Cable modem hackers conquer the co-ax
By Kevin Poulsen, SecurityFocus
Posted: 05/02/2004 at 22:31 GMT
A small and diverse band of hobbyists steeped in the obscure
languages of embedded systems has released its own custom firmware
for a popular brand of cable modem, along with a technique for
loading it -- a development that's already made life easier for
uncappers and service squatters, and threatens to topple long-held
assumptions about the privacy of cable modem communications.
The program, called Sigma, was released in its final version last
month, and has reportedly been downloaded 350 to 400 times a day ever
since. It's designed to be flashed into the non-volatile memory of
certain models of Motorola's Surfboard line, where it runs in
parallel with the device's normal functionality. It gives users
almost complete control of their cable modem -- a privilege
previously reserved for the service provider.
The project is the work of a gang of coders called TCNiSO. With about
ten active members worldwide, the group is supported by contributions
from the uncapping community -- speed-hungry Internet users who rely
on TCNiSO's research and free hackware to surmount the bandwidth caps
imposed by service providers, usually in violation of their service
agreement, if not the law. To them, Sigma is a delight, because it
makes it simple to change the modem's configuration file -- the key
to uncapping, and, on some systems, to getting free anonymous service
using "unregistered" modems. "I've known TCNiSO for two years now and
I've done a lot of things with their techniques," wrote a Canadian
uncapper in an e-mail interview. "Sigma is the greatest one I've
seen."
To make Sigma work, uncappers most commonly use a hardware hack
developed by TCNiSO that tricks the Surfboard into accepting the
custom code. Under an industry standard called DOCSIS (Data Over
Cable Service Interface Specification), cable modems only permit
changes to their internal programming that are sent down the pipe by
the service provider -- users are prevented, Xbox-style, from running
unapproved code, even on a modem they own.
But TCNiSO discovered that the Surfboard modem contains an
undocumented vestigial console port, through which the boot process
can be controlled. The group published a detailed tutorial for
tapping into the serial port, which involves opening the modem and
connecting two wires at particular points on the circuit board, then
routing them through an inexpensive chip that converts the signal to
RS-232 levels -- allowing the user to plug in a PC running a terminal
program. Users less handy with a soldering iron can purchase a
special conversion cable from TCNiSO's website to simplify the
process.
From there, the user simply reboots the modem. A stream of text comes
down the port describing the boot process, which the user can
interrupt with a keystroke, then redirect by typing in a new boot
string. The modem can be told to boot from any FTP server -- in this
case, one running on the user's own PC, and serving up Sigma. Once
the new firmware is loaded, it becomes part of the modem, and the
process need not be repeated.
With Sigma installed, the cable modem lies exposed for what it really
is: a versatile computer in its own right. Built on a powerful MIPS
processor, the modem's native operating system is VxWorks, the same
OS used by the Mars rovers. Sigma unlocks that hidden capability --
users can "rlogin" to the modem and interact with a VxWorks shell, or
browse to a custom Web interface that sports easy-to-use form
fields for executing commands or changing parameters normally
controlled remotely by the service provider.
Eavesdropping Risks
While it's a boon to uncappers, the security implications of firmware
hacking go beyond mere bandwidth-boosting and theft-of-service. The
topology of cable modem networks typically puts between 500 and
1,000 homes in a neighborhood on the same circuit, their Internet
traffic all mingled on the same co-ax cable. Subscribers are
prevented from eavesdropping on their neighbors' traffic by their own
modem, which is programmed to only pass packets destined for them. By
building on TCNiSO's hacking technique, a malefactor could write
custom code to forward all the raw network traffic to their PC.
Outside security experts have generally dismissed any eavesdropping
threat on modern cable systems based on a belief that cable companies
are encrypting customer traffic, a capability built into all
DOCSIS-certified modems since 1999. But while encryption would indeed
thwart any eavesdropping attempt, in the most commonly-deployed version
of the DOCSIS standard, version 1.0, the encryption option is just
that -- an option, and one that's turned off by default. "The security
has to be there" in the modem, says Oscar Marcia, chief security
architect for CableLabs, the industry group responsible for
DOCSIS. "But the [service provider] can decide when to turn it on."
And turning it on they are, Marcia says, but slowly, and in bits and
pieces, even five years after the option became available. "It's kind
of a gradual process... They want to make sure that they have all the
kinks worked out of their system." He adds that he expects the
process to accelerate as cable companies migrate to newer versions of
the DOCSIS specifications, where encryption is "on" by default,
instead of off.
