Slashdot Mirror
Adelphia's Cable Modems Compromised
texus writes "The Adelphia PowerLink Cable Modem Internet Service Provider, that serves 5.5 million customers nation wide, was found to be vulnerable of a major security flaw that allows cable modem subscribers to spy on each others traffic, as well as the ability to modify other users internet packets in realtime. The severity of a potential attack could allow a malicious subscriber to gain access to the customers private activity on the net, as well as the capabilities to hijack connections, intercept SSL/SSH/VPN encrypted sessions, hijack and poison dns servers, and perform a Denial of Service on the entire subnet. The advisory on BugTraq officially states that it didn't seem like Unix machines that logged onto the network were affected, but reports from other Adelphia subscribers indicate that this was inaccurate and Unix users are vulnerable as well."
3/4 of my family uses them, I've got to go spread the word...
Thank $DEITY is do Linux on dialup, for once!
C|N>K
took a couple times to load, so just in case the server is flaking out and about to ban /. reffers...
Problem Description:
A certain set of subnets on Adelphia's Powerlink network are treated as a HUB/SWITCH and therefore allow cable modem subscribers promiscuous monitoring of the subnet, and arp poisoning (man in the middle) attacks. Upon finding this flaw, it seems to only affect windows users dhcp requests, as for *nix it hands off an entirely different subnet ip address that is not vulnerable. This doesn't stop one from booting into *nix and manually configuring their ip to be on the vulnerable subnet. To review, with arp poisoning, one can do a tremendous amount of malicious activity on a subnet, from DoS'ing the network, to hijacking DNS servers, and even attacking/cracking SSL/SSH/VPN negotiations. Promiscuous mode, one can passively monitor all traffic on the subnet, obtaining private information, including logins/passwords, and private email.
Vulnerable Subnets:
please contact security@invisiblenet.com for info regarding specific subnets.
Solution:
The solution is varying on how the cable networks topology is handled, and arp poisoning, as we know is not a completely solvable issue without a physical/virtual separation of Layer 3 from Layer 2 in the OSI Model. For promiscuous mode, don't have the network in HUB mode.
A vast warehouse of porn and spam doesn't really need a lock, now does it?
Given that they're teetering on the edge of existance, most of the good people have long since fled.
I've being trying to find a competent person at Adelphia so I can get my cable internet service working. It's been weeks and they can't figure out why there's no return path for my signal. If they can't get that right, cable modem misconfiguration issues shouldn't be surprising either.
I'm beginning to question my decision to move from IDSL to cable.
Sheesh....
Don't anthropomorphize computers, they don't like it.
It's nice to see that the computing industry as a whole is following Micro$oft's example and taking security "so seriously".
On any cable network, ARP spoofing is available, not just in this example. It is quite easy for someone to do this.
ARP poisoning has been around since...well...ARP! Its really easy to do and I'm surprized that it hasnt made more of a storm than it really deserves. Hopefully this story will bring to light the problem a bit more.
There are patches out there for linux that will secure the ARP table, I wrote one but there are better and I dont remember what they are called but search...you will find.
*envisions some enterprising individual hijacking every packet on his cable network* Wow...yeah, that's a bug and a half...hopefully all that's needed is a firmware update.
------- "From bored to fanboy in 3.8 asian girls" ----------
Does someone want to explain to me how they can intercept SSL connections? I thought the whole point of encryption and secure protocols was that we need not fear sniffing and man-in-the-middle attacks...
TCP: Why the Internet is full of SYN.
Wow. I work in the second highest level of network support at Adelphia and I had no idea. Of course, there's just three guys or so that deal with the actual modems and their boot files. I'm going to point this out to the higher ups and see what can be done, methinks.
Yes, this is bad for a variety of reasons.
However, this is nothing magical, from the initial bugtraq description it sounds like just plain ole' arp snooping. Which means for encrypted, authenticated traffic (SSH/VPN/SSL), it's only going to work if the user ignores the security warnings because of the wrong keys, or the keys themselves have been stolen (a whole other ball of wax).
