ARRIS shouldn't be given a year embargo, either. They're the same company who've known since 2016 about hardware issues which cannot be corrected in software in the Intel PUMA chipsets, yet they still to this day sell devices with them. They don't care about fixing things - they care about selling things.
AT&T U-verse I couldn't bring my own modem, and I understand that they're not a DOCSIS network either.
Some folks smarter than myself figured out how to mimic the ONT handshakes or some such, so that they could use their own devices. IIRC, they were pulling the certs from the ATT box.
ATT then came in and installed new stuff at the station to not allow that anymore. I don't remember all the technical details, but that's what I found when I spent an hour or so researching how to get rid of their awful box. In short, you can't...and even if you manage to, it won't be for long.
> No, it's when they port you over to a new splitter in your neighborhood's PFP cabinet seems to be what I'm following. Then you will be connected to a different OLT port at the CO(central office) that supports XGS-PON as well as standard GPON.
> Older Gateways will work on the newer OLT gear. But the 10Gbps XGS-PON will only work on the newer OLT ports. This newer port has an added management layer to support 10Gbps which needs authentication on top of the certs needed by both GPON and XGS-PON.
That's good to know. They already dragged their feet getting fiber available in my area (fiber laid 13 years before service was available). Hopefully they'll drag their feet with this "upgrade" too.
Not true. I have multiple business locations using customer owned surfboards.
Might be a requirement for static addresses but it's not for business service in general.
If you don't have a static IP with Comcast Business it makes it awfully hard to run a mail server, but then you can indeed use your own cable modem.
> I'm guessing a workaround is to use a 3rd party router and block traffic to 192.168.100.1 which is the IP of the management UI when in modem only mode, presumably the external IP can still be retrieved in modem only mode
> If it's still active in modem-only mode, it essentially precludes use of these routers entirely for any sensitive comms.
> The web interface is still available in bridge mode with Liberty Global's Arris modems, yes.
> Just tried it on my device in modem-mode and it does indeed still expose the snmpGet endpoint. As suggested above, I've firewalled all traffic to 192.168.100.1 on my own firewall.
Also, in many cases there is a specific IP address that the "modem" listens on, serving a web interface that allows switching back to "router" mode. This also wouldn't be possible with a "pure" modem (as it shouldn't have any concept of the IP layer).
Though now that I’m thinking of it, are you sure it uses IP? It’s not as if they can’t use other layers.
I can't imagine this is different elsewhere, so it's likely the replying comment above yours is incorrect.
Source: I was previously a network engineer for a national Telco.
Other sources: DOCSIS 3.0 registration info: https://volpefirm.com/docsis-3-0-cable-modem-registration/
Only the owner of a given MAC OUI is able to create a certificate covering MACs under it that will be accepted by the CMTS.
Though I believe it's since changed, my last interaction with DOCSIS was 4-5 years ago. I seem to recall there's a captive portal involved now but previously it was solely MAC.
I have always been able to view the management page for my Arris/Motorola Surfboard modems.
Although as of a few weeks ago, WOW has announced bandwidth caps, so I have to rescind my former glowing recommendation. Le sigh.
Long story short, there were tons of regional providers; they were bought up by one of two players, which basically divided the country into being served by either NTL or Telewest. NTL and Telewest then merged, becoming NTL:Telewest, who then bought Virgin Mobile (an MVNO in the UK) to become a 4-way provider (TV, phone, internet and now mobile). (Virgin Media are now owned by a US company, Liberty Global, IIRC.)
Neither NTL nor Telewest allow consumer-owned equipment onto their cable internet network; heck, I remember Telewest only authing one consumer device MAC address to be connected to their modems at the start of their cable internet rollout (so if you wanted to use your own router connected to the modem, you would either have to give Telewest the MAC address of the router or set the MAC address of the WAN port to the MAC address of the computer that was initially connected to their network (which was the quickest option; you could never get them to swap it instantly over the phone, but could during business hours over Telewest's newsgroups, as their engineers would hang out there, which used to be the quickest way to get your line serviced if there was ever an issue), a practice Telewest did drop before they merged with NTL. NTL never had such a policy IIRC, but I only lived in an NTL area for a couple of years).
Their modem security has never been "great". For the longest time (since creation till only a few years ago) you were able to get free internet if you cloned the MAC address of someone else's modem but used it in a different area, MAC addresses that could be captured by any modem (provisioned or not) connected to the network. So there used to be MAC swapping forums where X would scan and log their area and trade with Y, who would do the same in theirs (used to be handy when they had "fair usage" throttling enabled: used your download limit for the day, swap your MAC and get a new limit, or if you wanted to run a 2nd/3rd/4th modem, but that would be naughty... So I never did such a thing. IIRC modem cloning is still possible today, but you need to get the certs from a provisioned modem, so it's not as simple as just sniffing MAC addresses from the cable line as other modems register on the network).
Here in the UK, we have always been limited to the modem the cable company provided, which remained their property (both were often uncollected by the company when a customer left, so you could easily find old modems on eBay for pennies on the pound, which just happened to have their unsigned firmware (and MAC addresses) on SPI flash if you wished to tinker with them), which for 99% of the UK was fine, as it was common (and still is) to just use whatever device was issued to you. At least with ADSL/VDSL in the UK you are free to use whatever device you want (except for Sky; they used to be PITAs about getting the auth details to run your own modem, but once you did, and as long as your modem supported their auth (which isn't the auth used by most of the xDSL providers in the UK), you were free to use your own equipment, just "unsupported", so if you had issues on your line it was best to connect their modem to the line before calling customer services).
Five months later I sent it off for recycling because i'd heard nothing. Two months after that they asked for it back and then charged me £80 for not having it anymore.
Never heard from them again.
BT do the same these days with their hubs (or at least were planning to; dunno if they changed their minds after the backlash). BT's excuse is to reduce electronics waste. Not that they're going to reuse the gear themselves, more that they would recycle it.
BE (before they were bought out by O2) would send you out a "cat trap" modem on the condition you returned it if you left (so they could give it to another customer as a cat trap) but didn't really give a crap about the primary modem.
Here's the list with modems affected by the hardware bug you mentioned: https://www.badmodems.com/
If I understand the DNS rebinding attack reference correctly, you could be running the VPN software on your desktop/laptop and still have your IP revealed by your ISP router.
Mediocre home appliances or (as in this case) ISP CPEs can easily deanonymize you.
One solution is to use proxy servers or per-app VPNs (without local network access) instead of a system-wide VPN, and effectively partition applications into trusted and untrusted ones.
Security is not their priority.
Quick! Let's outlaw poverty, violence, theft and coercion, and we're good!
I think they now only ask for the X, Y, and Zth characters, but they used to ask for the whole thing
Having no rules means you have a maximum search space. However, a general audience means that the top X% (let's say 70 to be arbitrary) are going to be in a very small search space... An English word with maybe some numbers substituted in for a letter or two.
OTOH, having password rules means that you eliminate the smallest areas of the search space, so every password resides in a restricted version of the larger space. Fewer possible passwords, but all at a larger complexity to guess.
Then, there are password rules like "no special characters" or "maximum length of 10 characters" which are fantastically stupid and lazy, and only serve to make brute forcing them that much easier.
"A Network Slug, or "Slug", is a transparent layer 2 firewall running on a device with only two interfaces."
"A Slug has no IP address, cannot be reached on the network, and does not increment IP TTL."
So, for instance, I have a port 22 slug that I can insert anywhere in the physical chain of a network that passively, and silently, blocks all traffic except for TCP 22.
You could clamp down further and restrict it to port 22 and your specific VPN endpoint IP.
Foolproof? Perhaps not - but a huge piece of defense-in-depth that makes the use of a (port 22) VPN much safer.
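The slug policy described in this comment (forward only TCP port 22, optionally only to one VPN endpoint, never touch the frame) is easy to state but worth seeing as actual packet-level logic. The following is an added example, not code from the commenter or from any Network Slug project: it parses constructed Ethernet/IPv4/TCP frames and returns the verdict a two-interface layer-2 slug would reach. The frame builders, the endpoint address `203.0.113.10` and the function names are assumptions for illustration; a real slug would apply the same decision in a bridge firewall.

```python
import struct
from ipaddress import IPv4Address
from typing import Optional

# The only two frame types a port-22 slug has to understand.
ETH_HDR_LEN = 14
ETHERTYPE_ARP = 0x0806
ETHERTYPE_IPV4 = 0x0800
PROTO_TCP = 6


def slug_verdict(frame: bytes, allowed_port: int = 22,
                 vpn_endpoint: Optional[str] = None) -> str:
    """Decide 'pass' or 'drop' for one Ethernet frame crossing the slug.

    Policy from the comment: forward only TCP traffic on allowed_port (either
    direction) and, if vpn_endpoint is given, only when the peer on that port
    is the endpoint.  ARP is let through because hosts on both sides still
    need to find each other.  Everything else (non-IPv4, non-TCP, other ports)
    is silently dropped.  The slug itself has no address and never replies.
    """
    if len(frame) < ETH_HDR_LEN:
        return "drop"
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype == ETHERTYPE_ARP:
        return "pass"
    if ethertype != ETHERTYPE_IPV4:
        return "drop"
    ip = frame[ETH_HDR_LEN:]
    if len(ip) < 20 or ip[0] >> 4 != 4:
        return "drop"
    ihl = (ip[0] & 0x0F) * 4
    proto = ip[9]
    src, dst = IPv4Address(ip[12:16]), IPv4Address(ip[16:20])
    if proto != PROTO_TCP or len(ip) < ihl + 4:
        return "drop"
    sport, dport = struct.unpack("!HH", ip[ihl:ihl + 4])
    if allowed_port not in (sport, dport):
        return "drop"
    if vpn_endpoint is not None:
        ep = IPv4Address(vpn_endpoint)
        # The endpoint must be the party on allowed_port, whichever way the packet flows.
        outbound_ok = dport == allowed_port and dst == ep
        inbound_ok = sport == allowed_port and src == ep
        if not (outbound_ok or inbound_ok):
            return "drop"
    return "pass"


def slug_forward(frame: bytes, **policy) -> Optional[bytes]:
    """Forward the frame byte-for-byte (no TTL decrement, no rewriting) or swallow it."""
    return frame if slug_verdict(frame, **policy) == "pass" else None


# --- constructed sample frames (not captured traffic) -----------------------

def build_ipv4_frame(src_ip: str, dst_ip: str, proto: int, payload: bytes, ttl: int = 64) -> bytes:
    eth = b"\x02\x00\x00\x00\x00\x01" + b"\x02\x00\x00\x00\x00\x02" + struct.pack("!H", ETHERTYPE_IPV4)
    iphdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, ttl, proto, 0,
                        IPv4Address(src_ip).packed, IPv4Address(dst_ip).packed)
    return eth + iphdr + payload


def tcp_syn(sport: int, dport: int) -> bytes:
    # Minimal 20-byte TCP header: seq/ack 0, data offset 5, SYN flag, window 65535.
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x02, 65535, 0, 0)


def arp_request() -> bytes:
    return b"\xff" * 6 + b"\x02\x00\x00\x00\x00\x01" + struct.pack("!H", ETHERTYPE_ARP) + b"\x00" * 28


if __name__ == "__main__":
    endpoint = "203.0.113.10"   # placeholder VPN endpoint address
    ssh_out = build_ipv4_frame("192.168.1.50", endpoint, PROTO_TCP, tcp_syn(40000, 22))
    http_out = build_ipv4_frame("192.168.1.50", endpoint, PROTO_TCP, tcp_syn(40001, 80))
    print("ssh ->", slug_verdict(ssh_out, vpn_endpoint=endpoint))
    print("http ->", slug_verdict(http_out, vpn_endpoint=endpoint))
```

Note the symmetry check on `vpn_endpoint`: the endpoint is the source on inbound replies and the destination on outbound SYNs, so a rule that only matched the destination would drop every reply. Because `slug_forward` returns the original bytes, the TTL and checksums leave the slug exactly as they arrived, which is what makes it invisible to a traceroute.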
IMO the safest way to access a VPN is from a VM which is restricted to that VPN. Like whonix, but using a VPN instead of Tor.
In theory, deep integration into the OS (like Tails does for Tor) could work, but is much easier to get wrong, especially if you want direct network access for other applications.
(Only talking about VPNs used for hiding your IP. Tunneling into a company network via VPN is a very different use-case)
Just need to make sure host applications don't see the network interface provided by the VPN gateway, so they don't accidentally leak it (linking it to your real IP). A typical example is browsers when using WebRTC.
The only way (in theory) someone could figure out my IP from this setup is A) if they have a jail escape (unlikely) or B) if I screw up my firewall config and accidentally let some packets through that aren't going straight into the VPN (plausible)
This way all I need to do is tag packets on whichever device they come from and they only go out via that interface.
I also have separate Wi-Fi SSIDs for each of those so changing my exit node is as simple as choosing a different one.
Wonder why issues like this are so common - do they just de-prioritize vulnerabilities reported by researchers to death?
If you’re in modem only mode, block HTTP traffic to 192.168.100.1 outbound from your firewall just to be sure.
Seems relatively low impact, but still pretty bad. Not surprising from VM given the quality of their firmware.
I've been blocking traffic to RFC1918 ranges (all of them) that attempts to egress the WAN interface for just as long.
It's almost like I knew that eventually, someone was going to find a vulnerability in their web panel, and I wanted to make sure it wouldn't be exploitable.
Oh wait, I didn't know. It's just common sense.
What does it return in modem only mode? I've verified that <hubip>/snmpGet?oid=18.104.22.168.4.1.422.214.171.124.126.96.36.199.3.1 on my Hub 3 returns:
> "188.8.131.52.4.1.4184.108.40.206.220.127.116.11.3.1":"$xxxxxxxx" [public IP address encoded in hexadecimal]
but I can't currently test it in modem only mode.
$ ssh -L 127.0.0.1:1234:192.168.100.1:80 root@router
$ curl 'http://127.0.0.1:1234/snmpGet?oid=18.104.22.168.4.1.422.214.171.124.126.96.36.199.3.1'
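The snmpGet reply quoted above carries the public address as a `$`-prefixed string of eight hex digits, one octet each. As an added example (not the hub's own code and not the commenter's), the following decodes such a body and flags any value that is not an RFC1918 address, i.e. an address whose disclosure to a LAN-side page is the leak discussed here; it also wraps the GET through the port forward shown in the previous comment. The OID keys in `SAMPLE_BODY` are constructed placeholders, since the real OIDs in the thread are not reproduced here.

```python
import json
import urllib.request
from ipaddress import IPv4Address, ip_network
from typing import Dict, Optional

RFC1918 = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample in the shape the thread shows ("$" + 8 hex digits); the OID
# keys are placeholders, the values decode to 203.0.113.7 and 192.168.100.1.
SAMPLE_BODY = json.dumps({
    "oid.placeholder.wan-address": "$CB007107",
    "oid.placeholder.lan-address": "$C0A86401",
    "oid.placeholder.some-counter": "12345",
})


def decode_hub_hex_ip(value) -> IPv4Address:
    """Decode the '$xxxxxxxx' form: a '$' followed by 8 hex digits, one octet each."""
    if not isinstance(value, str) or not value.startswith("$") or len(value) != 9:
        raise ValueError(f"not a hex-encoded IPv4 value: {value!r}")
    return IPv4Address(bytes.fromhex(value[1:]))   # fromhex raises ValueError on non-hex


def inspect_snmpget_body(body: str) -> Dict[str, dict]:
    """Parse a snmpGet JSON body and mark every decodable address that is not RFC1918."""
    result = {}
    for oid, raw in json.loads(body).items():
        try:
            ip = decode_hub_hex_ip(raw)
        except ValueError:
            continue   # counters, strings and other non-address values
        result[oid] = {
            "ip": str(ip),
            "exposes_public_ip": not any(ip in net for net in RFC1918),
        }
    return result


def fetch_snmpget(base_url: str, oid: str, timeout: float = 3.0) -> Optional[str]:
    """GET <base_url>/snmpGet?oid=<oid>, e.g. through the ssh -L forward above.

    Returns None when the hub cannot be reached, which is the expected outcome
    once 192.168.100.1 is firewalled from the LAN side.
    """
    try:
        with urllib.request.urlopen(f"{base_url}/snmpGet?oid={oid}", timeout=timeout) as resp:
            return resp.read().decode("utf-8", "replace")
    except (OSError, ValueError):   # URLError and socket timeouts are OSError subclasses
        return None


if __name__ == "__main__":
    for oid, info in inspect_snmpget_body(SAMPLE_BODY).items():
        print(oid, info)
```

A quick self-check after adding the firewall rule is `fetch_snmpget("http://192.168.100.1", "<oid>")` from a LAN host: `None` means the block is working; a body with an entry flagged `exposes_public_ip` means the management interface is still answering.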
If it allows some local addresses/hosts to be accessed, some information is always bound to leak I'd argue.
I suppose this is well-known to savvy users and sysadmins, but still thought it worth mentioning in the context of this more general router vulnerability. Some of the cheaper VPN services out there are very insecure anyway.
VM ones can be put in modem mode.
Am I correct in assuming that this means that I'm not exposed by the vulnerability described in the article?
Does this also affect the router when used in modem mode?
Two years!! - Ja, this just makes me mad!
Sure security issues happen to the best of them and us, but dammit being alerted to this and just ignoring it, tells you EXACTLY the level of competence of management and their commitment to YOUR data.
If I may add a few data points: I recently had a look at some of the ISPs in my country, just "basic level stuff". I'm by no means a pen-tester. This is what I found:
1. ISP A
1.1 CLIENT-Side Localstorage, no validation:
Thus if you are signed in, go to localstorage and change 'user-id:123' to 'user-id:456' - Congrats, you are now logged in as user:456.
1.2 All APIs where you can pass in a user-id did not check if you are allowed. Thus you can do "<broken-isp.com>/api/getuserinfo/<add-any-user-id>"
1.3 Same API also brings back HASHED-PW and HASHED-PIN. I thought it was strange, but what's the chance one can "crack" SHA on a PC these days, especially with 'proper' password libraries like bcrypt/salt? Turns out there were NO SALTs added to the hashed PW and it was SHA-256. Hashcat makes quick work of most passwords.
PS: was also "funny" how they "HASHED" the PIN (4-digit value) that was also returned in the API response. If you think hashcat is fast with passwords, you know how fast it is to test the hash values for [0000-9999] :)
1.4 Time to respond: I managed to have a phone call with the CEO, who at least sounded (I do think the response was 100% sincere) UPSET and WORRIED, and asked that I send him all the info and recommendations I have.
Good response to a bad situation! - Well done.
2. ISP B
2.1 Hmmm, seems someone deployed part of a .git folder to their website. Only .git/INDEX and .git/HEAD were deployed, but it was very easy to reconstruct the "commits/changesets" with something like GitTools, and discovered part of the changesets was from when they were doing lead generation via Facebook and their CRM system. API keys were all hard-coded and visible in the changeset (source code). Thus using the API keys one has access to their whole CRM, it seems.
2.2 Company response: Managed to track down the CEO via LinkedIn, super nice guy and it's a BIG ISP. He was very upset about the security and super thankful for my "responsible disclosure"; he CC'd most of his exec committee: CTO, InfoSec, COO and operations team. His parting words: "I hope someday we can help you as well"! Well done.
3. ISP C
3.1 Wow they were/are just terrible.
They have unauthenticated AJAX calls for their "account pages, billing details, router details". You ONLY had to "guess" the account number (very predictable account numbering scheme).
3.2 Company Response:
Spent a few days tracking down their contact details. Managed to find emails for the CEO, COO, and a few other "CxO" people. I emailed them about the security on their site: do they have an InfoSec team, or where should I send the details to?
He responded to send it to him (so we know the email address works). After sending proof and details of their complete lack of security I got zero response. After TWO weeks I followed up with the CEO and he only replied (send me your contact number; no phone call yet), but they did seem to fix the security issues, only once I followed up.
Just goes to show that "responsible disclosure" can be a very misleading term...
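Item 1.3 in the comment above is worth making concrete: an unsalted SHA-256 of a 4-digit PIN has only 10,000 possible inputs, so a lookup table built once reverses any such hash in constant time, which is the "hashcat is fast" observation. The following is an added example, not code from the commenter or from any of the ISPs described: it builds that table to show the weakness, then shows the storage scheme that should have been used (a per-record random salt and a deliberately slow PBKDF2-HMAC-SHA256 derivation, verified with a constant-time compare). The iteration count and salt length are assumptions for this example, chosen in line with common current guidance.

```python
import hashlib
import hmac
import os
from typing import Optional

# --- what the commenter found: unsalted SHA-256 over a 4-digit PIN --------------

# 10,000 digests computed once; after that every PIN hash is a dictionary lookup.
UNSALTED_PIN_TABLE = {
    hashlib.sha256(f"{p:04d}".encode()).hexdigest(): f"{p:04d}" for p in range(10_000)
}


def unsalted_sha256_hex(secret: str) -> str:
    """The weak scheme, reproduced only so its output can be fed to the table."""
    return hashlib.sha256(secret.encode()).hexdigest()


def reverse_unsalted_pin_hash(hexdigest: str) -> Optional[str]:
    """Instant reversal of an unsalted 4-digit PIN hash; None if it is not one."""
    return UNSALTED_PIN_TABLE.get(hexdigest.lower())


# --- what should have been stored instead -----------------------------------------

SALT_LEN = 16            # random per-record salt; makes precomputed tables useless
PBKDF2_ROUNDS = 600_000  # assumed cost parameter for PBKDF2-HMAC-SHA256 (example value)


def hash_secret(secret: str, salt: Optional[bytes] = None) -> bytes:
    """Return salt || PBKDF2-HMAC-SHA256(secret, salt) for storage."""
    salt = os.urandom(SALT_LEN) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, PBKDF2_ROUNDS)
    return salt + dk


def verify_secret(secret: str, stored: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    salt, dk = stored[:SALT_LEN], stored[SALT_LEN:]
    candidate = hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, dk)


if __name__ == "__main__":
    leaked = unsalted_sha256_hex("4321")            # constructed sample value
    print("unsalted PIN hash reverses to:", reverse_unsalted_pin_hash(leaked))
    stored = hash_secret("4321")
    print("salted+slow verify:", verify_secret("4321", stored), verify_secret("0000", stored))
```

Two caveats a reviewer of that API should add. A slow, salted hash only raises the cost per guess; a 4-digit PIN is still exhausted in 10,000 online or offline attempts, so the PIN needs server-side rate limiting and lockout regardless of how it is hashed. And the larger defect in 1.3 is that the API returned the hashes at all: a correctly stored credential never leaves the server, so the strength of the hash should be the second line of defence, not the first.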
I almost admire how mediocre they are - they do just enough to keep people on their service and because they've done the work of laying cable to all the houses in an area, there's little incentive for OpenReach to lay fibre in those areas.
I live in London and I can get Gigabit from VM (although only download, their upload is a pathetic 50Mb/s) so OpenReach has just left this area on crappy old copper phone lines and my alternative is <10Mb/s from DSL.
It sucks and I hate it and I have absolutely no choice in the matter. Thanks capitalism! ;)
Edit: Fun fact, VM is owned by Liberty Global, who have thus far rolled out IPv6 on their other ISPs using DS-Lite (where you get a routable v6 address, but your v4 address is behind Carrier Grade NAT). I saw this and decided to switch to VM's business service so I could get a static v4 address.... turns out they just connect normally over the residential network and then do a GRE tunnel to the other side of the country for the static addressing, and their crappy router will just randomly stop routing packets over the GRE tunnel after a couple of weeks, requiring a reset of the router.