Security Focus on Cable Modem Uncapping

Anonymous Coward writes "Cable modem uncapping allows broadband customers to boost their bandwidth to 6 or 7 times what they're paying for, by spoofing their modem's TFTP client into downloading a hacked DOCSIS configuration file. Kevin Poulsen at SecurityFocus reports that a new underground program called OneStep makes the process easy and fun for the whole family. Broadband companies are cutting off the uncappers that they catch, but things could get out of control soon."

Fun? Yes. Legal? Questionable

[ObviousGuy]

Just because technology allows you to do something, does not mean that it is also legal.

One fact remains: never trust the client

[jukal]

The way the bandwidth limiting has been done in these modems, is completely similar to telling 5 year old kids to take only one candy, and then go yourself watch football to another room (or as a fin, Icehockey) - when you return after the match you can be sure that there is no candies - or bandwidth - left.

IMHO, the operators were just asking for this. NEVER trust the client.

Re:One fact remains: never trust the client

[RollingThunder]

Actually, I like this. It gives the abusers enough rope to hang themselves, and they evidently ARE catching them.

This means you get to easily identify, then remove, the buggers who are screwing your bandwidth distribution and forcing you to spend tons in extra capacity. A minor short-term risk for long-term gain.

I have to say I also don't mind that some warez d00d may just finally learn that yes, there are consequences to your actions, even on the Internet.

Property vs Service

The article states the hack was done by changing files in your cable modem. Your cable modem.

They provide the service, I'll provide my equipment and make the decisions as to how I use it thanks.

Re:Property vs Service

[redgekko]

True, you are within your rights to do whatever you want to the cable modem itself if you own it... HOWEVER, the moment you attach it to a leased cable line, you are most likely violating the provider's TOS/AUP/FAP/EULA that you agreed to be legally bound to when you subscribed.

Here's another example: you may own your telephone handset, AND it may even be legal to modify it for the purpose of phone phreaking (maybe...DMCA?), but once you plug it into a live phone jack, you've surely committed a crime.

Summary: It's not about how you handle your equipment, it's where you have permission to stick it.

Oh wonderful

[olman]

This is just great. And I thought our cable service was overloaded as it was. Never to worry, thought, they do send cease&desist nastygrams to everyone who exceeds an arbitary download quota as it is. In any case, you'd think it'd not be that difficult to monitor the bandwith usage per node and ..

Actually this reminds me of the a**wipes who used to download pr0n with threaded ftp clients from within the student network. We had a shared 512kbit line and you can see where this is leading to. Ditto for download managers with "segment" support. I fully realize I'm using making the download even slower for everyone else by using Getright to have 4 independent connections.. Some people are just more equal than others, dammit!

Uncapping

[Dante_H]

Yeah, I uncapped my cable modem (in the UK, on Blueyonder) for a period. 500kbyte/sec transfers were fun, but then when I had a power cut I had difficulty respoofing the modem with the configuration file. Apparently the cable company disabled the process of the modem getting the file.

A friend of mine, who also uncapped his modem but for a longer period received a letter from the cable company saying "Someone in your household has illegally attempt to modify one of the devices supplied by Telewest. Please desist or your service will be permanently withdrawn" or something like that.

My cable connection ocassionally gets uncapped for random periods, and I don't notice until I start downloading something (e.g. larger driver file) and get 300kbyte/sec.

If more information was available for customers to see how much bandwidth cost the ISP, then perhaps our expectations could be realistically scaled. Is having an uncapped 3 hour period between 2am and 5am feasible? I could simply schedule large downloads for that period. At present, I may as well just download at peak times, which probably is more irritating to the ISP receiving calls about slow web pages, or somesuch.

Re:Uncapping

[arivanov]

Individuals tampering with telco equipment property of the telco are stupid.

Reasons:

First it is illegal. Almost anywhere in the world you are violating both laws dealing with property as well as telco regulations. Under both you are legible for both fines and jail terms. You may get some leaway due to the lack of precedent for cable equipment or internet equipment being treated under the telco regulations but this is for a time. This unfortunately is not a game where the user wins. I am not saying that I like it or not I am simply stating the facts.

Second: it is trivial to catch. The bandwidth limit is a parameter which can be polled using SNMP by the telco on regular intervals. I can scribble a perl script to do it in 5 mins. I would not expect someone in NTL to do this (noone with brains left) but there used to be people in Telewest capable of doing it in about the same time (or a bit more). In btw: to the extent of my knowledge that is what ATT does. So all cappers get caught. No exemptions.

This is a typical Darwin Award scenario. Everyone of us does something else illegal from time to time. Speeding is a good example. I break the speed limit from time to time. Everyone does. But I do not do it right in front of a speed camera which I know to be always loaded,perfectly operational and checked by the police for catch at regular intevals.

Re:Easy to catch

[ImaLamer]

Download speeds aren't the problem.

I think we all assume that the download is maxed or we don't care.

