Cable Haunt: A critical vulnerability found in cable modems (cablehaunt.com)
210 points by Aissen 8 months ago | 144 comments

This is nothing new, really. Crappy SOHO routers have been proven to be vulnerable over and over again.

The thing though is that in most countries you don't actually own the modem, it stays property of the ISP. And because of that you are locked out, and often you can't even run a firmware update even if you have the technical knowledge.

Really, ISPs should be held responsible for this. It is their equipment so they should also maintain it.

For me this is the reason my 'modem' is still in the original box, I've installed my own equipment which I maintain myself. Granted, I am lucky because I have a fiber connection to my home, so really all I needed was an SFP module for my Edgerouter. I also live in a country where ISPs are required to support running your own equipment. With cable this becomes a lot harder or even impossible due to all kinds of network specific systems such as DOCSIS.

The problem gets worse when things aren't just routers, but modems from your ISP. Unlike routers, which you are free to replace (or install OpenWrt on), using a modem is mandatory, and it's very likely that there is no alternative. Even if the modem uses a standard protocol like DOCSIS internally, it either has some vendor lock-ins or proprietary/customized software by ISPs.

A few years ago, I got my optical cable modem from my ISP, and I immediately found that the real admin account was locked from me, only accessible by the ISP. So I couldn't just PPPoE and get my connection, but I had to use the NAT on the modem. After a quick web search, I realized there are plenty of ISP/OEM management interfaces and backdoors in the modem. Although the documented backdoor had been disabled, I eventually found my way to a root shell, so I could change the mode to bridged w/ PPPoE.

Meanwhile, I always use my own router behind the modem, with an additional firewall blocking all the incoming connections from the modem's IP address. I absolutely don't have the slightest trust on these modems. If I cannot change the modem, at least I can isolate the problem away from my routers (and use encrypted protocols as much as possible). Attackers are free to execute arbitrary code on my modem, I'll simply treat the modem as part of the untrusted Internet, which can be as dangerous as a hacked modem.

Letting the attackers be 'man in the middle' is a little bit too generous, especially on the DNS side.

Your ISP has a MITM position whether they own your cable box or not¹. What you usually don't want is them having access to your LAN.

¹ As far as is relevant in this context.

You are unfortunately right about the reputation of SOHO routers and modems. The programming required to correct this issue is rather trivial, so hopefully patches should be easy to roll out.

The unfortunate thing is how the code has propagated from Broadcom across many vendors to even more ISPs, and how getting in touch with every affected ISP is a bit of a mess. Hence our attempt at branding, as this has a better chance of getting non-technical focus, which seems to be the way to reach many ISPs these days.

If you have fiber you're probably plugging your SFP into an ONT which is already acting like a modem anyway.

> With cable this becomes a lot harder or even impossible due to all kinds of network specific systems such as DOCSIS.

You're probably on a PON which doesn't use DOCSIS exactly but it's still doing TDM and/or WDM multiplexing because you're sharing a laser diode with a bunch of your neighbors - the ONT transceives the multiplexed laser signal. You're still dealing with DOCSIS-like functionality.

By my reckoning, as long as the modem has no public- or customer-facing IP address, it's probably not going to be a vector for easy attacks. It might be accessible from within the ISP network, but if someone has access there then they can probably just tap your line directly, no need for additional exploits.

ONTs typically terminate to Ethernet at the customer premises so it's effectively the exact same thing as a cable modem. So not any more secure than having cable and using the cable company's provided modem.

If you tapped someone's fiber line, all the traffic between the ISP headend and customer premises (OLT and ONT if we're talking fiber) will be encrypted. In fact on a PON network using TDM it has to be, because if you stared down your own fiber you would be seeing all your neighbors' traffic as you're all time-sharing the same laser diode at the ISP headend (because it's a passive network, you will be seeing your neighbor's traffic when the diode is transmitting outside of your designated time cycle).

Anyway my only point was to inform OP that contrary to their belief, they effectively are in the situation of having an ISP-owned modem.

When I was setting this up for an ISP a few years ago the TDM was just an SFP that has its own MAC address inside. It's doing the TDM part inside the SFP itself. When we configured a new customer it was just adding the MAC to the config of an interface on an Alcatel router at the hub side. You might not be able to transmit without interference but I bet you could spoof the MAC of a neighbor on the same fiber and listen in.

Wow that is very interesting! That would be a worthwhile experiment to test out for sure.

In the case of Openreach in the UK, the majority of subscriber lines carry PPPoE traffic over VLAN 101 which is bridged on the modem to the consumer equipment.

There's also an additional VLAN 301 for TR069 management traffic, which is used by the HG612 modems (and possibly others) that Openreach used to enjoy flinging at all VDSL subscribers. The modem itself claims an IP address in this VLAN.

Although usually hidden from the end-user, it's actually surprisingly easy to drop yourself onto VLAN 301 even with the HG612 and get an IP address on that management network. I imagine that this is the kind of way that modem exploits become dangerous if they are indeed routable on networks like this.

Can you recommend any resources to learn more about this kind of stuff?

Most countries allow you to own a modem, and that’s why all the major retailers sell them. They are not property of the ISP. Only the ISP can upgrade them however.

You make it sound like the providers giving you a modem is a bad thing. This is a good thing. You as the consumer just need to buy a decent router, and it's your ISP's responsibility to maintain the modem. If you have a decent router you have nothing to worry about. You can simply consider an attack on your modem an attack on your ISP.

All ISPs I've ever seen in the US allow you to use your own router.

At a $5+/mo fee for items that normally sell for $60 it seems like profit seeking behavior.

Comcast at least now made equipment returns easier through UPS franchises; historically, it could take hours at an understaffed, low-budget facility to return an item. And if you didn't, you'd often expect to argue with collections.

Here's a fun trick Comcast is now playing with in Chicago. For unlimited data, it costs $50 a month if you're using your own modem, but using Comcast's modem, I get a "discounted" rate of $20 a month including the modem rental.

It's their way of charging me to use my own modem (which I believe is illegal), hidden behind the ruse of it being a discount to rent theirs.

Comcast in Washington is $10/mo

5/mo is 120 over 2 years, which is imo the expected life on a modem. Now of course some last 5 years or more, but then some last 6 months. I think 60/year is a decent price for a 100 percent satisfaction guaranteed working modem.

> which is imo the expected life on a modem

Then buy better modems. My current modem is 4 years old and functions as well as it did on day 1.

If they weren't making money on it they wouldn't sell it to you as an option. Sure the "insurance" might be nice, but over time they're making money off of you.

> for a 100 percent satisfaction guaranteed working modem.

Importantly, the company I mention historically had such a bad satisfaction experience that it was rated lowest for customer experience. Such issues that they rebranded. With their contractor model it was regularly the experience of customers that the install goes through 2 or 3 cheap cable modems until one worked; in combination with their MAC locking, DNS poisoning, data caps, almost daily scheduled downtimes.

Though I'm still not sure how it's a decent price to pay $120 for something that retails for $60.

Satisfaction guaranteed. Don't like the service? Move along, you're out very little/nothing.

This would be a good argument if:

* there was any choice in the market
* my satisfaction was actually guaranteed
* the cost of switching was low (it will take at least a day of coordination to end one service, and start the second)

Where are you living where modems die every 2 years? My cable modem/wifi router from ISP is about 5 years old. Can't use your own cable modem in UK. They don't list providing of the modem as a line item on the bill either

Officially the EU requires allowing customers to use their own modem if they want to. If the ISP setup requires registering MAC addresses they are obligated to register your personal modem and if a weird setup is required they have to document everything and notify you in advance of changes.

Do you have any more details about this? A link or what to search for would be also great.

Can only see one example of someone asking about that on google.

I do not understand what you mean by that. Note that these directives force the member states to adopt their own laws implementing them. They do not directly affect people, only indirectly. So if people want to invoke the rights they have to cite the national law implementing the directive.

The response in the UK is always "you can't do that", so either the UK hasn't implemented the law, or no one cares

The directive stipulates some authority who enforces the rules.

It’s quite possible that, similar to the situation in the Netherlands, the rules don’t align with the opinion of the appointed authority and any appeal is nullified by an endless stream of denials and delays.

For a truly determined citizen or group it would be possible to work through the national and European legal system and force the authority to do its job but it takes a very long time and a lot of money and determination.

Likewise, you make it seem like ISPs are competent enough to recognize an attacked modem, and repair or replace it on demand, and promptly. My experience is that when your internet connection goes down or becomes unusable, and you call and complain, it can be literally several weeks before they even respond to you.

They may technically own the modem but you're on your own to keep it running.

> competent enough to recognize an attacked modem, and repair or replace it on demand

The cable modems I've interacted with all seem to be immutable infrastructure: their state consists of 1. a signed firmware image; 2. a DOCSIS initialization packet received upon network registration (essentially equivalent to a cellular "carrier profile"); 3. a set of saved preferences; and 4. some volatile working state, like ARP tables or WPA encryption-stream key state.

#4 gets trashed on reboot; #3 shouldn't be large enough (or executable) in a way where programs can run from it; #2 gets overwritten every time the network reconnects; and so the only place to put a persistent malware vector should be #1. And #1 can only be written to using signed code (sort of like Intel CPU microcode.)

So what's the problem that can't be solved by rebooting the modem?

Not my experience. My parents are stuck with Comcast due to their monopoly and even they bent over backwards to fix my parents' recent issues (hardware failure). Sure it took a couple weeks, but it was a couple weeks of troubleshooting, testing, a couple visits, some hardware replacements. People expect these repair installers to be miracle workers, but sometimes an intermittent fault takes time.

> You can simply consider an attack on your modem an attack on your ISP.

Never thought about it that way. I agree.

> All ISPs I've ever seen in the US allow you to use your own router.

I'm not familiar with the US market, I was speaking from my personal experience with EU based ISPs. I should have made that clear.

In the USA, you can use your own router and your own modem, if you are aware enough to do so. Most common people just use whatever the ISP hands them, and pay $5 per month or more for years on end for the privilege of using boxes that never get updated.

I recently had the frustration of trying to use a Vodafone ISP-supplied modem. It had a proprietary interface which didn't allow using the modem as a bridge to a network not on a VLAN. Along with the help of the awesome team at hack-technicolor we managed to find a command execution exploit in the dyndns updater which allowed us to free the Vodafone UltraHub Technicolor DGA0130VDF modem along with others. The device is a cool box running a dual-core Broadcom 400MHz CPU with 256MB DDR3 RAM; it's a DSL/WAN router with ADSL/VDSL, Wi-Fi 11b/g/n/ac 5GHz/2.4GHz, and SIP support for two phones. Also now a working WAN port to a non-Vodafone gateway. The device was running OpenWrt. We also figured out how to keep persistence on the device after a firmware update to an unexploitable version, meaning you can even have SSH running on the latest kernel from Vodafone too. In all I had a great time working on this box and it feels awesome to free an otherwise awesome device from the trash heap! https://github.com/kevdagoat/hack-technicolor/issues/68

For years now I insisted on getting a modem operating in bridge mode, with a Ubiquiti Unifi USG doing the actual routing and Unifi access points providing Wi-Fi. I never trusted the crappy modems, especially the ones provided by the cable company.

Ubiquiti cares much more about frequent software updates and the general security and reliability of their gear. The cable companies push trash, because they can get away with it in most cases.

In this particular case, I don't know if my modem is affected, but I don't really care: it's part of the operator's network, beyond the security boundaries of my network.

My cable modem is in bridge mode but I can also reach its web interface via the management IP. In that case, you should find out if the modem is vulnerable because an exploited modem could still be messing with your traffic.

Messing how?

I mean, yes, it is a problem, but so is any networking device anywhere on the Internet — as soon as the traffic leaves my network, all bets are off.

The point is not to allow operator-managed crappy devices (like cable modems) into my network.

I'm hoping someone secretly deploys tor nodes onto all of these 200 million connections, and tor (or something like it) becomes the defacto standard for connecting to the internet.

Privacy matters more now than it did in the 1980's, and in todays age, having every website operator see your IP address isn't really cool.

I'm not comfortable with sharing my internet connection with other people. Also, some people are on metered and / or low bandwidth internet connections.

Comcast in the US (idk ++millions of users) by default enables a 2nd WiFi network that is open to all of their subscribers. Is convenient, amusing, and annoying, depending on perspective.

To be fair - it is rate-limited and QoS-managed and traffic doesn’t count towards your usage limit (if you have one).

Back when I was a Comcast customer I did find it useful when I was in an area with no - or too slow - mobile-data connections.

Also, I believe using other people's xfinitywifi doesn't count towards your bandwidth.

BT in the UK does a similar thing - called "Fon"

I assume that traffic on that network is always QoS'd to lowest priority, but I've never used it (I don't use a BT router).

I'm glad to hear that Fon is still around. Back when they were giving out free APs I snagged a couple and they were my first foray into hardware hacking. Neat little devices; I always felt a bit guilty about not using them to actually deploy Fon hotspots.

A year or two ago they sent an email to all of us with 1st gen FON hardware and said they were retiring it and that we'd have to buy a new one. I didn't.

They never disabled my account - I now get worldwide FON roaming for free forever - yay!

Virgin Media do this too, your box is by default something like VM123456-[2|5]G and an (optional) 'community' hotspot (like FON) of VirginMedia

Not just that. The reality is, unfortunately, that Tor is used for a whole bunch of illegal activities too. Most notably child pornography.

I wouldn't want that kind of traffic flowing through my IP address, even if it was only for legal reasons.

This is really only a concern if you are an exit node, which is not something that people are encouraged to do without experience and measures in place to knowingly protect themselves.

If you are just a relay, the content is encrypted and your chances of liability are low. Same goes if you are promoted to a guard node.

> If you are just a relay, the content is encrypted and your chances of liability are low.

It's not just liability, for me it's also ethics. It gives me peace of mind that I am not contributing towards these practices.

But being an ordinary relay means you are still being used as a hop for people to connect to hidden services. Do you think hidden services are less ethically dubious than clearnet services?

I think you're misunderstanding their argument. They don't want to be an exit node because they don't want to share their public IP (liability), nor do they want to be a relay because they don't want to help route to hidden services (ethics).

You pay your taxes used to pay for bombs to kill people.

Sometimes you have to look at the big picture when making ethical decisions.

> You pay your taxes used to pay for bombs to kill people.

Paying tax is mandatory, unlike installing a tor node on your modem.

Based on that argument we shouldn't have the internet because some users will do unethical things with it.

You really shouldn't do anything for that matter.

How's your peace of mind being complacent in the surveillance and persecution of innocent victims?

I used to run a Tor node but then my bank blocked me because I was a Tor node, even though I wasn't an exit node. That alone was too much of a hassle so I stopped doing it. I also work from home now and VPN to work at a really big company, so it wouldn't surprise me if they would notice I ran a Tor node with whatever edge security they have. So there are very valid reasons to not even run a Tor node from home.

> i used to run a tor node but then my bank blocked me because i was a tor node, even though i wasn't an exit node. that alone was too much of a hassle so i stopped doing it. i also work from home now and vpn to work at a really big company that it wouldn't surprise me if they would notice i ran a tor node with whatever edge security they have. so there are very valid reasons to not even run a tor node from home.

How did the bank block you? By blocking your ip or your user account?

If you run an exit node on your home internet connection _EVERYTHING_ that sits behind Cloudflare will recaptcha you on every page load. It's easy for service providers to get a list of all Tor exit nodes and then blacklist them. If your home IP is an exit node, even non-Tor traffic coming from regular browsing on your machine is indistinguishable from actual Tor traffic.

Cox is also very prone to turning off your internet at random times due to botnet traffic looking like it's originating from inside your network.

I'm with you but parent specifically said they were not running an exit node.

My IP. When I would visit their website it would say they don't allow Tor. A week or two after I disabled my node they unblocked my IP.

Not just that. The reality is, unfortunately, that money is used for a whole bunch of illegal activities too. Most notably child pornography. I wouldn't want that kind of currency flowing through my house, even if it was only for legal reasons.

Who would trust Tor if one party controls 200 million nodes?

I've theorized the 50 percent attacks have already been executed at the nation state level for a long time now, but that many nodes could reduce the effectiveness of the current 50 attack. Unless of course the same three letter did both...

I don't know if 50 percent attacks exist on Tor, but in Tor you don't need a 50 percent attack; all you need is to attack the single Entry Guard a target uses.
I think 50 percent attacks apply to any supposedly decentralized service don't they?

It doesn't seem to be feasible using this vulnerability:

> Cable Haunt is exploited in two steps. First, access to the vulnerable endpoint is gained through a client on the local network, such as a browser. (emphasis mine)

That means loading a webpage from the internet, which then runs the exploit in javascript on your local machine. Tricking users to load the page through phishing or through ads served from shady ad networks is ‘all’ it takes

Thank you for the correction.

Sibling comments mention hacked web pages and DNS rebinding. I imagine there are also many of these routers that still have unpatched issues with SNMP, like "stringbleed". https://www.bleepingcomputer.com/news/security/several-cable...

This is almost certainly exploitable remotely with a DNS rebinding attack.

You don't need any fancy rebinding attacks. That's a bit 2001 era web hacking :)

This issue is based on WebSockets where the software on the modem:

a) Doesn't verify any of the origin headers sent, so any origin works (rebinding is designed to beat origin checks)

b) Copies an uploaded message straight onto the stack without doing any size checks

@thu2111 He's giving you an attack chain. If you rebind the DNS server of the modem with an SNMP/TR069 exploit you could redirect/inject into the HTTP traffic a page that contained the JavaScript payload to exploit the Cable Haunt vulnerability against the Spectrum Analyser endpoint. Because WebSockets doesn't use CORS to restrict the requesting host's domain to the modem, you could execute code on the gateway modem from the internet with the combination of a client on the remote network running an HTTP request from a browser combined with an alternative DNS rebinding attack against the gateway and a server hosting the malicious WebSockets payload on an HTTP server.

Edit: or you could get them to click on a link
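The two defects described in the comments above (a WebSocket endpoint that accepts any Origin, and a message copied onto a fixed-size stack buffer without a length check) are generic enough to show in a few lines. The following is an added illustration written for this thread, not code from the Cable Haunt researchers or from any modem firmware: a hypothetical message handler that applies the two checks the thread says were missing. The allowlisted origin `http://192.168.100.1` and the 256-byte message limit are constructed assumptions; the Origin allowlist is a fixed list rather than a comparison against the Host header, so a rebound DNS name still does not pass it.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Upper bound on a single WebSocket text message the handler will accept.
 * Constructed value for this example; the point is that it is enforced. */
#define WS_MSG_MAX 256

enum ws_result {
    WS_OK = 0,          /* message accepted and copied into the stack buffer */
    WS_BAD_ORIGIN = 1,  /* Origin header missing or not on the allowlist */
    WS_TOO_LARGE = 2    /* payload would not fit, copy refused */
};

/* Fixed allowlist of browser origins permitted to open the WebSocket.
 * Hypothetical address of the modem's LAN-side web interface. */
static const char *const allowed_origins[] = {
    "http://192.168.100.1",
    "https://192.168.100.1",
};

/* Exact string match against the allowlist. A missing Origin is rejected:
 * browsers always send one on WebSocket handshakes, so its absence means
 * the client is not a page served from the modem's own UI. */
bool origin_allowed(const char *origin)
{
    if (origin == NULL)
        return false;
    for (size_t i = 0; i < sizeof allowed_origins / sizeof allowed_origins[0]; i++) {
        if (strcmp(origin, allowed_origins[i]) == 0)
            return true;
    }
    return false;
}

/* Handle one decoded WebSocket message. Both checks run before any byte of
 * the payload touches the stack buffer. On success *copied (if non-NULL)
 * receives the number of payload bytes that were accepted. */
enum ws_result handle_ws_message(const char *origin, const uint8_t *payload,
                                 size_t len, size_t *copied)
{
    char buf[WS_MSG_MAX];

    if (!origin_allowed(origin))
        return WS_BAD_ORIGIN;
    /* Reserve one byte for the terminator; anything larger is refused
     * rather than truncated so the caller sees the error explicitly. */
    if (payload == NULL || len >= sizeof buf)
        return WS_TOO_LARGE;

    memcpy(buf, payload, len);
    buf[len] = '\0';
    if (copied)
        *copied = len;
    /* A real handler would now parse and dispatch the command in buf. */
    return WS_OK;
}

/* Convenience wrapper: submit a payload of `len` bytes of 'A' from the
 * given origin, so callers can probe the size limit without building
 * buffers themselves. */
enum ws_result submit_fill(const char *origin, size_t len)
{
    uint8_t payload[4 * WS_MSG_MAX];
    if (len > sizeof payload)
        len = sizeof payload;
    memset(payload, 'A', len);
    return handle_ws_message(origin, payload, len, NULL);
}

int main(void)
{
    const char *cmd = "show_status";
    size_t n = 0;
    printf("trusted origin, small message: %d\n",
           handle_ws_message("http://192.168.100.1", (const uint8_t *)cmd, strlen(cmd), &n));
    printf("foreign origin:                %d\n",
           handle_ws_message("http://attacker.example", (const uint8_t *)cmd, strlen(cmd), NULL));
    printf("trusted origin, 1024 bytes:    %d\n",
           submit_fill("http://192.168.100.1", 1024));
    return 0;
}
```

The order of the checks matters: the origin test runs first so that an unauthorised page never reaches the copy at all, and the length test compares against `sizeof buf` at the point of the copy rather than against a constant declared elsewhere, which is the usual way such a check drifts out of sync with the buffer it is meant to protect.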

It also seems to require that the attacker knows the credentials for the modem.

They are virtually always either the manufacturer's default credentials or the carrier's default credentials. Anyone can find the former, and all one has to do is find a pliable tech to get the latter.

I'm wondering, how prevalent is DSL in the US?

In France, cable is basically non-existent except in a few large cities. DSL is everywhere as legacy infrastructure and fiber coverage over the whole country is increasing at a fast rate.

Is the US in a somewhat similar situation or is cable found pretty much anywhere?

Average cable coverage in the US is significantly higher than Europe. However, inside Europe there is large variance between the different countries. E.g. Belgium has nearly 100% coverage, while France as you correctly observed has very little. France is atypical for Europe in broadband reach, lagging the average significantly.


Snapshots from 2012 including technology mix



Cable is probably the leader in most markets in the US. DSL hasn’t been given the same innovation love, so in markets where it is still marketed (primarily by AT&T) the speeds are almost always lower/capped at 50Mbps down. In more rural areas DSL still has a stronger foothold. But in general, yes, cable is quite prevalent.

I haven’t seen DSL at more than 2-3mbps down even around the biggest US cities. The only real high bandwidth download option is cable (coaxial), and the only high bandwidth download and upload is fiber.

AT&T markets a hybrid DSL technology under their UVerse brand name. They run FTTN (fiber to the node), then split from the node via standard DSL, albeit at much closer distances (and hence much higher speeds). This product can provide "DSL" in the 50-200Mb/s range (currently), but it is not the regular DSL that most people associate with the technology.

From what I gather, FTTN itself illustrates the bootstrap problem the US market faces in that in some cases they should have fiber already run to the nodes decades previously, but didn't until the early days of DSL. US Telecoms are nothing if not procrastinators on infrastructure upgrades.

The irony though is that if you are building FTTN new as much of AT&T has been doing the last decade and a half, it's not that much harder to at the same time push all the extra few dozen feet into the Home for FTTH, which Verizon figured out years back and AT&T only finally got a clue much more recently.

(AT&T also hurts their case by charging basically the exact same prices for bad POTS DSL and FTTN DSL, despite the huge variance in speeds, and tend to be not entirely forthright about which option is serviced to a particular address, leaving a lot of US consumers with an overall distrust of DSL.)

Part of the reason the telecoms in the US were slow to upgrade was that they were originally forced to do local loop unbundling. Why invest if competitors could use those lines for cheap rates?

And the cable companies already had a high bandwidth (at least for ~2000) transmission line to most houses in America.

Notably, Verizon tried with FIOS, but it wasn't that profitable. Most people stuck with cable internet, even if it was slower.

This is exactly my experience as well. In DSL's favor I would add that it's not a shared pipe and the latency is generally low and very very consistent. If it were 20-30mbps down DSL would be competitive again. Emotionally I'd like to ditch both the phone and cable providers, they and their exploitive business model suck fetid dingo kidneys.

That's weird, DSL is the most common way of going online in Germany and many providers offer 20-200 Mbit connections

My current ILEC "offers" 100 Mbit DSL, but you have to be within a certain distance of their main infrastructure (I forget what it's called. DMARC, maybe?)

This means it offers 100 Mbit service, but at my house it actually maxes out at 8 Mbit.

DSLAM: Digital subscriber line access multiplexer

That's probably the device you're looking for.

I dunno. The latency would have to be really really really low (like single digit ms) for me to even consider it. My cable is 220mbit down/17.5mbit up (actual measured values).

CenturyLink sells me 100Mb at about half of what cable would cost.

It’s also true that a requirement when buying our house was “less than a mile from the CO”. More recently (like ~ 10 years ago) they put a DSLAM 2 blocks from my house.

Although fiber is available nearby (and further from the CO), they’re not going to wire our neighborhood anytime soon.

FTC (Fiber to the CAB) uses a form of DSL (VDSL) over copper to do the last hop in the UK.

The US problem is no local loop unbundling and forced sharing of Central Office space.

DSL typically runs at 100/40 or 50/16 now. Some unlucky people are still stuck on ADSL2+ with 16/3 or so.

Some people are stuck with Frontier who won't upgrade anything and can only provide 4Mb, if you're lucky, even with a CO 2500ft away.

Because cable TV was almost universally available and nearly as universally installed (at least in urbanized areas) before home internet access became common, cable is very common in US cities due to the infrastructure already existing.

And since available speeds far outpace DSL for fairly similar prices (or at least they did last time I looked at DSL), a lot of households subscribe to cable — especially where fiber isn’t yet available.

I think this is an important distinction that a lot of people don't realize.

When non-terrestrial television became big, North America went largely with cable, while Europe went with satellites. Thus, the infrastructure was already in place for North Americans to get high speed internet over their existing coax connections.

At my previous home, in a rural part of Ohio, DSL via Windstream was the only option for wired internet. It was advertised as 12mbps download, but after installing it, they told me the best speed they could do was only 7mbps down and 768kbps up - for the same price. It was generally reliable during the day but would often drop to slower speeds during evenings and weekends.

Over the 6~7 years that I lived there, things improved somewhat, with the speed jumping to 11/1.5 and then 21/1.5, and the evening and weekend issues lessened.

The "guaranteed for life" price also went up at least once a year. (The base price remained the same, but they kept adding new fees.)

I was never really satisfied with the speed, price, or reliability from Windstream.

At my new home, in town, I have a cable internet through Spectrum (Time Warner) which was advertised at 940mbps down and 35mbps up, and it often exceeds that by a few mbps.

DSL is also an option, but the fastest speed I saw advertised was 45mbps.

DSL development is so far behind, that it has been eclipsed by cable. DSL has such a short range of coverage (only works a few miles from a phone exchange facility), that it never became available to most of the countryside, while cable has become available even in many very rural areas. DSL is also around 10 times slower (or more) than cable here, in most cases.

Very uncommon. I would wager fiber is more common than DSL.

DSL has a relatively limited range compared to cable, and the US is more rural/suburban than Europe. So ISPs put more effort into cable. Economy of scale meant that cable won out over DSL. If 80% of your customers need cable in order to achieve acceptable performance, and 20% of your customers will be better off with DSL but cable still works fine, the ISP is just going to ship 100% cable.

With the ubiquitousness of bundled cable TV/cable internet/cable telephone, (which is VOIP that looks like POTS to the average consumer) a lot of the actual POTS providers started switching over to the cable business model. Resulting in even less investment in the DSL technology stack. It's basically dead.

I think it's high time for an FPGA-based, open hardware, open software, auditable-by-everyone, cable modem project...

Even if it isn't immediately DOCSIS compatible...

Heck, just get a single packet of data over a cable from point A to point B using an open FPGA-based design... Put that on the Internet... that's the starting point...

Let it evolve from there...

Well there's this: https://github.com/ucsdsysnet/corundum But that's more intended for optical networks. Useful reference at the very least.

Really, we need more fiber optic everywhere. It's easier to hack on, because cable modems are technically radios, and run into the usual FCC red tape. Plus, fiber is just better.

Our ISP (Spectrum) refuses to work with customer-supplied equipment. Even when I have proven their equipment to be faulty - I still had to wait a day or two for a technician. And having a business account, at least it was that quick. My residential neighbors can sometimes wait up to a week for remedy, and are frequently told things like "check with your neighbors to see if they have service" when reporting service problems.

Eh? I have Spectrum and use my own modem and router... It's even advertised as something I can do.

You both seem to be right. According to [1], residential customers can use Spectrum-approved modem models, but business customers must use Spectrum-provided modems. (I use my own modem with Spectrum too.)

[1] https://www.spectrum.net/support/internet/compliant-modems-c...

I have Spectrum and got really lucky with the one technician I've had. He spent over two hours fixing the faulty cable line from the utility pole to our house, and then another 15-20 minutes on the phone getting them to activate my customer-owned modem (why that's a 20min call is beyond me).

But tbh that's been my experience with most technicians across ISPs, they're generally nice and willing to fix a problem once they're there. It's getting the office to actually send one out (like you said) that's the issue...

similarly lucky as the other person who replied

checked the spectrum website for compatible modems available on the market, ordered a DOCSIS 3.0 Motorola Surfboard and when the technician came in, he pulled cable across our (admittedly tiny) apartment to where I had all my networking gear mounted to the wall on 3M strips

great experience

the actual internet itself, not so much, but that has a lot more to do with the terrible nest of interconnects in older apartment buildings in New York than Spectrum's upstream network capacity

Good luck with that. I think you’d be better off leveraging an existing open SDR board for the different waveforms these modems support. Even still I don’t think there are any affordable SDRs out there that can support the high order QAM modes of even just the old DOCSIS specs much less 3.0 and above

DSL has the same issue. You can run a PCI DSL modem (Sangoma S518 [ADSL1], Sangoma S519 [ADSL2], VigorNIC 132 [VDSL]) but it either uses a proprietary binary blob for the firmware, or it abstracts the interface to a generic RTL8139 or whatever (which works with many OSes).

The VigorNIC is really just a Vigor130 on a PCI card. It has its own Linux-based modem/router firmware running on it and you configure it by accessing the usual web interface exposed on the virtual ethernet port.

As mentioned by several comments, an important defensive step that most home users can take is to ensure you have a firewall rule in your router blocking any traffic on your LAN from accessing the modem on its LAN port, and any traffic originating from the modem LAN IP from getting onto your LAN.

This could be a default setting when going through a setup wizard on most routers; detecting the MAC of the modem is easy, as would be automatically blocking any LAN traffic to that MAC which is not merely using it as a next-hop.

I think the only challenge is that very rarely you will want to access your modem’s LAN IP for debugging purposes. But I suppose the average user will have no clue how to do this anyway...

Unfortunately this is just the tip of the iceberg for so many ways these SOHO devices are vulnerable, this level of defense in depth is nice in theory but perhaps just a finger in the dike.
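The firewall rule described in this comment, as an added example that is not from the thread or any vendor: it assumes a Linux home router running nftables, a LAN bridge named "br-lan", a WAN interface "eth0", and a modem whose management UI sits at 192.168.100.1 on the WAN side (all assumed names and addresses). It emits the ruleset and models the forward-chain decisions on constructed packets, so the intent (transit through the modem is fine, talking to it is not) can be checked before loading it on a real box.

```python
"""Isolate the cable modem's management address from the LAN.

Added example, not code from the thread. Assumes a Linux home router using
nftables, with LAN bridge "br-lan", WAN interface "eth0", and a modem that
exposes its web UI at 192.168.100.1 on the WAN side (an assumed address).
"""
from dataclasses import dataclass
import subprocess

MODEM_IP = "192.168.100.1"   # assumed modem management address
LAN_IF = "br-lan"            # assumed LAN-side interface name
WAN_IF = "eth0"              # assumed WAN-side interface name


def nft_ruleset(modem_ip: str = MODEM_IP, lan_if: str = LAN_IF,
                wan_if: str = WAN_IF) -> str:
    """Return an nftables ruleset that blocks LAN<->modem-IP traffic.

    Packets bound for the internet carry an internet destination, so the
    daddr rule does not touch them: the modem is still used as the next hop.
    """
    return f"""table inet modem_guard {{
    chain forward {{
        type filter hook forward priority 0; policy accept;
        # LAN hosts must not reach the modem's management interface
        iifname "{lan_if}" ip daddr {modem_ip} counter drop
        # Nothing sourced from the modem's address may be forwarded into the LAN
        oifname "{lan_if}" ip saddr {modem_ip} counter drop
    }}
    chain input {{
        type filter hook input priority 0; policy accept;
        # The router itself should not accept new connections from the modem IP
        iifname "{wan_if}" ip saddr {modem_ip} ct state new counter drop
    }}
}}
"""


@dataclass(frozen=True)
class Packet:
    iif: str   # interface the packet arrived on
    oif: str   # interface it would be routed out of
    src: str
    dst: str


def forward_verdict(pkt: Packet, modem_ip: str = MODEM_IP,
                    lan_if: str = LAN_IF) -> str:
    """Model the forward chain above: 'drop' or 'accept' for a routed packet."""
    if pkt.iif == lan_if and pkt.dst == modem_ip:
        return "drop"
    if pkt.oif == lan_if and pkt.src == modem_ip:
        return "drop"
    return "accept"


def apply_ruleset(ruleset: str) -> int:
    """Load the ruleset with nft (requires root); returns nft's exit status."""
    return subprocess.run(["nft", "-f", "-"], input=ruleset.encode()).returncode


# Constructed packets: admin page request, ordinary browsing, modem reaching in,
# and a normal reply from the internet.
SAMPLES = {
    "lan -> modem admin": Packet("br-lan", "eth0", "192.168.1.10", "192.168.100.1"),
    "lan -> internet":    Packet("br-lan", "eth0", "192.168.1.10", "203.0.113.5"),
    "modem -> lan":       Packet("eth0", "br-lan", "192.168.100.1", "192.168.1.10"),
    "internet -> lan":    Packet("eth0", "br-lan", "203.0.113.5", "192.168.1.10"),
}

if __name__ == "__main__":
    print(nft_ruleset())
    for label, pkt in SAMPLES.items():
        print(f"{label:20} {forward_verdict(pkt)}")
```

The rules key on the modem's IP rather than its MAC, which is what the packet filter can match cheaply; if the modem also answers on an IPv6 link-local address, matching ip6 rules are needed as well. The drop rules carry counters, so a non-zero count on the first rule is itself a useful signal that something on the LAN tried to reach the modem.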

> As mentioned by several comments, an important defensive step that most home users can take is to ensure you have a firewall rule in your router blocking any traffic on your LAN from accessing the modem on its LAN port, and any traffic originating from the modem LAN IP from getting onto your LAN.

Yep, most of this vulnerability is (very) old news. There used to be a vulnerability for the very popular Motorola / Arris SB series where any website could CSRF into the modem's webpage and do a "reset", which would shut off your internet for up to half an hour until it could reprovision with your ISP. There was even a proof of concept site that did this (with a big red warning first), I really wish I could remember the domain name.

Anyway, I used that modem and of course I just completely blocked access to its IP address on my router's firewall. It's really incredibly unfortunate that even today you have to be tech savvy to protect yourself from the devices running in your home. Basic security should come default.

Here's another vulnerability for you. On my grandparents' DSL, the ISP supplied combined modem/router has a config page that is (mostly) not password protected. You can see the passwords for every SSID without logging in, you can reset the router, see information on other devices connected to the network, etc etc. Absolute insanity.

Edit: I did find the website, but it was eventually taken down by the creator after (most?) ISPs patched the problem. https://web.archive.org/web/20160921191154/http://www.reboot...

Does someone know if I can « unlock » my modem speed with this exploit?

Super illegal, AND all ISPs have bandwidth accounting that will quickly spot the manipulation.

> Super illegal

[citation needed]

Also, what makes it super? And how does that compare to normal illegal?

Heh - sorry for the hyperbole.

At least in my country, Germany, fraudulent use of telecommunications services, public transport or paid events/facilities ("Erschleichen von Leistungen", § 265a StGB) is not just a civil matter, but also a criminal offence. If you got caught manipulating your modem to avoid paying for faster broadband, you would likely get into trouble.

Yeah who would want to do such a thing on Hacker News

What if you used the exploit to change someone else's modem speed? If you are the one whose modem was modified, how could you prove this in court? It sounds like it'd be very difficult. However, if you can somehow prove this, then you can just alter your own and claim someone else did it externally and claim it's their own fault because they provided a device that was exploitable.

Note, the premise of this comment is based off another commenter's claim that you can pull this off remotely and don't actually need to be on the local network.

Uncapping a modem to get more speed used to be possible but I can't imagine how it could be useful: It takes two to tango, so to actually go faster you'd need to get the other party to go faster as well. The other party being the ISP you're attempting to cheat, which has every incentive to monitor such things and act on those monitors.

Morality aside, I just don't see how it could ever end well for the uncapper.

Negative. Unless your ISP is operating in the stone ages, it will be quite a feat to run a cloned modem on your network.

Source: Back in the TCNISO days, I ran cloned modems on Charter's network. Their network security was atrocious.

Even if you could, it's super illegal to do so.

Most US cable providers let you use your own DOCSIS modem. I doubt there are any legal consequences for changing config on your own modem. Channel bonding has to be configured on both sides though.

You’d be wrong. People have been raided and charged for that in the US.

Eh, people have been raided and charged for the distribution of modems and running websites. But cases of theft of service for running a hacked modem are nearly non-existent.

I guess we don’t have the same definition of « super illegal ».

Why are the admin pages of all these cable modems written with websockets if they can be accessed via a websocket request from any rando website you visit? Is this just a bunch of massive mistakes or is there a good reason?

I'm sure that this kind of thing is farmed out to the lowest bidder.

I do not allow Comcast modems or routers on my network. I think this still saves me $9/month or something, foregoing the rental charge for their hardware, but even if it didn't I wouldn't trust them.

Nobody should be trusting a modem. You don't put your private keys on a modem. Your credit card number isn't saved on the modem.

So if hackers break into the modem, the worst they can do is shut off your internet. And if you really cared about reliability of your internet, you'd have two connections anyway.

Really this is a non-issue.

There are considerable attack vectors opened up here... a quick glance at the front page shows:

> Change default DNS server
> Conduct remote man-in-the-middle attacks
> Hot-swap code or even the entire firmware
> Upload, flash, and upgrade firmware silently
> Disable ISP firmware upgrade
> Change every config file and settings
> Get and Set SNMP OID values
> Change all associated MAC Addresses
> Change serial numbers
> Be exploited in botnet

A simple change in DNS servers combined with man-in-the-middle attacks is enough to fool many people into entering CC details into rogue sites for example.

(Edit for typos!)

"A simple change in DNS servers "

Would this matter if the devices on the network are all themselves configured to use other DNS servers?

> the worst they can do is shut off your internet

No, if your modem gets owned, you are in a whole lot of trouble.

You become vulnerable for all sorts of MITM attacks. The attacker now also has access to your LAN, which is usually trusted by all devices on it.

> You become vulnerable for all sorts of MITM attacks. The attacker now also has access to your LAN, which is usually trusted by all devices on it.

Good points; these two issues are quite different.

You could stop the network-access problem by putting an extra router (a secure one) between the modem and your local network, but that wouldn't save you from MITM.

You mean you're not using end to end certificate based encryption for all your applications these days?

And all the pushback we get from people here that DoH/DoT is a bad thing.

Not all applications are, and there are specific automated downgrade attacks for encrypted comms that force some back to plaintext. Giving outsiders access to your internal network is rarely a good idea.

You're implying we shouldn't bother with firewalls

It's not my applications, but applications that auto-update over unencrypted HTTP. Also, IoT devices with software built by the lowest bidder.

Many or most devices don't support this and the average consumer isn't capable of doing it himself.

For most home users, the NAT on their router is also their firewall. It's akin to saying that it doesn't matter if someone can open your front door as they will only get access to the entrance hall...

> the worst they can do is shut off your internet

I can imagine just a couple of more things about having complete control of the only internet gateway most of us have at home.

I see your point, but the vast majority of people who own a modem have no idea that a private key does not refer to the one under their doormat.

And even if the worst thing is shutting off peoples internet, I fail to see how, at this scale, it is not at least a tiny issue?

I haven't read the full report, but, the PoC[1] and the explanations I have seen before seem to indicate one has to be on the "local" side of the cable modem to run the exploit. That is, it doesn't seem like this is exploitable remotely.

That is, the attacker either needs to have been allowed to connect to your WiFi (either through another vulnerability or voluntarily) or attached a cable to your WiFi router or your cable modem.

This is not impossible (not even requiring reliance on the fact that Google, Apple, and Microsoft among them have pretty much everyone's WiFi passwords[2]), but a wave of attacks based on this is much less feasible than if they could be carried en masse on the internet.

[1]: https://github.com/Lyrebirds/sagemcom-fast-3890-exploit/blob...

[2]: https://tourkick.com/advice-tips-howto/myth-busting-windows-...

This is incorrect. It's accessed with websockets, that can be run from any webpage, so all you'd have to do is follow a malicious link.

From the article:

> Accessing the Endpoint

> The endpoint, which serves a tool called spectrum analyzer, uses a websocket for communication with the graphical frontend displayed in a browser. Whereas CORS would restrict access to such an endpoint for HTTP requests, websocket is not protected by this protocol. Therefore, it is up to the server to verify the relevant request parameters added by the browser. Because these parameters are never inspected by the cable modem, the websocket will accept requests made by javascript running in the browser regardless of origin, thereby allowing attackers to reach the endpoint. It should be noted that the exploit is not limited to run in a browser. Any place where running code can reach an IP on the local network, can be used to exploit Cable Haunt.
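The server-side checks the quoted report says are missing, and the answer to the earlier question of why a websocket endpoint is reachable from any site, as an added example that is not code from the thread, the Cable Haunt report, or any modem vendor: since CORS does not gate websocket upgrades, the device itself has to inspect the Origin and Host headers the browser attaches, and still require an authenticated session. The management address, allowed origins, session token and the `/ws` path are assumed values constructed for the example.

```python
"""Server-side WebSocket handshake checks for a device admin endpoint.

Added example (not code from the thread, the Cable Haunt report, or any
modem vendor). Models the checks a modem's websocket endpoint would need in
order to reject upgrade requests issued by pages from other origins.
Constants below are assumed values for illustration.
"""
from typing import Dict, Tuple

# Assumed management address of the modem's own web UI
ALLOWED_HOSTS = {"192.168.100.1", "192.168.100.1:80"}
ALLOWED_ORIGINS = {"http://192.168.100.1"}
# Constructed session token a logged-in UI session would hold
VALID_SESSIONS = {"s3ss10n-constructed-example"}


def parse_request(raw: bytes) -> Tuple[str, Dict[str, str]]:
    """Split an HTTP/1.1 request head into request line and lower-cased headers."""
    head = raw.partition(b"\r\n\r\n")[0].decode("latin-1")
    lines = head.split("\r\n")
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return lines[0], headers


def session_from_cookie(cookie_header: str) -> str:
    """Extract the 'session' cookie value, or '' if absent."""
    for part in cookie_header.split(";"):
        name, sep, value = part.strip().partition("=")
        if sep and name == "session":
            return value
    return ""


def check_handshake(raw: bytes,
                    allowed_hosts=ALLOWED_HOSTS,
                    allowed_origins=ALLOWED_ORIGINS,
                    valid_sessions=VALID_SESSIONS) -> Tuple[bool, str]:
    """Return (accept, reason) for a websocket upgrade request."""
    _, h = parse_request(raw)
    if h.get("upgrade", "").lower() != "websocket":
        return False, "not a websocket upgrade"
    # Host check: under DNS rebinding the browser still sends the attacker's
    # hostname in Host, so a device that only answers to its own names is safe.
    if h.get("host") not in allowed_hosts:
        return False, "host header not one of ours (possible DNS rebinding)"
    # Origin check: CORS does not gate websockets, so this is the only
    # browser-supplied signal that the page came from the device's own UI.
    origin = h.get("origin")
    if origin is None:
        return False, "origin header missing"
    if origin not in allowed_origins:
        return False, "cross-origin websocket request"
    # Even a same-origin request must belong to an authenticated session.
    if session_from_cookie(h.get("cookie", "")) not in valid_sessions:
        return False, "no valid session"
    return True, "ok"


def _request(host: str, origin: str, cookie: str = "") -> bytes:
    """Build a constructed upgrade request for the samples below."""
    lines = [
        "GET /ws HTTP/1.1",            # assumed endpoint path
        f"Host: {host}",
        "Upgrade: websocket",
        "Connection: Upgrade",
        "Sec-WebSocket-Key: dGhlIHNhbXBsZSBub25jZQ==",
        "Sec-WebSocket-Version: 13",
        f"Origin: {origin}",
    ]
    if cookie:
        lines.append(f"Cookie: {cookie}")
    return ("\r\n".join(lines) + "\r\n\r\n").encode()


# Constructed samples: the device's own UI, a third-party page, a rebound name,
# and the device's own UI without a login.
SAME_ORIGIN = _request("192.168.100.1", "http://192.168.100.1",
                       "session=s3ss10n-constructed-example")
CROSS_SITE = _request("192.168.100.1", "https://attacker.example")
REBOUND = _request("attacker.example", "https://attacker.example")
NO_SESSION = _request("192.168.100.1", "http://192.168.100.1")

if __name__ == "__main__":
    for name, req in [("same-origin", SAME_ORIGIN), ("cross-site", CROSS_SITE),
                      ("rebound", REBOUND), ("no-session", NO_SESSION)]:
        print(name, check_handshake(req))
```

The order of the checks is deliberate: Host and Origin are rejected before any session lookup, so a cross-site page learns nothing about whether the victim is logged in. Rejecting a missing Origin is appropriate for an endpoint that only a browser UI is meant to use; the report's note that the exploit is not limited to browsers is why the session check remains even when both headers look right.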

Thank you for correction. Voted your comment up.

> That is, the attacker either needs to have been allowed to connect to your WiFi (either through another vulnerability or voluntarily) or attached a cable to your WiFi router or your cable modem.

No, you just have to visit a malicious link; through DNS rebinding any local attack against a router can be done remotely.
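The resolver-side counterpart to the DNS rebinding point raised here, as an added example not taken from the thread: a home router's forwarding resolver can refuse to hand LAN clients any answer that points a public hostname at a private, loopback, link-local or unspecified address, the behaviour of "stop DNS rebind" options in resolvers such as dnsmasq. The blocked ranges, the local zones exempt from the check, and the sample log are assumptions constructed for the example.

```python
"""Resolver-side DNS rebinding filter for a home router.

Added example, not from the thread. Answers for names outside the local
zones that resolve to private, loopback, link-local or unspecified addresses
are dropped before they reach LAN clients, so a public hostname cannot be
re-pointed at the modem or router. Blocked ranges and local zones are
assumed policy values chosen for the example.
"""
import ipaddress
from typing import Iterable, List, Tuple

# Address ranges a public name should never resolve to (assumed policy).
REBIND_BLOCKED = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16",
    "::/128", "::1/128", "fc00::/7", "fe80::/10",
)]

# Zones whose names are allowed to resolve to LAN addresses (assumed).
LOCAL_ZONES = ("home.arpa", "lan")


def is_rebind_target(ip_text: str) -> bool:
    """True if the address is one that would land inside the LAN or on the host."""
    ip = ipaddress.ip_address(ip_text)
    # ::ffff:192.168.100.1 must be judged as its IPv4 form
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return any(ip in net for net in REBIND_BLOCKED)


def in_local_zone(qname: str, local_zones: Iterable[str] = LOCAL_ZONES) -> bool:
    """Names under a local zone are allowed to carry LAN addresses."""
    name = qname.rstrip(".").lower()
    return any(name == z or name.endswith("." + z) for z in local_zones)


def filter_answers(qname: str, answers: List[str],
                   local_zones: Iterable[str] = LOCAL_ZONES) -> Tuple[List[str], List[str]]:
    """Return (kept, dropped) address records for one DNS answer."""
    if in_local_zone(qname, local_zones):
        return list(answers), []
    kept: List[str] = []
    dropped: List[str] = []
    for a in answers:
        (dropped if is_rebind_target(a) else kept).append(a)
    return kept, dropped


def rebind_alerts(log: List[Tuple[str, List[str]]]) -> List[str]:
    """Detection lines for a batch of (qname, answers) seen by the resolver."""
    alerts = []
    for qname, answers in log:
        _, dropped = filter_answers(qname, answers)
        if dropped:
            alerts.append(f"rebind attempt: {qname} -> {', '.join(dropped)}")
    return alerts


# Constructed resolver log: a normal lookup, the same name later re-pointed at
# the modem (once directly, once via an IPv4-mapped IPv6 address), and a
# legitimate local name that is allowed to carry a LAN address.
SAMPLE_LOG = [
    ("attacker.example", ["203.0.113.5"]),
    ("attacker.example", ["192.168.100.1"]),
    ("attacker.example", ["::ffff:192.168.100.1"]),
    ("printer.home.arpa", ["192.168.1.50"]),
]

if __name__ == "__main__":
    for line in rebind_alerts(SAMPLE_LOG):
        print(line)
```

This filter complements the device-side Host and Origin checks rather than replacing them: it protects every unpatched device on the LAN at once, but only for clients that actually use the router's resolver, which is why the earlier comment about devices configured to use other DNS servers matters here too.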
