I was furious. Time Warner had left a backdoor in all their modems that gives them administrative access to my private connection. And yes -- she did alter the password remotely. She didn't seem to think there was anything wrong with this. I tried googling for relevant information, but wasn't able to find anything more than speculation at the time.
Lately cable companies have been pushing these hybrid modem/router combinations with things like wifi support built in. From a consumer standpoint, this seems very convenient, but the cable companies do this because it makes it easier for them. If you call up with an issue with "your Internet," they can remotely diagnose it and reset your modem/router. Make no mistake; they have more control over these than you do.
If you want to stop your ISP from having administrative access to your "private connection" (I assume you mean your wifi), then don't put the modem and the router in the same box. There's no other way around this.
Yes, their modems. On the connection that they provide for you.
A cable modem is considered CPE (customer premises equipment), meaning it is part of the infrastructure a telco uses to provide you with connectivity. Usually they own it, but in any case they have full control over it, as they should - it's part of their network. They may choose to delegate some configuration via a web GUI, but that's at their discretion - it's theirs to administer.
Business telecom has a formalized notion of a demarc (demarcation point), the place where the telco network ends and yours begins. AT&T owns and is responsible for the fiber/T1/POTS lines as they come through the wall, as well as the CPE (often a large rackmount Cisco router) to which it connects. Their contract is to provide connectivity on specific ethernet ports/fibre GBICs/whatever of that CPE. Whatever happens downstream of those ports is your problem, and whatever happens upstream is their problem.
Both sides will treat this connection as hostile - you'll have your own NATing router up and the telco's router, if it even has a configuration interface listening on your NIC, won't let you in. It would be inappropriate for AT&T to have any sort of access to the router you own and inappropriate for you to attempt any sort of access to AT&T's CPE.
Time Warner has been shifting recently towards placing WiFi on their side of the (logical) demarc. Which makes sense, since most people would rather not be responsible for administering any infrastructure - they just want Time Warner to deliver them WiFi. It sounds like you have this kind of setup, in which case Time Warner's access is not "backdoor" but "building owner" - you're renting a room.
If you'd prefer, you can (have them) turn off their WiFi, go buy a nice wireless router, and connect it to the modem. In this case Time Warner is providing you with a connection on an ethernet port; the device you've plugged in is your own (your side of the demarc) and they have no right to touch its configuration, nor are they responsible for it working correctly.
EDIT: The obvious analogy that would have simplified much of this is that a cable modem is like an electrical meter.
One of my cable installers told me that rate limiting is done in the cable modem, so people would run pirate firmware that eliminated the artificial limits and run at the natural limit of the connection. People had fun with this for a while until the network engineers figured it out, and now people exceeding the speed limit get their connections shut down pretty quickly. But anyway, it makes sense that the cable modem really isn't the customer's to control.
I own and control my own wireless router because I want to play with things like DD-WRT, use OpenDNS, etc., but I see the cable modem as no different from the utility box down the street.
With cable modems, does/can the provider push firmware?
The last I heard about it the different levels of service (bronze/silver/gold they were at the time, 5/10/20Mbit/s) are just based on the MAC the modem sends on this initial config/handshake. When I moved from 20 to 50 I was told to reboot the modem and it came up with an all new shiny more craptastic than ever web interface as well as setting its WAN port to 50Mbit/s.
The provider is able to change the settings through two primary methods.
1. DOCSIS configuration file - this is the file your modem downloads when it comes online and includes settings like your speeds (Upstream/Downstream service flows) and it also includes the SNMP settings (used for #2).
2. SNMP - The MSO can also remotely monitor and change your modem via SNMP. There are a large number of DOCSIS MIBs that every cable modem must support in order to get certified and there are also vendor specific MIBs that a modem's manufacturer will add to support specific features of that modem.
Without SNMP it would be very difficult to maintain a cable network. Other types of access networks have similar features.
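To make point 1 concrete, here is a walker for the TLV-encoded DOCSIS configuration file the modem fetches when it comes online; it is an added example, not code from the thread or from any vendor tool, and its sample file is constructed inline. The type codes (3 = Network Access Control, 4 = Class of Service with sub-TLVs 1 class id / 2 max downstream bps / 3 max upstream bps, 18 = Max CPE, 0 = pad, 255 = end) are from the DOCSIS 1.x spec as I recall it and should be checked against the spec; the MIC TLVs the CMTS uses to reject a tampered file are not modelled.

```python
import struct

# Sub-TLV names inside a Class of Service (type 4) block. Assumed from DOCSIS 1.x.
COS_SUB = {1: "class_id", 2: "max_downstream_bps", 3: "max_upstream_bps"}


def iter_tlvs(buf):
    """Yield (type, value) pairs from a TLV buffer, honouring pad (0) and end (255)."""
    i = 0
    while i < len(buf):
        t = buf[i]
        if t == 0:            # pad byte: type only, no length field
            i += 1
            continue
        if t == 255:          # end-of-data marker: stop, ignore trailing padding
            return
        if i + 1 >= len(buf):
            raise ValueError(f"truncated TLV header at offset {i}")
        length = buf[i + 1]
        value = buf[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError(f"TLV type {t} at offset {i} runs past end of file")
        yield t, value
        i += 2 + length


def parse_config(buf):
    """Return the settings a support rep would care about: access, speeds, CPE limit."""
    settings = {}
    for t, v in iter_tlvs(buf):
        if t == 4:            # Class of Service: nested TLVs carry the rate caps
            cos = {}
            for st, sv in iter_tlvs(v):
                if st == 1:
                    cos[COS_SUB[st]] = sv[0]
                elif st in (2, 3):
                    cos[COS_SUB[st]] = struct.unpack("!I", sv)[0]   # network byte order
            settings.setdefault("class_of_service", []).append(cos)
        elif t == 3:          # Network Access Control: 1 = modem may forward traffic
            settings["network_access"] = bool(v[0])
        elif t == 18:         # Max CPE: how many MACs behind the modem are allowed
            settings["max_cpe"] = v[0]
        else:                 # anything else (e.g. SNMP MIB objects) kept raw
            settings.setdefault("other", []).append((t, v.hex()))
    return settings


def tlv(t, value):
    """Encode one TLV (1-byte type, 1-byte length, value)."""
    return bytes([t, len(value)]) + value


def make_sample_config(down_bps, up_bps):
    """Constructed sample: access on, one service class, max 2 CPE, end marker, pad."""
    cos = tlv(1, b"\x01") + tlv(2, struct.pack("!I", down_bps)) + tlv(3, struct.pack("!I", up_bps))
    return tlv(3, b"\x01") + tlv(4, cos) + tlv(18, b"\x02") + b"\xff" + b"\x00" * 3


if __name__ == "__main__":
    print(parse_config(make_sample_config(20_000_000, 2_000_000)))
```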
I don't know why exactly it worked out that way, but the telephone system is designed to deal with consumer electronics and the coax cable system is not.
It didn't used to be - until the federal government busted AT&T's monopoly, it was illegal to connect non-AT&T equipment to the AT&T network, at least electrically. This is why in old movies you see people dialing ISPs by hand with a phone and then setting the handset down on a cradle - the cradle was the modem, and it interfaced with the telephone network acoustically. The demarc (at least as we know it today) was presumably introduced after the government told AT&T they had to let people have their own networks, rather than considering everything up through the phones to be part of the telco network.
The demarc for your DSL is the modem. If you provide your own modem you still are subject to AT&T's rules. You cannot legally connect to sensitive national infrastructure (like the phone network) without the provider being responsible for your access.
As far as connecting equipment, that significantly predates divestiture. Most people point to Carterfone as the salient decision that changed this: http://en.wikipedia.org/wiki/Carterfone
In reality, there was actually a prior decision which I can't seem to find right now where AT&T refused to allow people to put plastic privacy guards over the mouth piece on the grounds that it would damage the phone network. Ludicrous, but sensible from an economic standpoint.
EDIT: Found it, 1956 Hush-a-phone: http://en.wikipedia.org/wiki/Hush-A-Phone_v._United_States
In short, Telecom is complicated, the demarc is important and you don't own any part of the network from the modem on up.
Source: I am a telecom junkie and I work at 2600hz, the open source telecom company.
You might be surprised at how much a provider support rep can see with this. Here's two screenshots from Cisco's product to give you an idea: http://images.newsfactor.com/images/super/larger-12-ClearAcc...
Moral of the story: Use the most basic cable/dsl modem that they'll give you, make it as close to bridge mode as you can, and use your own router.
Over here when you are BT's FTTC setup through any ISP the vDSL modem that hangs off your master socket (which can do more but is used in this arrangement to simply pick up the connection from the phone line and provide PPPoE on the ethernet port) is very definitely BT/OR's: they tell you not to mess with it, people who want to mess with it have to use hacks to get access to the UI (which is otherwise locked off), and if you plug something else in at that point you are officially not supported. If the router that you plug in to that came from your ISP then that is theirs (usually you have to return it when you leave).
If you buy your own router (or "make" your own, people who have a small Linux machine on 24/7 for various things just set that up to talk PPPoE directly and skip the router altogether, neatly avoiding the limits of many "consumer grade" units (shoddy IPv6 support for instance) without shelling out for a much better device) only then do you truly have control of security at that point in the topology. But some ISPs won't support you if you don't use the provided router (though if you know enough to purchase your own router you might not find such an ISP's tech support much help anyway).
Not really a backdoor, just remote administration.
Now combine that with the typical user's tendency towards password reuse...
Most annoyingly, AT&T put out a firmware update some months later that closed the exploit, but didn't fix any other problems. So, I found another more intrusive/permanent exploit. Still waiting on them to patch it next heh. But now they are actually putting out some updates that actually fix problems too at least. Hopefully user uproar will continue to drive them to fix more problems.
I've had service techs out for the last two years trying to make it more reliable, but the biggest problem has been "proving" that the service has been down, and very frequently. Now I can get my local nagios instance graphing the terrible reliability. That should get ammunition to request monthly statement credits, hopefully increasing their motivation to fix the wiring in the area (everyone in this small town that has U-Verse complains about the reliability of the connection).
I really wonder why nobody complained about that earlier. Also the interesting thing here is that for a very long time, you weren't allowed to use a different router than the one provided by your ISP. Which enforced their surveillance monopoly.
Here's an article about reverse engineering the backdoor in D-Link routers using IDA:
PoC Available: http://pastebin.com/vbiG42VD
Most likely your ISP is using a technique like TR-069. This enables them to push settings for voip/TV, and in your friend's case wifi. A lot of DSL providers are starting to use this for less intrusive (?) goals like measuring noise and attenuation at the client's end once a day, so they can adjust the speed accordingly.
AVM is a very nice company and you should not accuse them without proof. They actually provide an option to disable TR-069 in the page "Provider Services" ("Allow automatic configuration by the service provider" and "Allow automatic updates"). If you don't have this option you could try installing the original firmware from avm.de.
Maybe you are still able to flash the modem with the original firmware from , and configure it yourself?
You shouldn't accuse anybody without proof. But since this is Hacker News I'll disagree with the first part of that sentence. AVM is probably the least hacker-friendly company I've ever come across. For example, they're so hell-bent on violating the GPL that they've taken it to court (and lost).
Why can't this be done on the DSLAM?
That's what I did, I flashed it with a custom firmware (that was after I got aware of the backdoor). I've not "reverse-engineered" the base image of my own router like in the article above, because that's a lot of work. I've worked on an awful lot of routers, hubs, switches of all sorts, enterprise and consumer. Have been network administrator for a large global company and I think that I can trust my sources.
What the new user "blablablaat" mentioned is obvious, I'm not stupid to make something like this up. Of course I have no "Provider Services" or anything remotely similar enabled, but it's still possible to connect to the router and take control over it according to my source and I've seen it back then, when I asked for him/her to show it. Now why do you expect me to prove that? A security researcher is more qualified than me to create the convincing report you're asking for, sorry. You can feel free to do it yourself too, if you want. It's not my intention to spread rumors or FUD, but to make you at least aware that your router ain't secure.
I've heard of some cases that ISPs tried to stop by going to court, like permanent storage of all data, but lost the case. It's not just the NSA btw, in Germany there is the Bundesnachrichtendienst (BND), which translates to "Federal Intelligence Service".
That's a pretty scary prospect. If it's been 'known' and exploited since at least 2008. Poor form, Netgear/Linksys.
It's a totally different attitude when the intended market is enterprise: it's assumed that if a product causes a failure, the vendor is going to receive escalating, unpleasant phone calls until it's resolved.
Equipment failure that can kill people should be taken more seriously than equipment failure that leads to less serious consequences.
The thought of wireless gear in mines is pretty scary! I used to build / test equipment for a sub-contractor of Joy Mining and communication between the devices was carried by inch thick cables with nickel-plated machined steel connector shells. Pit props at the cutting face can be active devices that walk forward as the face is cut, and they coordinate that forward movement. Designing user interfaces is tricky, and designing a UI that should prevent death or huge financial costs if misused is probably hard.
Not the industrial ones. They're unit tested ad nauseam, subjected to crush and environmental testing. You can run over the units with a fully-loaded haul truck, the cases are cast steel. They also retail for $10k USD a piece.
Note: Tomato is imho a bit nicer than DD-WRT, but not as good for tweaking as OpenWRT (which I use on my office routerstation pro).
I wonder if there is anyone still working in the GPL compliance department.
Excerpt from the GPL (paragraph 6b):
"You may [...] Convey the object code in, or embodied in, a physical product [...], accompanied by a written offer, valid for at least three years and valid for as long as you offer spare parts or customer support for that product model, to give anyone who possesses the object code either (1) a copy of the Corresponding Source for all the software in the product that is covered by this License [...]."
Seriously, nothing against a little humor in your slides. But making every second slide a meme reference gets annoying pretty fast :)
A well-placed meme for humour can be good, I agree.
And this didn't even have a talk.
* Guy sees service running on 32764 and thinks that's quite odd
* Gets very frustrated at useless forum posts from people with no clue
* Downloads a copy of the firmware from the (horrible) modem-help.co.uk
This is where it gets interesting:
First off, a program called Binwalk is used. This is a combo of a really cool python script, the libmagic database (if you've used the file utility in 'nix you've used it) and some C to deal with some compression types.
When binwalk works, it's pure brilliance. As you can see in the screenshot on slide 12, binwalk is able to detect strings and filesystems inside the firmware.
References to Texas Instruments and Telogy Networks would be a good starting point if you wanted to google for datasheets or some more background information.
I haven't ever seen a reference to Igor Pavlov in a firmware binary before but his name popping up is a good indication that you might be hitting 7zip or LZMA compressed data - http://en.wikipedia.org/wiki/Igor_Pavlov_%28programmer%29
Squashfs is commonly used (and horribly broken) by manufacturers of modems and routers.
Luckily the author is able to extract the filesystem out by looking at the offsets printed out by binwalk - this doesn't always work!
Slide 13 is pretty typical when reversing modem firmware - someone thought they were being smart and broke the squashfs format. It looks like no one else will be able to replicate this as the source code for the modified format has been taken down (?)
It's possible the author is using the name of the folder in the last screenshot of slide 13 as a hint of what to do next, slide 14 and 15 are magic to me.
I think the author has changed the LZMA source code to look for LZMA compressed data with a gzip header but this seems really strange to me.
Slide 15 just shows the unsquashfs tool with what seems like sensible output (if you'd done something wrong at this point you might see huge numbers of inodes or a silly number of files and you'd have to go back to the compression and keep looking)
Now the author has a filesystem to look through - I would have used strings and grep instead of just grep at this point. He's grepping for the name of the service he found in the forum posts, I think.
From here he's used a very expensive program called IDA Pro (https://www.hex-rays.com/products/ida/support/orderforms/nam...) to help. You may also be able to use the objdump command or The Online Disassembler.
I have no knowledge of MIPS assembly so I'm unable to help you there - IDA provides some flow diagrams like you can see in slide 19. I'm not sure if the author annotated the function names or if IDA was able to find them.
He identifies a buffer overflow and writes a small script to exploit it in slide 20 (I'd love some extra explanation of this if anyone can give it).
When the script is run it seems to dump the current configuration of the modem, but then it crashes or resets (slide 21).
The comments on slide 23 suggest that the code has jumped to the "restore_default" function - sorry, I don't understand this part. References to nvram would suggest it's doing something to the config though, which would explain slide 21.
Slide 26 shows a (hopefully LAN-side only) exploit that's able to enable the HTTP management interface of the modem and reset the password at the same time.
Final edit: I'm sorry for the formatting of this post. I'd love to collaborate with someone on a blog post about this exploit. I'm really just getting started with firmware reversing (and most of the time I don't get past the binwalk stage). My contact details are in my profile.
(He also greps for the string the server sent upon connection, but it's nowhere to be found. He then just greps for bind and filters for binary files only, to find all binaries that call bind (remember dynamic linking in the end comes down to strings..))
Another good one to look at is QuickBMS - allows you to define a "script" and then feed it to the ripper. I guess it saves you time writing boilerplate code when trying to get at new/unknown file formats. The Xentax Game Research forum loves it - http://aluigi.altervista.org/quickbms.htm (blocked as Hacking/Internet by the corporate proxy here, so it's good)
There are some errors in your comments, I didn't exploit anything, I just highlighted a vulnerability in the backdoor :D
People, if you are confused by memes, don't do RE :D
And for those who say I could have just written a simple text, well, text is not that simple to write especially when you're not a native English speaker :) and I had a lot of fun doing my drawings
- Download image for modem firmware.
- Extract the filesystem from the image by hacking up an open source tool. This represents all the files on-disk on the modem.
- Search the file system for references to the suspicious port. Locate binary that listens on said port.
- Disassemble binary, figure out the protocol/format of messages it's expecting to hear on suspicious port.
- Brute force the effect of sending messages by sending messages to said port with the header it's expecting, and different permutations of payloads? (I'm not sure about this part, I might be making shit up)
- Using this brute forcing figure out what payloads do what and map out what this backdoor listener can do.
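The binwalk and squashfs-carving stages in the slide walkthrough above (signature offsets, the "broken squashfs" tell-tales, the extract-filesystem step in this summary) in miniature, as an added example that is not binwalk's code nor the slide author's. It scans a blob for a few real magic byte sequences, decodes the squashfs v4 superblock it finds, flags the inconsistencies that hint at a vendor-modified format, and carves the image using the superblock's bytes_used field; the firmware blob is constructed inline, not a real vendor image.

```python
import struct

# Real on-disk magic bytes for formats that commonly appear in router firmware.
SIGNATURES = {
    "gzip":        b"\x1f\x8b\x08",           # gzip member header, deflate method
    "squashfs-le": b"hsqs",                   # little-endian squashfs superblock
    "squashfs-be": b"sqsh",                   # big-endian squashfs superblock
    "lzma":        b"\x5d\x00\x00\x80\x00",   # LZMA-alone header with 8 MiB dictionary
}
# Compressor ids defined by the squashfs v4 superblock.
SQUASHFS_COMPRESSORS = {1: "gzip", 2: "lzma", 3: "lzo", 4: "xz", 5: "lz4", 6: "zstd"}


def scan_signatures(blob):
    """Return sorted (offset, name) pairs for every signature occurrence in blob."""
    hits = []
    for name, magic in SIGNATURES.items():
        pos = blob.find(magic)
        while pos >= 0:
            hits.append((pos, name))
            pos = blob.find(magic, pos + 1)
    return sorted(hits)


def parse_squashfs_superblock(blob, offset):
    """Decode the little-endian squashfs v4 superblock at offset, with sanity warnings.

    The warnings are the symptoms of a modified or mis-carved image: wrong version,
    unknown compressor id, block_size disagreeing with block_log, or a length that
    runs past the blob (the "silly numbers" the thread mentions).
    """
    if blob[offset:offset + 4] != b"hsqs" or len(blob) < offset + 96:
        return None
    (inodes, _mtime, block_size, frags, comp, block_log, _flags, _ids,
     major, minor, _root, bytes_used) = struct.unpack_from("<IIIIHHHHHHQQ", blob, offset + 4)
    warnings = []
    if (major, minor) != (4, 0):
        warnings.append(f"unexpected version {major}.{minor}")
    if comp not in SQUASHFS_COMPRESSORS:
        warnings.append(f"unknown compressor id {comp}")
    if block_size != 1 << block_log:
        warnings.append(f"block_size {block_size} != 2**{block_log}")
    if bytes_used > len(blob) - offset:
        warnings.append("bytes_used runs past end of blob")
    return {"inodes": inodes, "fragments": frags, "block_size": block_size,
            "compressor": SQUASHFS_COMPRESSORS.get(comp, comp),
            "version": f"{major}.{minor}", "bytes_used": bytes_used, "warnings": warnings}


def carve_squashfs(blob, offset):
    """Cut the squashfs image out of blob using the superblock's bytes_used field."""
    sb = parse_squashfs_superblock(blob, offset)
    return None if sb is None else blob[offset:offset + sb["bytes_used"]]


def make_sample_firmware():
    """Constructed sample, not a real image: boot header, gzip member, squashfs, padding."""
    payload = b"\x00" * 64                     # stands in for compressed inode/data tables
    sb = b"hsqs" + struct.pack("<IIIIHHHHHHQQ",
                               12, 0, 131072, 0, 2, 17, 0, 1, 4, 0, 0, 96 + len(payload))
    return (b"U-Boot " + b"\xff" * 25            # offsets 0..31: boot header and padding
            + b"\x1f\x8b\x08\x00" + b"\x11" * 28  # offset 32: gzip member (kernel stand-in)
            + sb.ljust(96, b"\x00") + payload      # offset 64: squashfs image, 160 bytes
            + b"\xff" * 16)                        # trailing erase-block padding


if __name__ == "__main__":
    fw = make_sample_firmware()
    for off, name in scan_signatures(fw):
        print(f"0x{off:08x}  {name}")
    print(parse_squashfs_superblock(fw, 64))
```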
I didn't see y'all's response until I refreshed the page
"Mr. Guessing 2010" doesn't know shit about backdoor (superuser.com).
Many of Linksys' old DSL modems were manufactured by them, AFAIK.. and it seems many of the noted 'probably affected' models have a SerComm manuf'ed device for at least one revision of that model line
More probable SerComm manuf'ed devices are visible at the WD query link below..
(No, not my mom specifically; I gave her a router with Tomato installed for, among other things, exactly this reason. But not everyone has a technologist for a son, let alone one who knows what he's doing well enough to install m0n0wall on a Soekris box, or even Tomato on an old WRT54G*.)
You order the Soekris boxes on behalf of the crowdfunders. You image your chosen open source OS on blank CF cards, bundle the CF cards together with the Soekris boxes and ship these to the crowdfunders as the "open source router".
If you want to bring a solution to the masses out of the goodness of your heart and you are motivated, then nothing is stopping you.
If I flash the firmware warranty is void and I have no user/pass to re-enable the ADSL. So basically, my router is a hostile AP.
Given the fact that, it's a common pattern among ISPs in order to offer quick service - I firmly believe that ISPs do it for practical reasons - and end up killing your security, the best thing is to put the router in bridged mode and get a cheap custom-made router like carambola2 and install FreeBSD on it.
Disclosure: I donated one of these devices to Adrian Chadd in order for him to port FreeBSD on this device, which enabled me to use PF - my favorite firewall - but I have no affiliation otherwise with 8devices or FreeBSD.
It's a backdoor in the sense that it allows you to change settings on the modem with no credentials.
It's plausible that on a badly configured network this port could be exposed to the Internet. Anyone want to check Shodan?
It's also plausible that an attacker could find one of these in the local coffee house or any other place that offers public wifi and get at it from the internal side that way, or war driving for access points using weak passwords or WEP, or small office corporate networks with mischievous employees, or an attacker compromising a single PC on the LAN and then using this to change the DNS handed out by the router's DHCP and compromising the others, ...
Assuming GRC isn't out to deceive me, can I assume that my router is fine?
Bill, using a Netgear router.
He's figured out many of their "encryption" methods. I've independently "cracked" most of the major ones as well, (including checksums/headers required to write back to the router).
They're all pretty broken. PRNG key streams, simple bit swaps, XOR, encryption against a static key, etc.
However seeing mention of (and an implementation of) Dual_ECC_DRBG in the slides immediately gives me a lot of pause regarding the security of my router. I love memes more than the next guy but this guy really went out of his way to make this confusing to understand.
At first I thought it was this, which has been known for a long time now:
Just FYI it's no surprise that the IDA Pro wine torrent for OSX (magnet ...116a37) floating around out there has malware in it. Best to get it directly from a friend at a large shop. If you're a pentester or researcher, buy it obviously.