ARP poisoning can allow you to re-route someones traffic. Lets say I re-route your traffic through my machine upon detection of SSH/SSL host key request and give you a host key that I crafted, when you initiate an SSH/SSL connection you are now using a bad host key from my machine and not the real host. I could have the ability to decode that traffic now.
I have adelphia (I'm very happy with the service... 3Mbps downloads most of the time) but I like many others run through a router because I thought the normal operation of cable broadband is that anyone in your "loop" was essentially on the same subnet and could sniff packets, etc. at will. Is this really anything new?
You mean that packets sent out over the Internet might be subject to interception?? The horror.
Last night I had my first outage with Adelphia in a year. It's been solid and reliable. At least here in Southern VA... May be I'm just lucky? -As far as Security, I use smooth wall. Don't think this will protect me from poison arp, but you should see my IDS log files!
Julius Caesar - Act I, Scene i: "What mean'st thou by that? Mend me, thou saucy fellow!"
The Openbsd project is humilated!
Unless your using a router your essentially on one very large LAN. Everyone on your node would be able to sniff packets from everyone else until your traffic hits the CMTS. This is why weird things like having the hostname and workgroup left as the standard pc manufacture name can cause your internet to slow down.
Well, I'm an Adelphia subscriber and I haven't noticed any problems so f
You're kidding/trolling right? At the university where I work Windows 2000 machines are constantly being hacked for things like DoS attacks, pirated video servers, etc. The actual user typically does not find out until the IP is tracked down by the victim and the school is notified (usually including the threat of a lawsuit)...
It doesn't even take any particular incompetence of the network admins. _Any_ shared internet service that runs unencryped is always going to be vulnerable. It's only a hacked flash away. Security updates like this are just a little taste of the truth of surfing through a shared 'net connection.
This is just one of the reasons why I suggest to people I know that they buy DSL. Better security, assuming competent admins.
If you could be told what you can see or read, then it follows that you could be told what to say or think - BoC
I mean, everyone in the neighborhood's signals are transmitted over the same cable circuit. Anyone could snoop on other people's packets.
Repeal the DMCA!
Now, this does not rule out ARP spoofing, but the only really interesting ARP to spoof would be the one for the default gateway on the network. Since the gateway for the network is living on the CMTS and since any ARP request must pass through the CMTS before getting to our spoofer, I would expect the spoofed replies to arrive after the legitimate ones from the CMTS. Additionally, I would not be surprised to find out that the CMTS suppresses attempts to ARP spoof it's addresses ( and if it doesn't now, it will in the near future ).
It seems to only affect windows users dhcp requests, as for *nix it hands off an entirely different subnet ip address that is not vulnerable. This doesn't stop one from booting into *nix and manually configuring their ip to be on the vulnerable subnet.
Does anyone else find that funny? Windows users are vulnerable to a security flaw by default (as usual). But, (if they feel left out) Unix users can configure their box to be vulnerable too!!
using System.Awesome;
Did you know that your land line and cell phone calls can be tapped? Or that clerks in any of the institutions to whom you give your credit card numbers could steal them--or worse--*sell* them for profit! *shudder*
Your car, for instance, can be bugged and tracked by a Nav positioning satellite so that the baddies will know where you are every minute of the day! I could go on, but now I think you see...it's *horrible*!
Now, with 100% less rudeness than smoothwall!
IPCop
Well, on /. we frequently see some trolls that consider themselves so smart and experienced to say some enormities. And, I'm already seeing some saying the usual: "And so what? That's just another /. newsfud". Please, while /. is well fudded, there are things you should keep the mouth shut and think a little before saying something.
