Time Warner Cable Modems Expose Users
eldavojohn writes "Wired is reporting on a simple hack putting some 65,000 customers at risk. The hack to gain administrative access to the cable modem/router combo is remarkably simple: '[David] Chen, founder of a software startup called Pip.io, said he was trying to help a friend change the settings on his cable modem and discovered that Time Warner had hidden administrative functions from its customers with Javascript code. By simply disabling Javascript in his browser, he was able to see those functions, which included a tool to dump the router's configuration file. That file, it turned out, included the administrative login and password in cleartext. Chen investigated and found the same login and password could access the admin panels for every router in the SMC8014 series on Time Warner's network — a grave vulnerability, given that the routers also expose their web interfaces to the public-facing internet.' If you use Time Warner's SMC8014 series cable modem/Wi-Fi router combo, watch for firmware to be released soon that they are reportedly in the process of testing."
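The flaw in the summary above is access control done only in the browser: the device sends every admin function and relies on a script to hide some of them. The following sketch contrasts that pattern with server-side enforcement. It is an added example, not code from Wired, Time Warner or the SMC firmware; the route names, roles and the client function `hideLinksAbove` are hypothetical.

```javascript
// Constructed route table; paths, labels and roles are assumptions for illustration.
const ROUTES = new Map([
  ['/status', { minRole: 'customer', label: 'Connection status' }],
  ['/wifi', { minRole: 'customer', label: 'Wi-Fi settings' }],
  ['/config/backup', { minRole: 'operator', label: 'Dump configuration' }],
]);
const RANK = new Map([['anonymous', 0], ['customer', 1], ['operator', 2]]);

// Server-side decision: unknown roles and unknown paths are denied.
function allowed(role, path) {
  const route = ROUTES.get(path);
  return route !== undefined && (RANK.get(role) ?? 0) >= RANK.get(route.minRole);
}

// Weak page: every link is sent; a (hypothetical) client script hides some.
// With scripting disabled the browser simply shows all of them.
function renderWeak(role) {
  const links = [...ROUTES].map(([path, r]) =>
    `<a href="${path}" data-min-role="${r.minRole}">${r.label}</a>`).join('\n');
  return `${links}\n<script>hideLinksAbove(${JSON.stringify(role)})</script>`;
}

// Weak handler: assumes hidden links are never requested, so it checks nothing.
function handleWeak(role, path) {
  return ROUTES.has(path) ? 200 : 404;
}

// Hardened page: links the role may not use never reach the markup.
function renderHardened(role) {
  return [...ROUTES].filter(([path]) => allowed(role, path))
    .map(([path, r]) => `<a href="${path}">${r.label}</a>`).join('\n');
}

// Hardened handler: authorization is re-checked on every request,
// whatever the page did or did not display.
function handleHardened(role, path) {
  if (!ROUTES.has(path)) return 404;
  return allowed(role, path) ? 200 : 403;
}

console.log('weak, customer -> /config/backup:', handleWeak('customer', '/config/backup'));
console.log('hardened, customer -> /config/backup:', handleHardened('customer', '/config/backup'));
```

Filtering the markup alone would not be enough; the per-request check in `handleHardened` is what actually protects the configuration dump.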
According to TFA (my karma be damned), Web-based admin UI is enabled on these routers, not only for the LAN but for the whole fucking Internet. This must be the dumbest default setting ever.
Also in TFA...
What's more? Gnome With the Ping of Death? ;)
Colorless green Cthulhu waits dreaming furiously.
I don't know if they're using DOCSIS, but I can't imagine they aren't. If I'm wrong, ignore the rest of this comment; but if they are DOCSIS modems, then they get their config file from the network every time you boot them. Even if they aren't DOCSIS modems, that's still the most reasonable way to configure them, and if they didn't do that they should be shot into orbit without a suit, or perhaps with one but on a rapidly decaying orbit and without heat shields.
"You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
Be sure to tell Time Warner to "Abragofuckyourself" when they say you're tied into a contract, by using the words "unfit for purpose", "gross criminal negligence" and "class action".
Unfortunately, in negligence cases the courts often look to the industry standard to decide what sort of precautions a company ought to take. Given that the industry standard is basically no security at all this might be a tough case. Also, to establish negligence you'd have to show some actual harm done - not just the potential for harm. "Unfit for purpose" might still get you out of the contract though.
How about lobbying your congressman to get the monopoly given to Time Warner / AT&T / Comcast / Sprint or whatever split up as anti-competitive and not just taking a big rubbery one up the wrong'un?
Finally had enough. Come see us over at https://soylentnews.org/
- PUBLIC facing web configuration? I have never, ever, ever, seen a router that did that. Not even cheesy home routers.
Even the cheesy home routers have this as an option, but it's always buried deep in the 'advanced' configuration options, and it's ALWAYS disabled by default.
This guy's the limit!
The Javascript thing isn't important - that's how the device operates because it's been told to and, in 99% of circumstances, it's an internal-only device. My printer offers up a lot worse options. However, exposing that interface to the web is stupid, as is using standardised passwords.
The former is nothing but user-education and/or forcing them into a password from the factory (like a lot of wireless routers come with WPA keys printed on the bottom of them).
For the latter, a lot of cheap ADSL modems/routers do this, it's hardly a shock. Some of them run telnet on ports 254/255 and the only way to get rid of it is to forward that port to a non-existent IP address. Yes, it's crap security. Yes, they should know better. But, additionally, it's their fault from day one and people have known about this for YEARS.
It would also pick up on *any* external security scanner (e.g. nmap, GRC.com's ShieldsUp!) and any competent person would be testing any new system with something like that anyway. I know I've always scanned whenever I've used a new connection, if only to find what proxy servers / port-blocking / port-forwarding are in place. And yet all my Internet connections have hard-coded DNS, the router acts as nothing more than a passthrough to a real firewall (usually Linux iptables, if only for decent, configurable NAT / port-forwarding) and anything vaguely suspicious on an external scan is investigated (my ISP offer port 139 filtering as default, for example).
If you didn't know about it, test it. If you haven't already disabled it, do so. If you're that worried, change the device. This type of problem has been around for YEARS, and only the bog-standard, password is 'password', home users would ever be hurt by it. I think it's disgusting that they are, but they are not the only ISP / modem / router that has these problems.
And to claim this is new/shocking is quite misleading - most router manufacturers have suffered from this since ADSL became mainstream. Even things like BT's HomeHub have had similar security problems over the years.
Speaking as someone who has no option of anything other than dial-up, I can tell you that it most certainly is worthless.
Remember back in 1999 how it would take 15 seconds to load a page? Now imagine that every page has flash instead of pictures and most servers will decide to give you a timeout message if you take longer than 45 seconds to respond to a request. Youtube, torrents, the whole digital distribution revolution is totally useless.
I dare you, go back to dial-up for two weeks. Completely worthless Internet. Yeah, I've still got Internet at the library, but that doesn't allow me to get patches for my OS or watch Youtube, now does it?
Obligatory Soundbite Catchphrase
I was very much worried when I got Verizon FiOS. The Verizon supplied router is actually a Linux box that has a web server and it throws a username/password dialog to the WAN side. I was worried so much I had another old router behind the Verizon router and connected my machines to this second router. But the other router was old and it maxed out at 10Mbps and FiOS was delivering 20Mbps. So I did some googling. Found that Verizon has been shipping that kind of router for more than 5 years and so far no hack has been found. So I removed my second line of defense. Looks like it is a prudent idea to buy a more capable modern router and protect the machines from possible future hacks.
sed -e 's/Chuck Norris/Rajnikant/g' joke > fact
The local monopolies aren't granted by your congressman, not even your state legislator. It's on a more local level, and usually done by people who have even less information than a congressman would have.
Even if this were viable, it'd take years to oust TW, open things up, and then get another ISP in town. My house is 1/4 mile from a Verizon building (I presume the main switching station for the town), and I can't get any high-speed offering from them - no DSL, no FiOS, nothing. My options are between TW and buying a land-line (which I don't presently have) and then setting up dial-up - significant extra cost for a massive step backwards in service.
Satellite is out too, mostly because of the trees, hill & house on top of the hill in my backyard. I'd have to put a 20 foot mast on top of my house.
That doesn't sound right. At 9.6 kbit/s it would take 8 minutes to load a single slashdot page. Even if you turned off the java, CSS, and pics it would still require over a minute to download. ----- Perhaps if you said 96k for your GSM that would be more realistic... about twice as fast as a dialup connection.
Have you tried Opera 10 with your modem? O10 uses compression to speed up slow connections.
"I disapprove of what you say, but I will defend to the death your right to say it." - historian Evelyn Beatrice Hall