Slashdot Mirror
Adelphia's Cable Modems Compromised
texus writes "The Adelphia PowerLink Cable Modem Internet Service Provider, that serves 5.5 million customers nation wide, was found to be vulnerable of a major security flaw that allows cable modem subscribers to spy on each others traffic, as well as the ability to modify other users internet packets in realtime. The severity of a potential attack could allow a malicious subscriber to gain access to the customers private activity on the net, as well as the capabilities to hijack connections, intercept SSL/SSH/VPN encrypted sessions, hijack and poison dns servers, and perform a Denial of Service on the entire subnet. The advisory on BugTraq officially states that it didn't seem like Unix machines that logged onto the network were affected, but reports from other Adelphia subscribers indicate that this was inaccurate and Unix users are vulnerable as well."
took a couple times to load, so just in case the server is flaking out and about to ban /. reffers...
Problem Description:
A certain set of subnets on Adelphia's Powerlink network are treated as a HUB/SWITCH and therefore allow cable modem subscribers promiscuous monitoring of the subnet, and arp poisoning (man in the middle) attacks. Upon finding this flaw, it seems to only affect windows users dhcp requests, as for *nix it hands off an entirely different subnet ip address that is not vulnerable. This doesn't stop one from booting into *nix and manually configuring their ip to be on the vulnerable subnet. To review, with arp poisoning, one can do a tremendous amount of malicious activity on a subnet, from DoS'ing the network, to hijacking DNS servers, and even attacking/cracking SSL/SSH/VPN negotiations. Promiscuous mode, one can passively monitor all traffic on the subnet, obtaining private information, including logins/passwords, and private email.
Vulnerable Subnets:
please contact security@invisiblenet.com for info regarding specific subnets.
Solution:
The solution is varying on how the cable networks topology is handled, and arp poisoning, as we know is not a completely solvable issue without a physical/virtual separation of Layer 3 from Layer 2 in the OSI Model. For promiscuous mode, don't have the network in HUB mode.
A vast warehouse of porn and spam doesn't really need a lock, now does it?
Given that they're teetering on the edge of existance, most of the good people have long since fled.
I've being trying to find a competent person at Adelphia so I can get my cable internet service working. It's been weeks and they can't figure out why there's no return path for my signal. If they can't get that right, cable modem misconfiguration issues shouldn't be surprising either.
I'm beginning to question my decision to move from IDSL to cable.
Sheesh....
Don't anthropomorphize computers, they don't like it.
It's nice to see that the computing industry as a whole is following Micro$oft's example and taking security "so seriously".
ARP poisoning has been around since...well...ARP! Its really easy to do and I'm surprized that it hasnt made more of a storm than it really deserves. Hopefully this story will bring to light the problem a bit more.
There are patches out there for linux that will secure the ARP table, I wrote one but there are better and I dont remember what they are called but search...you will find.
Does someone want to explain to me how they can intercept SSL connections? I thought the whole point of encryption and secure protocols was that we need not fear sniffing and man-in-the-middle attacks...
TCP: Why the Internet is full of SYN.
Wow. I work in the second highest level of network support at Adelphia and I had no idea. Of course, there's just three guys or so that deal with the actual modems and their boot files. I'm going to point this out to the higher ups and see what can be done, methinks.
Yes, this is bad for a variety of reasons.
However, this is nothing magical, from the initial bugtraq description it sounds like just plain ole' arp snooping. Which means for encrypted, authenticated traffic (SSH/VPN/SSL), it's only going to work if the user ignores the security warnings because of the wrong keys, or the keys themselves have been stolen (a whole other ball of wax).
ARP poisoning can allow you to re-route someones traffic. Lets say I re-route your traffic through my machine upon detection of SSH/SSL host key request and give you a host key that I crafted, when you initiate an SSH/SSL connection you are now using a bad host key from my machine and not the real host. I could have the ability to decode that traffic now.
I have adelphia (I'm very happy with the service... 3Mbps downloads most of the time) but I like many others run through a router because I thought the normal operation of cable broadband is that anyone in your "loop" was essentially on the same subnet and could sniff packets, etc. at will. Is this really anything new?