The submission shown here may look, partially innocent for house wifes and the common guy in the street. They have lived with so many hacks, virus and trojans, that there is not much to worry about that. Unfortunately, many people do not know that such silly big providers also support someone who is not so simple and humble like your personal computer. They may be segments of corporate networks, departments that are too remotely located, that it is far cheaper to link them to some provider, rather than spending money to create an isolated channel. You may understand this, and still think that the biggest problem for the majority is the fact that information can be stolen. Correct rationale, if we consider the "majority", but again, bullshit. The big problem can be one or two clients of this provider. Clients that, if something goes wrong there, no one of us may have time even to say "shit". And no one will care to put you in a shinny wooded coffin. The best you may expect is a few tons of concrete and a mixture of chemicals so that your body quickly decomposes... Or that your body is quickly turned into ashes...
The problem between big providers and such clients, is that, being a provider with reputation, dimension and emphasis, clients tend to forget some simple rules of the trade. They think that this huge provider does his homework and maintains a minimal level of protection. Meanwhile, these same clients, do not only forget to check the security of such links, but also forget about isolating such channels from their own critical sectors of activity. In the result, a malicious hacker may break-in in minutes into some critical zone. This may be a control station of some distribution system, an industrial zone, or the control room of the corporate network.
Such situations happen and happen too frequently to consider it mere incidents. Thankfully, many of these break-ins are made by people who still have the shoulders in their head. Thankfully, breaking into the majority of corporate networks still demands some art and skills. However, this situation may change, if we all start considering that such problems, like the one described on the submission, are mere "features" that one may live with. If you consider that it should be that way, then don't be admired to see some big factory dropping tons of shit into the air or water. Don't be admired that suddenly a whole communication network goes fool and even 911 doesn't work in the middle of some critical situation. Don't be admired that your company produces things that blast or short-circuit at first use. Don't be admired that the lights go off every 5 minutes and all your home electronics are burning out. These are not stories taken from the hat. These are very concrete scenarios of real holes found somewhere around.
These things do not happen now so frequently because Internet is in its very early age (and still many people, like engineers, do not trust it). But some of these holes are already there, waiting right around the corner for the first maniac script kiddie (yes, there are already holes that such lamers may exploit). If we keep this mood, of not caring about security, we will have all guarantees that something will seriously go wrong in the future.
Adelphia sucks. I guess in more ways than one now.
;)
Please, don't mod this down as a troll, it isn't, it may be blatant advertisement for a sucks.com web site, but it's not a troll
j
-- There is no sig line, only Zuul.
Yeah, I so much wanted it to be over that this kind of public key encryption exploit didn't even register with me until recently. So you might have a bad key? We back off another step and add steps to authenticate they key ... then someone will figure out how to defeat that ... and so on.
The overall impression I'm getting of electronic "security" is a bit like Zeno's paradox -- you know, you keep getting closer to the target in ever-finer increments but never quite reach it. (The paradox we know has an underlying flawed premise. Unfortunately, I'm not convinced the encryption race is winnable.)
I'm assuming you mean that "Adelphia does not necessarily mean bad, people."
Cause it's quite obvious that Adelphia has had a whole horde of Bad People in it, who are of course under indictment, at least.
Yes, Adelphia can have some pockets of clue amongst the cable guys who poke and prod cluelessly at RF disrupting cable modems and put up insecure websites, et al. Glad to see you're in one of the clueful areas that hasn't (yet) been completely oversold).
j
-- There is no sig line, only Zuul.
For ssl, this is addressed by having the site present a certificate signed by an authority whose public key is compiled into the browser.
For ssh/vpn, you will receive warning that the key has changed (and your client may disconnect automatically), unless you've never connected to the particular host before. (Granted, people are pretty likely to just accept the new host key).
I'm not saying you're wrong about it being a threat, but let's be aware that there are ways to address it. At the very least, if you're establishing a vpn to your workplace and are warned that the key has changed, STOP right there are make a phone call before accepting the new key. And before connecting for the first time, transfer the key to the client by some other means if possible (even sending it by email would be pretty safe in practice)
Good, then maybe some hacker will get confused and intercept my Adelphia cable TV hookup and inject some decent fucking cable programming for a change!
Why would you stay with such crappy service? If it's comparable to 56k, leave and save some money.
I have confidence that we are not that stupid.