It's the limited upload speeds that people want to get around. Now I know that the uploads are sometimes limited to reduce 'network collisions'... but low upload speeds are screwing real users.

You don't need to be hosting pr0n or warez. What if you want to put up a password protected mp3 server so you can listen at work, etc.

Remote desktops in XP - X11/VNC for linux users... there are real reasons.

Browse over to freshmeat and check out all the cool ass servers.

detection by service provider

[Eric+Smith]

The article suggests that service providers detect this by querying the modem at the customer end using SNMP. If that's true, a better[*] hack would be to modify the firmware to uncap the bandwidth regardless of what the MIB variables say. In other words, let it report back via SNMP exactly what the service provider sets the cap to, but have the modem disregard that variable.

People have done much more amazing hacks than that on DVD players, such as the Apex AD600A, despite the use of a non-standard microprocessor. Hacking the firmware of a cable modem should be quite simple by comparison.

That's the sort of reverse-engineering I used to do quite often, but now I get little opportunity due to the DMCA. It doesn't seem like service provider or cable modem vendor can use the DMCA to ban reverse-engineering of the cable modem, since the features in question aren't involved in copy protection. But the trend seems to be to sue first and try to justify it later.

Eric

[*] Better in the sense of being less detectable. I'm not suggesting that doing this is legal or ethical.

Re:detection by service provider

[Cato]

Ultimately, the provider can always monitor how much bandwidth you are using by looking at its own routers - you can't spoof this. Search for 'Cisco NetFlow' for one example of how to do this.

By making it more expensive for them to detect cable modem uncapping, you are probably just going to encourage them to disconnect uncappers rather than just warning them.

Re:Fun? Yes. Legal? Questionable

And just because something is illegal, doesn't mean it's wrong...

Americans, in particular, seem to have trouble with that one. Brainwashed, the lot of 'em...

You can't successfully legislate morality!

Re:Capped cable

[semeniuk]

You're right about websites, because they rarely have 'the big pipe' ... but newsgroups are a different story.

I easily hit the top advertised speed for my DSL service when I'm downloading from usenet ... and the more bandwidth I have, more educational material I can download from newsgroups (and there's tons of educational material there! :-))

Reaping the fruits of greed

[varn_ix]

Well, this is what you get if you are greedy. Instead of quietly opening the valve a bit more,
say, by a half (a fifty percent increase in performance is not bad by any standard, yes?),
they push for the skies. Skimming off the top goes unnoticed (or even tolerated) far longer
than just taking it all.

The tragedy of the Commons

[barberio]

Broadband internet useage is turning out to be a real life demonstration of the tragedy of the commons for some.

For those who have not studied Sociology, I'll summarise.

In a village, there is a common patch of land. General consences decreed that the land was free for any to graze their animals on. After a while, many people decided to graze as many animals as they physicaly could on the patch of land. Eventualy the commons becomes a muddy barran field due to over grazing. (Note, actualy, in large scale, this can, and has, turned grassland in to wasteland and even desert.)

The point is, many people have been saying 'Its the Internet, you paid for a connection, you have the right to use it to the full!' for so long. (ref, countless slashdot articles) Now people belive that bandwidth restrictions are artificial, that the cable companies are just trying to get as much money as they can. (Actualy, the Cable companies rent bandwidth in turn from companies which did speculative investment in laying high bandwidth cables. So if they need to increase bandwidth, they have to pay more.) This results in people asuming they have a right, and even a moral obligation, to take as much bandwidth as they can and 'share stuff'.

As another example, it would be wrong to take up two seats on an airliner when you only bought one ticket.

This scam is the equivelent of forgeing an airline ticket. Crude, and likely to end you up in hot water.

Re:The tragedy of the Commons

[barberio]

Which part of 'Bandwidth is a limited resource' and 'The companies have to pay more to get more bandwidth' did you fail to understand?

Sure the companies may suck, and may do bad things like that. But claiming that theft is of bandwidth is deminished in this way is going to backfire and potray those of us looking for 'internet fredom' as swindlers. As I said, the 'Hack the Planet' mentality is doing much more damage than good.

Re:The tragedy of the Commons

[m0i]

As another example, it would be wrong to take up two seats on an airliner when you only bought one ticket

Did you ever got bothered by anyone when you took the free seat next to you along with the one you were currently on? I don't think so. It's there, it's available, why not using it if you feel the need to? It's not exactly the same with bandwidth because there's a direct associated cost which is not the case with the free seat (it's likely it will travel with you whatsoever ).
Anyway, I think people just need to be explained things to accept the restrictions. Capping actually helps them having a better service overall, by protecting them from their abusing neighbours. I won't say that I don't find the up speed at 128kbps to be a bit slow, but I used to have 28.8k up so, why complaining in the first place? More is better?

Re:Unused bandwidth can never be recovered...