SecurityFocus asked four U.S. cable modem service providers if they
protected their customers with the encryption option. Comcast,
Adelphia, and CableVision's Optimum Online declined comment; a
spokesman for Time Warner's Road Runner service didn't return
repeated phone calls on the question. Comcast's terms of service,
however, acknowledge a risk of eavesdropping by "other subscribers,"
and Optimum Online's bluntly admit the company doesn't utilize
encryption: "All Subscriber's ethernet traffic ... will be reflected
by the cable Modem in an unencrypted form onto the cable network and
be subject to eavesdropping."
The architecture of cable modem networks likely prevents
eavesdropping of upstream traffic, like typed passwords and credit
card numbers, and websites using SSL would be immune from passive
monitoring. "But downstream traffic is certainly visible to lots of
people if crypto isn't used," said AT&T security researcher Steve
Bellovin, in an e-mail interview.
The potential for spying and other mischief based on TCNiSO's
research is not lost on "DerEngel" -- the 23-year-old unemployed
programmer who heads the group. In an effort to be responsible, the
group programmed Sigma to block execution of the VxWorks functions
that change the modem's MAC address, a capability that could
otherwise wreak havoc on a network in the wrong hands. And on the
group's website, DerEngel offers to provide cable companies with a
tool to detect Sigma in use. "If you're going to make the crack,
might as well sell the glue," he says. So far, no one's taken him up
on the offer.
International Team
DerEngel says he and a friend began hacking cable modems three years
ago. Since then, the number of coders and researchers working on
TCNiSO projects has grown to ten, each with specialized skill sets,
hand-picked by DerEngel with the care of the roguish ringleader in a
caper movie assembling a team for a big score. He has a C coder and a
Windows programmer in Australia, a programmable memory expert in the
U.K., testers in Europe and Canada, and an assembly language coder in
Kentucky.
The latter is "Isabella," a 31-year-old programmer who coded Sigma
from her home near Louisville. Isabella scratches out a living doing
odd software and hardware jobs, like designing an electronic light
toy, or writing the embedded code that operates the ghosts and
goblins in a local haunted house attraction every Halloween. DerEngel
approached her online last year, after hearing she was good with an
assembler and might be interested in helping.
Underemployed and intrigued by the possibilities, Isabella wrote
Sigma in three months of days-long spurts of creativity. She doesn't
have cable modem service. "Everybody, it seems like, messes with
PC-based stuff, but nobody that I know does the embedded thing," she
says, explaining her interest in the project. "And Der is really
nice. Some people think he's kind of crazy, but I figured out how to
deal with it."
How crazy? When Isabella mentioned to DerEngel that she was looking
for a better MIPS assembler for the job, she expected him to suggest
one of the free programs already available. Instead, he wrote a new
one from scratch, filling it with features particularly useful to
firmware hacking. "He wrote a good assembler," she says. "Der was
determined to do it."
Indeed, the accumulated talent of the group's members has begun to
dwarf their raison d'être, and the coders seem to know it. DerEngel
is barely interested in discussing uncapping, and speaks instead of
the possibilities of writing plug-ins for Sigma -- extensible by
design -- that would transform the capabilities of the Surfboard,
turning it into a NAT box and a firewall. Isabella thinks they can
program the modem to tune to the channels used by the cable
companies' digital music feeds, which -- like TV programming -- share
the co-ax with the cable modem service. The hack might let the modem
send music to the user's PC, where it could be streamed in real time.
Ultimately, DerEngel and Isabella would even like to go legit, and
turn the group into a research shop for cable system providers, or at
least make a deal that allows TCNiSO to test their techniques in a
sanctioned laboratory setting. But after three years as the
preeminent underground think tank for cable modem uncappers, DerEngel
is realistic about the future. "In this industry you can't be the
good guy and the bad guy," he says. "So I guess we have to hide for
now, for that reason, because everyone will perceive us as the bad
guys... I think they look at us as hacking something that we
shouldn't, instead of just interested in electronics and trying to
get better at what we do."
Of course, the cable industry has its own impossible dreams, which
include preventing smart coders with lots of time and restless
passion from hacking the next generation of cable modems. "What
you're talking about only affects the DOCSIS 1.0 modems," says
CableLabs' Marcia of the Surfboard hack. The DOCSIS 1.1 and 2.0
specifications only accept firmware that's been digitally signed by
the cable company. "Once you move to a DOCSIS 1.1, and we already
have some cable operators deploying 1.1, this hack is not a viable
hack any more.... One mistake, and it turns the modem into a brick."
But DerEngel doesn't believe any cable modem is going to be immune
from customization, and he says his team is ready to prove it. "If
you have to, you can just change the [programmable memory chip] --
desolder it, put it back on there," he says. "As long as the customer
has the actual hardware in their hands, the customer will always be
able to change what he has."