I wished to be so optimist like you... Unfortunately, while I have not seen anyone putting critical systems directly accessible through the Internet, there are enough "backdoor" channels to see very important things linked to Internet. Or corporate network so badly installed and maintained, that a small link to Internet will be enough to give huge problems to many people.
The NY Times link is a redirect to http://goatse.cx, which some people think should be modded as "Troll", when it is really just "Redundant" or "Offtopic" (though some may find goatse.cx "Interesting").
http://www.customers-of-adelphia.org/
There seems to be a rather large number of pissed off customers.
Only the State obtains its revenue by coercion. - Murray Rothbard
Have nothing to do with this. At Adelphia, like :) You should be ashamed. The
most companies, the UNIX admin types and the Network
admin types are constantly at odds with each other.
Finger pointing, etc. This is a great example of
attempting to deflect the blame onto those UNIX
admin types that admin the actual modems and
their boot files, instead of blaming Sam, your
network overlord.
UNIX admins that admin the services have nothing to
do with the network hardware they are connecting to,
or how they are configured as they don't own the
network or it's hardware.
One of the things I really hated about
Adelphia when I was there. In contrast, at
MindSpring, the network and UNIX admin type
guys all worked on the same floor together on
peachtree street and were treated as equals, and
encouraged to work together.
The most important thing any republican needs to know.
More info as I get it...
SIG: HUP
Outage? I, among nearly every other person I knew, kept disconnectnig repeatedly from the adelphia network last night.
I had recently set up a home network for a freind of mine, and he kept blaming the disconnects on me, until another freind called in and complained about disconnects while playing his MMORPG.
01101001 01100001 01101101 01101110 01101111 01110100 01100001 01101100 01100001 01110111 01111001 01100101 01110010
According to the DOCSIS 1.1 specification it is the responsibility of the cable modem itself to not pass other users traffic through, as cable internet is a shared medium like a hub. Some things will get through, though, since they are passed to a broadcast like DHCP, SSDP requests, and IGMP. I have Adelphia and can see these things coming in, as I should, but not other people's web traffic. Sounds to me that they posted something on BugTraq that is written up in a specification. Check out Cablelabs for the DOCSIS 1.1 specification.
Could you give me the name of the movie? I could use a good laugh. I'm on the line waiting for adelphia tech support, so I might get one anyways.
01101001 01100001 01101101 01101110 01101111 01110100 01100001 01101100 01100001 01110111 01111001 01100101 01110010
I got both, In state college i was loosing my connection as well last night. And my connection is slow as hell a good chunk of the time. and their tech people are clueless and th billing department has inverted calenders.
It's funny. I like adelphia for their pipe to my house. Their mail service is shit. Their news is shit. Their support is shit. Call support to report a problem? Well, better know what to say if you had windows, because the techs there are clue-negative when it comes to *nix.
"What version of Windows are you running"
"X11R6 with the icewm front end, what difference does that make. I can ping the gateway but half the hosts after it die somewhere around hop 7. Problems in galveston?"
"whatwhatWHAT?"
Now adays I just call Tony down the local office. He's a funny guy. Always says "Well, we appreciate you, we like UNIX users on the network."
Nice way to show it.
The previous has been a secret message to my comrades.
Alow me to explain:
1. Adelphia recently declared bankruptcy. Their CEO was the Number 1 CEO in the whole US for taking insider loans. Above Tyco, Enron, or Worldcom. The crooked bastard took an insider "loan" for OVER a quarter BILLION dollars. His reason for the loan was "Unspecified personal business".
2. Their service sucks. I'm on the phone with their help desk at least once a month because the internet connection is down. Their tech support people are a bunch of brain-dead bozos reading from an "if: then" style troubleshooting manual - plus, it usually takes 45 minutes or more of waiting on hold to get through to a real human. Definitely some of the worst customer service in the industry.
3. They are not complying, or planning to comply with the federal regulation passed in October that prevents cable providers from forcing customer to purchase service "bundles" to get a particular channel. The regulation states that a cable provider must provide, upon the customers request, the premium channels they ask for in an a-la-carte style manner.
