Welcome to Free Anonymous Internet World

SAMUEL KOO [email protected] JIHONG YOON [email protected]

Who Are We?

dual5651
Residing in Seoul, Republic of Korea Undergraduate of Konkuk University Main focus of study in Windows

rootkit technique and reverse engineering Teakwon-v team member Interests include ERP and hacking

gotofbi
Residing in Vancouver, BC, CANADA Student of BC Institute of Technology Main focus of study in binary packer

scheme. Taekwon-v team member Interests include embedded system and reverse engineering

Agenda

Why do it? DOCSIS Status of ISPs in Korea

Hacking the cable modem

Cable Network Sniffing

Cable Modem Security

Question and Answer

Why Do It?
Its easy! Its free! You can do it in anonymity! It is not wellknown in Korea!

DOCSIS
DOCSIS - Data Over Cable Service Interface Specification is an international standard developed by CableLabs and contributing companies. DOCSIS defines the communications and operation support Interface requirements for a data over cable system. It allows additional high-speed transfers to an existing CATV system.

Maximum synchronization speed :

Version DOCSIS
Downstream Upstream

EuroDOCSIS
Downstream Upstream

1.X
2.0

42.88 Mbit/s
42.88 Mbit/s

10.24 Mbit/s
30.72 Mbit/s

55.62 Mbit/s
55.62 Mbit/s

10.24 Mbit/s
30.72 Mbit/s

3.0 4 Ch
3.0 8 Ch

+171.52 Mbit/s +122.88 Mbit/s

+343.04 Mbit/s +122.88 Mbit/s

+222.48 Mbit/s
+444.96 Mbit/s

+122.88 Mbit/s
+122.88 Mbit/s

Maximum synchronization speed

Components of DOCSIS :
CM (Cable Modem) CMTS (Cable Modem Terminal System) BackOffice Services (DHCP, TOD Server, TFTP Server)

DOCSIS Overview

DOCSIS Roadmap
DOCSIS Version Service Broadband Internet Tiered Service VoIP Video conferencing Commercial Services Entertainment Video Consumer Devices Cable Modem VoIP Phone(MTA) Residential Gateway Video Phone Mobile Devices IP Set-top Box O O O O O O O O O O O O O O O O O O O O O O O O O O O O O O 1.0 1.1 2.0 3.0

As you can see, an upgrade from DOCSIS 2.0 to DOCSIS 3.0 does not automatically result in a security upgrade.

Hacking the Cable Modem

Key aspect:
Arresting criminal will be very hard Trace will only reach up to the node SNMP-port of cable modem is opened insecurely
By sending an SNMP packet, an attacker can achieve

many things

Up/Down

stream

rate

limited by

Maximum rate can be manually changed

All network streams are shared insecurely

All packets in the node are sniffable

Status of ISPs in Korea

Internet Service Provider Name S company L company 3rd Party ISP SNMP Port opened Yes Yes Potentially CFG Spoofing Yes Yes Potentially MAC Vendor code 00:50:D4 (JOHONG) 00:04:BD(Motorola) 00:02:00(Net&Sys) 00:C0:B1(Genius) .

I recently tested four large ISPs in Korea, and the results show that they were all vulnerable. Therefore, I hypothesize that other 3rd party ISP may be as potentially vulnerable.

Hacking the Cable Modem

Arrest criminal process

Customer Database 2) Trying to find a.b.c.d from DHCP log
1) Please tell me who had a.b.c.d when 2008 / mm / dd

3) Matching MAC customer is aa:bb:cc:dd, We have the customers info since we lent him our modem. Ha Ha Ha Ha Ha!!

ISP

4) Criminals name is xxxx The Address is yyyy

Hacking the Cable Modem

If Criminal use hacked cable modem

Customer Database

2) Trying to find a.b.c.d from DHCP log

1) Please tell me who had a.b.c.d when 2008 / mm / dd

3) Matching MAC is de:ad:be:ef, It is not from our customer ! Who the hack is that?

