Security Focus on Cable Modem Uncapping
Anonymous Coward writes "Cable modem uncapping allows broadband customers to boost their bandwidth to 6 or 7 times what they're paying for, by spoofing their modem's TFTP client into downloading a hacked DOCSIS configuration file. Kevin Poulsen at SecurityFocus reports that a new underground program called OneStep makes the process easy and fun for the whole family. Broadband companies are cutting off the uncappers that they catch, but things could get out of control soon."
Just because technology allows you to do something, does not mean that it is also legal.
I have been pwned because my
and they will be totally surprised when their cable company cuts them off at their knees:
http://www.dslreports.com/forum/remark,3155491~root=attbi~mode=flat
-zAmboni
Team Ars Technica Lamb Chop
Give me something that I can actually use like...
A program that will cap my CS ping at 10ms.
A program that gets rid of my horrible packet loss.
A program that gives me reliable service without downtime every other day.
A program that will uncap my 1GB/mo limit on usenet download.
A program that gives me customer service who knows what they are talking about.
A program that gets rid of my horrible Comcast service and gets my old (more reliable, lower priced, higher bandwidth, more featured) Mediaone service.
-zAmboni
Team Ars Technica Lamb Chop
Here's another example: you may own your telephone handset, AND it may even be legal to modify it for the purpose of phone phreaking (maybe...DMCA?), but once you plug it into a live phone jack, you've surely committed a crime.
Summary: It's not about how you handle your equipment, it's where you have permission to stick it.
Slashdot: rejecting tech news in favor of rubber band guns since 1997.
The Motorola scheme is based on a bad implementation that should never have passed certification in the first place. Read Cable-Modems.Org for some slightly more in-depth/serious information.
People have done much more amazing hacks than that on DVD players, such as the Apex AD600A, despite the use of a non-standard microprocessor. Hacking the firmware of a cable modem should be quite simple by comparison.
That's the sort of reverse-engineering I used to do quite often, but now I get little opportunity due to the DMCA. It doesn't seem like a service provider or cable modem vendor can use the DMCA to ban reverse-engineering of the cable modem, since the features in question aren't involved in copy protection. But the trend seems to be to sue first and try to justify it later.
Eric
[*] Better in the sense of being less detectable. I'm not suggesting that doing this is legal or ethical.
Don't forget video conferencing. Being capped at 15KB/s limits you to some pretty ugly video quality. I want to use my cable modem to do video conferencing with family and friends around the country. Right now it is one step away from intolerable and usually not worth the effort.
When information is power, privacy is freedom.
This would also encourage off peak usage. It'd be far better to squeeze out that 2 gig download quickly when it has no real impact on others versus taking hours due to a cap during peak.
I'm guessing you just can't reprovision the cable boxes that quickly and dynamically everywhere, but damn, it makes sense and I still don't understand why caps aren't implemented using some QOS type service at the head-end anyway...
First: No. Same goes for the Euromodem Cable standard which is also ATM based.
Second: It should not work on properly designed DOCSIS Cable Modems either. A cable modem should not accept tftp uploads and config from anywhere but its cable interface which is not available to the casual hacker.
Third: It will not work on properly configured newer DOCSIS 1.1 and later networks either.
Here is why:
First: In DSL the speed is largely controlled by the DSLAM. Some modems do some minimal QoS and capping but it is hardly ever used. No need to.
Second: design fault. Typical of telco manufacturing. No comment needed. Can be fixed by a single software upload which the provider can trigger on any software upgradeable modem. As a result it will no longer be possible to uncap it.
Third: You can hog bandwidth in an unlimited fashion only on a DOCSIS 1.0 and incorrectly configured newer networks. DOCSIS 1.1 introduced the concept of a transmit map. The cable modem termination system tells you when you can transmit and when you cannot (it can also slice bandwidth exactly on per consumer/application basis). As a result a properly configured 1.1 or newer network should have no need for CPE capping. Of course, the US has a boatload of non-DOCSIS proprietary networks so dunno about these.
Baker's Law: Misery no longer loves company. Nowadays it insists on it
http://www.sigsegv.cx/
Ok, after sniffing around IRC (including the said hackers' channel) and various boards, this secret "underground" program the securityfocus guy quotes doesn't exist; it's vapourware.
What does exist is a kludge of tftp servers, query utils and glorified DOCSIS editors that with 20 minutes and a *lot* of messing about you can change your config settings and then only until the ISP checks your modem (automated) via SNMP; deny this and you're cut off, accept it and it will detect your hacked config and cut you off... permanently.
so you are screwed either way.
Not to mention that most of the cable modem companies are using MD5 hashes to validate the config file's integrity (MIC (Message Integrity Check)); other than a severe hardware hack you're not going to crack much with this verification.
I came across tco-iso's website quite a while ago and after a few visits over the months it seemed to have ground to a halt when they realised that MD5 was involved; they even mentioned the possibility of brute forcing the hash, which raised a smile from a few of us.
They point to their IRC channel for files but the *only* files that exist are just mirrors of the files their site links to, no "onestep" or 30mb files and certainly nothing special in the files (other than someone knows how to use a hexeditor on PD software)
Some people don't understand how uncapping really works but I think speedguide's article seems to sum it up nicely.
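[Added example, not part of any comment in this thread and not code from any vendor or tool mentioned here.] The MIC check described in the comment above, seen from the head-end side, in a simplified model: the config file is a run of type/length/value records ending with an unkeyed MD5 digest (type 6), a keyed HMAC-MD5 MIC (type 7) and an end marker (255). Having the digests cover every setting in file order is an assumption made for brevity, and the function names, secrets and rate values are constructed.

```python
import hashlib
import hmac

T_COS, T_CM_MIC, T_CMTS_MIC, T_END = 4, 6, 7, 255  # TLV type numbers

def encode(tlvs):
    """Serialize (type, value) pairs as one-byte type, one-byte length, value."""
    return b"".join(bytes([t, len(v)]) + v for t, v in tlvs)

def parse(blob):
    """Split a config blob into (type, value) pairs up to the end marker."""
    out, i = [], 0
    while i < len(blob) and blob[i] != T_END:
        if i + 2 > len(blob) or i + 2 + blob[i + 1] > len(blob):
            raise ValueError("truncated TLV")
        out.append((blob[i], blob[i + 2:i + 2 + blob[i + 1]]))
        i += 2 + blob[i + 1]
    if i >= len(blob):
        raise ValueError("missing end-of-data marker")
    return out

def build_config(settings, secret):
    """Operator side: append the unkeyed digest, then the keyed MIC."""
    body = encode(settings)
    cm_mic = (T_CM_MIC, hashlib.md5(body).digest())
    keyed = hmac.new(secret, body + encode([cm_mic]), hashlib.md5).digest()
    return body + encode([cm_mic, (T_CMTS_MIC, keyed)]) + bytes([T_END])

def verify_config(blob, secret):
    """Head-end side: return (unkeyed_digest_ok, keyed_mic_ok)."""
    tlvs = parse(blob)
    if [t for t, _ in tlvs[-2:]] != [T_CM_MIC, T_CMTS_MIC]:
        raise ValueError("MIC TLVs missing or misplaced")
    body, cm_mic, cmts_mic = encode(tlvs[:-2]), tlvs[-2], tlvs[-1]
    digest_ok = hmac.compare_digest(hashlib.md5(body).digest(), cm_mic[1])
    keyed = hmac.new(secret, body + encode([cm_mic]), hashlib.md5).digest()
    return digest_ok, hmac.compare_digest(keyed, cmts_mic[1])

# Constructed sample data: the rate values and both secrets are made up.
SECRET = b"operator-shared-secret"
provisioned = build_config([(T_COS, b"\x01\x01\x01\x02\x04\x00\x0f\x42\x40")], SECRET)
altered = build_config([(T_COS, b"\x01\x01\x01\x02\x04\x00\x98\x96\x80")], b"wrong-secret")

if __name__ == "__main__":
    print(verify_config(provisioned, SECRET))  # (True, True)
    print(verify_config(altered, SECRET))      # (True, False)
```

The second result is the operational point: a file whose unkeyed digest is internally consistent is still rejected unless the keyed MIC was produced with the operator's secret, so the head-end check only has value when that secret is set and kept private.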
I tried it 6 months ago (when my provider switched to DOCSIS), with great success.
Nevertheless I don't do it anymore: capped cable is better than no cable at all...
The SURFboard modems check both sides. The Nortel CM200's and RCA 105's up to the 235's (with USB, yay) also hit the ethernet if they cannot reach a CMTS across the cable.
Interestingly, The CM100 (BayNetworks by Nortel) does not make that mistake.
Doesn't work that way. Consider this: The government provide the roads. I pay the government to provide roads, and they keep up their end of the bargain by giving me nice, long, straight motorways to drive on. However, the conditions of use, as it were, state that there's a maximum speed limit of 70mph on the motorway.
Now, the government doesn't supply the car. I went out and bought the car. I have a Citroen, you may have a Ford, or a Vauxhall, or whatever you like. They're all *capable* of going faster than 70mph, but if I get caught doing that, I get a speeding fine, and points on my licence. I can't argue that "I bought the car, I paid for it, so I'll use it any way I want".
See, they're going about this all wrong. What they really should do is develop a way to uncap your neighbors' cable modems. Then, they'll get tossed off the network and you can have it all to yourself.
Just because they didn't realize I was going to steal from them shouldn't allow them to stop letting me steal from them.
When I signed up for service, I knew this hack was available. That means when I signed up for service, I had every reason to believe that I would get unlimited bandwidth forever.
When will these companies get it? They are going to piss so many thieves off that sooner or later they are only going to have paying customers that follow the rules, or aren't heavy enough users to worry about. And then what will they do, besides make money? I mean, what good is a network that isn't crawling on its knees from all the MP3 and warez sites? Some people just don't get it.
Someone buy these guys a ticket, so they can hop on the clue train.