Slashdot Mirror

← Back to Stories (view on slashdot.org)

Time Warner Cable Modems Expose Users

Posted by samzenpus on from the protect-ya-neck dept.

eldavojohn writes "Wired is reporting on a simple hack putting some 65,000 customers at risk. The hack to gain administrative access to the cable modem/router combo is remarkably simple: '[David] Chen, founder of a software startup called Pip.io, said he was trying to help a friend change the settings on his cable modem and discovered that Time Warner had hidden administrative functions from its customers with Javascript code. By simply disabling Javascript in his browser, he was able to see those functions, which included a tool to dump the router's configuration file. That file, it turned out, included the administrative login and password in cleartext. Chen investigated and found the same login and password could access the admin panels for every router in the SMC8014 series on Time Warner's network — a grave vulnerability, given that the routers also expose their web interfaces to the public-facing internet.' If you use Time Warner's SMC8014 series cable modem/Wi-Fi router combo, watch for firmware to be released soon that they are reportedly in the process of testing."

14 of 185 comments (clear)

  1. The only prudent thing to do with these things... by John+Hasler · · Score: 5, Insightful

    ...is to put them in bridge mode and use your own router (no matter who your provider is). Same with DSL modems. Even when they aren't misconfigured (deliberately or due to sheer incompetence) the firmware is usually buggy and limited.

    --
    Warning: this article may contain humor, sarcasm, parody, and perhaps even irony. Read at your own risk.
  2. They need to act on this immediately! by Rogerborg · · Score: 5, Funny

    Presumably armed FBI agents are en route to neutralize notorious terrorist hacker David Chen even now. 50 years in Gitmo is too good for him.

    --
    If you were blocking sigs, you wouldn't have to read this.
  3. Related to Belgacom hack and 'ransom'? by Animaether · · Score: 4, Informative

    I wonder if this is the same 'hack' used to attack Belgacom.
    http://tweakers.net/nieuws/63200/belgacom-hacker-publiceerde-authentieke-inloggegevens-van-klanten.html

    For the curious, a quick recap in English...

    A hacker going by the name 'Vendetta', supposedly an American living in Belgium, got fed up with the monthly data cap (at Belgacom, figured out that there's a way to find the username/password for a modem by browsing to it (much as in this article), did that to a claimed several thousand (285,000) modems, and is threatening to release them slowly over time until November 30th as long as Belgacom keeps its monthly data cap.

    So far this hacker released 30 usernames/passwords, and they were found to be genuine.

    Belgacom contacted authorities, is investigating the claimed method of hacking, blabla.

    The modem in question with Belgacom is labeled a "B-Box2-modem".

  4. Re:The only prudent thing to do with these things. by milgram · · Score: 5, Insightful

    While I agree with you, the issue usually isn't the small percentage of technically savvy people who use this, but rather the majority of folks looking to "plug and play". These are the security gaps that allow zombie DDoS attacks to happen so easily, as they open up easy access to lot's of similarly configured boxes.

  5. the routers also expose their web interfaces to by Col.+Panic · · Score: 4, Funny

    the public-facing internet

    wait. what? why?

  6. Re: the routers also expose their web interfaces t by John+Hasler · · Score: 5, Insightful

    Convenience and incompetence. They want to be able to run scripts to update/reconfigure all the modems and this is the first method that occured to them. Being stupid, they didn't think it through.

    --
    Warning: this article may contain humor, sarcasm, parody, and perhaps even irony. Read at your own risk.
  7. re: the summary by jlmale0 · · Score: 4, Informative

    My initial, gut response to this was sheer horror. They list exploit and target side-by-side! The only mention of a fix is that it's to be 'released soon', informing any malicious agents out there that now is the time to strike.

    Reading the Wired article, the right thing was done. Big company was sitting on their hands, and now that publicity has been made, they're starting to move.

    Wired did the right thing. But this summary, it's fear-mongering and bad journalism.

  8. Multiple-levels of incompetence by MobyDisk · · Score: 5, Insightful

    This isn't just a security vulnerability - those things happen. This is gross negligence. There are 3 simultaneous absolutely bone-headed things here:

    - PUBLIC facing web configuration? I have never, ever, ever, seen a router that did that. Not even cheesy home routers.
    - JAVASCRIPT is their security? That was dumb back in 1998, but who does that now?
    - CLEAR TEXT username/password? There was this great technique we used back in 1975 called hashing. Look it up. Why does it even write the username/password out anyway?

    This is one of those cases of just too many stupid things all at once for it to be a mistake.

  9. Still better than PLANET... by loutr · · Score: 5, Funny
    Some years ago, part of my tech support job was to set up PLANET ADSL modem/wifi routers. I quickly noticed that the admin login / password was embedded in most configuration pages. But not to worry, they had cleverly hidden them with this brilliant security technique :

    style="color:white;background-color:white"

    ...

    1. Re:Still better than PLANET... by TimeTraveler1884 · · Score: 5, Funny

      How stupid could they possible have been? It's easy (with the correct equipment) to extract white text on a white background. They should have used style="display: none"

  10. Re:Why wait? by TheRealMindChild · · Score: 4, Informative

    So you are saying I should go back to dial-up...? Because that is my only alternative. Thanks for doing my cost/benefit analysis of this situation for me! It is definitely better to have worthless internet than to just maintain my own router!

    --

    "When life gives you lemons, don't make lemonade. Make life take the lemons back!" -- Cave Johnson
  11. Re:The only prudent thing to do with these things. by TimeTraveler1884 · · Score: 4, Informative

    Initially I was a little confused about the cable modem not being in bridge mode and having an admin interface at all. After RTFA, this vulnerability is only for SMC router/modem combo devices from TW. There was no mention of the Motorola cable modem I have from TW. The Motorola cable modems are acting as a bridge already because my router gets the lease to the public IP.

    So apparently no worries regarding this vulnerability for me, but this certainly sucks for 65K other people.

  12. Re:The only prudent thing to do with these things. by Anonymous Coward · · Score: 4, Insightful

    Bridge mode is just that -- it's a connection between two separate networks. In this case, the TW box is connected to the Internet and is one point of the bridge. On the other end is your home network router, which acts as the other point of the bridge. Your network is physically separate from theirs, and joined by the single patch cable between the boxes.. This is usually how these things work anyways, even when it's all in one box. The difference here is that you're using two physical boxes to ensure the separation, which avoids absurd goofs like the one described in TFA.

  13. VErizon FiOS routers do something similar by 140Mandak262Jamuna · · Score: 4, Interesting

    I was very much worried when I got Verizon FiOS. The Verizon supplied router is actually a linux box that has a web server and it throws a username/password dialog to the WAN side. I was worried so much I had another old router behind the Verizon router and connected my machines to this second router. But the other router was old and it maxed out at 10Mbps and FiOS was delivering 20Mbps. So I did some googling. Found that Verizon has been shipping that kind of routers for more than 5 years and so far no hack has been found. So I removed my second line of defense. Looks like it is a prudent idea to buy a more capable modern router and protect the machines from possible future hacks.

    --
    sed -e 's/Chuck Norris/Rajnikant/g' joke > fact