ISP

4) Sorry, We can`t find who it is

Hacking the Cable Modem

Working process of DOCSIS Gathering information

Diagnostic web page DHCP grabbing SNMP scanning

Modifying the cfg file

DOCSIS Cfg Edit

Changing the cfg file

FORCE TFTP IP
Fake DHCP Hacking Firmware

Hacking the Cable Modem

Working process of DOCSIS

1) Modem scanning the frequency in 91000000Hz to 440000000 Hz

2) Broadcast DHCP Discover packet 3) Read cfg name from DHCP ACK packet

4) Download cfg file from TFTP server 5) Limit the upload , download speed as written in cfg file

Hacking the Cable Modem

DHCP Grabbing

DHCP ACK is broadcast packet

Cfg file name written in Boot File filed Server Identifier is TFTP Server IP

Hacking the Cable Modem

Wireshark

By using bootp.dhcp filter, we can analyze DHCP packet in wireshark.

Cfg file name, TFTP Server IP remark in DHCP ACK packet

Hacking the Cable Modem

Configuration Grabber

By programming a sniffer, you can catch DHCP packets.

Cfg file was downloaded into my computer automatically

Hacking the Cable Modem

SNMP Scanning

Cabel modems SNMP port is open in Korea Usually community string is public or private Community string is written in cfg file By sending SNMP packet, attacker can control

the modem and obtain useful information

(e.g., Firmware Overwrite, Modem reboot, Read useful information)

Hacking the Cable Modem

NET-SNMP

Version 2
OIDs :

Community name

IP

OID

Hacking the Cable Modem

SNMP Cfg Admin

By using a SNMP Scanning program (such as SNMP Cfg Admin), an attacker can obtain useful information. Examples include System description, Configuration file name, bandwidth, Firmware name, TFTP Server, Time Server, and MAC address.

Hacking the Cable Modem

VultureWare DOCSIS Config File Editor

ISPs from Korea dont do integrity checks (HMAC-MD5) for cfg file Hacker can change Frequency, Speed, etc

Hacking the Cable Modem

Force TFTP IP Concept:

Cfg file can be forced without using DHCP

Requirements can be achieved by sending SNMP packets Numerous TFTP server programs for Windows

Korean CMTS does not check MD5

Hacking the Cable Modem

Sequence of normal Cable Modem registration:
DHCP Server(a.b.c.c)

TFTP Server(a.b.c.d)

Cable Modem Attacker(e.f.g.h)

CMTS(a.b.c.f)

Hacking the Cable Modem

Sequence of hacked Cable Modem registration:
DHCP Server(a.b.c.c)

TFTP Server(a.b.c.d)

Cable Modem Attacker(a.b.c.d)

CMTS(a.b.c.f)

Hacking the Cable Modem

Which OIDs are used for hacking?

1.3.6.1.2.1.69.1.4.5.0
To figure out what the current cfg file name is for cable modem.

1.3.6.1.2.1.10.127.1.1.3.1.3.1

1.3.6.1.2.1.10.127.1.1.3.1.5.1
To check Up/DownStream speed of cfg file

1.3.6.1.2.1.69.1.4.4.0
To read TFTP Server IP of cable modem

1.3.6.1.2.1.69.1.1.3.0
To reboot cable modem

Hacking the Cable Modem

1) Read cfg file name :

2) Check upload & download bandwidth before hacking :

3) Type ipconfig /all to know, what is the ip of my computer :

Hacking the Cable Modem

4) Run your own TFTP Server :

5) Read TFTP IP of Cable modem :

6) Download cfg file from TFTP Server :

Hacking the Cable Modem

7) Modify cfg file :

Network Access Control : 0 means network access is not permitted 1 means network access is permitted Maximum Number of CPEs : Givend IP Maximum ~stream Rate : Maximum bandwidth

-> 0 means unlimited speed.

Hacking the Cable Modem

8) Set attacker computer IP as TFTP Server IP:

9) Reboot cable modem :

Hacking the Cable Modem

Hacking modem firmware
Most famous modem SB5100,SB5101 made by Motorola
IP
192.168.100.1

OS VxWorks , eCos

RTOS (Real Time Operating System) x86 or MIPS flavor Unix-like UI

Ways to communicate with modem Parallel JTAG USB JTAG Serial Cable

Hacking the Cable Modem

SB5100

SB5101

What is the difference between SB5100 and SB5101? Chipset : Broadcom BCM3348 Broadcom BCM3349 OS : VxWorks eCos

Hacking the Cable Modem

Memory map of cable modem :

32kb 32kb

Boot Loader Parmenent NonVol

BootLoader area contains BootLoader Parmenet NonVol area contains all settings. Ex) MAC Address, Cfg file Image0 area contains firmware image

