Slashdot Mirror


Security Focus on Cable Modem Uncapping

Anonymous Coward writes "Cable modem uncapping allows broadband customers to boost their bandwidth to 6 or 7 times what they're paying for, by spoofing their modem's TFTP client into downloading a hacked DOCSIS configuration file. Kevin Poulsen at SecurityFocus reports that a new underground program called OneStep makes the process easy and fun for the whole family. Broadband companies are cutting off the uncappers that they catch, but things could get out of control soon."

12 of 484 comments

  1. Re:caps on uploads by mike_g · · Score: 4, Informative

    it's capped at 15k or something, while I'm paying for 128 uploads

    15k is exactly what you are paying for. The speeds that describe your line are in kbit/s, and 128kbit/s turns out to be 16kByte/s.

    m

  2. Re:Is there anything like this for DSL? by jawtheshark · · Score: 3, Informative

    As far as I'm informed, cable is a shared medium whereas xDSL isn't. This means that with your cable modem you get the full bandwidth unless you "restrict yourself".
    DSL (Digital Subscriber Line) is not a shared medium: you are the only one that uses it up to the switch. So the switch is responsible for cutting you down. Client side security (okay, capping in this case) has never been good security.
    Anyway, even if I am wrong (which I doubt), I wouldn't uncap my DSL modem. Okay, I have the lowest possible rate where I live, but it's enough for all our family members to surf simultaneously at acceptable speeds.

    --
    Ahhh...the great dumpster continuum. Many a free computer will be found there. -- sowth (748135)
  3. Re:Allows? Not really, it's a bug by kapzer · · Score: 5, Informative

    The Motorola scheme is based on a bad implementation that should never have passed certification in the first place. Read Cable-Modems.Org for some slightly more in-depth/serious information.

  4. Re:Is there anything like this for DSL? by proj_2501 · · Score: 3, Informative

    You are correct.

    To be more specific, each cable modem in your neighborhood receives and sends all data that goes through your neighborhood.

    Each cable modem has a timeslice to pay attention to data being sent to it. When receiving, there are multiple ways of multiplexing, be it giving each modem on the network a timeslice to send a burst, or frequency division multiplexing.

  5. Don't bother trying this... by Rogerborg · · Score: 3, Informative

    Unless you want to see how easy it is to produce convincing and very elaborate documentation of a fundamentally flawed exploit.

    For those who won't bother reading the link (most of you), the exploit is this:

    • DOCSIS Cable modems TFTP a file from the ISP to tell them what speed they are capped at (true)
    • You can produce a docsis file (using the docsis project at sourceforge) that tells your cable modem to run at whatever speed you like (true).
    • You can set the NIC IP on your PC to match the ISP's TFTP server, and set up your own TFTP server to serve your own docsis file (true).
    • If you reset the cable modem, it will look on the PC side for the TFTP server, and use your docsis file (bzzzzt, false).

    It looks really pretty until this last point, where it enters the realms of fantasy. The people who wrote the docsis spec aren't idiots. Cable modems will not look on the ethernet side for a TFTP server. TFTP'ing is done just after the cable side network discovery (so you have to have the cable side plugged in when you reset) and the modem knows which side is cable and which is ethernet. No, pinging the modem's ethernet IP from the PC doesn't help. It's just not that stupid; it knows that it has two interfaces, and it knows which one is which.

    So go ahead and try this. You won't damage your modem, because it will simply ignore your TFTP server. What will happen is that you'll spend a couple of hours following the steps, getting all excited, then getting increasingly frustrated as you just can't get that last step to work. Rest assured, you're not doing anything wrong, other than following the instructions of a delusional wannabe hacker with a tiny amount of network knowledge and a real problem dealing with reality.

    --
    If you were blocking sigs, you wouldn't have to read this.
    1. Re:Don't bother trying this... by sl956 · · Score: 5, Informative
      The people who wrote the docsis spec [cablemodem.com] aren't idiots. Cable modems will not look on the ethernet side for a TFTP server.
      The people who wrote the docsis spec aren't idiots, but the people who implemented it in some cable modems are: some Motorola cable modems are looking on both sides (cable and ethernet) for a TFTP server. Yes it's stupid... but they do.
      I tried it 6 months ago (when my provider switched to DOCSIS), with great success.
      Nevertheless I don't do it anymore: capped cable is better than no cable at all...
    2. Re:Don't bother trying this... by Loiosh-de-Taltos · · Score: 5, Informative

      The SURFboard modems check both sides. The Nortel CM200's and RCA 105's up to the 235's (with USB, yay) also hit the ethernet if they cannot reach a CMTS across the cable.

      Interestingly, the CM100 (BayNetworks by Nortel) does not make that mistake.

  6. Re:Is there anything like this for DSL? by arivanov · · Score: 5, Informative

    First: No. Same goes for the Euromodem Cable standard which is also ATM based.

    Second: It should not work on properly designed DOCSIS Cable Modems either. A cable modem should not accept tftp uploads and config from anywhere but its cable interface which is not available to the casual hacker.

    Third: It will not work on properly configured newer DOCSIS 1.1 and later networks either.

    Here is why:

    First: In DSL the speed is largely controlled by the DSLAM. Some modems do some minimal QoS and capping but it is hardly ever used. No need to.

    Second: design fault. Typical of telco manufacturing. No comment needed. Can be fixed by a single software upload which the provider can trigger on any software upgradeable modem. As a result it will no longer be possible to uncap it.

    Third: You can hog bandwidth in an unlimited fashion only on a DOCSIS 1.0 and incorrectly configured newer networks. DOCSIS 1.1 introduced the concept of a transmit map. The cable modem termination system tells you when you can transmit and when you cannot (it can also slice bandwidth exactly on per consumer/application basis). As a result a properly configured 1.1 or newer network should have no need for CPE capping. Of course, US has a boatload of non-docsis proprietary networks so dunno about these.

    --
    Baker's Law: Misery no longer loves company. Nowadays it insists on it
    http://www.sigsegv.cx/
  7. onestep == vapourware by sh0rtie · · Score: 5, Informative


    Ok, after sniffing around IRC (including the said hackers' channel) and various boards, this secret "underground" program the securityfocus guy quotes doesn't exist, it's vapourware.

    what does exist is a kludge of tftp servers, query utils and glorified DOCSIS editors that with 20 minutes and a *lot* of messing about you can change your config settings and then only until the ISP checks your modem (automated) via SNMP, deny this and you're cut off, accept it and it will detect your hacked config and cut you off...permanently
    so you are screwed either way.

    not to mention that most of the cable modem companies are using MD5 hashes to validate the config file's integrity (MIC (Message Integrity Check)), other than a severe hardware hack you're not going to crack much with this verification.

    I came across tco-iso's website quite a while ago and after a few visits over the months it seemed to have ground to a halt when they realised that MD5 was involved, they even mentioned the possibility of brute forcing the hash which raised a smile from a few of us.

    They point to their IRC channel for files but the *only* files that exist are just mirrors of the files their site links to, no "onestep" or 30mb files and certainly nothing special in the files (other than someone knows how to use a hexeditor on PD software)

    some people don't understand how uncapping really works but I think speedguide's article seems to sum it up nicely.
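
Added example, not part of the comment above and not any cable operator's code: a sketch of the kind of message integrity check that comment refers to, written here as a keyed MD5 (HMAC-MD5) over the settings that precede the MIC record. The TLV type numbers, the secret and the sample rates are assumptions constructed for the illustration, and the record layout is simplified.

```python
import hashlib
import hmac
import struct

T_COS, T_MIC, T_END = 4, 7, 255   # TLV type numbers assumed for this sketch

def tlv(t, value):
    """Encode one type/length/value record (1-byte type, 1-byte length)."""
    return struct.pack("BB", t, len(value)) + value

def parse_tlvs(blob):
    """Return [(type, value, offset)] up to the end marker; raise if malformed."""
    out, i = [], 0
    while i < len(blob):
        if blob[i] == T_END:
            return out
        if i + 2 > len(blob):
            raise ValueError("truncated TLV header")
        length = blob[i + 1]
        value = blob[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated TLV value")
        out.append((blob[i], value, i))
        i += 2 + length
    raise ValueError("missing end-of-data marker")

def sign_config(settings, secret):
    """Provisioning side: append a keyed MD5 MIC over the settings."""
    mic = hmac.new(secret, settings, hashlib.md5).digest()
    return settings + tlv(T_MIC, mic) + bytes([T_END])

def verify_config(blob, secret):
    """Head-end side: accept only if the MIC is the last record and matches."""
    try:
        records = parse_tlvs(blob)
    except ValueError:
        return False
    if not records or records[-1][0] != T_MIC:
        return False          # no MIC, or settings appended after it
    _, mic, offset = records[-1]
    expected = hmac.new(secret, blob[:offset], hashlib.md5).digest()
    return hmac.compare_digest(mic, expected)

# Constructed sample: class of service with 1.5 Mb/s down and 384 kb/s up
SECRET = b"constructed-provisioning-secret"
COS = tlv(T_COS, tlv(2, struct.pack(">I", 1_500_000)) + tlv(3, struct.pack(">I", 384_000)))
GOOD = sign_config(COS, SECRET)
# Same file with the downstream rate changed but the old MIC kept
TAMPERED = GOOD.replace(struct.pack(">I", 1_500_000), struct.pack(">I", 10_000_000))
```

Because the digest is keyed, the check holds only as long as the secret stays on the provisioning and head-end side and the verifier rejects anything placed after the MIC record.
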

  8. Re:Changes in speed by Sc00ter · · Score: 4, Informative
    What?! I worked for MediaOne (and this is what became ATTBI) in 2000. They never had speeds that fast.. they had (and I still have as an ATTBI customer) 1.5Mb/s down and 384Kb/s up.

  9. Say what? by hagbard5235 · · Score: 3, Informative

    I've worked with both DOCSIS 1.0 and 1.1. The MAP MAC message is an integral part of both 1.0 and 1.1. It is not new in 1.1. The cable modem needs to specify a COS (class of service) during its registration process to the CMTS (cable modem termination system) in both versions of the standard. The CMTS enforces the COS in both versions of the standard. The only major changes I recall between 1.0 and 1.1 with regard to how COS was handled was the introduction of dynamic classes of service for cable modems to accommodate telephony services.

  10. Re:The tragedy of the Commons by stinkydog · · Score: 3, Informative

    As per Merriam Webster Online:
    Main Entry: monopoly
    Pronunciation: m&-'nä-p(&-)lE
    Function: noun
    Inflected Form(s): plural -lies
    Etymology: Latin monopolium, from Greek monopOlion, from mon- + pOlein to sell
    Date: 1534
    1 : exclusive ownership through legal privilege, command of supply, or concerted action
    2 : exclusive possession or control
    3 : a commodity controlled by one party
    4 : one that has a monopoly


    Let me know who else can provision a cable modem in a single cable provider community and I will retract my statement. Most communities have a local monopoly for cable services. Aggregate these communities together and you have monopolies.

    Unfortunately, the FCC says that communities can not regulate broadband in the same manner they regulate cable. I will go a step further to state that most cable companies provide internet as an unregulated monopoly in their respective communities.

    My mother lives in a community with a large cable company and a city owned cable provider. The cable company is much more customer oriented and price competitive as they do not have a monopoly.

    --
    “Who knew something as harmless as willful ignorance could end up having real consequences?”