As an example, if I wanted to get the HBO channel at my house, Adelphia requires my to "upgrade" to their digital cable service for an additional $9.95 a month, plus $7/mo per TV (I have 3) plus pay $25.99 a month for the HBO bundle. Do the math - that equals a additional $57 per month just to get one premium channel. This practice is strictly forbidden by the recently passed legislation.
And to top it off, the lying bastards told me that they don't have the technology to provide a single premium channel (no bundles) to a home, and that they don't have the technology to send certain premium channels to their analog cable subscribers - that they must "upgrade" to digital cable. The reason that they are lying bastards is that I have a friend who used to get just HBO (w/o a bundle) to his analog cable home (back when they offered this option). He canceled that channel but they never turned it off for him. Right now today he gets a single premium HBO channel to his analog cable home.
My advice is to avoid this sleezy bunch at all costs - unless you like paying out the nose to support their insider lending (Yes, I know GWB thankfully just passed legislation making corporate insider loans illegal.) habbits and unfair business practices.
I'd rather be a conservative nutjob than a liberal with no nuts and no job.
so can most older proprietary modems. it has to do with encrypting traffic from the modem to the CMTS, which I suspect creates some overhead. perhaps they're just being cheap? I'm on Cox.net, and if I go to webmail.cox.net it's an http not an https on the page where you submit your username and password. On the public internet this would be an issue but inside the cox.net network, you can't sniff your neigbors traffic because of the way the modems are setup (no I haven't tried, but if I did, am fairly sure what I could see I couldn't read).
;-)
if you want all the dirt on how these modems work, go see the documentation at Cable Labs , they're the people who certify the equipment.
Thee's a reason I call myself broadbandbradley, I couldn't think of a good handle
"The Most Fun Possible on 4 wheels" is at SunBuggy in Las Vegas
You obviously just don't know how to deal with tier1 tech support then. They're supposed to be cheap labor that read from scripts. If they don't follow the script, they lose their job, it's as simple as that. Trying to fuck them up to sound smart is just asinine.
Heheh. I called them regarding this, and the tech didn't seem to have any idea what was going on. She told me that "..you should be using a firewall service, which is provided on the installation CD you were given with your self-install kit.."
Ergh.
I need to find this mystical *NIX person who works in Buffalo.
01101001 01100001 01101101 01101110 01101111 01110100 01100001 01101100 01100001 01110111 01111001 01100101 01110010
The networks DHCP servers hand off unix boxen to a different subnet without the sniffing problem. So it's not because of Unix's design, but of the networks design.
"A language that doesn't affect the way you think about programming, is not worth knowing" - Alan Perlis
So what if the user intercepts SSL/SSH/VPN traffic from hosts behind the cable modem? The entire purpose of those protocols is to prevent man-in-the-middle attacks, and encrypt traffic so that the security of the transport (as seen here as entirely untrustable) is no longer an issue.
This type of fear mongering is what drives daily stories on the front page of slashdot, and has become entirely too irritating to deal with.
The article seems to imply that certain subnets are misconfigured, and presumably those subnets have windows clients only on them, the unix clients being on other subnets. Whether this is intentional or accidental is not mentioned. If not many clients are involved, and there are far more windows clients than unix, coincidence seems possible. But maybe there are enough differences in windows and unix clients (SMB shares? NFS) that it makes sense to keep them on separate subnets.
Infuriate left and right
I have confidence that we are not that stupid.
I don't. We shouldn't be, but should and does are different things.
With such as "To keep your system secure, [paraphrased a bit] download the latest security patches". With the idea that a secure connection somehow secures the systems connected. IPv6, where every traffic light has its own ip address.
People are not built to always be looking at what they're exposing. Most people, that is.