960kb

Image 0

2MB 960kb Image 1

Image1 area contains firmware image

32kb

Dynamic NonVol

Dynamic NonVol area contains logged events

Hacking the Cable Modem

COM Port
Commonly usable Many useable resources Modem OS must support it

Hacking the Cable Modem

Parallel JTAG
Cheap Very slow Easy to make Schwarze Katze

Hacking the Cable Modem

USB JTAG
Expansive (about $60) Really Fast Difficult to make USBJTAG

Hacking the Cable Modem

Fireball

There is an Assembler for Cable Modem Firmware Hacker can build custom firmware for certain purpose

Hacking the Cable Modem

Sigma X2 Build-142

Hacked Firmware for Surfboard SB5100

Hacking the Cable Modem

Haxorware 1.0 rc6

Hacked Firmware for Surfboard SB5101

Speed Compare

Speed comparation

Hacking the Cable Modem

Moving Picture

Its Time to Sniff Packets

SAMUEL KOO [email protected] JIHONG YOON [email protected]

Hacking the Cable Modem

Inside a Modem

Tuner
Conprovide both upstream and downstream signals nects directly to the COAX outlet

Demodulator
A/D converter Demoluation Error correction

MAC
Extracts data from MPEG

CPU
Controls almost everything in the modem.

Downstream

What cable modems receive Frequency between 65MHz to 850MHz DOCSIS has 6MHz of bandwidth Euro DOCSIS has 8MHz of bandwidth Modulation 64QAM or 256QAM Continuous stream of data
Upstream signaling

...
65 MHz - 550 MHz 550 MHz - 850 and up MHz

5-65 MHz

Upstream

What cable modems transmit Frequency between 5MHz to 65MHz Modulation QPSK or 16QAM Transmit bursts of data in timeslots (TDM) Reserved and contention timeslots
Upstream signaling

...
65 MHz - 550 MHz

550 MHz - 850 and up MHz

5-65 MHz

Upstream Sniffing

Most cable modems are designed to receive the data between 65MHz to 850MHz Too many upstream channels to balance the load Modems OS is programmed to drop all frames which are not meant for itself

Why Sniffing is Possible?

The signal from CMTS is received by every cable modem in the same node Cable modem disregards all data that is not intended for itself Modems OS is programmed to drop all frames which are not meant for itself.

Cable network sniffing

Ways to access TV-Card

Linux The HD-5500 card is natively supported by Linux kernel It will appears on /dev/dvb/ The user able to communicate with Ioctl() Windows Many cards are supported Can be access with BDA (Broadcast Driver Architecture) interface DirectShow which is part of DirectX SDK supports TV functions

Cable network sniffing

BDA (Broadcast Driver Architecture)

Cable Modem Security

BPI: Baseline Privacy Interface
Methods for encrypting traffic between the cable modem and the CMTS at triple 56bit DES with 768/1024 bit key modulus

BPI+: Baseline Privacy Interface Plus

Implemented in Docsis 1.1 Specs (Backwards compatible) Introduces X.509 v3 (RSA 1024bit) digital certificates & key pairs Authentication based on certificate hardware identity; validated when modem registers with a CMTS

Certificates, Keys

& The

trust ri

Stored in the non-vol settings of a modems firmware Contains: Public, Private, and Root Keys, CM & CA Certificates DOCSIS Root CA signs manufacturer CA intermediate certificate, manufacturer signs CM certificate. CMTS parses and verifies CM certificate, an identity based on HFC MAC

DOCSIS Security Overview (BPI+)

test Internet

CM Authentication (X.509 Certificates) Key Management (RSA, Tri-DES)

Mfg Certificate ......

Digitally Signed by: DOCSIS Root

CM Certificate ......
Digitally Signed by: Mfg CA

abcdef

CMTS

Data Encryption (DES)

x$a9E!

PC

abcdef

TFTP Server Secure Software Download CM New CM Code ...... (X.509 Certificate)
CM Code File

Digitally Signed by: M

anufacturer

BPI+ CA Root Certificate

X.509 Certificate Stored in Non-Vol Public Certificate

BPI+ CM Certificate

X.509 Certificate Stored in Non-Vol Included Mac info

Cable Modem Security

Result of Enabling Baseline Privacy

Question and Answer

Thank you