You mean that packets sent out over the Internet might be subject to interception?? The horror.
On any cable network, ARP spoofing is available, not just in this example. It is quite easy for someone to do this.
Depends on the equipment. Some cable routers allow only a limited number of IP address to MAC address mappings per modem and refuse to override an ARP table entry in the cable router with a different IP address once it has been created. Packets that do not have MAC and IP addresses matching the entries for the modem session get dropped.
"I have opinions of my own, strong opinions, but I don't always agree with them." -- George H. W. Bush
Well, I'm an Adelphia subscriber and I haven't noticed any problems so f
You're kidding/trolling right? At the university where I work Windows 2000 machines are constantly being hacked for things like DoS attacks, pirated video servers, etc. The actual user typically does not find out until the IP is tracked down by the victim and the school is notified (usually including the threat of a lawsuit)...
It doesn't even take any particular incompetence of the network admins. _Any_ shared internet service that runs unencryped is always going to be vulnerable. It's only a hacked flash away. Security updates like this are just a little taste of the truth of surfing through a shared 'net connection.
This is just one of the reasons why I suggest to people I know that they buy DSL. Better security, assuming competent admins.
If you could be told what you can see or read, then it follows that you could be told what to say or think - BoC
Now, this does not rule out ARP spoofing, but the only really interesting ARP to spoof would be the one for the default gateway on the network. Since the gateway for the network is living on the CMTS and since any ARP request must pass through the CMTS before getting to our spoofer, I would expect the spoofed replies to arrive after the legitimate ones from the CMTS. Additionally, I would not be surprised to find out that the CMTS suppresses attempts to ARP spoof it's addresses ( and if it doesn't now, it will in the near future ).
It seems to only affect windows users dhcp requests, as for *nix it hands off an entirely different subnet ip address that is not vulnerable. This doesn't stop one from booting into *nix and manually configuring their ip to be on the vulnerable subnet.
Does anyone else find that funny? Windows users are vulnerable to a security flaw by default (as usual). But, (if they feel left out) Unix users can configure their box to be vulnerable too!!
using System.Awesome;
Did you know that your land line and cell phone calls can be tapped? Or that clerks in any of the institutions to whom you give your credit card numbers could steal them--or worse--*sell* them for profit! *shudder*
Your car, for instance, can be bugged and tracked by a Nav positioning satellite so that the baddies will know where you are every minute of the day! I could go on, but now I think you see...it's *horrible*!
Well, on /. we frequently see some trolls that consider themselves so smart and experienced to say some enormities. And, I'm already seeing some saying the usual: "And so what? That's just another /. newsfud". Please, while /. is well fudded, there are things you should keep the mouth shut and think a little before saying something.
The submission shown here may look, partially innocent for house wifes and the common guy in the street. They have lived with so many hacks, virus and trojans, that there is not much to worry about that. Unfortunately, many people do not know that such silly big providers also support someone who is not so simple and humble like your personal computer. They may be segments of corporate networks, departments that are too remotely located, that it is far cheaper to link them to some provider, rather than spending money to create an isolated channel. You may understand this, and still think that the biggest problem for the majority is the fact that information can be stolen. Correct rationale, if we consider the "majority", but again, bullshit. The big problem can be one or two clients of this provider. Clients that, if something goes wrong there, no one of us may have time even to say "shit". And no one will care to put you in a shinny wooded coffin. The best you may expect is a few tons of concrete and a mixture of chemicals so that your body quickly decomposes... Or that your body is quickly turned into ashes...
The problem between big providers and such clients, is that, being a provider with reputation, dimension and emphasis, clients tend to forget some simple rules of the trade. They think that this huge provider does his homework and maintains a minimal level of protection. Meanwhile, these same clients, do not only forget to check the security of such links, but also forget about isolating such channels from their own critical sectors of activity. In the result, a malicious hacker may break-in in minutes into some critical zone. This may be a control station of some distribution system, an industrial zone, or the control room of the corporate network.
