Insecure cable networks?

Is it a common practice for cable network providers to leave access
to the cable modem/router management web UI wide open?

Here is the scoop. I had heard about it but hadn't experienced it hands-on
or seen it myself until recently, when I was testing one of the embedded
TCP/IP boards I produce, which, like many other IP gadgets, has a mini
HTTP server that I access just by typing the IP address of the thing.

In my home lab (an IPv4 address on 10/8, not very uncommon) I
screwed up and made a typo in the IP address and ended up on a
different device's web UI, an Ambit cable modem.

Hmmm, my modem is from Toshiba. I tried the default factory
password, and it worked!! Not only that, this thing is several cities and
hundreds of miles away from here... ehhh?

I fired up nmap, tried several 10/24 networks and, just playing by hand,
found hundreds of devices, and on every single one I tried the default password
worked: not only modems, but also modem/routers, and some with
integrated VoIP where, if I wanted, I would have been able to change the
provisioning configuration and channel scanning, browse through the call
manager logs and see who's calling or being called, etc.

Isn't this a huge security hole?

It won't take much for a kiddie to write a very simple script to drive
the NOC guys crazy, taking down pieces of the network here and there...

If a grownup from TWC/RR wants to get more specifics, feel free to
contact me.

Regards

it's very common for a CM to operate a web page, usually
http://192.168.100.1/, that offers the local user diagnostic
capabilities. it should not, however, provide administrative access.
that said, in some of the newer "gateway" style modems, some
administrative access to the CPE side can be made available via
the use of split configuration.

regards,
/steve

There are knobs on most models to restrict access to the GUI to:
- the LAN interface
- certain mgmt subnets.

Sounds like the MSO doesn't have things set up correctly.

Frank

Yes, this is a huge security hole. Management networks should always be restricted to some extent, and the fact that default passwords allow you into VoIP gateways provides an avenue for call fraud. At a very minimum the devices should restrict which addresses can talk to them (i.e. management servers in the MSO) and passwords should be non-default.

Maybe you can consult with the local MSO?

Kind regards,
Truman
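The two controls recommended above (Frank's "knobs" restricting the GUI to the LAN interface and management subnets, and Truman's minimum of address restriction plus non-default passwords) can be modelled as a small audit. The script below is an added example written for this thread, not code from any MSO or modem vendor: the management ranges, fleet records and access-log lines are all constructed, and the only credential pair it flags is the factory default "user" mentioned later in the thread.

```python
"""Added example, not code from the thread or from any MSO or vendor.

It models the two controls the replies recommend for cable modem
management web UIs: (1) only the LAN side and the MSO's management
subnets may reach the UI, and (2) factory default credentials count
as a finding. Every subnet, device record and log line is constructed.
"""
import ipaddress
from dataclasses import dataclass

# Constructed policy; real MSO management ranges would differ.
LAN_SIDE = ipaddress.ip_network("192.168.100.0/24")   # local diagnostic page range
MSO_MGMT = [ipaddress.ip_network("10.250.0.0/16"),    # hypothetical provisioning/NOC servers
            ipaddress.ip_network("10.251.4.0/24")]
PERMITTED = [LAN_SIDE, *MSO_MGMT]

# Credential pairs an auditor flags; "user"/"user" is the default the thread reports.
DEFAULT_CREDS = {("user", "user")}


def source_allowed(src: str) -> bool:
    """True if a request source address may reach a modem's management UI."""
    ip = ipaddress.ip_address(src)
    return any(ip in net for net in PERMITTED)


@dataclass
class Modem:
    cm_ip: str           # customer-facing 10/8 address of the cable modem
    admin_user: str
    admin_password: str
    acl: list            # CIDR strings the modem's knob allows; [] means wide open


def audit(modem: Modem) -> list:
    """Return human-readable findings for one modem's management configuration."""
    findings = []
    if not modem.acl:
        findings.append("management UI reachable from any address")
    for cidr in modem.acl:
        net = ipaddress.ip_network(cidr)
        # An ACL entry is acceptable only if it sits entirely inside a permitted
        # range; 10.0.0.0/8 fails because other customers' modems live there too.
        if not any(net.subnet_of(p) for p in PERMITTED):
            findings.append(f"ACL entry {net} reaches beyond LAN and MSO management ranges")
    if (modem.admin_user, modem.admin_password) in DEFAULT_CREDS:
        findings.append("factory default credentials still set")
    return findings


def triage_log(lines: list) -> list:
    """Label constructed 'src dst path' web-UI hits ALLOW or DENY under the policy."""
    out = []
    for line in lines:
        src, dst, path = line.split()
        verdict = "ALLOW" if source_allowed(src) else "DENY"
        out.append((verdict, src, dst, path))
    return out


# Constructed fleet and access log for a stand-alone run.
FLEET = [
    Modem("10.13.7.42", "user", "user", []),                 # the situation the thread describes
    Modem("10.13.7.43", "user", "Tq9#v", ["10.0.0.0/8"]),    # ACL set, but far too broad
    Modem("10.13.7.44", "user", "Tq9#v", ["192.168.100.0/24", "10.250.0.0/16"]),
]
ACCESS_LOG = [
    "10.13.9.200 10.13.7.42 /login",     # another customer's address
    "10.250.3.9 10.13.7.42 /config",     # NOC management server
    "192.168.100.20 192.168.100.1 /",    # the subscriber's own LAN
]

if __name__ == "__main__":
    for m in FLEET:
        print(m.cm_ip, audit(m) or ["ok"])
    for row in triage_log(ACCESS_LOG):
        print(*row)
```

The second fleet entry is the case worth noticing: an ACL that simply says 10.0.0.0/8 looks restrictive but still admits every other subscriber's modem address, which is exactly the vantage point the original post describes, so the audit only accepts entries fully contained in the LAN or MSO management ranges.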

If I were them, or involved in the operation of their network, I would
start with an audit.

Obviously I didn't change or try to change anything; the few cases where I
tried to gain access to some randomly selected devices/locations were just to
confirm that, IMHO, there is a big exposure here.

For example, I found devices such as an integrated modem and wireless router
where, if I wanted, I would have been able to enable WiFi guest access or change
the existing WiFi configuration such as SSID, keys, etc.

Some modems don't seem to provide access via port 80. I didn't scan for any
other potential ports or back doors (such as SNMP ports, etc.); they simply
show the message "Access to this web page is currently unavailable."

The most popular/used device, judging by the number of times I got the same
interface for the few (less than 100) IPs I tried, seems to be the Ambit modem.
The main page shows general modem information, something like:

Cable Modem Information
Cable Modem : DOCSIS 1.0/1.1/2.0 Compliant
MAC Address : 00:1F:XX:XX:XX:XX
Serial Number : REMOVED
Boot Code Version : 2.1.6d
Software Version : 2.105.1008
Hardware Version : 1.20
CA Key : Installed

Gaining access to the modem is quite simple. On the left there is a frame that
has a Login link and says "Factory default username/password is "user"", which
actually worked on all the ones I found and tried. In the right-hand corner
there are two links, one that says Modem and another that says Tools. If I
click on Tools I see at least two options: one that takes me to a form page to
change the password, and the other to change the Frequency Scanning Plan.
Again, I didn't try to change anything to confirm that it is actually
possible, but I have the hunch that it is.

Another case is an integrated modem/router with VoIP features such as
Motorola's SurfBoard. The standard management interface, without even
logging in to the thing, provides plenty of information (I don't know how useful), but
there is a link that says "Advanced" which requires you to enter a password.
Don't waste much of your brain: the password is simply "motorola", and with that
you get access to more information including MGCP logs. I didn't analyze
the logs in detail, but it didn't take much effort to find out that a guy was
being called by a collection department of Wells Fargo Bank from an
Oregon (503) number.

In another case I saw a log entry that could be interpreted as a dialed out
number.

In summary, I don't believe that any customer should have access to any
other customer's device in such a way that you can alter the provisioning of
a service or snoop and see how the service is being used. This raises not
only security but privacy concerns.

I didn't use any scripts or try any heavy tools or hacking; mine is a very
minuscule sample of what seems to be a widespread bad practice or
mismanaged network configuration.

Ryan, thanks for your message. I checked and saw that you work for TWC
in the Albany area, but, no offense, I have no problem sharing more details
and cooperating, only if contacted by a "grownup" honcho in charge
of networking/security.

I promise, I won't break anything ...

Cheers
Jorge