[weave]

I've gotten some e-mail basically saying this would be useless because most users aren't savvy enough to know how to shift their usage around, but by the cable companies own admission, the bulk of bandwidth is used by a small portion of subscribers. I put it to you that these same subscribers are the ones who would know how to shift their usage around via programattic means.

Given half a chance, I don't believe most of us geeks are unreasonable. And if variable bandwidth caps were instituted that were raised or lowered based on demand, just like the compression level on a CDMA cell signal is manipulated based on cellular tower usage and capacity, you'd start to see a lot of tools written that would make shifting of bandwidth around available for average users too...

Re:Unused bandwidth can never be recovered...

[warpSpeed]

That "setup fee" probably also covers the cost of buying or developing the program (and the hardware) that presents the enable button to that data entry person, and allows for the "quick" activation of the accounts. It will go to general overhead as well as a salary.

Owning a very small ISP, I agree with your first paragraph, the larger the comapany the more complacent they seem to be/get. I have to make the extra effort for each customer. It only takes one screwup and you lose a cusomer. The larger companies figure that the ROI for setting up something that takes care of a limited number of customers is not worth it, but they are wrong. You never know who is going to help or hurt your buisness in the future. Treat each customer right and one of them may bring in more buisness to you (and be loyal), treat one wrong and they may single handedly giving you are bad reputation by bad mouthing you to anyone who will listen.

Somewhere along the line the corperate bean counters get in the way and forgot that the customer is the one paying the bills.

So what's the problem?

[Restil]

Someone violates his TOS by uncapping his modem for the purpose of abusing his connection, gets caught in short order, and is banned from every abusing that internet provider again. I fail to see the problem here. The REASON these modems are capped in the first place are because of these very abusers. Granted, AT&T as well as other cable providers probably don't want to lose a bunch of customers, but the heavy warez/movie trading crowd they would happily do without as they tend to overuse their bandwidth allocation regardless, as well as creating potential legal liabilities.

This gives them an easy out. If they're able to detect an uncapped cable modem in a matter of hours after its been uncapped, then this is a great way to relieve yourself of a bunch of unwanted customers. And they don't even have to monitor bandwidth content. Just have to check the speed going over the physical maximum.

This should also be a wakeup call for parents who "share" their internet connection with their kids. Better let your children be aware that if ever they do something this foolish there will be serious hell to pay. PAY ATTENTION to what your children are doing. You don't know?? Then don't let them have internet access. When they turn 18, let them get their own account, and they can use or abuse it as they see fit.

Or if you REALLY need that extra bandwidth, pay for an account that provides for it. MOST companies, even cable providers have accounts that provide greater upstream bandwidth, but they don't cost $49, and they're rarely parts of a promotional deal.

-Restil

My uncap history

[rosewood]

Last weekend I tried this guy's surfboard hack and I ran into one big problem

The Docsis files are md5 signed and if I dont sign them, then I am SOL. I followed the steps, spoofed the tftp, wathced the modem grab the config - but yet my upload was still no better then 256kbits/second

As for the whole legality - All I am going to do is make my cable modem "up to 100x faster then 56k modem" because right now I am @ 3mbit/s and 256k/s. A 56k modem has a limit of 33.6 kbit/s for upload SO 100x faster is 3360 kbit/s second ... THATS A FUCKLOAD MORE THEN WHAT I HAVE. As for my download - well, 100x faster then 56k - well, we know its not REALLY 56 and I forget what it is but I never got better then 40kbit/s so lets go with that as the cealing - 100x faster is 4000 kbit/s. - I am CAPPED @ 3000/256 but yet if I were to hit their MAX of 100x faster I would have to be capped @ 4000/3360. I know 100x means if all the planets are alligned but its absolutely 100% impossible to get 100x more then a 56k. That is false advertising. I see no reason why I can not take my modem to what they advertise.

Discuss.

The difference between Morals and Ethics.

[Qrlx]

The reason they say "You can't legislate morality" is because morals are unique to each individual, a set of personal beliefs and guiding principles (or lack thereof.) Morals occur inside your head, you get to figure them out for yourself.

Ethics, on the other hand, is what (some) laws address, such as laws against murder and other examples in this thread. Ethics could perhaps be described as the loose framework of commonly shared beliefs among a society's members, a consensus of what's acceptable and unacceptable. Ethics probably play a big factor in an individual's morals, but they are only one part.

This is an important difference. Morals and ethics are completely different things. No congressman has even been rung up for poor moral behavior, only ethics violations.

The statement "You can't legislate morality" means that the law reflects a society's ethics, not an individual's morals. You can't force your moral beliefs on anyone but you can demand that members in a society adhere to a code of ethics. For instance, you can make racism illegal but you can't prevent anyone from having racist thoughts. You CAN make it illegal for them to lynch or burn crosses.

Similarly, when you run a red light late at night, or don't buckle your seat belt, that's your morals overriding society's ethics.

I think a better statement is "Legislation should have nothing to do with morality." Sadly, our current Attorney General, for one, believes that you CAN legislate morality. That leads us to the era of the Thought Police.