Well, I can tell you that, before Adelphia bought out my local cable company, Prestige, I NEVER had so much as a single BOOTP packet outside of my own. Now, about 10% of the traffic I see is CONSTANT BOOTP requests from other customers all over the country. It is painfully obvious that Adelphia operates their network in HUB mode, when Prestige operated theirs in SWITCHED mode. You DO know what that means, right?
BOOTP traffic should never leave the private UVR segment; period. In fact NO broadcast traffic of ANY sort should be allowed to leave the private network segment at all.
So, don't give me that "it's an non-issue because it is TCP/IP" crap. It is an architectural issue that YOU guys need to clean up on your own network, otherwise, someone needs to do some network technician house-cleaning (all the way up to the CIO, if necessary) and send some people back to flipping burgers at McDonald's.
While we are on the subject of security, why aren't you guys doing something about all the sequential IP scans that are going on in your network right now? Why isn't someone cleaning up THAT mess. Let's see, according to the firewall, I have 4 different scans going on right now; it has been as high as 12.
That, and I have been having fits with your mail server (and, no, this isn't the first time, either; it happens so often, I just switch over to my own until you guys eventually finish reading your sendmail HOWTO and get it fixed).
I realize that with Adelphia being more or less in bankruptcy right now, customer support is not very high on your list of things to take care of (just like network engineering), but don't come in here and tell us that it is a fundamental problem outside of your control when it is NOT. Get control of your network and stop making excuses.
-SS "Teach the ignorant, care for the dumb, and punish the stupid."
heh i thought it quite considerate of Slashdot to include links to SSL/SSH and VPN sniffers right in the article... wouldn't want any script kiddie to actually have to google for em or anything :)
Any decently configured VPN won't just warn the user if the key changes -- it'll out and out refuse to work. Likewise, the server will also be verifying the client's key -- any change and thanks-for-playing but yer out.
For SSH, where folks really *do* ignore the issue, yes, this is a problem. A good VPN? No, absolutely not.
I doubt tech support will be able to do much. Reminds me of people who would call in and demand that I, not Bellsouth or ground technicians, put a DSLAM in their neighborhood, or they'd sue me.
You don't seem as if you're going to sue, but what do you think they can do? Press the 'Magic Button' and change their network infrastructure to be safer?
Escalate the call up to the president if possible. Tell him about it. And don't be technical. Nothing I hated more than someone calling up and acting all badass because they use Linux or some alternative operating system.
If your goal is to confuse the less informed, its obviously not to get legitimite help. In which case, go ahead, but don't complain about not getting any help when you have to explain what 'Megadin God icewn distro tcp/mp3 with OS2 kernal' is for three hours.
Job? I don't have time to get a job! Who will sit around and bitch about being broke and unemployed then?
Sorry for responding more than once, but I just reread yer post came up with something more to add...
And before connecting for the first time, transfer the key to the client by some other means if possible (even sending it by email would be pretty safe in practice)
Ya know, it depends on what industry 'yer in.
I just recently ended up as sysadmin for a startup making medical software, and HIPAA makes some very specific requirements regarding how key exchange can be done -- not only is email out, but so is encrypted exchange not using hardware-token-based authentication.
Just allowing ssh or whatever to copy over the current key -- well, that's very, very out. Bonded courier, direct personal exchange, and telephone (where each party can verify the other's voice) are the only alternatives to going the hardware-crypto route. Anyone expecting to do a little ARP spoofing and pull a man-in-the-middle... well, let's say they're going to be disappointed.
I haven't checked Adelphia, but most Broadband ISPs are very up front about telling customers that there is absolutely no security provided by them. It's probably in the TOS, too. The only thing the ISPs block stuff for is performance tuning.
I've heard a number of stories about people finding Windows printers they didn't own when they got their cable modem connection...
An engineer who ran for Congress. http://herbrobinson.us
You WILL see ARP packets on your own private subnet, but these are your own and are OK.
You WILL see BOOTP/DHCP packets if you are using dynamic addressing, but again these are your own and are OK.
"These are not the packets you are looking for..."
-SS "Teach the ignorant, care for the dumb, and punish the stupid."