Such situations happen and happen too frequently to consider it mere incidents. Thankfully, many of these break-ins are made by people who still have the shoulders in their head. Thankfully, breaking into the majority of corporate networks still demands some art and skills. However, this situation may change, if we all start considering that such problems, like the one described on the submission, are mere "features" that one may live with. If you consider that it should be that way, then don't be admired to see some big factory dropping tons of shit into the air or water. Don't be admired that suddenly a whole communication network goes fool and even 911 doesn't work in the middle of some critical situation. Don't be admired that your company produces things that blast or short-circuit at first use. Don't be admired that the lights go off every 5 minutes and all your home electronics are burning out. These are not stories taken from the hat. These are very concrete scenarios of real holes found somewhere around.
These things do not happen now so frequently because Internet is in its very early age (and still many people, like engineers, do not trust it). But some of these holes are already there, waiting right around the corner for the first maniac script kiddie (yes, there are already holes that such lamers may exploit). If we keep this mood, of not caring about security, we will have all guarantees that something will seriously go wrong in the future.
Adelphia sucks. I guess in more ways than one now.
;)
Please, don't mod this down as a troll, it isn't, it may be blatant advertisement for a sucks.com web site, but it's not a troll
j
-- There is no sig line, only Zuul.
When I run tcpdump on my household server (acts as the gateway for our LAN), I can see traffic destined for us, and ARP who-has messages from the CMTS. The ARP messages are Ethernet broadcasts that have to be bridged. If users at Adelphia can see all the traffic, and it's a DOCSIS system, something (probably the cable modem configuration file) is really screwed up.
Good, then maybe some hacker will get confused and intercept my Adelphia cable TV hookup and inject some decent fucking cable programming for a change!
More info as I get it...
SIG: HUP
Alow me to explain:
1. Adelphia recently declared bankruptcy. Their CEO was the Number 1 CEO in the whole US for taking insider loans. Above Tyco, Enron, or Worldcom. The crooked bastard took an insider "loan" for OVER a quarter BILLION dollars. His reason for the loan was "Unspecified personal business".
2. Their service sucks. I'm on the phone with their help desk at least once a month because the internet connection is down. Their tech support people are a bunch of brain-dead bozos reading from an "if: then" style troubleshooting manual - plus, it usually takes 45 minutes or more of waiting on hold to get through to a real human. Definitely some of the worst customer service in the industry.
3. They are not complying, or planning to comply with the federal regulation passed in October that prevents cable providers from forcing customer to purchase service "bundles" to get a particular channel. The regulation states that a cable provider must provide, upon the customers request, the premium channels they ask for in an a-la-carte style manner.
As an example, if I wanted to get the HBO channel at my house, Adelphia requires my to "upgrade" to their digital cable service for an additional $9.95 a month, plus $7/mo per TV (I have 3) plus pay $25.99 a month for the HBO bundle. Do the math - that equals a additional $57 per month just to get one premium channel. This practice is strictly forbidden by the recently passed legislation.
And to top it off, the lying bastards told me that they don't have the technology to provide a single premium channel (no bundles) to a home, and that they don't have the technology to send certain premium channels to their analog cable subscribers - that they must "upgrade" to digital cable. The reason that they are lying bastards is that I have a friend who used to get just HBO (w/o a bundle) to his analog cable home (back when they offered this option). He canceled that channel but they never turned it off for him. Right now today he gets a single premium HBO channel to his analog cable home.
My advice is to avoid this sleezy bunch at all costs - unless you like paying out the nose to support their insider lending (Yes, I know GWB thankfully just passed legislation making corporate insider loans illegal.) habbits and unfair business practices.
I'd rather be a conservative nutjob than a liberal with no nuts and no job.
Any decently configured VPN won't just warn the user if the key changes -- it'll out and out refuse to work. Likewise, the server will also be verifying the client's key -- any change and thanks-for-playing but yer out.
For SSH, where folks really *do* ignore the issue, yes, this is a problem. A good VPN? No, absolutely not.
The problem with ettercap is that it allows for a man-in-the middle attack against ssh 1 implemenations. That includes seeing the cleartext data passing through....
Also... many routers/firewalls and access devices that have ssh only have ssh 1 capability.... so there goes that protection.... since ettercap can intercept those... (Yes... the fingerprint presented would not match.... but then how many would know to check the fingerprint?)
--
Time is on my side