Slashdot Mirror


Security Focus on Cable Modem Uncapping

Anonymous Coward writes "Cable modem uncapping allows broadband customers to boost their bandwidth to 6 or 7 times what they're paying for, by spoofing their modem's TFTP client into downloading a hacked DOCSIS configuration file. Kevin Poulsen at SecurityFocus reports that a new underground program called OneStep makes the process easy and fun for the whole family. Broadband companies are cutting off the uncappers that they catch, but things could get out of control soon."

18 of 484 comments

  1. caps on uploads by ebmedia · · Score: 1, Informative

    The download isn't too bad, what I pay for my motorola surfboard cable modem and charter pipeline access isn't unreasonable, but the upload is ridiculously low... it's capped at 15k or something, while I'm paying for 128 uploads. I'm gonna do this while I still can (before sommmmebody gets sued) :)

    1. Re:caps on uploads by mike_g · · Score: 4, Informative

      it's capped at 15k or something, while I'm paying for 128 uploads

      15k is exactly what you are paying for. The speeds that describe your line are in kbit/s, and 128kbit/s turns out to be 16kByte/s.

      m

  2. I've seen this before.. by skilef · · Score: 2, Informative

    ..here in Holland. A fellow UPC customer wrote a program called FuckUPC; uploadmax was uncapped and went from 16KBps to 300KBps! UPC applied a patch and it doesn't seem to work anymore. So maybe the fun is over before you know it. If a lot of people are going to use it, providers will find out in the end. As far as I can see, the program is basically the same as FuckUPC(?):

    -ARP your own IP address with MAC of cable modem
    -ARP private IP (10.10.10.1) with MAC of cablemodem
    -Set your gateway as 10.10.10.1
    -Redefine routing table (netmask 255.255.255.0)

    Seems pretty straightforward..

    --

    You do not exist. Go away.
  3. Re:Is there anything like this for DSL? by jawtheshark · · Score: 3, Informative

    As far as I'm informed, cable is a shared medium whereas xDSL isn't. This means that with your cable modem you get the full bandwidth unless you "restrict yourself".
    DSL (Digital Subscriber Line) is not a shared medium: you are the only one that uses it up to the switch. So the switch is responsible for cutting you down. Client side security (okay, capping in this case) has never been good security.
    Anyway, even if I am wrong (which I doubt), I wouldn't uncap my DSL modem. Okay, I have the lowest possible rate where I live, but it's enough for all our family members to surf simultaneously at acceptable speeds.

    --
    Ahhh...the great dumpster continuum. Many a free computer will be found there. -- sowth (748135)
  4. Re:Allows? Not really, it's a bug by kapzer · · Score: 5, Informative

    The Motorola scheme is based on a bad implementation that should never have passed certification in the first place. Read Cable-Modems.Org for some slightly more in-depth/serious information.

  5. Re:Is there anything like this for DSL? by proj_2501 · · Score: 3, Informative

    You are correct.

    To be more specific, each cable modem in your neighborhood receives and sends all data that goes through your neighborhood.

    Each cable modem has a timeslice to pay attention to data being sent to it. When receiving, there are multiple ways of multiplexing, be it giving each modem on the network a timeslice to send a burst, or frequency division multiplexing.

  6. Don't bother trying this... by Rogerborg · · Score: 3, Informative

    Unless you want to see how easy it is to produce convincing and very elaborate documentation of a fundamentally flawed exploit.

    For those who won't bother reading the link (most of you), the exploit is this:

    • DOCSIS Cable modems TFTP a file from the ISP to tell them what speed they are capped at (true)
    • You can produce a docsis file (using the docsis project at sourceforge) that tells your cable modem to run at whatever speed you like (true).
    • You can set the NIC IP on your PC to match the ISP's TFTP server, and set up your own TFTP server to serve your own docsis file (true).
    • If you reset the cable modem, it will look on the PC side for the TFTP server, and use your docsis file (bzzzzt, false).

    It looks really pretty until this last point, where it enters the realms of fantasy. The people who wrote the docsis spec aren't idiots. Cable modems will not look on the ethernet side for a TFTP server. TFTP'ing is done just after the cable side network discovery (so you have to have the cable side plugged in when you reset) and the modem knows which side is cable and which is ethernet. No, pinging the modem's ethernet IP from the PC doesn't help. It's just not that stupid; it knows that it has two interfaces, and it knows which one is which.

    So go ahead and try this. You won't damage your modem, because it will simply ignore your TFTP server. What will happen is that you'll spend a couple of hours following the steps, getting all excited, then getting increasingly frustrated as you just can't get that last step to work. Rest assured, you're not doing anything wrong, other than following the instructions of a delusional wannabe hacker with a tiny amount of network knowledge and a real problem dealing with reality.

    --
    If you were blocking sigs, you wouldn't have to read this.
    1. Re:Don't bother trying this... by sl956 · · Score: 5, Informative
      The people who wrote the docsis spec [cablemodem.com] aren't idiots. Cable modems will not look on the ethernet side for a TFTP server.
      The people who wrote the docsis spec aren't idiots, but the people who implemented it in some cable modems are: some Motorola cable modems are looking on both sides (cable and ethernet) for a TFTP server. Yes it's stupid... but they do.
      I tried it 6 months ago (when my provider switched to DOCSIS), with great success.
      Nevertheless I don't do it anymore: capped cable is better than no cable at all...
    2. Re:Don't bother trying this... by Loiosh-de-Taltos · · Score: 5, Informative

      The SURFboard modems check both sides. The Nortel CM200's and RCA 105's up to the 235's (with USB, yay) also hit the ethernet if they cannot reach a CMTS across the cable.

      Interestingly, The CM100 (BayNetworks by Nortel) does not make that mistake.

  7. Re:Is there anything like this for DSL? by arivanov · · Score: 5, Informative

    First: No. Same goes for the Euromodem Cable standard which is also ATM based.

    Second: It should not work on properly designed DOCSIS Cable Modems either. A cable modem should not accept tftp uploads and config from anywhere but its cable interface which is not available to the casual hacker.

    Third: It will not work on properly configured newer DOCSIS 1.1 and later networks either.

    Here is why:

    First: In DSL the speed is largely controlled by the DSLAM. Some modems do some minimal QoS and capping but it is hardly ever used. No need to.

    Second: design fault. Typical of telco manufacturing. No comment needed. Can be fixed by a single software upload which the provider can trigger on any software upgradeable modem. As a result it will no longer be possible to uncap it.

    Third: You can hog bandwidth in an unlimited fashion only on a DOCSIS 1.0 and incorrectly configured newer networks. DOCSIS 1.1 introduced the concept of a transmit map. The cable modem termination system tells you when you can transmit and when you cannot (it can also slice bandwidth exactly on per consumer/application basis). As a result a properly configured 1.1 or newer network should have no need for CPE capping. Of course, US has a boatload of non-docsis proprietary networks so dunno about these.

    --
    Baker's Law: Misery no longer loves company. Nowadays it insists on it
    http://www.sigsegv.cx/
  8. onestep == vapourware by sh0rtie · · Score: 5, Informative


    Ok, after sniffing around IRC (including the said hackers' channel) and various boards, this secret "underground" program the SecurityFocus guy quotes doesn't exist; it's vapourware.

    What does exist is a kludge of TFTP servers, query utils and glorified DOCSIS editors that, with 20 minutes and a *lot* of messing about, let you change your config settings, and then only until the ISP checks your modem (automated) via SNMP; deny this and you're cut off, accept it and it will detect your hacked config and cut you off... permanently.
    So you are screwed either way.

    Not to mention that most of the cable modem companies are using MD5 hashes to validate the config file's integrity (MIC (Message Integrity Check)); other than a severe hardware hack you're not going to crack much with this verification.

    I came across tcniso's website quite a while ago and after a few visits over the months it seemed to have ground to a halt when they realised that MD5 was involved; they even mentioned the possibility of brute forcing the hash, which raised a smile from a few of us.

    They point to their IRC channel for files but the *only* files that exist are just mirrors of the files their site links to, no "onestep" or 30mb files and certainly nothing special in the files (other than someone knows how to use a hexeditor on PD software)

    Some people don't understand how uncapping really works, but I think speedguide's article seems to sum it up nicely.

  9. Re:Do ISP's know about QoS yet? by T-Punkt · · Score: 2, Informative

    Nice idea; they would be lucky if they could. But they can't effectively limit the upstream of a single customer over a shared medium like cable. They could of course simply drop packets on their side but the cable would still be clogged up.

    That's why uncapping cable modems is immoral: If you unlimit your rate you are stealing bandwidth from other users on your cable segment and lower the quality of their cable service.

  10. Featured before on /. by exedanni · · Score: 1, Informative

    Interestingly enough, this was featured on Slashdot before on January 6th

    http://slashdot.org/comments.pl?sid=25797&cid=2807731

    Nobody seemed to give much of a damn back then, but I know I did ;)

  11. Re:One fact remains: never trust the client by Squash · · Score: 2, Informative

    I work at a cable company, and I stress this exact point. It is a silly way to cap bandwidth in the first place, and it was crazy to ever be adopted. Maybe this is why Docsis is only an ad-hoc standard?
    The bad part is, the method of enforcing speeds employed by most (I stress MOST, you bet your ass that my methods aren't so easily fooled) cable operators has the same problem. They want to get your speed by SNMP query to your cable modem. Which again puts the trust in the client. While I haven't seen any SNMP faker hacks, I'm sure that they aren't too far behind. Another silly note is that most of those guys are comparing your speed to a list of approved speeds, not to a list of what customers bought what. This includes their business lines, which run over the same gear. You won't be able to sneak through with a 2meg/2meg pipe, but a 1.5meg/768k is a service they probably sell, and would get right through their checks.

    The control method that you will see soon is called "shared secret", and is an encrypted passphrase-type method. Basically, your cable modem gets a config file that has a key in it, which is basically a signature of the bin file. It then generates a new passkey based on those two items, and sends it to the CMTS. The CMTS verifies that it got a correct passkey, and then lets you connect. The encryption they used is junk, though, and there are efforts underway to break it. This is yet another dumb method that will only work for a short while!

    What I will say is that there is a better way, and it is 100% effective. Your cable modem doesn't just "make up" a speed and magically work, it has to register its rates with the CMTS. This is where the speed is truly controlled. While it isn't likely that Cisco will have a good method for capping individual users at the CMTS level, they are nice enough to tell you what speed someone is registered at. This is the method that I am using, and I *am* comparing speeds against what customers are paying for... So if you live in a town where you can get Imo's pizza, the square beyond compare, this is your warning! :)

    On the flip side, once an abuser is identified, the info gets sent to marketing, and who knows what happens from there. We don't just pull the plug on abusers (yet).

    --
    Squash
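Two comments in this thread (sh0rtie's on the MD5 MIC, Squash's on the "shared secret") describe the two integrity checks a DOCSIS config file carries, and the difference between them is the whole story. What follows is an added illustration written for this page; it is not code from the thread, from Motorola, or from any CMTS vendor. TLV type 6 (CM MIC) is a plain MD5 over the TLVs that precede it, so anyone who edits the file can simply recompute it. TLV type 7 (CMTS MIC) is an HMAC-MD5 keyed with the operator's shared secret, which the modem only forwards and cannot regenerate. The secret, the sample rates and the TLV type numbers used for the rate fields are constructed for the example, and the set and order of TLVs the HMAC covers is simplified to "everything in file order, CM MIC included" rather than the exact list in the RFI spec.

```python
import hashlib
import hmac

# TLV type numbers. 6 and 7 are the real DOCSIS CM MIC / CMTS MIC types;
# the rate types below are hypothetical, chosen for this illustration only.
NET_ACCESS = 3
MAX_DS_RATE = 4   # hypothetical: max downstream rate, 4-byte big-endian bit/s
MAX_US_RATE = 5   # hypothetical: max upstream rate, 4-byte big-endian bit/s
CM_MIC = 6
CMTS_MIC = 7
END = 0xFF

SECRET = b"operator-shared-secret"   # constructed; exists only on the provisioning/CMTS side
SAMPLE_TLVS = [                       # constructed tier: 1.5 Mbit/s down, 128 kbit/s up
    (NET_ACCESS, b"\x01"),
    (MAX_DS_RATE, (1_500_000).to_bytes(4, "big")),
    (MAX_US_RATE, (128_000).to_bytes(4, "big")),
]


def tlv(t, value):
    """Encode one type-length-value item (1-byte type, 1-byte length)."""
    if len(value) > 255:
        raise ValueError("value too long for a 1-byte length")
    return bytes([t, len(value)]) + value


def parse(config):
    """Walk the TLV stream up to the 0xFF end-of-data marker."""
    items, i = [], 0
    while i < len(config) and config[i] != END:
        t, n = config[i], config[i + 1]
        items.append((t, config[i + 2:i + 2 + n]))
        i += 2 + n
    return items


def build_config(tlvs, shared_secret):
    """Provisioning side: append the unkeyed CM MIC, then the keyed CMTS MIC."""
    body = b"".join(tlv(t, v) for t, v in tlvs)
    body += tlv(CM_MIC, hashlib.md5(body).digest())
    body += tlv(CMTS_MIC, hmac.new(shared_secret, body, hashlib.md5).digest())
    return body + bytes([END])


def verify(config, shared_secret):
    """CMTS side: check both MICs over the TLVs that precede each of them."""
    ok = {"cm_mic": False, "cmts_mic": False}
    seen = b""
    for t, v in parse(config):
        if t == CM_MIC:
            ok["cm_mic"] = hmac.compare_digest(hashlib.md5(seen).digest(), v)
        elif t == CMTS_MIC:
            want = hmac.new(shared_secret, seen, hashlib.md5).digest()
            ok["cmts_mic"] = hmac.compare_digest(want, v)
        seen += tlv(t, v)
    return ok


def upstream_rate(config):
    """Read the (hypothetical) upstream-rate TLV back out of a file."""
    return next(int.from_bytes(v, "big") for t, v in parse(config) if t == MAX_US_RATE)


def tamper(config, new_upstream_bps):
    """What an uncapper can do without the secret: rewrite the rate, recompute
    the unkeyed CM MIC, and only copy the old CMTS MIC across unchanged."""
    old = parse(config)
    old_cmts_mic = next(v for t, v in old if t == CMTS_MIC)
    body = b"".join(
        tlv(t, new_upstream_bps.to_bytes(4, "big") if t == MAX_US_RATE else v)
        for t, v in old if t not in (CM_MIC, CMTS_MIC)
    )
    body += tlv(CM_MIC, hashlib.md5(body).digest())
    body += tlv(CMTS_MIC, old_cmts_mic)
    return body + bytes([END])


if __name__ == "__main__":
    good = build_config(SAMPLE_TLVS, SECRET)
    print("legit file :", verify(good, SECRET))
    hacked = tamper(good, 3_000_000)
    print("edited file:", verify(hacked, SECRET), "upstream now", upstream_rate(hacked))
```

The edited file passes the CM MIC and fails the CMTS MIC, which is why "they use MD5" is not, by itself, a defence: the unkeyed digest only catches corruption. The keyed digest is what an operator actually relies on, and it is exactly as strong as the secret's handling on the CMTS and TFTP hosts; "brute forcing the hash" is a brute force of the secret, not of MD5.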
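Squash's comment also contrasts two server-side ways of using the class of service a modem registers with the CMTS: checking it against the price list, which a modem uncapped to a tier the operator happens to sell will pass, or checking it against what that particular customer pays for. The block below is an added example for this page, not the operator's own tooling, and all of the data in it (tiers, billing table, registrations, MAC addresses) is constructed; it only assumes the registered rates have already been pulled from the CMTS into `(mac, down, up)` tuples.

```python
# Constructed data for the example; not from any CMTS or billing system.
TIERS = {          # (down, up) in kbit/s for every product sold, business lines included
    "residential": (1500, 384),
    "business": (1500, 768),
    "business-plus": (3000, 768),
}
SUBSCRIPTIONS = {  # billing table: modem MAC -> the tier that customer pays for
    "00:20:40:aa:bb:01": "residential",
    "00:20:40:aa:bb:02": "residential",
    "00:20:40:aa:bb:03": "residential",
}
REGISTRATIONS = [  # class of service each modem registered at the CMTS: (mac, down, up)
    ("00:20:40:aa:bb:01", 1500, 384),    # honest
    ("00:20:40:aa:bb:02", 1500, 768),    # uncapped, but to a tier the operator sells
    ("00:20:40:aa:bb:03", 2000, 2000),   # uncapped to a rate nobody sells
    ("00:20:40:aa:bb:04", 1500, 384),    # registered but absent from billing
]


def approved_rate_check(registrations, tiers):
    """The weak check: flag only rates that are not on the price list at all."""
    sold = set(tiers.values())
    return [mac for mac, down, up in registrations if (down, up) not in sold]


def subscription_check(registrations, tiers, subscriptions):
    """The per-customer check: compare each modem with what its owner bought.
    Returns (mac, reason) pairs so the reason can go to whoever follows up."""
    flagged = []
    for mac, down, up in registrations:
        tier = subscriptions.get(mac)
        if tier is None:
            flagged.append((mac, "registered modem with no subscription"))
        elif (down, up) != tiers[tier]:
            bought = tiers[tier]
            flagged.append((mac, f"registered {down}/{up}, paying for {bought[0]}/{bought[1]}"))
    return flagged


if __name__ == "__main__":
    print("price-list check flags :", approved_rate_check(REGISTRATIONS, TIERS))
    for mac, why in subscription_check(REGISTRATIONS, TIERS, SUBSCRIPTIONS):
        print("per-customer check flags:", mac, "-", why)
```

The price-list check catches only the 2000/2000 modem; the per-customer check also catches the one hiding at the business tier and the one that was never billed. Both rely on data the CMTS reports rather than on anything the modem can be asked over SNMP, which is the "never trust the client" point the comment makes.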
  12. Re:Changes in speed by Sc00ter · · Score: 4, Informative
    What?! I worked for MediaOne (and this is what became ATTBI) in 2000. They never had speeds that fast.. they had (and I still have as a ATTBI customer) 1.5Mb/s down and 384Kb/s up.

  13. Re:Cheap point-to-point line potential? by Anonymous Coward · · Score: 1, Informative

    Sorry dude, no way is this going to work.

    DOCSIS cable modems don't work point-to-point in that way, in order for them to function at all they are required to interact with a CMTS ( Cable Modem Termination System ), not to mention the fact that the downstream and upstream modulation schemes are sufficiently different ( 64 / 256 QAM vs QPSK/16 QAM ) in DOCSIS 1.x networks for this to be a non-starter.

    Go check the DOCSIS specs at CableLabs for a bit more detail on this. They are available for public download; you should check out the RFI (RF Interface) document first.

  14. Say what? by hagbard5235 · · Score: 3, Informative

    I've worked with both DOCSIS 1.0 and 1.1. The MAP MAC message is an integral part of both 1.0 and 1.1. It is not new in 1.1. The cable modem needs to specify a COS (class of service) during its registration process to the CMTS (cable modem termination system) in both versions of the standard. The CMTS enforces the COS in both versions of the standard. The only major change I recall between 1.0 and 1.1 with regard to how COS was handled was the introduction of dynamic classes of service for cable modems to accommodate telephony services.

  15. Re:The tragedy of the Commons by stinkydog · · Score: 3, Informative

    As per Merriam Webster Online:
    Main Entry: monopoly
    Pronunciation: m&-'nä-p(&-)lE
    Function: noun
    Inflected Form(s): plural -lies
    Etymology: Latin monopolium, from Greek monopOlion, from mon- + pOlein to sell
    Date: 1534
    1 : exclusive ownership through legal privilege, command of supply, or concerted action
    2 : exclusive possession or control
    3 : a commodity controlled by one party
    4 : one that has a monopoly


    Let me know who else can provision a cable modem in a single cable provider community and I will retract my statement. Most communities have a local monopoly for cable services. Aggregate these communities together and you have monopolies.

    Unfortunately, the FCC says that communities can not regulate broadband in the same manner they regulate cable. I will go a step further to state that most cable companies provide internet as an unregulated monopoly in their respective communities.

    My mother lives in a community with a large cable company and a city owned cable provider. The cable company is much more customer oriented and price competitive as they do not have a monopoly.

    --
    "Who knew something as harmless as willful ignorance could end up having real consequences?"