Newsbytes 2002-03-14
When his cable modem service seemed to slow almost to a crawl last spring, Matthew Hallacy did like most people and complained to technical support at his Internet service provider, AT&T Broadband. But after the sluggish performance persisted for weeks, Hallacy, a Minnesota-based software engineer and networking expert, decided to take matters into his own hands: he hacked his cable modem.
"Tech support told me it wasn't their fault and the service was going as fast as it could. So I downloaded the specs for the modem off the Web and started poking around to see if that was true," said Hallacy.
It wasn't long before Hallacy, 21, devised a trick for modifying an obscure configuration file used by the service to control the settings in his 3Com cable modem.
A few tweaks later, Hallacy's $50-per-month service, which had been downloading data at a poky 75 kilobits per second (Kbps), was sweetly humming along at much brisker speeds in both directions.
According to Hallacy, he hacked the modem just to prove that AT&T's network management, and not his modem, was the performance bottleneck, and he immediately changed the settings back.
But after successfully testing his technique for friends on other cable modem services - and studying further the specifications for DOCSIS, the standard interface used by most cable modem manufacturers - Hallacy decided he had uncovered a bona fide security vulnerability.
This week, Hallacy submitted a description of his technique to two e-mail discussion lists run by SecurityFocus.com that are read by thousands of computer security aficionados.
Hallacy's message detailed how to trick a DOCSIS-compliant cable modem into divulging its secret configuration file, and how to edit the file's binary data using a free, open-source software program.
According to cable experts, Hallacy's trick is not new, and similar techniques involving what are called TFTP servers have previously been anonymously published on the Web.
But the description by Hallacy may be the most specific ever posted to such a public forum. And experts said his claim that not only AT&T but also some Comcast and Time Warner cable systems are vulnerable may spur operators to make changes to their networks - or risk similar poking and prodding by other networking gurus.
AT&T Broadband spokesperson Andrew Johnson said the company takes potential security issues seriously but was still investigating Hallacy's report and had no immediate comment on his claims.
In an interview today, Hallacy claimed that changes to the configuration file could do more than just remove the bandwidth caps put in place by cable operators to manage their precious resources.
According to Hallacy, a savvy network programmer could change his configuration file to intercept all data from other users on the attacker's local area network, or "node".
"I or somebody like me could sit down in front of a cable modem on AT&T's network and have something like that running in less than half an hour, and AT&T probably would never notice it," he claimed.
In some instances, the technique could potentially be exploited even to take control of a cable ISP's gateway computers, alter their network routing, and shift large amounts of traffic to a specified destination, Hallacy claimed.
Officials from CableLabs, the nonprofit industry consortium that developed DOCSIS, said the modem standard includes several mechanisms, including something called "shared secret keys," that enable cable operators to prevent users from making the sorts of modifications claimed by Hallacy.
"The problem is real, but it's not because of a flaw in the specification," said Rouzbeh Yassini, a senior CableLabs executive.
"When it's raining, some people decide to walk in the rain without an umbrella," Yassini added, referring to cable operators who may have neglected to configure their networks properly.
According to 3Com spokesperson Kim Sullivan, the big network equipment maker discontinued its consumer cable modem business last summer.
"We currently do not have a product that is affected by the threat" described by Hallacy, she said.
A Motorola representative noted that a forthcoming engineering change from CableLabs will require cable modem vendors to implement a technique for preventing subscribers from changing the modem's config file, and that Motorola intends to implement the change.
Dave Ahmad, moderator of the Bugtraq security mailing list, said he did not immediately approve Hallacy's submission because it described "how to evade (cable operators') service restrictions" and because he was "not sure what the benefit was to the community. Who is at risk if the information is not made public?"
Ahmad posted his comments, along with Hallacy's advisory, in a message Tuesday to the Vuln-Dev list, which had published a pared-back version of Hallacy's report on Monday.
Hallacy said he debated the morality of publishing his hacking instructions, but finally decided to do so as "a little bit of a smack in cable companies' direction. People are exploiting this. It's one of the reasons there's not enough bandwidth on some nodes, and they need to fix it."
Hallacy's original submission to Bugtraq is at http://online.securityfocus.com/archive/82/261454 .
CableLab's DOCSIS specs are online at http://www.cablemodem.com/specifications.html .
Reported by Newsbytes, http://www.newsbytes.com .