Hacking Cable Modems
The Later Years
Bernardo Rodrigues
@bernardomr
Disclaimer
Opinions are my own, unless hacked.
In that case, the hacker's.
This is not a talk about Theft of Service
$ whoami
Web, Forensics & Junk Hacking
CTF Player
[Link]
Cable Modem Vendors
Cable Modem: Models
Cable Modem Hacking Timeline
(Timeline figure; axis years 1997, 2001, 2003, 2004, 2006, 2009, 2010. Entries recovered from the slide, in the figure's category/title form:)
Technology: DOCSIS 1.0
Technology: DOCSIS 2.0
Technology: DOCSIS 3.0
Firmware: SIGMA by TCNiSO
Book: Hacking The Cable Modem by derEngel
Talk: DEFCON 16, Free Anonymous Internet Using Modified Cable Modems
Talk: DEFCON 16, Sniffing Cable Modems
Talk: DEFCON 18, Hacking DOCSIS For Fun and Profit
Legal: DerEngel (Ryan Harris) arrested
Firmware: Haxorware R27 by Rajkosto
Tool: BlackCat Programmer by Isabella
Cable Modem Hacking Timeline
(Timeline figure; axis years 2011, 2012, 2013, 2014, 2015. Entries recovered from the slide:)
Technology: DOCSIS 3.1
Firmware: ForceWare v1.2 by mforce
Blog Post: Console Cowboys, Arris Cable Modem Backdoor - I'm a technician, trust me
Blog Post: w00tsec, Unpacking Firmware Images from Cable Modems
Talk: HOPE 9, The ARRIStocrats: Cable Modem Lulz
Talk: Infiltrate, Practical Attacks on DOCSIS
Talk: NullByte Con, Hacking Cable Modems: The Later Years
DOCSIS
Data Over Cable Service Interface Specification
Network Overview:
DOCSIS 3.0 Features
Channel Bonding (Upstream and Downstream)
IPv6 (inc. provisioning and management of CMs)
Security (?)
Enhanced Traffic encryption (?)
Enhanced Provisioning Security (?)
Channel Bonding
DOCSIS: Provisioning
Acquire and lock the downstream frequency
Get upstream parameters
Get an IP address
Download modem configuration via TFTP
Apply the configuration and enable forwarding of packets
DOCSIS Network Overview
DOCSIS SEC
Encryption and authentication protocol in DOCSIS
BPI (Baseline Privacy Interface) in DOCSIS 1.0
BPI+ in DOCSIS 1.1 and 2.0
SEC (Security) in DOCSIS 3.0
DOCSIS SEC
Digital certificates (VeriSign/Excentis)
Uniquely chained to the MAC address of each cable modem
CMTS allowing Self-signed certificates
Legacy test equipment
Cable modems that do not support BPI+
DOCSIS: Provisioning
DOCSIS: Config File
Downstream
Upstream
Bandwidth cap
ACLs
TFTP Servers
SNMP community
DOCSIS: Config File
DOCSIS specification:
CMTS generates a Message Integrity Check (MIC)
Hash over a number of parameters, including the "shared secret"
Incorrect MIC: CM registration fails
DOCSIS 2.0: MD5
DOCSIS 3.0: New MIC hash algorithm (MMH)
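Added example (not code from the talk): a small model of the config-file MIC check described on this slide, built on the kind of TLV config file from the earlier "DOCSIS: Config File" slide (downstream frequency, upstream channel, network access, bandwidth cap). It follows the DOCSIS 1.1/2.0 scheme: the CM MIC is MD5 over the TLVs and the CMTS MIC is HMAC-MD5 keyed with the operator's shared secret; the DOCSIS 3.0 MMH variant is not modelled. One simplification: the real specification hashes a fixed, ordered subset of TLV types, while this model hashes every TLV before the MIC entries. The TLV type codes (1, 2, 3, 4, 6, 7, 255 and the Class of Service sub-types) are standard DOCSIS values; frequencies, rates and the secret are constructed.

```python
"""Config-file MIC model: CM MIC = MD5 over TLVs, CMTS MIC = HMAC-MD5 keyed with
the operator's shared secret (DOCSIS 1.1/2.0 style, simplified TLV coverage).
Added example; all parameter values and the secret are constructed."""
from __future__ import annotations

import hashlib
import hmac
import struct

# Standard DOCSIS config-file TLV type codes (top level)
DS_FREQ, US_CHAN, NET_ACCESS, COS, CM_MIC, CMTS_MIC, END = 1, 2, 3, 4, 6, 7, 255
# Class-of-Service sub-TLVs
COS_ID, COS_MAX_DS, COS_MAX_US = 1, 2, 3


def tlv(t: int, v: bytes) -> bytes:
    """Encode one type/length/value triple (single-byte length)."""
    if len(v) > 255:
        raise ValueError("value too long for a one-byte length field")
    return bytes([t, len(v)]) + v


def parse_tlvs(data: bytes) -> list[tuple[int, bytes]]:
    """Decode TLVs up to the 0xFF end marker (or end of data)."""
    out, i = [], 0
    while i < len(data) and data[i] != END:
        t, n = data[i], data[i + 1]
        out.append((t, data[i + 2:i + 2 + n]))
        i += 2 + n
    return out


def build_config(ds_hz: int, us_chan: int, net_access: bool,
                 max_ds_bps: int, max_us_bps: int, shared_secret: bytes) -> bytes:
    """Provisioning-server side: emit the TLVs, then append CM MIC and CMTS MIC."""
    cos = (tlv(COS_ID, b"\x01")
           + tlv(COS_MAX_DS, struct.pack(">I", max_ds_bps))
           + tlv(COS_MAX_US, struct.pack(">I", max_us_bps)))
    body = (tlv(DS_FREQ, struct.pack(">I", ds_hz))
            + tlv(US_CHAN, bytes([us_chan]))
            + tlv(NET_ACCESS, bytes([int(net_access)]))
            + tlv(COS, cos))
    cm_mic = hashlib.md5(body).digest()
    # The CMTS MIC also covers the CM MIC TLV, so neither can be replaced alone.
    cmts_mic = hmac.new(shared_secret, body + tlv(CM_MIC, cm_mic), hashlib.md5).digest()
    return body + tlv(CM_MIC, cm_mic) + tlv(CMTS_MIC, cmts_mic) + bytes([END])


def cmts_verify(config: bytes, shared_secret: bytes) -> bool:
    """CMTS side at registration: recompute both MICs from the TLVs the modem
    presents. Any changed TLV, or a MIC made with the wrong secret, fails."""
    tlvs = parse_tlvs(config)
    types = [t for t, _ in tlvs]
    if types.count(CM_MIC) != 1 or types.count(CMTS_MIC) != 1:
        return False
    i_cm = types.index(CM_MIC)
    body = b"".join(tlv(t, v) for t, v in tlvs[:i_cm])   # canonical re-encoding
    cm_ok = hmac.compare_digest(hashlib.md5(body).digest(), tlvs[i_cm][1])
    want = hmac.new(shared_secret, body + tlv(CM_MIC, tlvs[i_cm][1]), hashlib.md5).digest()
    cmts_ok = hmac.compare_digest(want, tlvs[types.index(CMTS_MIC)][1])
    return cm_ok and cmts_ok


def max_downstream_bps(config: bytes) -> int:
    """Pull the bandwidth cap back out of the Class-of-Service TLV."""
    for t, v in parse_tlvs(config):
        if t == COS:
            for st, sv in parse_tlvs(v):
                if st == COS_MAX_DS:
                    return struct.unpack(">I", sv)[0]
    raise ValueError("no Class of Service downstream rate")


SECRET = b"operator-shared-secret (constructed)"

if __name__ == "__main__":
    legit = build_config(555_000_000, 3, True, 10_000_000, 1_000_000, SECRET)
    print("ISP file   :", cmts_verify(legit, SECRET), max_downstream_bps(legit))
    # Same parameters re-issued with a higher cap and a guessed secret,
    # as a modem forcing a local TFTP config file would have to do.
    forged = build_config(555_000_000, 3, True, 100_000_000, 1_000_000, b"guess")
    print("local TFTP :", cmts_verify(forged, SECRET), max_downstream_bps(forged))
```

Running it shows the two sides of the slide's point: a config file re-issued with a higher cap fails the CMTS MIC unless the shared secret is known, and a secret that is weak or shared across the whole plant is a single point of failure, which is what per-modem, non-reusable config-file passwords (the DMIC item under "Solutions: ISPs") address.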
DOCSIS: Config File
Cable Modems
binwalk
Cable Modems
binwalk + capstone
Cable Modems
Shell access
Cable Modems
Bad authentication
Cable Modems
XSS, CSRF, DoS
Cable Modems
Default Passwords
Cable Modems
Backdoors
Cable Modems
Backdoors in the Backdoors
Cable Modems
Backdoors
Hacked Firmwares
Not Certified by CableLabs
Backdoors (legit modems too)
Closed source (legit modems too)
Enable factory mode (legit modems too)
Change MAC and Serial (legit modems too)
Certificate Upload
Force network access (ignore unauthorized messages)
Floods DHCP server with packets repeatedly until it gets an IP address
Disable & Set ISP filters (ACLs at modem level)
Specify config filename and TFTP server IP address
Force config file from ISP, local TFTP or uploaded flash memory
Disable ISP firmware upgrade
Get & Set SNMP OID values and Factory mode OID values
Upload, flash and upgrade firmware
Dual Boot
Hacked Cable Modems
Reversing Cable Modems
RAM Start Address
Firmware Types
Signed and compressed (PKCS#7 & binary)
Compressed binary images
RAM dump images (uncompressed & raw)
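Added example (not from the talk or any vendor tool): a binwalk-style signature scan that tells the three image types on this slide apart and carves the compressed sections out, the way the "binwalk" slides earlier do with the real tool. The signatures are public format markers only: the DER-encoded OID of PKCS#7 signedData, the gzip member header and the LZMA-alone header. The image it scans is constructed in build_sample_image(); it is not a modem firmware.

```python
"""binwalk-style signature scan of a firmware blob.  Public format markers only;
the sample image is constructed in build_sample_image().  Added example."""
from __future__ import annotations

import gzip
import lzma
import zlib

# (magic, description).  The PKCS#7 marker is the DER encoding of OID
# 1.2.840.113549.1.7.2 (signedData), found near the top of a signed wrapper.
SIGNATURES = [
    (b"\x06\x09\x2a\x86\x48\x86\xf7\x0d\x01\x07\x02", "PKCS#7 signedData (signed wrapper)"),
    (b"\x1f\x8b\x08", "gzip stream"),
    (b"\x5d\x00\x00", "LZMA-alone stream"),
    (b"\x7fELF", "ELF executable"),
]


def scan(blob: bytes) -> list[tuple[int, str]]:
    """Every signature hit as (offset, description), in file order."""
    hits = []
    for magic, desc in SIGNATURES:
        start = 0
        while (pos := blob.find(magic, start)) != -1:
            hits.append((pos, desc))
            start = pos + 1
    return sorted(hits)


def carve(blob: bytes, offset: int, desc: str) -> bytes:
    """Decompress the stream starting at offset.  Each decompressor stops at its
    stream's own end marker, so the padding and the next section are ignored."""
    data = blob[offset:]
    if desc.startswith("gzip"):
        return zlib.decompressobj(16 + zlib.MAX_WBITS).decompress(data)
    if desc.startswith("LZMA"):
        return lzma.LZMADecompressor(format=lzma.FORMAT_ALONE).decompress(data)
    raise ValueError(f"no carver for {desc}")


def build_sample_image() -> bytes:
    """Constructed image: a fake PKCS#7 header, a gzip'd bootloader string and an
    LZMA'd kernel string, each section padded with 0xFF to a 64-byte boundary."""
    signed_hdr = b"\x30\x82\x00\x20" + SIGNATURES[0][0]   # SEQUENCE, then the OID
    boot = gzip.compress(b"BOOTLOADER v1 (constructed)", mtime=0)
    kern = lzma.compress(b"KERNEL (constructed)", format=lzma.FORMAT_ALONE)
    pad = lambda b: b + b"\xff" * (-len(b) % 64)
    return pad(signed_hdr) + pad(boot) + pad(kern)


if __name__ == "__main__":
    img = build_sample_image()
    for off, desc in scan(img):
        print(f"0x{off:06x}  {desc}")
        if "stream" in desc:
            print("          ->", carve(img, off, desc))
```

The practical lesson is the order of operations on a signed image: the PKCS#7 wrapper is located first, and the compressed payload inside it is what binwalk's extractors (and a disassembler such as capstone) need, not the outer signed container.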
Firmware Structure
Firmware Upgrades
Firmware Upgrade
Authenticate originator of any download
Verify if the code has been altered
Digitally signed (Root CA)
Firmware Downgrade
Firmware Upgrade
Physical Protection
0DAY?
Physical Protection
SPI
Serial Peripheral Interface Bus
SCLK : Serial Clock (output from master).
MOSI : Master Output, Slave Input (output from master).
MISO : Master Input, Slave Output (output from slave).
SS : Slave Select (active low, output from master).
SPI
Identify the Model
SPI: Datasheet
SPI: Beaglebone
SPI: GoodFET
SPI: BlackCat USB
NAND Flash
DumpFlash
[Link]
Factory Mode
Administrative functions
Reflashing Firmware
Dumping keys
Factory Mode
SNMP Scanning
SNMP ACLs
Bypassing SNMP ACLs
[Link]
Bypassing SNMP ACLs
[Link]
DOCSIS Encryption
Use of 56-bit DES
DOCSIS 3.0 adds support for AES
Never seen AES used (as of 2015)
Lack of use likely due to DOCSIS 2.0 support
DOCSIS Encryption
DOCSIS 3.1 Encryption: Worldwide
DOCSIS 3.1 Encryption: China
Problems with DOCSIS SEC
CMTS are not picking the most secure cryptographic algorithm supported by the CM
Re-use of CBC IV in each frame
Required by specification
Identical packets will have identical ciphertext
Sniffing DOCSIS
MPEG packets, like those of normal TV, encapsulate the data (ISO/IEC 13818-1)
[Link]
[Link]
MPEG Encapsulation: MPEG packets > DOCSIS frames > ETHERNET frames > IPv4 > TCP
Sniffing DOCSIS: Identify the Victim
Sniff ARP traffic on the downstream and collect subnets
ICMP ping sweeps across the subnets with various packet sizes
Correlate encrypted packet sizes with the lengths of the ICMP packets sent
Produce (MAC, IP) tuples
Sniffing DOCSIS
ARP traffic is in the clear
IP registration occurs prior to encryption/auth
Unless EAE enabled (Early Authentication & Encryption)
Sniffing DOCSIS
Brazilian Criminals
Solutions: ISPs
Firmware Upgrades
Isolate DOCSIS network
ACLs
BPI+ Policy Total
TFTP Enforce
Solutions: ISPs
DMIC - Dynamically generates config file passwords (can't be reused)
Enforce EAE - Encrypts IP & DHCP process
Cable Privacy Hotlist (finds cloned modems)
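Added example (not from the talk or any CMTS vendor): two ISP-side detections that follow from these slides, run over constructed CMTS/DHCP event lines. find_clones() flags a MAC that registers on more than one CMTS interface, one way to build candidates for a cloned-modem hotlist; find_dhcp_floods() flags a modem re-sending DHCP DISCOVER far faster than a normal provisioning cycle, the "floods DHCP server" behaviour listed under hacked firmware. The log format is invented for the example; real CMTS logs differ and would need their own parser.

```python
"""ISP-side detections over CMTS/DHCP event logs: cloned MACs (candidates for a
cable privacy hotlist) and DHCP discover floods from hacked firmware.
Log format and every line are constructed for this example.  Added example."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# constructed format: <ISO time> <cmts> <interface> mac=<MAC> event=<name>
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) mac=([0-9A-Fa-f:]{17}) event=(\w+)$")


def parse_line(line: str):
    m = LINE_RE.match(line.strip())
    if not m:
        return None                                  # skip malformed lines
    ts, cmts, iface, mac, event = m.groups()
    return datetime.fromisoformat(ts), cmts, iface, mac.lower(), event.lower()


def parse_log(lines):
    return [ev for ev in map(parse_line, lines) if ev is not None]


def find_clones(events):
    """MACs that registered on more than one CMTS interface.  A legitimate modem
    lives on one HFC segment; the same MAC registering elsewhere means a clone
    (or a misconfiguration worth checking)."""
    where = defaultdict(set)
    for _, cmts, iface, mac, event in events:
        if event == "register":
            where[mac].add((cmts, iface))
    return {mac: sorted(locs) for mac, locs in where.items() if len(locs) > 1}


def find_dhcp_floods(events, threshold=10, window=timedelta(seconds=60)):
    """MACs exceeding `threshold` DHCP discovers inside any sliding `window`.
    Returns mac -> peak count observed within the window."""
    recent = defaultdict(deque)
    flagged = {}
    for ts, _, _, mac, event in sorted(events, key=lambda e: e[0]):
        if event != "dhcp_discover":
            continue
        q = recent[mac]
        q.append(ts)
        while ts - q[0] > window:
            q.popleft()
        if len(q) > threshold:
            flagged[mac] = max(flagged.get(mac, 0), len(q))
    return flagged


def build_sample_log():
    """Constructed events: one MAC registering on two CMTSs, one normal modem,
    one modem re-sending DISCOVER every second for 25 s, one garbage line."""
    t0 = datetime(2015, 9, 12, 10, 0, 0)
    at = lambda s: (t0 + timedelta(seconds=s)).isoformat()
    lines = [
        f"{at(0)} cmts-a cable3/0 mac=00:11:22:33:44:55 event=register",
        f"{at(4)} cmts-b cable7/1 mac=00:11:22:33:44:55 event=register",
        f"{at(6)} cmts-a cable3/0 mac=aa:bb:cc:dd:ee:02 event=dhcp_discover",
        f"{at(12)} cmts-a cable3/0 mac=aa:bb:cc:dd:ee:02 event=register",
        "garbage line that does not parse",
    ]
    lines += [f"{at(10 + i)} cmts-a cable3/0 mac=aa:bb:cc:dd:ee:01 event=dhcp_discover"
              for i in range(25)]
    return lines


if __name__ == "__main__":
    events = parse_log(build_sample_log())
    print("clone candidates:", find_clones(events))
    print("dhcp floods     :", find_dhcp_floods(events))
```

The clone check is only a candidate generator: a modem that was moved to another segment looks the same, so the hit still needs the BPI+ certificate and serial checked against the subscriber record before it goes on a hotlist.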
Solutions: Vendors
No more backdoors
FCC certification Security
Open Source?
TPM, Smart Cards?
Insecurity: Root Causes
Improperly configured CM/CMTS
Security flaws in CM/CMTS OS
Costs & Convenience
Backwards compatibility != Security
Myths
Perfect Clones (Theft of Service)
"Nobody is innocent"
"Needs physical access"
"You need JTAG, SPI"
Conclusion
The question remains:
Is DOCSIS a secure & viable communications protocol?
R.I.P TG862 SN XXXXXXXX91344
2015
IN MEMORIAM