About a year ago I left a cable modem and internet service (Time Warner) at an apartment I was moving out of while my friend continued to stay there. I had configured the thing in a manner I thought to be fairly secure -- strong password, no broadcast, etc. One day the internet goes down and my friend doesn't know what to do. She calls the ISP and asks them what's wrong. They say they can't release any information about the service to her without my permission, so I suddenly get a three-way call explaining that my friend and the ISP representative are on the line and I need to give my authorization to access the account information. Being the person I am, I attempt to troubleshoot things over the phone before giving out any sort of account credentials. Eventually, I ask her to log into the router configuration page. She doesn't know the password and the first one I gave her doesn't work. The representative chimes in "That's fine -- I can just change it from here."
I was furious. Time Warner had left a backdoor in all their modems that gives them administrative access to my private connection. And yes -- she did alter the password remotely. She didn't seem to think there was anything wrong with this. I tried googling for relevant information, but wasn't able to find anything more than speculation at the time.
Of course they can. The way DOCSIS is designed, your cable company has full access to your modem; your modem receives configuration data via TFTP from them and in most cases the firmware can only be updated over the coax interface. In fact, it's very rare that there's any configuration you can change on the DOCSIS modem side of things at all, even on the most expensive modems.
Lately cable companies have been pushing these hybrid modem/router combinations with things like wifi support built in. From a consumer standpoint, this seems very convenient, but the cable companies do this because it makes it easier for them. If you call up with an issue with "your Internet," they can remotely diagnose it and reset your modem/router. Make no mistake; they have more control over these than you do.
If you want to stop your ISP from having administrative access to your "private connection" (I assume you mean your wifi), then don't put the modem and the router in the same box. There's no other way around this.
Were you able to get your firmware upgraded? My understanding is that firmware upgrades can only be done over coax (there's certainly nothing on the web interface), but Time Warner Cable will not upgrade your firmware; so if you need a firmware upgrade you're pretty much out of luck.
>Time Warner had left a backdoor in all their modems that gives them administrative access to my private connection
Yes, their modems. On the connection that they provide for you.
A cable modem is considered CPE (customer premises equipment), meaning it is part of the infrastructure a telco uses to provide you with connectivity. Usually they own it, but in any case they have full control over it, as they should - it's part of their network. They may choose to delegate some configuration via a web GUI, but that's at their discretion - it's theirs to administer.
Business telecom has a formalized notion of a demarc (demarcation point), the place where the telco network ends and yours begins. AT&T owns and is responsible for the fiber/T1/POTS lines as they come through the wall, as well as the CPE (often a large rackmount Cisco router) to which it connects. Their contract is to provide connectivity on specific ethernet ports/fibre GBICs/whatever of that CPE. Whatever happens downstream of those ports is your problem, and whatever happens upstream is their problem.
Both sides will treat this connection as hostile - you'll have your own NATing router up and the telco's router, if it even has a configuration interface listening on your NIC, won't let you in. It would be inappropriate for AT&T to have any sort of access to the router you own and inappropriate for you to attempt any sort of access to AT&T's CPE.
Time Warner has been shifting recently towards placing WiFi on their side of the (logical) demarc. Which makes sense, since most people would rather not be responsible for administering any infrastructure - they just want Time Warner to deliver them WiFi. It sounds like you have this kind of setup, in which case Time Warner's access is not "backdoor" but "building owner" - you're renting a room.
If you'd prefer, you can (have them) turn off their WiFi, go buy a nice wireless router, and connect it to the modem. In this case Time Warner is providing you with a connection on an ethernet port; the device you've plugged in is your own (your side of the demarc) and they have no right to touch its configuration, nor are they responsible for it working correctly.
EDIT: The obvious analogy that would have simplified much of this is that a cable modem is like an electrical meter.
Even when you "bring your own modem" ISPs tend to demand exclusive control while it's in service. It really is intended to be part of the ISP's network rather than yours, so while (unlike a rental unit) you could walk away with it and take it to another provider, sell it, run your own copper infrastructure, etc., you usually still can't modify the settings of the existing connection.
One of my cable installers told me that rate limiting is done in the cable modem, so people would run pirate firmware that eliminated the artificial limits and run at the natural limit of the connection. People had fun with this for a while until the network engineers figured it out, and now people exceeding the speed limit get their connections shut down pretty quickly. But anyway, it makes sense that the cable modem really isn't the customer's to control.
I own and control my own wireless router because I want to play with things like DD-WRT, use OpenDNS, etc., but I see the cable modem as no different from the utility box down the street.
Time Warner wants nothing to do with my (own purchased) cable modem beyond allowing me to use it. The vendor will only provide firmware patches to cable operators, and Time Warner won't touch my modem to help get the firmware upgraded.
All the cable modems I've used (UK) have always downloaded an image over TFTP on boot. As I understand it they can come up with a very minimal loader and reach out to the local "node" for configuration, and this can include new firmware. On the support line they're adamant that you reboot the things before proceeding past the IVR. Which makes sense.
The last I heard about it, the different levels of service (bronze/silver/gold they were at the time, 5/10/20Mbit/s) are just based on the MAC the modem sends on this initial config/handshake. When I moved from 20 to 50 I was told to reboot the modem and it came up with an all new shiny, more craptastic than ever web interface as well as setting its WAN port to 50Mbit/s.
The provider is able to change the settings through two primary methods.
1. DOCSIS configuration file - this is the file your modem downloads when it comes online and includes settings like your speeds (Upstream/Downstream service flows) and it also includes the SNMP settings (used for #2).
2. SNMP - The MSO can also remotely monitor and change your modem via SNMP. There are a large number of DOCSIS MIBs that every cable modem must support in order to get certified, and there are also vendor-specific MIBs that a modem's manufacturer will add to support specific features of that modem.
Without SNMP it would be very difficult to maintain a cable network. Other types of access networks have similar features.
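To make the first of those two methods concrete, here is an added example (not code from anyone in this thread) that walks the type/length/value structure of a DOCSIS configuration file and pulls out the settings the comment above mentions: the network-access flag, the upstream/downstream service flows that carry the provisioned rates, the embedded SNMP MIB objects, and the two MICs. The TLV type numbers are the ones from the DOCSIS configuration-file tables as I recall them and should be checked against the spec; the sample file is constructed for the example, not captured from any operator.

```python
import struct

# Top-level TLV types from the DOCSIS configuration-file encoding (as I recall
# them from the RFI/MULPI tables; verify against the spec). Type 0 is a one-byte
# pad and type 255 is a one-byte end-of-data marker; every other type is followed
# by a one-byte length and that many value bytes.
TLV_NAMES = {
    3: "network_access_control", 4: "class_of_service", 6: "cm_mic", 7: "cmts_mic",
    10: "snmp_write_access_control", 11: "snmp_mib_object", 18: "max_cpe",
    24: "upstream_service_flow", 25: "downstream_service_flow",
}

# Sub-TLVs inside a service-flow encoding (types 24/25).
SF_SUBTLV_NAMES = {1: "service_flow_reference", 6: "qos_parameter_set_type",
                   8: "max_sustained_rate_bps"}


def walk_tlvs(blob, offset=0, end=None):
    """Yield (type, value) pairs, skipping pads and stopping at end-of-data."""
    end = len(blob) if end is None else end
    while offset < end:
        t = blob[offset]
        if t == 0:                      # pad byte, no length
            offset += 1
            continue
        if t == 255:                    # end-of-data marker, no length
            return
        if offset + 1 >= end:
            raise ValueError("truncated TLV header at offset %d" % offset)
        length = blob[offset + 1]
        value = blob[offset + 2:offset + 2 + length]
        if len(value) != length:
            raise ValueError("truncated TLV value at offset %d" % offset)
        yield t, value
        offset += 2 + length


def parse_service_flow(value):
    """Decode the sub-TLVs of one service flow into a dict."""
    flow = {}
    for st, sv in walk_tlvs(value):
        name = SF_SUBTLV_NAMES.get(st, "subtlv_%d" % st)
        if st in (1, 6):
            flow[name] = int.from_bytes(sv, "big")
        elif st == 8:                   # 4-byte rate in bits per second
            flow[name] = struct.unpack(">I", sv)[0]
        else:
            flow[name] = sv.hex()       # keep unknown sub-TLVs as hex
    return flow


def summarize_config(blob):
    """Return the operator-controlled settings a defender cares about."""
    summary = {"network_access": None, "downstream_flows": [], "upstream_flows": [],
               "snmp_mib_objects": [], "has_cm_mic": False, "has_cmts_mic": False,
               "other_types": []}
    for t, v in walk_tlvs(blob):
        if t == 3:
            summary["network_access"] = bool(v[0])
        elif t == 24:
            summary["upstream_flows"].append(parse_service_flow(v))
        elif t == 25:
            summary["downstream_flows"].append(parse_service_flow(v))
        elif t == 11:
            summary["snmp_mib_objects"].append(v.hex())   # BER varbind, left opaque here
        elif t == 6:
            summary["has_cm_mic"] = True
        elif t == 7:
            summary["has_cmts_mic"] = True
        else:
            summary["other_types"].append(TLV_NAMES.get(t, "type_%d" % t))
    return summary


def sample_config():
    """Constructed sample file: access enabled, 20 Mbit/s down, 5 Mbit/s up."""
    def tlv(t, value):
        return bytes([t, len(value)]) + value

    def flow(ref, rate_bps):
        # sub-TLV 6 value 7 = provisioned + admitted + active parameter set
        return tlv(1, bytes([ref])) + tlv(6, b"\x07") + tlv(8, struct.pack(">I", rate_bps))

    fake_varbind = b"\x30\x0a\x06\x05\x2b\x06\x01\x02\x01\x02\x01\x01"  # constructed, not a real OID set
    return (tlv(3, b"\x01") + tlv(25, flow(1, 20_000_000)) + tlv(24, flow(2, 5_000_000))
            + tlv(11, fake_varbind) + tlv(18, b"\x04")
            + tlv(6, b"\x00" * 16) + tlv(7, b"\x00" * 16)   # MIC digests zeroed in the sample
            + b"\x00\x00" + b"\xff")


if __name__ == "__main__":
    for key, val in summarize_config(sample_config()).items():
        print(key, "=", val)
```

The two MIC fields are the reason the "pirate firmware" trick mentioned later in the thread gets caught: the CMTS MIC is an HMAC-MD5 over the file keyed with a secret only the operator holds, so a modem that rewrites its own service-flow rates produces a file whose MIC no longer verifies at the head end.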
DSL is provided over a POTS ("plain old telephone service") line. The demarc for POTS, at least in my neighborhood, is a grey box on the side of your house, well upstream of your DSL modem.
I don't know why exactly it worked out that way, but the telephone system is designed to deal with consumer electronics and the coax cable system is not.
It didn't used to be - until the federal government busted AT&T's monopoly, it was illegal to connect non-AT&T equipment to the AT&T network, at least electrically. This is why in old movies you see people dialing ISPs by hand with a phone and then setting the handset down on a cradle - the cradle was the modem, and it interfaced with the telephone network acoustically. The demarc (at least as we know it today) was presumably introduced after the government told AT&T they had to let people have their own networks, rather than considering everything up through the phones to be part of the telco network.
The demarc for your DSL is the modem. If you provide your own modem you still are subject to AT&T's rules. You cannot legally connect to sensitive national infrastructure (like the phone network) without the provider being responsible for your access.
In reality, there was actually a prior decision which I can't seem to find right now where AT&T refused to allow people to put plastic privacy guards over the mouth piece on the grounds that it would damage the phone network. Ludicrous, but sensible from an economic standpoint.
I had a problem of DNS poisoning on my router + modem for a long time even though remote access was disabled and my computers were clean. The DNS entries kept changing to bad ones (even after a factory reset). I ended up switching the modem to bridge mode and using a router of my own to resolve the problem.
That is very common with provider-issued equipment. Anything you get from your ISP should be considered their equipment rather than yours, and you should therefore assume that they maintain some sort of control over it. For serving very non-technical home users this is actually an advantage.
Over here when you are on BT's FTTC setup through any ISP, the vDSL modem that hangs off your master socket (which can do more but is used in this arrangement to simply pick up the connection from the phone line and provide PPPoE on the ethernet port) is very definitely BT/OR's: they tell you not to mess with it, people who want to mess with it have to use hacks to get access to the UI (which is otherwise locked off), and if you plug something else in at that point you are officially not supported. If the router that you plug in to that came from your ISP then that is theirs (usually you have to return it when you leave).
If you buy your own router (or "make" your own, people who have a small Linux machine on 24/7 for various things just set that up to talk PPPoE directly and skip the router altogether, neatly avoiding the limits of many "consumer grade" units (shoddy IPv6 support for instance) without shelling out for a much better device) only then do you truly have control of security at that point in the topology. But some ISPs won't support you if you don't use the provided router (though if you know enough to purchase your own router you might not find such an ISP's tech support much help anyway).
Proprietary software, firmware and hardware ultimately means you don't own the stuff you use. It goes on at all levels and people interiorise it to the point that they will take it as a given and justify uses that are not truly justifiable. ISPs do not need this kind of policy to operate, regardless of what you'll read in this thread.
Interesting. Reminds me of the hack I did on a (mandatory) modem/router forced on AT&T users. They had a bunch of problems with it, so one day I got fed up after the millionth disconnect and cracked it open. Got a serial root shell by using the "magic !" command (completely randomly discovered) and dumped the source to the web UI(in Lua/haserl). From there found the equivalent of a SQL injection vulnerability and used it to gain a remote root exploit.
Most annoyingly, AT&T put out a firmware update some months later that closed the exploit, but didn't fix any other problems. So, I found another more intrusive/permanent exploit. Still waiting on them to patch it next heh. But now they are actually putting out some updates that actually fix problems too at least. Hopefully user uproar will continue to drive them to fix more problems
U-Verse High Speed Internet service uses this type of modem (this is the "U-Verse" service that is a traditional ADSL type service, not their IPTV VDSL stuff -- it used to not carry the U-Verse name). I'm stuck with it at my extended family's summer home since there's no other service available. It's been incredibly flaky. Since the default configuration won't allow me to set the modem to respond to ICMP and we physically unplug electronics other than the modem when we're not there, I've run out of ways to monitor it remotely from my home two hours away (thereby eliminating the possibility of getting a monthly credit for every month this thing has been flaky).
I've had service techs out for the last two years trying to make it more reliable, but the biggest problem has been "proving" that the service has been down, and very frequently. Now I can get my local nagios instance graphing the terrible reliability. That should give me ammunition to request monthly statement credits, hopefully increasing their motivation to fix the wiring in the area (everyone in this small town that has U-Verse complains about the reliability of the connection).
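Turning a monitor's state changes into the per-month figures a statement-credit request needs is the step the comment above is after; the following is an added example (my code, not the commenter's nagios setup) that takes UP/DOWN transition lines, splits outages at month boundaries, and reports downtime minutes and availability per month. The log lines are constructed for the example; the line format and the assumption that an outage still open at the end of the log lasts until "now" are mine.

```python
import calendar
from collections import defaultdict
from datetime import datetime

# Constructed sample of state-change lines (UTC), not real monitoring data.
# Format assumed here: "YYYY-MM-DD HH:MM:SS STATE" with STATE in {UP, DOWN}.
SAMPLE_LOG = """\
2013-06-01 00:00:00 UP
2013-06-03 14:05:00 DOWN
2013-06-03 14:35:00 UP
2013-06-20 02:00:00 DOWN
2013-06-20 08:00:00 UP
2013-07-04 22:00:00 DOWN
2013-07-05 01:00:00 UP
2013-07-31 23:30:00 DOWN
"""


def parse_transitions(text):
    """Return a time-sorted list of (datetime, state) from the log text."""
    out = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        date, clock, state = line.split()
        if state not in ("UP", "DOWN"):
            raise ValueError("unknown state %r" % state)
        out.append((datetime.strptime(date + " " + clock, "%Y-%m-%d %H:%M:%S"), state))
    return sorted(out)


def next_month_start(dt):
    """First instant of the month following dt."""
    if dt.month == 12:
        return dt.replace(year=dt.year + 1, month=1, day=1, hour=0, minute=0, second=0)
    return dt.replace(month=dt.month + 1, day=1, hour=0, minute=0, second=0)


def add_outage(totals, start, end):
    """Credit the minutes of [start, end) to each calendar month it touches."""
    cur = start
    while cur < end:
        boundary = min(next_month_start(cur), end)
        totals[cur.strftime("%Y-%m")] += (boundary - cur).total_seconds() / 60.0
        cur = boundary


def downtime_minutes_by_month(transitions, now):
    """Pair DOWN/UP transitions; an outage still open at the end runs until now."""
    totals = defaultdict(float)
    down_since = None
    for ts, state in transitions:
        if state == "DOWN" and down_since is None:      # repeated DOWNs are ignored
            down_since = ts
        elif state == "UP" and down_since is not None:
            add_outage(totals, down_since, ts)
            down_since = None
    if down_since is not None:
        add_outage(totals, down_since, now)
    return dict(totals)


def availability_percent(month, minutes_down):
    """Availability for 'YYYY-MM' given minutes of downtime in that month."""
    year, mon = (int(x) for x in month.split("-"))
    minutes_in_month = calendar.monthrange(year, mon)[1] * 24 * 60
    return 100.0 * (minutes_in_month - minutes_down) / minutes_in_month


def report(text, now):
    totals = downtime_minutes_by_month(parse_transitions(text), now)
    return {m: (round(mins, 1), round(availability_percent(m, mins), 3))
            for m, mins in sorted(totals.items())}


if __name__ == "__main__":
    for month, (mins, pct) in report(SAMPLE_LOG, datetime(2013, 8, 1, 1, 0, 0)).items():
        print("%s: %.1f min down, %.3f%% available" % (month, mins, pct))
```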
I hacked my Fritz!Box (yeah, a bad name for a German router) and I'm entirely sure that it has a backdoor integrated too. That's why I wiped and flashed it with an alternative image. That and the Telecom's Speedport router are the most popular routers by far in Germany. And both have backdoors; I know that other router manufacturers also integrate backdoors from a source who works at such a company. A friend can also verify the fact, because a different employee told him the same. Also it's public that the ISP can upgrade, modify, flash and disable features remotely. My friend's router has wifi, but their provider disabled it remotely within the firmware (it even has an antenna) and his ISP wants him to pay 5€/m to re-enable wifi.
I really wonder why nobody complained about that earlier. Also the interesting thing here is that for a very long time, you weren't allowed to use a different router than the one provided by your ISP. Which enforced their surveillance monopoly.
Here's an article about reverse engineering the backdoor in D-Link routers using IDA:
Most likely your ISP is using a technique like TR-069. This enables them to push settings for voip/TV, and in your friends case wifi. A lot of DSL providers are starting to use this for less intrusive (?) goals like measuring noise and attenuation at the clients end once a day, so they can adjust the speed accordingly.
AVM is a very nice company and you should not accuse them without proof. They actually provide an option to disable TR-069 in the page "Provider Services" ("Allow automatic configuration by the service provider" and "Allow automatic updates"). If you don't have this option you could try installing the original firmware from avm.de.
Maybe you are still able to flash the modem with the original firmware from , and configure it yourself?
> AVM is a very nice company and you should not accuse them without proof.
You shouldn't accuse anybody without proof. But since this is Hacker News I'll disagree with the first part of that sentence. AVM is probably the least hacker-friendly company I've ever come across. For example, they're so hell-bent on violating the GPL that they've taken it to court (and lost).
Please provide evidence for the alleged backdoor in AVM Fritz!Box routers. Being sure is not convincing … I don't see why you had to hack an AVM router either – you can easily install other firmware and Fritz!Box routers can be directly bought anyway.
That's what I did, I flashed it with a custom firmware (that was after I got aware of the backdoor). I've not "reverse-engineered" the base image of my own router like in the article above, because that's a lot of work. I've worked on an awful lot of routers, hubs, switches of all sorts, enterprise and consumer. Have been network administrator for a large global company and I think that I can trust my sources.
What the new user "blablablaat" mentioned is obvious; I'm not stupid enough to make something like this up. Of course I have no "Provider Services" or anything remotely similar enabled, but it's still possible to connect to the router and take control over it according to my source, and I've seen it back then, when I asked him/her to show it. Now why do you expect me to prove that? A security researcher is more qualified than me to create the convincing report you're asking for, sorry. You can feel free to do it yourself too, if you want. It's not my intention to spread rumors or FUD, but to make you at least aware that your router ain't secure.
I think it's kinda convenient for companies that they can now blame the NSA for everything. I really think a lot more companies put backdoors into their software without external pressure (sometimes not intentional, just because of laziness or stupidity).
I agree, there are also some laws that force ISPs to do things they don't feel comfortable with. I know it's not entirely their fault.
I've heard of some cases that ISPs tried to stop by going to court, like permanent storage of all data, but lost the case. It's not just the NSA btw; in Germany there is the Bundesnachrichtendienst (BND), which translates to "Federal Intelligence Service".
This is not surprising. It's a calculated risk to make a product just good enough. Development resources invested in retail wireless gear is minimal. I've worked on firmware for high-confidence industrial wireless gear used in mines. Most of them fall over under load, run obsolete+unpatched code and/or reboot randomly. Retail customers will tend to just put up with it and not return the product before the merchant's return grace period.
It's a totally different attitude when the intended market is enterprise: it's assumed that if a product causes a failure, the vendor is going to receive escalating, unpleasant phone calls until it's resolved.
Mining is a dangerous industry with its own specialist regulators and standards bodies.
Equipment failure that can kill people should be taken more seriously than equipment failure that leads to less serious consequences.
The thought of wireless gear in mines is pretty scary! I used to build / test equipment for a sub-contractor of Joy Mining and communication between the devices was carried by inch-thick cables with nickel-plated machined steel connector shells. Pit props at the cutting face can be active devices that walk forward as the face is cut, and they coordinate that forward movement. Designing user interfaces is tricky, and designing a UI that should prevent death or huge financial costs if misused is probably hard.
There is. Mostly 460 and 900 MHz packet modems that only speak UDP. It's for telemetry data and data between trucks. As of 2000, there were working prototypes of both an anti-collision system and fully autonomous driving / grading.
Not the industrial ones. They're unit tested ad nauseam, subjected to crush and environmental testing. You can run over the units with a fully loaded haul truck; the cases are cast steel. They also retail for $10k USD a piece.
This backdoor is a software backdoor - there may be hardware backdoors too. Hardware backdoors are much, much harder to find as there is no real way to track one down without trying to reverse the actual hardware itself, and that is close to impossible.
So while we can confirm there is a software backdoor in this router, we can't confirm if any other router does or doesn't have a hardware one.
If supported, Tomato (I prefer the shibby variant) is my fav; a large number of routers are supported... I've been using and recommending a couple of Asus models: RT-N12, RT-N16 and RT-N66(U/R). Been pretty good hardware (stock firmware sucks though).
Note: Tomato is imho a bit nicer than DD-WRT, but not as good for tweaking as OpenWRT (which I use on my office routerstation pro).
They don't have to provide the sources forever...
Seemingly the model in question (WAG200G) is originally from 2007.
Excerpt from the GPL (paragraph 6b):
"You may [...] Convey the object code in, or embodied in, a physical product [...], accompanied by a written offer, valid for at least three years and valid for as long as you offer spare parts or customer support for that product model, to give anyone who possesses the object code either (1) a copy of the Corresponding Source for all the software in the product that is covered by this License [...]."
* Guy sees service running on 32764 and thinks that's quite odd
* Gets very frustrated at useless forum posts from people with no clue
* Downloads a copy of the firmware from the (horrible) modem-help.co.uk
This is where it gets interesting:
First off, a program called Binwalk is used. This is a combo of a really cool python script, the libmagic database (if you've used the file utility in 'nix you've used it) and some C to deal with some compression types.
When binwalk works, it's pure brilliance. As you can see in the screenshot on slide 12, binwalk is able to detect strings and filesystems inside the firmware.
References to Texas Instruments and Telogy Networks would be a good starting point if you wanted to google for datasheets or some more background information
Squashfs is commonly used (and horribly broken) by manufacturers of modems and routers.
Luckily the author is able to extract the filesystem out by looking at the offsets printed out by binwalk - this doesn't always work!
Slide 13 is pretty typical when reversing modem firmware - someone thought they were being smart and broke the squashfs format. It looks like no one else will be able to replicate this as the source code for the modified format has been taken down (?)
It's possible the author is using the name of the folder in the last screenshot of slide 13 as a hint of what to do next, slide 14 and 15 are magic to me.
I think the author has changed the LZMA sourcecode to look for LZMA compressed data with a gzip header but this seems really strange to me
Slide 15 just shows the unsquashfs tool with what seems like sensible output (if you'd done something wrong at this point you might see huge numbers of inodes or a silly number of files and you'd have to go back to the compression and keep looking)
Now the author has a filesystem to look through - I would have used strings and grep instead of just grep at this point. He's grepping for the name of the service he found in the forum posts, I think.
I have no knowledge of MIPS assembly so I'm unable to help you there - IDA provides some flow diagrams like you can see in slide 19. I'm not sure if the author annotated the function names or if IDA was able to find them.
He identifies a buffer overflow and writes a small script to exploit it in slide 20 (I'd love some extra explanation of this if anyone can give it)
When the script is run it seems to dump the current configuration of the modem, but then it crashes or resets (slide 21)
The comments on slide 23 suggest that the code has jumped to the "restore_default" function - sorry, I don't understand this part. References to nvram would suggest it's doing something to the config though, which would explain slide 21.
Slide 26 shows an (hopefully LAN-side only) exploit that's able to enable the HTTP management interface of the modem and reset the password at the same time.
Final edit: I'm sorry for the formatting of this post. I'd love to collaborate with someone on a blog post about this exploit. I'm really just getting started with firmware reversing (and most of the time I don't get past the binwalk stage). My contact details are in my profile.
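The binwalk and unsquashfs steps of the walkthrough above (slides 12 to 15) come down to two things: finding known magic bytes at offsets inside the image, and then checking that what sits at that offset really is a sane filesystem header before trusting the extraction. The following is an added example, my own code rather than binwalk's signature database or anything from the slides, that does both on a constructed firmware blob: a signature scan for ELF, gzip, LZMA and squashfs magic, and a squashfs v4 superblock parser with the sanity checks that would flag the "someone broke the squashfs format" situation from slide 13 (the "silly number of inodes" symptom from slide 15 included). The sample image and the broken variant are constructed for the example.

```python
import struct

# Public magic numbers a binwalk-style scan looks for. The LZMA entry is a
# heuristic (properties byte 0x5d + 8 MiB dictionary), as real scanners also use.
SIGNATURES = {
    b"hsqs": "squashfs (little-endian)",
    b"sqsh": "squashfs (big-endian)",
    b"\x1f\x8b\x08": "gzip stream",
    b"\x7fELF": "ELF executable",
    b"\x5d\x00\x00\x80\x00": "LZMA stream (heuristic)",
}

# squashfs v4 superblock prefix: magic, inodes, mkfs_time, block_size, fragments,
# compression, block_log, flags, no_ids, s_major, s_minor, root_inode, bytes_used
SQFS_SUPERBLOCK = "<4sIIIIHHHHHHQQ"
COMPRESSORS = {1: "gzip", 2: "lzma", 3: "lzo", 4: "xz", 5: "lz4", 6: "zstd"}


def scan_signatures(blob):
    """Return sorted (offset, description) pairs for every magic hit in blob."""
    hits = []
    for magic, desc in SIGNATURES.items():
        start = 0
        while True:
            idx = blob.find(magic, start)
            if idx < 0:
                break
            hits.append((idx, desc))
            start = idx + 1
    return sorted(hits)


def parse_squashfs_superblock(blob, offset):
    """Decode the superblock at offset and list anything that looks wrong."""
    if offset + struct.calcsize(SQFS_SUPERBLOCK) > len(blob):
        return {"ok": False, "problems": ["image too short for a superblock"]}
    (magic, inodes, mkfs_time, block_size, fragments, compression, block_log,
     flags, no_ids, major, minor, root_inode, bytes_used) = struct.unpack_from(
        SQFS_SUPERBLOCK, blob, offset)
    problems = []
    if magic != b"hsqs":
        problems.append("magic is not little-endian squashfs")
    if major != 4:
        problems.append("unexpected major version %d" % major)
    if block_size != (1 << block_log):
        problems.append("block_size disagrees with block_log (modified format?)")
    if compression not in COMPRESSORS:
        problems.append("unknown compressor id %d" % compression)
    if bytes_used > len(blob) - offset:
        problems.append("bytes_used runs past the end of the image")
    if inodes == 0 or inodes > 1_000_000:
        problems.append("implausible inode count %d" % inodes)
    return {"ok": not problems, "problems": problems, "inodes": inodes,
            "block_size": block_size, "compression": COMPRESSORS.get(compression),
            "version": "%d.%d" % (major, minor), "bytes_used": bytes_used}


def build_sample_firmware(block_log=17):
    """Constructed test image (not a vendor firmware): ELF at 64, gzip at 96, squashfs at 128."""
    superblock = struct.pack(SQFS_SUPERBLOCK, b"hsqs", 42, 1377000000, 131072, 3,
                             1, block_log, 0x00C0, 1, 4, 0, 0, 200)
    fs = superblock + b"\xaa" * (200 - len(superblock))
    gz = b"\x1f\x8b\x08\x00" + b"\x00" * 12
    return (b"\x00" * 64 + b"\x7fELF" + b"\x01" * 12 + b"\x00" * 16
            + gz + b"\x00" * 16 + fs)


def triage(blob):
    """Scan, then sanity-check every little-endian squashfs hit."""
    results = []
    for offset, desc in scan_signatures(blob):
        entry = {"offset": offset, "type": desc}
        if desc == "squashfs (little-endian)":
            entry["superblock"] = parse_squashfs_superblock(blob, offset)
        results.append(entry)
    return results


if __name__ == "__main__":
    for entry in triage(build_sample_firmware()):
        print(entry)
    print(parse_squashfs_superblock(build_sample_firmware(block_log=12), 128)["problems"])
```

A hit whose superblock fails these checks is exactly the case where you go back to the compression layer and keep looking, rather than feeding the offset to unsquashfs and trusting whatever it prints.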
He doesn't actually exploit the heap overflow. He just sends messages as a normal backdoor user would; there's no authentication.
(He also greps for the string the server sent upon connection, but it's nowhere to be found. He then just greps for bind and filters for binary files only, to find all binaries that call bind (remember dynamic linking in the end comes down to strings..))
I walk through a similar process here , using binwalk to extract the source-code from a firmware image, then running the insecure router software in a QEMU VM. Although the purpose in the linked instructions is to repair a different Netgear exploit from October 2013 by modifying the insecure binary executable (see  for information on the technique).
It sounds like binwalk is a member of a family of programs referred to as file rippers. These used to be easy to find, but the "rip" keyword has been taken over by CD and DVD ripping software. They were commonly used to extract embedded files from demo scene demos, including .mod/.s3m/.xm/.it music and .flc videos.
Another good one to look at is QuickBMS - allows you to define a "script" and then feed it to the ripper. I guess it saves you time writing boilerplate code when trying to get at new/unknown file formats. The Xentax Game Research forum loves it - http://aluigi.altervista.org/quickbms.htm (blocked as Hacking/Internet by the corporate proxy here, so it's good)
Thank you for explaining my slides ;)
They were designed to be read by people who understand reverse engineering.
There are some errors in your comments; I didn't exploit anything, I just highlighted a vulnerability in the backdoor :D
People, if you are confused by memes, don't do RE :D
And for those who say I could have just written a simple text, well, text is not that simple to write, especially when you're not a native English speaker :) and I had a lot of fun doing my drawings
I don't think I get the whole thing either, but my impression is:
- Download image for modem firmware.
- Extract the filesystem from the image by hacking up an open source tool. This represents all the files on-disk on the modem.
- Search the file system for references to the suspicious port. Locate binary that listens on said port.
- Disassemble binary, figure out the protocol/format of messages it's expecting to hear on suspicious port.
- Brute force the effect of sending messages by sending messages to said port with the header it's expecting, and different permutations of payloads? (I'm not sure about this part, I might be making shit up)
- Using this brute forcing figure out what payloads do what and map out what this backdoor listener can do.
Well, it is like a game that you can play with your eyes closed. Imagine that you close your eyes and then somebody gives you a large toy made out of LEGOs. And you figure out what this toy is, with your eyes closed! That's what he did.
I actually appreciate the humor, but I'm in the same boat where there's a good portion I'm just not wrapping my head around clearly. I'd love if someone made an annotated version with technical descriptions.
Because that totally solves this problem for my mom...
(No, not my mom specifically; I gave her a router with Tomato installed for, among other things, exactly this reason. But not everyone has a technologist for a son, let alone one who knows what he's doing well enough to install m0n0wall on a Soekris box, or even Tomato on an old WRT54G*.)
There is no purely technological solution for the masses. Actually solving the problem requires either a political revolution to make shipping backdoors like this criminal rather than a favor to the government, or educating users enough that they can protect themselves with the existing technological methods that are easy to deploy given basic computer literacy. It's not really clear which one is less impossible.
Even making it criminal won't work - don't you know the NSA and the government are above the law. They have government endorsed hackers who are known to be actively exploiting these systems... but if you, Joe Public, are caught doing this, you're thrown in jail under the Computer Fraud and Abuse Act. So even if it is made criminal, it'll only be criminal for you... if it's government mandated, however, it's fine.
No it's not. Installing Tomato or DD-WRT is only very slightly more complicated than configuring your router with non-default passwords, and you really shouldn't be considered at all computer literate if you don't know how to take even the first step to secure your network.
Take orders on Kickstarter for "open source router".
You order the Soekris boxes on behalf of the crowdfunders. You image your chosen open source OS on blank CF cards, bundle the CF cards together with the Soekris boxes and ship these to the crowdfunders as the "open source router".
If you want to bring a solution to the masses out of the goodness of your heart and you are motivated, then nothing is stopping you.
I live in the Czech Republic and my Zyxel from O2 has port 7547 open (Allegro RomPager 4.07) and you can't do anything about it. There is no editor on the installed Linux version (cropped-down Linux, probably OpenWrt or something similar), no package manager, no nothing.
If I flash the firmware warranty is void and I have no user/pass to re-enable the ADSL. So basically, my router is a hostile AP.
Given that it's a common pattern among ISPs in order to offer quick service - I firmly believe that ISPs do it for practical reasons - and it ends up killing your security, the best thing is to put the router in bridged mode and get a cheap custom-made router like carambola2 and install FreeBSD on it.
Disclosure: I donated one of these devices to Adrian Chadd in order for him to port FreeBSD on this device, which enabled me to use PF - my favorite firewall - but I have no affiliation otherwise with 8devices or FreeBSD.
> It's plausible that on a badly configured network this port could be exposed to the Internet.
It's also plausible that an attacker could find one of these in the local coffee house or any other place that offers public wifi and get at it from the internal side that way, or war driving for access points using weak passwords or WEP, or small office corporate networks with mischievous employees, or an attacker compromising a single PC on the LAN and then using this to change the DNS handed out by the router's DHCP and compromising the others, ...
Thankfully I have an older WNDR3700 and I remain unaffected.
However, seeing mention of (and an implementation of) Dual_EC_DRBG in the slides immediately gives me a lot of pause regarding the security of my router. I love memes more than the next guy but this guy really went out of his way to make this confusing to understand.
I bought a buffalo router pre-loaded with dd-wrt on it that I like and gives you most of the options that the stock dd-wrt build does. Otherwise I just buy anything that is dd-wrt compatible and flash it.
IDA Pro is awesomesauce, Wireshark for binaries. So much better than Turbo Debugger and ICEs in the olden days.
Just FYI it's no surprise that the IDA Pro wine torrent for OSX (magnet ...116a37) floating around out there has malware in it. Best to get it directly from a friend at a large shop. If you're a pentester or researcher, buy it obviously.
NSA/Government/Military mindset.... secrecy by obscurity. It's now "We'll just hide our backdoor, really, super well. No one will ever find it. And we'll use our deep black VPN no one knows about....and hope no one notices."