment returns easier through UPS franchises; historically, it could take hours at an understaffed, low-budget facility to return an item. And if you didn't, you'd often expect to argue with collections.
It's their way of charging me to use my own modem (which I believe is illegal), hidden behind the ruse of it being a discount to rent theirs.
Then buy better modems. My current modem is 4 years old and functions as well as it did on day 1.
If they weren't making money on it they wouldn't sell it to you as an option. Sure, the "insurance" might be nice, but over time they're making money off of you.
Importantly, the company I mention historically had such a bad satisfaction experience that it was rated lowest for customer experience; the issues were such that they rebranded. With their contractor model it was regularly the experience of customers that the install went through 2 or 3 cheap cable modems until one worked, in combination with their MAC locking, DNS poisoning, data caps and almost daily scheduled downtimes.
Though I'm still not sure how it's a decent price to pay $120 for something that retails for $60.
* there was any choice in the market
* my satisfaction was actually guaranteed
* the cost of switching was low (it will take at least a day of coordination to end one service and start the second)
It’s quite possible that, similar to the situation in the Netherlands, the rules don’t align with the opinion of the appointed authority and any appeal is nullified by an endless stream of denials and delays.
For a truly determined citizen or group it would be possible to work through the national and European legal system and force the authority to do its job but it takes a very long time and a lot of money and determination.
They may technically own the modem, but you're on your own to keep it running.
The cable modems I've interacted with all seem to be immutable infrastructure: their state consists of 1. a signed firmware image; 2. a DOCSIS initialization packet received upon network registration (essentially equivalent to a cellular "carrier profile"); 3. a set of saved preferences; and 4. some volatile working state, like ARP tables or WPA encryption-stream key state.
#4 gets trashed on reboot; #3 shouldn't be large enough (or executable) in a way where programs can run from it; #2 gets overwritten every time the network reconnects; and so the only place to put a persistent malware vector should be #1. And #1 can only be written to using signed code (sort of like Intel CPU microcode.)
So what's the problem that can't be solved by rebooting the modem?
Never thought about it that way. I agree.
> All ISPs I've ever seen in the US allow you to use your own router.
I'm not familiar with the US market, I was speaking from my personal experience with EU based ISPs. I should have made that clear.
Ubiquiti cares much more about frequent software updates and the general security and reliability of their gear. The cable companies push trash, because they can get away with it in most cases.
In this particular case, I don't know if my modem is affected, but I don't really care: it's part of the operator's network, beyond the security boundaries of my network.
I mean, yes, it is a problem, but so is any networking device anywhere on the Internet — as soon as the traffic leaves my network, all bets are off.
The point is not to allow operator-managed crappy devices (like cable modems) into my network.
Privacy matters more now than it did in the 1980s, and in today's age, having every website operator see your IP address isn't really cool.
Back when I was a Comcast customer I did find it useful when I was in an area with no - or too slow - mobile-data connections.
I assume that traffic on that network is always QoS'd to lowest priority, but I've never used it (I don't use a BT router).
They never disabled my account - I now get worldwide FON roaming for free forever - yay!
I wouldn't want that kind of traffic flowing through my IP address, even if it was only for legal reasons.
If you are just a relay, the content is encrypted and your chances of liability are low. Same goes if you are promoted to a guard node.
It's not just liability; for me it's also ethics. It gives me peace of mind that I am not contributing towards these practices.
Sometimes you have to look at the big picture when making ethical decisions.
Paying tax is mandatory, unlike installing a tor node on your modem.
How did the bank block you? By blocking your ip or your user account?
Cox is also very prone to turning off your internet at random times due to botnet traffic looking like it's originating from inside your network.
> Cable Haunt is exploited in two steps. First, access to the vulnerable endpoint is gained through a client on the local network, such as a browser. (emphasis mine)
This issue is based on WebSockets where the software on the modem:
a) Doesn't verify any of the origin headers sent, so any origin works (rebinding is designed to beat origin checks)
b) Copies an uploaded message straight onto the stack without doing any size checks
Edit: or you could get them to click on a link
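The two server-side checks whose absence the comment above describes, as an added example and not code from the thread, the article, or any modem vendor: a WebSocket handshake is accepted only when both the Host and Origin headers name the device itself (a page served from an attacker's domain and rebound to the device's IP still carries the attacker's hostname in those headers, so it is refused), and a frame payload is copied into a fixed stack buffer only after its length is checked. The device hostnames, the management address 192.168.100.1, the buffer size and the two sample handshakes are all constructed for illustration.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>
#include <stdbool.h>
#include <stddef.h>

#define MSG_MAX 256   /* assumed size of the on-stack message buffer */

/* Names under which the device legitimately expects to be addressed (assumed). */
static const char *const allowed_hosts[] = { "192.168.100.1", "modem.local", NULL };

/* Copy the value of one header out of a CRLF-separated HTTP request.
 * Returns false if the header is absent or its value does not fit in out. */
static bool get_header(const char *req, const char *name, char *out, size_t outlen)
{
    size_t nlen = strlen(name);
    const char *line = req;
    while (line && *line) {
        const char *eol = strstr(line, "\r\n");
        size_t linelen = eol ? (size_t)(eol - line) : strlen(line);
        if (linelen > nlen + 1 && strncasecmp(line, name, nlen) == 0 && line[nlen] == ':') {
            const char *val = line + nlen + 1;
            while (*val == ' ') val++;
            size_t vlen = (size_t)(line + linelen - val);
            if (vlen >= outlen) return false;
            memcpy(out, val, vlen);
            out[vlen] = '\0';
            return true;
        }
        line = eol ? eol + 2 : NULL;
    }
    return false;
}

/* Does "host" or "host:port" name this device? */
static bool host_allowed(const char *hostport)
{
    char host[128];
    size_t n = strcspn(hostport, ":");
    if (n >= sizeof host) return false;
    memcpy(host, hostport, n);
    host[n] = '\0';
    for (size_t i = 0; allowed_hosts[i]; i++)
        if (strcasecmp(host, allowed_hosts[i]) == 0) return true;
    return false;
}

/* Origin is "scheme://host[:port]"; its host part must be one of ours. */
static bool origin_allowed(const char *origin)
{
    const char *p = strstr(origin, "://");
    return p ? host_allowed(p + 3) : false;
}

/* Accept the upgrade only if Host and Origin both name this device.
 * Browsers always send Origin on a WebSocket handshake, so its absence is a refusal. */
bool handshake_allowed(const char *request)
{
    char host[128], origin[128];
    if (!get_header(request, "Host", host, sizeof host)) return false;
    if (!get_header(request, "Origin", origin, sizeof origin)) return false;
    return host_allowed(host) && origin_allowed(origin);
}

/* Copy a frame payload into the fixed buffer only if it fits (with room for a NUL).
 * Returns the number of bytes copied, or -1 if the payload is too large. */
int copy_message(char dst[MSG_MAX], const unsigned char *payload, size_t len)
{
    if (len >= MSG_MAX) return -1;   /* the bound the comment says is missing */
    memcpy(dst, payload, len);
    dst[len] = '\0';
    return (int)len;
}

/* Constructed handshakes: one from the device's own page, one from a rebound domain. */
static const char good_req[] =
    "GET /spectrum HTTP/1.1\r\n"
    "Host: 192.168.100.1:8080\r\n"
    "Upgrade: websocket\r\n"
    "Origin: http://192.168.100.1\r\n"
    "\r\n";
static const char rebound_req[] =
    "GET /spectrum HTTP/1.1\r\n"
    "Host: attacker.example:8080\r\n"
    "Upgrade: websocket\r\n"
    "Origin: http://attacker.example\r\n"
    "\r\n";

int main(void)
{
    char buf[MSG_MAX];
    unsigned char big[MSG_MAX + 64];
    memset(big, 'A', sizeof big);
    printf("device-origin handshake: %s\n", handshake_allowed(good_req) ? "accepted" : "rejected");
    printf("rebound handshake:       %s\n", handshake_allowed(rebound_req) ? "accepted" : "rejected");
    printf("oversized payload:       %d\n", copy_message(buf, big, sizeof big));
    return 0;
}
```

The Host check is the part that matters against DNS rebinding: the rebound request reaches the right IP address, but the browser still fills Host and Origin with the name the page was loaded from, which the device does not recognise.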
In France, cable is basically non-existent except in a few large cities. DSL is everywhere as legacy infrastructure and fiber coverage over the whole country is increasing at a fast rate.
Is the US in a somewhat similar situation or is cable found pretty much anywhere?
Snapshots from 2012 including technology mix
The irony though is that if you are building FTTN new, as much of AT&T has been doing the last decade and a half, it's not that much harder to at the same time push all the extra few dozen feet into the home for FTTH, which Verizon figured out years back and AT&T only finally got a clue about much more recently.
(AT&T also hurts their case by charging basically the exact same prices for bad POTS DSL and FTTN DSL, despite the huge variance in speeds, and tend to be not entirely forthright about which option is serviced to a particular address, leaving a lot of US consumers with an overall distrust of DSL.)
And the cable companies already had a high bandwidth (at least for ~2000) transmission line to most houses in America.
Notably, Verizon tried with FIOS, but it wasn't that profitable. Most people stuck with cable internet, even if it was slower.
This means it offers 100 Mbit service, but at my house it actually maxes out at 8 Mbit.
That's probably the device you're looking for.
It’s also true that a requirement when buying our house was “less than a mile from the CO”. More recently (like ~ 10 years ago) they put a DSLAM 2 blocks from my house.
Although fiber is available nearby (and further from the CO), they’re not going to wire our neighborhood anytime soon.
The US problem is no local loop unbundling and forced sharing of central office space.
And since available speeds far outpace DSL for fairly similar prices (or at least they did last time I looked at DSL), a lot of households subscribe to cable — especially where fiber isn’t yet available.
When non-terrestrial television became big, North America went largely with cable, while Europe went with satellites. Thus, the infrastructure was already in place for North Americans to get high speed internet over their existing coax connections.
Over the 6~7 years that I lived there, things improved somewhat, with the speed jumping to 11/1.5 and then 21/1.5, and the evening and weekend issues lessened.
The "guaranteed for life" price also went up at least once a year. (The base price remained the same, but they kept adding new fees.)
I was never really satisfied with the speed, price, or reliability from Windstream.
At my new home, in town, I have cable internet through Spectrum (Time Warner) which was advertised at 940 Mbps down and 35 Mbps up, and it often exceeds that by a few Mbps.
DSL is also an option, but the fastest speed I saw advertised was 45 Mbps.
DSL has a relatively limited range compared to cable, and the US is more rural/suburban than Europe. So ISPs put more effort into cable. Economy of scale meant that cable won out over DSL. If 80% of your customers need cable in order to achieve acceptable performance, and 20% of your customers will be better off with DSL but cable still works fine, the ISP is just going to ship 100% cable.
With the ubiquitousness of bundled cable TV/cable internet/cable telephone, (which is VOIP that looks like POTS to the average consumer) a lot of the actual POTS providers started switching over to the cable business model. Resulting in even less investment in the DSL technology stack. It's basically dead.
Even if it isn't immediately DOCSIS compatible...
Heck, just get a single packet of data over a cable from point A to point B using an open FPGA-based design... Put that on the Internet... that's the starting point...
Let it evolve from there...
Really, we need more fiber optic everywhere. It's easier to hack on, because cable modems are technically radios, and run into the usual FCC red tape. Plus, fiber is just better.
But tbh that's been my experience with most technicians across ISPs; they're generally nice and willing to fix a problem once they're there. It's getting the office to actually send one out (like you said) that's the issue...
checked the spectrum website for compatible modems available on the market, ordered a DOCSIS 3.0 Motorola Surfboard and when the technician came in, he pulled cable across our (admittedly tiny) apartment to where I had all my networking gear mounted to the wall on 3M strips
the actual internet itself, not so much, but that has a lot more to do with the terrible nest of interconnects in older apartment buildings in New York than Spectrum's upstream network capacity
This could be a default setting when going through a setup wizard on most routers, detecting the MAC of the modem is easy, and automatically blocking any LAN traffic to that MAC which is not merely using it as a next-hop.
I think the only challenge is that very rarely you will want to access your modem’s LAN IP for debugging purposes. But I suppose the average user will have no clue how to do this anyway...
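The isolation described in this comment and by several commenters above (blocking LAN access to the modem while still using it as the next hop), written out as an added nftables ruleset for the router that sits between modem and LAN. This is example configuration, not anything from the thread; the interface names lan0 and wan0 and the modem management address 192.168.100.1 are assumptions to be replaced with the local values.

```nft
# Added example ruleset (assumed names: lan0 = LAN bridge, wan0 = port facing the
# modem, 192.168.100.1 = the modem's management address).  Forwarded Internet
# traffic is unaffected: it is addressed to other IPs and only uses the modem as
# its next hop, so none of these rules match it.
table inet modem_isolation {
    chain forward {
        type filter hook forward priority filter; policy accept;

        # LAN clients (including a browser steered there by DNS rebinding or
        # CSRF) may not reach the modem's management interface.
        iifname "lan0" ip daddr 192.168.100.1 counter drop

        # Nothing the modem itself originates may reach LAN clients.
        iifname "wan0" ip saddr 192.168.100.1 oifname "lan0" counter drop
    }

    chain input {
        type filter hook input priority filter; policy accept;

        # The router's own services accept nothing from the modem's address.
        iifname "wan0" ip saddr 192.168.100.1 counter drop
    }
}
```

Load it with `nft -f <file>` and confirm with `nft list ruleset`; the `counter` on each rule shows whether anything on the LAN is actually trying to talk to the modem. For the occasional debugging session the comment mentions, `nft delete table inet modem_isolation` removes the whole table until the file is loaded again.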
Unfortunately this is just the tip of the iceberg for so many ways these SOHO devices are vulnerable, this level of defense in depth is nice in theory but perhaps just a finger in the dike.
Yep, most of this vulnerability is (very) old news. There used to be a vulnerability for the very popular Motorola / Arris SB series where any website could CSRF into the modem's webpage and do a "reset", which would shut off your internet for up to half an hour until it could reprovision with your ISP. There was even a proof of concept site that did this (with a big red warning first), I really wish I could remember the domain name.
Anyway, I used that modem and of course I just completely blocked access to its IP address on my router's firewall. It's really incredibly unfortunate that even today you have to be tech savvy to protect yourself from the devices running in your home. Basic security should come default.
Here's another vulnerability for you. On my grandparents' DSL, the ISP-supplied combined modem/router has a config page that is (mostly) not password protected. You can see the passwords for every SSID without logging in, you can reset the router, see information on other devices connected to the network, etc etc. Absolute insanity.
Edit: I did find the website, but it was eventually taken down by the creator after (most?) ISPs patched the problem. https://web.archive.org/web/20160921191154/http://www.reboot...
Also, what makes it super? And how does that compare to normal illegal?
At least in my country, Germany, fraudulent use of telecommunications services, public transport or paid events/facilities ("Erschleichen von Leistungen", § 265a StGB) is not just a civil matter, but also a criminal offence. If you got caught manipulating your modem to avoid paying for faster broadband, you would likely get into trouble.
Note, the premise of this comment is based off another commenter's claim that you can pull this off remotely and don't actually need to be on the local network.
Morality aside, I just don't see how it could ever end well for the uncapper.
Source: Back in the TCNISO days, I ran cloned modems on Charter's network. Their network security was atrocious.
So if hackers break into the modem, the worst they can do is shut off your internet. And if you really cared about reliability of your internet, you'd have two connections anyway.
Really this is a non-issue.
> Change default DNS server
> Conduct remote man-in-the-middle attacks
> Hot-swap code or even the entire firmware
> Upload, flash, and upgrade firmware silently
> Disable ISP firmware upgrade
> Change every config file and settings
> Get and Set SNMP OID values
> Change all associated MAC Addresses
> Change serial numbers
> Be exploited in botnet
A simple change in DNS servers combined with man-in-the-middle attacks is enough to fool many people into entering CC details into rogue sites for example.
(Edit for typos!)
Would this matter if the devices on the network are all themselves configured to use other DNS servers?
No, if your modem gets owned, you are in a whole lot of trouble.
You become vulnerable for all sorts of MITM attacks. The attacker now also has access to your LAN, which is usually trusted by all devices on it.
Good points; these two issues are quite different.
You could stop the network-access problem by putting an extra router (a secure one) between the modem and your local network, but that wouldn't save you from MITM.
And all the pushback we get from people here that DoH/DoT is a bad thing.
I can imagine just a couple of more things about having complete control of the only internet gateway most of us have at home.
And even if the worst thing is shutting off people's internet, I fail to see how, at this scale, it is not at least a tiny issue?
That is, the attacker either needs to have been allowed to connect to your WiFi (either through another vulnerability or voluntarily) or attached a cable to your WiFi router or your cable modem.
This is not impossible (not even requiring reliance on the fact that Google, Apple, and Microsoft among them have pretty much everyone's WiFi passwords), but a wave of attacks based on this is much less feasible than if they could be carried en masse on the internet.
From the article:
> Accessing the Endpoint
No, you just have to visit a malicious link; through DNS rebinding any local attack against a router can be done remotely.