Slashdot Mirror


Adelphia's Cable Modems Compromised

texus writes "The Adelphia PowerLink Cable Modem Internet Service Provider, which serves 5.5 million customers nationwide, was found to be vulnerable to a major security flaw that allows cable modem subscribers to spy on each other's traffic, as well as to modify other users' Internet packets in real time. The severity of a potential attack could allow a malicious subscriber to gain access to the customers' private activity on the net, as well as the capability to hijack connections, intercept SSL/SSH/VPN encrypted sessions, hijack and poison DNS servers, and perform a Denial of Service on the entire subnet. The advisory on BugTraq officially states that it didn't seem like Unix machines that logged onto the network were affected, but reports from other Adelphia subscribers indicate that this was inaccurate and Unix users are vulnerable as well."

9 of 182 comments

  1. Hmmmm... by MattCohn.com · · Score: 5, Informative

    took a couple of times to load, so just in case the server is flaking out and about to ban /. referrers...

    Problem Description:

    A certain set of subnets on Adelphia's Powerlink network are treated as a HUB/SWITCH and therefore allow cable modem subscribers promiscuous monitoring of the subnet, and ARP poisoning (man in the middle) attacks. Upon finding this flaw, it seems to only affect Windows users' DHCP requests, as for *nix it hands off an entirely different subnet IP address that is not vulnerable. This doesn't stop one from booting into *nix and manually configuring their IP to be on the vulnerable subnet. To review, with ARP poisoning, one can do a tremendous amount of malicious activity on a subnet, from DoS'ing the network, to hijacking DNS servers, and even attacking/cracking SSL/SSH/VPN negotiations. In promiscuous mode, one can passively monitor all traffic on the subnet, obtaining private information, including logins/passwords, and private email.

    Vulnerable Subnets:

    please contact security@invisiblenet.com for info regarding specific subnets.

    Solution:

    The solution varies with how the cable network's topology is handled, and ARP poisoning, as we know, is not a completely solvable issue without a physical/virtual separation of Layer 3 from Layer 2 in the OSI Model. For promiscuous mode, don't have the network in HUB mode.

  2. not all that new... by Anonymous Coward · · Score: 4, Informative

    ARP poisoning has been around since...well...ARP! It's really easy to do and I'm surprised that it hasn't made more of a storm than it really deserves. Hopefully this story will bring to light the problem a bit more.

    There are patches out there for Linux that will secure the ARP table. I wrote one, but there are better ones and I don't remember what they are called, but search...you will find.

  3. Re:Sniff SSL Connections?!? by gregsv · · Score: 4, Informative

    They can sniff the session, but all they will get is meaningless rubbish unless they can decrypt it. This is nearly impossible to do when using 128 bit SSL encryption.

  4. Re:ARP poisoning by Anonymous Coward · · Score: 5, Informative

    ARP poisoning can allow you to re-route someone's traffic. Let's say I re-route your traffic through my machine upon detection of an SSH/SSL host key request and give you a host key that I crafted; when you initiate an SSH/SSL connection you are now using a bad host key from my machine and not the real host. I could have the ability to decode that traffic now.

  5. Re:Guess What by Subcarrier · · Score: 4, Informative

    On any cable network, ARP spoofing is available, not just in this example. It is quite easy for someone to do this.

    Depends on the equipment. Some cable routers allow only a limited number of IP address to MAC address mappings per modem and refuse to override an ARP table entry in the cable router with a different IP address once it has been created. Packets that do not have MAC and IP addresses matching the entries for the modem session get dropped.

    --
    "I have opinions of my own, strong opinions, but I don't always agree with them." -- George H. W. Bush

  6. Not credible by hagbard5235 · · Score: 5, Informative

    This doesn't sound credible to me. In a Cable Network the CM (Cable Modem) receives on a downstream frequency band and sends on an upstream frequency band to the CMTS (Cable Modem Termination System). The spec requires the CM/CMTS system to act as a bridge. It is NOT hubbed. You can listen on your ethernet port until you're blue in the face and you will only see your own traffic and the broadcast traffic on the network. Period. Ever.
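    The per-modem binding enforcement described in the comment above (a limited number of IP-to-MAC mappings per modem, no overriding an entry once created, and dropping packets whose MAC/IP don't match the modem's session) can be modelled in a few dozen lines. This is an added example written for this page, not Adelphia's or any cable-router vendor's code; the modem identifiers, addresses, the binding limit and the reserved gateway address are all constructed assumptions.

```python
"""Model of CMTS-side IP/MAC binding enforcement (added example, not vendor code).

Assumptions, all constructed for this example:
- the CMTS knows which modem every frame arrived from (the 'modem' field);
- each modem may create at most MAX_BINDINGS IP->MAC bindings via ARP;
- an IP already bound (to any modem/MAC) is never re-bound to a different
  modem or MAC, so a spoofed ARP cannot override a legitimate entry;
- RESERVED_IPS belong to the CMTS itself (the default gateway) and no
  modem may ever bind them.
"""
from dataclasses import dataclass, field

MAX_BINDINGS = 2
RESERVED_IPS = {"10.0.0.1"}  # gateway address owned by the CMTS (constructed)


@dataclass
class Packet:
    modem: str          # which subscriber modem the frame came in on
    src_mac: str
    src_ip: str
    is_arp: bool = False  # ARP frames try to establish a binding


@dataclass
class BindingTable:
    bindings: dict = field(default_factory=dict)  # ip -> (modem, mac)
    events: list = field(default_factory=list)    # audit log of refusals/drops

    def _count(self, modem):
        return sum(1 for m, _ in self.bindings.values() if m == modem)

    def learn(self, pkt):
        """Attempt to create a binding from an ARP frame; True if accepted."""
        if pkt.src_ip in RESERVED_IPS:
            self.events.append(f"refused: {pkt.modem} claimed reserved {pkt.src_ip}")
            return False
        existing = self.bindings.get(pkt.src_ip)
        if existing is not None:
            if existing == (pkt.modem, pkt.src_mac):
                return True  # same binding re-announced, nothing to change
            self.events.append(
                f"refused override of {pkt.src_ip}: {existing} -> "
                f"({pkt.modem}, {pkt.src_mac})")
            return False
        if self._count(pkt.modem) >= MAX_BINDINGS:
            self.events.append(f"refused: {pkt.modem} exceeded {MAX_BINDINGS} bindings")
            return False
        self.bindings[pkt.src_ip] = (pkt.modem, pkt.src_mac)
        return True

    def forward(self, pkt):
        """Decide whether a frame is forwarded (True) or dropped (False)."""
        if pkt.is_arp:
            return self.learn(pkt)
        if self.bindings.get(pkt.src_ip) != (pkt.modem, pkt.src_mac):
            self.events.append(f"dropped: {pkt.modem}/{pkt.src_mac} sent as {pkt.src_ip}")
            return False
        return True


# Constructed traffic: modem A behaves; modem B tries the spoofing moves
# discussed in the thread (claiming the gateway, claiming A's address,
# changing its own MAC, sending data with a spoofed source).
SAMPLE_TRAFFIC = [
    Packet("modemA", "aa:aa:aa:00:00:01", "10.0.0.5", is_arp=True),  # legit binding
    Packet("modemA", "aa:aa:aa:00:00:01", "10.0.0.5"),               # legit data
    Packet("modemB", "bb:bb:bb:00:00:02", "10.0.0.6", is_arp=True),  # legit binding
    Packet("modemB", "bb:bb:bb:00:00:02", "10.0.0.1", is_arp=True),  # claims gateway
    Packet("modemB", "bb:bb:bb:00:00:02", "10.0.0.5", is_arp=True),  # claims A's IP
    Packet("modemB", "bb:bb:bb:00:00:03", "10.0.0.6", is_arp=True),  # MAC change
    Packet("modemB", "bb:bb:bb:00:00:02", "10.0.0.5"),               # spoofed data
    Packet("modemB", "bb:bb:bb:00:00:02", "10.0.0.7", is_arp=True),  # 2nd binding, ok
    Packet("modemB", "bb:bb:bb:00:00:02", "10.0.0.8", is_arp=True),  # 3rd, over limit
]


def run_sample():
    """Return (per-packet decisions, audit events) for SAMPLE_TRAFFIC."""
    table = BindingTable()
    decisions = [table.forward(p) for p in SAMPLE_TRAFFIC]
    return decisions, table.events


if __name__ == "__main__":
    decisions, events = run_sample()
    for pkt, ok in zip(SAMPLE_TRAFFIC, decisions):
        print("FORWARD" if ok else "DROP   ", pkt)
    print("\n".join(events))
```

    The model only works because the CMTS, not the subscriber, decides which modem a frame came from; a host on the subnet cannot forge that attribute the way it can forge a source MAC, which is why this control belongs in the cable router rather than on customer machines.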

    Now, this does not rule out ARP spoofing, but the only really interesting ARP to spoof would be the one for the default gateway on the network. Since the gateway for the network is living on the CMTS and since any ARP request must pass through the CMTS before getting to our spoofer, I would expect the spoofed replies to arrive after the legitimate ones from the CMTS. Additionally, I would not be surprised to find out that the CMTS suppresses attempts to ARP spoof its addresses (and if it doesn't now, it will in the near future).

    1. Re:Not credible by Frater+219 · · Score: 4, Informative

      The spec requires the CM CMTS system to act as a bridge. It is NOT hubbed.

      Bull pickles. I recently got Adelphia cable modem service myself. First thing I did, practically, was to plug the cable modem into my Mac OS X box and run "tcpdump" on it, to see whether or not they had secured the local network against sniffing. Sure enough, I could not see any of the other customers' actual traffic -- but I certainly could see:

      • DHCP requests (but not responses)
      • ARP requests for the gateway's IP address
      • ARP requests by the gateway for customer IP addresses
      • IGMP

      It seems pretty trivial that someone with the right mildly altered software could easily set themselves up as a DHCP server and hand out fake gateway information, or as an ARP-poisoning proxy. Good reason to check your network settings for suspicious things if you use DHCP.
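      The two things the comment above anticipates on a shared subnet, a rogue DHCP server handing out fake gateway information and an ARP-poisoning proxy answering for the gateway, are both visible in the same broadcast traffic that tcpdump showed. The following arpwatch-style monitor is an added example written for this page, not code from the thread or from any tool mentioned in it; the expected gateway binding and the captured frames are constructed, and a real deployment would feed it from a packet capture instead of a list.

```python
"""Host-side watch for gateway ARP flips and rogue DHCP offers.
Added example (not from the original thread). All inputs are constructed.

Design: learn the first MAC seen for each IP, never let a later reply
silently replace it, and treat a change on the gateway's IP as critical.
DHCP offers are checked against the one router/server the host expects.
"""

# Expected gateway binding, recorded at a known-good moment (constructed).
EXPECTED_GATEWAY_IP = "10.0.0.1"
EXPECTED_GATEWAY_MAC = "00:11:22:33:44:55"

# Constructed capture of broadcast frames as a host on the subnet would see them.
SAMPLE_FRAMES = [
    {"kind": "arp_reply", "sender_ip": "10.0.0.1", "sender_mac": "00:11:22:33:44:55"},
    {"kind": "arp_reply", "sender_ip": "10.0.0.9", "sender_mac": "aa:bb:cc:dd:ee:09"},
    {"kind": "dhcp_offer", "server_ip": "10.0.0.1", "router": "10.0.0.1"},
    # the gateway's IP is suddenly answered from a different hardware address
    {"kind": "arp_reply", "sender_ip": "10.0.0.1", "sender_mac": "de:ad:be:ef:00:01"},
    # a second DHCP server appears and advertises itself as the default route
    {"kind": "dhcp_offer", "server_ip": "10.0.0.66", "router": "10.0.0.66"},
]


class LanWatch:
    def __init__(self, gateway_ip, gateway_mac):
        self.gateway_ip = gateway_ip
        self.ip_to_mac = {gateway_ip: gateway_mac}  # learned IP -> MAC bindings
        self.dhcp_servers = set()
        self.alerts = []

    def observe(self, frame):
        if frame["kind"] == "arp_reply":
            self._arp(frame["sender_ip"], frame["sender_mac"])
        elif frame["kind"] == "dhcp_offer":
            self._dhcp(frame["server_ip"], frame["router"])

    def _arp(self, ip, mac):
        known = self.ip_to_mac.get(ip)
        if known is None:
            self.ip_to_mac[ip] = mac  # first sighting: learn it
        elif known != mac:
            # Keep the first-seen binding so every further flip keeps alerting.
            severity = "CRITICAL" if ip == self.gateway_ip else "WARN"
            self.alerts.append(f"{severity}: {ip} changed from {known} to {mac}")

    def _dhcp(self, server_ip, router):
        if server_ip not in self.dhcp_servers:
            self.dhcp_servers.add(server_ip)
            if len(self.dhcp_servers) > 1:
                self.alerts.append(
                    f"WARN: multiple DHCP servers seen: {sorted(self.dhcp_servers)}")
        if router != self.gateway_ip:
            self.alerts.append(
                f"CRITICAL: DHCP offer from {server_ip} sets router {router}, "
                f"expected {self.gateway_ip}")


def audit(frames, gateway_ip=EXPECTED_GATEWAY_IP, gateway_mac=EXPECTED_GATEWAY_MAC):
    """Run the monitor over a list of frames and return the alerts raised."""
    watch = LanWatch(gateway_ip, gateway_mac)
    for frame in frames:
        watch.observe(frame)
    return watch.alerts


if __name__ == "__main__":
    for line in audit(SAMPLE_FRAMES):
        print(line)
```

      On the sample capture the monitor raises three alerts: the gateway MAC flip, the second DHCP server, and the offer that points the default route somewhere other than the known gateway. The same "first binding wins" rule is what a static ARP entry for the gateway enforces at the kernel level, which is the practical mitigation for a host that cannot change how the cable network is switched.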

  7. I guess Adelphia really does suck by yack0 · · Score: 5, Informative

    Adelphia sucks. I guess in more ways than one now.

    Please, don't mod this down as a troll, it isn't, it may be blatant advertisement for a sucks.com web site, but it's not a troll ;)

    j

    --
    -- There is no sig line, only Zuul.

  8. FROM AN ADELPHIA USER: by autocracy · · Score: 4, Informative

    Yes, this vulnerability does exist. I re-posted it to adelphia.security-issues as soon as I received it from Bugtraq (7 PM Eastern, on the 12th). So it's been almost 48 hours. No word from Adelphia has been received by me yet. For details on the vulnerability: Hooked directly to the cable modem, I can see packets flying around in the same manner as if I were on a switch. It's like a really wide-spread LAN. I've even been able to identify certain users of the subnet I'm on (some guy who lives by a popular ice-cream place uses Adelphia. I know this 'cause his name is also on his car's license plates). Whether or not the use of tools such as Ettercap works I can't confirm (Re: I'm not willing to confirm). I've started calling Adelphia's NOC, but they're really not dealing with this very well...

    More info as I get it...

    --
    SIG: HUP