Hacking cable modems the later years
Uploaded by nullbyte-security-conference
Transcript of Hacking cable modems the later years
![Page 1: Hacking cable modems the later years](https://reader034.fdocuments.us/reader034/viewer/2022042422/587960c41a28ab1e388b6333/html5/thumbnails/1.jpg)
Hacking Cable Modems
The Later Years
Bernardo Rodrigues
@bernardomr
![Page 2: Hacking cable modems the later years](https://reader034.fdocuments.us/reader034/viewer/2022042422/587960c41a28ab1e388b6333/html5/thumbnails/2.jpg)
Disclaimer
Opinions are my own, unless hacked.
In that case, hacker's
This is not a talk about Theft of Service
![Page 3: Hacking cable modems the later years](https://reader034.fdocuments.us/reader034/viewer/2022042422/587960c41a28ab1e388b6333/html5/thumbnails/3.jpg)
$ whoami
Web, Forensics & Junk Hacking
CTF Player
https://w00tsec.blogspot.com
![Page 4: Hacking cable modems the later years](https://reader034.fdocuments.us/reader034/viewer/2022042422/587960c41a28ab1e388b6333/html5/thumbnails/4.jpg)
Cable Modem – Vendors
![Page 5: Hacking cable modems the later years](https://reader034.fdocuments.us/reader034/viewer/2022042422/587960c41a28ab1e388b6333/html5/thumbnails/5.jpg)
Cable Modem: Models
![Page 6: Hacking cable modems the later years](https://reader034.fdocuments.us/reader034/viewer/2022042422/587960c41a28ab1e388b6333/html5/thumbnails/6.jpg)
Cable Modem Hacking Timeline
1997 ( … ) 2001 2003 2004 2006 ( … ) 2009 2010
Technology: DOCSIS 1.0
Technology: DOCSIS 2.0
Firmware: SIGMA by TCNiSO
Tool: BlackCat Programmer by Isabella
Book: Hacking The Cable Modem by derEngel
Firmware: Haxorware R27 by Rajkosto
Legal: DerEngel (Ryan Harris) arrested
Talk: DEFCON 18, Hacking DOCSIS For Fun and Profit
Talk: DEFCON 16, Free Anonymous Internet Using Modified Cable Modems
Talk: DEFCON 16, Sniffing Cable Modems
Technology: DOCSIS 3.0
![Page 7: Hacking cable modems the later years](https://reader034.fdocuments.us/reader034/viewer/2022042422/587960c41a28ab1e388b6333/html5/thumbnails/7.jpg)
Cable Modem Hacking Timeline
2011 2012 2013 2014 2015
Talk: NullByte Con, Hacking Cable Modems: The Later Years
Firmware: ForceWare v1.2 by mforce
Talk: HOPE 9, The ARRIStocrats: Cable Modem Lulz
Technology: DOCSIS 3.1
Blog Post: w00tsec, Unpacking Firmware Images from Cable Modems
Blog Post: Console Cowboys, Arris Cable Modem Backdoor - I'm a technician, trust me
Talk: Infiltrate, Practical Attacks on DOCSIS
![Page 8: Hacking cable modems the later years](https://reader034.fdocuments.us/reader034/viewer/2022042422/587960c41a28ab1e388b6333/html5/thumbnails/8.jpg)
DOCSIS
Data Over Cable Service Interface Specification
Network Overview:
![Page 9: Hacking cable modems the later years](https://reader034.fdocuments.us/reader034/viewer/2022042422/587960c41a28ab1e388b6333/html5/thumbnails/9.jpg)
DOCSIS 3.0 Features
Channel Bonding (Upstream and Downstream)
IPv6 (inc. provisioning and management of CMs)
Security (?)
Enhanced Traffic encryption (?)
Enhanced Provisioning Security (?)
![Page 10: Hacking cable modems the later years](https://reader034.fdocuments.us/reader034/viewer/2022042422/587960c41a28ab1e388b6333/html5/thumbnails/10.jpg)
Channel Bonding
![Page 11: Hacking cable modems the later years](https://reader034.fdocuments.us/reader034/viewer/2022042422/587960c41a28ab1e388b6333/html5/thumbnails/11.jpg)
DOCSIS: Provisioning
Acquire and lock the downstream frequency
Get upstream parameters
Get an IP address
Download modem configuration via TFTP
Apply the configuration and enable forwarding of packets
![Page 12: Hacking cable modems the later years](https://reader034.fdocuments.us/reader034/viewer/2022042422/587960c41a28ab1e388b6333/html5/thumbnails/12.jpg)
DOCSIS Network Overview
![Page 13: Hacking cable modems the later years](https://reader034.fdocuments.us/reader034/viewer/2022042422/587960c41a28ab1e388b6333/html5/thumbnails/13.jpg)
DOCSIS SEC
Encryption and authentication protocol in DOCSIS
BPI (Baseline Privacy Interface) in DOCSIS 1.0
BPI+ in DOCSIS 1.1 and 2.0
SEC (Security) in DOCSIS 3.0
![Page 14: Hacking cable modems the later years](https://reader034.fdocuments.us/reader034/viewer/2022042422/587960c41a28ab1e388b6333/html5/thumbnails/14.jpg)
DOCSIS SEC
Digital certificates (VeriSign/Excentis)
Uniquely chained to the MAC address of each cable modem
CMTS allowing Self-signed certificates
Legacy test equipment
Cable modems that do not support BPI+
![Page 15: Hacking cable modems the later years](https://reader034.fdocuments.us/reader034/viewer/2022042422/587960c41a28ab1e388b6333/html5/thumbnails/15.jpg)
DOCSIS: Provisioning
![Page 16: Hacking cable modems the later years](https://reader034.fdocuments.us/reader034/viewer/2022042422/587960c41a28ab1e388b6333/html5/thumbnails/16.jpg)
DOCSIS: Config File
Downstream
Upstream
Bandwidth cap
ACL’s
TFTP Servers
SNMP community
![Page 17: Hacking cable modems the later years](https://reader034.fdocuments.us/reader034/viewer/2022042422/587960c41a28ab1e388b6333/html5/thumbnails/17.jpg)
DOCSIS: Config File
![Page 18: Hacking cable modems the later years](https://reader034.fdocuments.us/reader034/viewer/2022042422/587960c41a28ab1e388b6333/html5/thumbnails/18.jpg)
DOCSIS: Config File
DOCSIS specification:
CMTS generates a Message Integrity Check (MIC)
Hash over a number of parameters, including the "shared secret"
Incorrect MIC: CM registration fails
DOCSIS 2.0: MD5
DOCSIS 3.0: New MIC hash algorithm (MMH)
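As an added illustration (not code from the talk), the following Python models the config-file integrity check in simplified form: TLV-encoded parameters followed by a keyed MIC computed with the shared secret. HMAC-MD5 is used as a stand-in for the DOCSIS 2.0 MD5-based MIC; the TLV type codes, the set of fields covered and the trailing-MIC layout are assumptions for this example, not the spec's values. The verifier on the CMTS side rejects a file whose parameters were edited after the MIC was computed, and one whose MIC was computed with the wrong secret, which is why the shared secret and the strength of the MIC algorithm decide whether a modem can register with a self-served config.

```python
import hashlib
import hmac

# Constructed type codes for this illustration; they are NOT the DOCSIS TLV numbers.
TLV_DOWNSTREAM_FREQ = 1
TLV_MAX_US_RATE = 2       # upstream bandwidth cap, bits per second
TLV_SNMP_COMMUNITY = 3
TLV_CMTS_MIC = 7          # keyed MIC, appended as the last TLV


def encode_tlvs(tlvs):
    """Serialize (type, value) pairs as 1-byte type, 1-byte length, value."""
    out = bytearray()
    for ttype, value in tlvs:
        if not 0 <= ttype <= 255 or len(value) > 255:
            raise ValueError("TLV type or length out of range")
        out += bytes([ttype, len(value)]) + value
    return bytes(out)


def decode_tlvs(blob):
    """Parse a TLV blob; raises on truncation so a malformed file never half-parses."""
    tlvs, i = [], 0
    while i < len(blob):
        if i + 2 > len(blob):
            raise ValueError("truncated TLV header at offset %d" % i)
        ttype, length = blob[i], blob[i + 1]
        value = blob[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated TLV value at offset %d" % i)
        tlvs.append((ttype, value))
        i += 2 + length
    return tlvs


def cmts_mic(payload, shared_secret):
    """Keyed MIC over the parameter bytes. HMAC-MD5 stands in for the DOCSIS 2.0
    MD5-based MIC (DOCSIS 3.0 moved to the MMH algorithm)."""
    return hmac.new(shared_secret, payload, hashlib.md5).digest()


def build_config(tlvs, shared_secret):
    """Provisioning side: parameters followed by the MIC TLV."""
    payload = encode_tlvs(tlvs)
    return payload + encode_tlvs([(TLV_CMTS_MIC, cmts_mic(payload, shared_secret))])


def verify_config(blob, shared_secret):
    """CMTS side: return the parameter TLVs if the MIC checks out, else None
    (the modem's registration would be refused)."""
    tlvs = decode_tlvs(blob)
    if not tlvs or tlvs[-1][0] != TLV_CMTS_MIC:
        return None
    expected = cmts_mic(encode_tlvs(tlvs[:-1]), shared_secret)
    if not hmac.compare_digest(expected, tlvs[-1][1]):
        return None
    return tlvs[:-1]


def rewrite_tlv(blob, ttype, new_value):
    """Simulate an edited config: change one parameter, leave the old MIC in place."""
    return encode_tlvs([(t, new_value if t == ttype else v)
                        for t, v in decode_tlvs(blob)])


# Constructed sample: an ISP shared secret and a modest upstream cap.
SHARED_SECRET = b"constructed-isp-secret"
SAMPLE_CONFIG = build_config([
    (TLV_DOWNSTREAM_FREQ, (555_000_000).to_bytes(4, "big")),
    (TLV_MAX_US_RATE, (2_000_000).to_bytes(4, "big")),
    (TLV_SNMP_COMMUNITY, b"private"),
], SHARED_SECRET)


def demo():
    """Return (genuine_ok, edited_ok, wrong_secret_ok) for the sample config."""
    edited = rewrite_tlv(SAMPLE_CONFIG, TLV_MAX_US_RATE,
                         (100_000_000).to_bytes(4, "big"))
    return (
        verify_config(SAMPLE_CONFIG, SHARED_SECRET) is not None,
        verify_config(edited, SHARED_SECRET) is not None,
        verify_config(SAMPLE_CONFIG, b"guessed-secret") is not None,
    )


if __name__ == "__main__":
    print(demo())  # (True, False, False)
```

The check only has value while the shared secret stays secret and the MIC algorithm resists forgery; the same code makes it obvious that anyone holding the secret can re-sign an edited file, which is the gap the ISP-side mitigations later in the talk (dynamic per-file secrets, TFTP enforcement) are meant to close.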
![Page 19: Hacking cable modems the later years](https://reader034.fdocuments.us/reader034/viewer/2022042422/587960c41a28ab1e388b6333/html5/thumbnails/19.jpg)
DOCSIS: Config File
![Page 20: Hacking cable modems the later years](https://reader034.fdocuments.us/reader034/viewer/2022042422/587960c41a28ab1e388b6333/html5/thumbnails/20.jpg)
Cable Modems
binwalk
![Page 21: Hacking cable modems the later years](https://reader034.fdocuments.us/reader034/viewer/2022042422/587960c41a28ab1e388b6333/html5/thumbnails/21.jpg)
Cable Modems
binwalk + capstone
![Page 22: Hacking cable modems the later years](https://reader034.fdocuments.us/reader034/viewer/2022042422/587960c41a28ab1e388b6333/html5/thumbnails/22.jpg)
Cable Modems
Shell access
![Page 23: Hacking cable modems the later years](https://reader034.fdocuments.us/reader034/viewer/2022042422/587960c41a28ab1e388b6333/html5/thumbnails/23.jpg)
Cable Modems
Shell access
![Page 24: Hacking cable modems the later years](https://reader034.fdocuments.us/reader034/viewer/2022042422/587960c41a28ab1e388b6333/html5/thumbnails/24.jpg)
Cable Modems
Bad authentication
![Page 25: Hacking cable modems the later years](https://reader034.fdocuments.us/reader034/viewer/2022042422/587960c41a28ab1e388b6333/html5/thumbnails/25.jpg)
Cable Modems
XSS, CSRF, DoS
![Page 26: Hacking cable modems the later years](https://reader034.fdocuments.us/reader034/viewer/2022042422/587960c41a28ab1e388b6333/html5/thumbnails/26.jpg)
Cable Modems
Default Passwords
![Page 27: Hacking cable modems the later years](https://reader034.fdocuments.us/reader034/viewer/2022042422/587960c41a28ab1e388b6333/html5/thumbnails/27.jpg)
Cable Modems
Backdoors
![Page 28: Hacking cable modems the later years](https://reader034.fdocuments.us/reader034/viewer/2022042422/587960c41a28ab1e388b6333/html5/thumbnails/28.jpg)
Cable Modems
Backdoors in the Backdoors
![Page 29: Hacking cable modems the later years](https://reader034.fdocuments.us/reader034/viewer/2022042422/587960c41a28ab1e388b6333/html5/thumbnails/29.jpg)
Cable Modems
Backdoors
![Page 30: Hacking cable modems the later years](https://reader034.fdocuments.us/reader034/viewer/2022042422/587960c41a28ab1e388b6333/html5/thumbnails/30.jpg)
Hacked Firmwares
Not Certified by CableLabs
Backdoors (legit modems too)
Closed source (legit modems too)
Enable factory mode (legit modems too)
Change MAC and Serial (legit modems too)
Certificate Upload
Force network access (ignore unauthorized messages)
Floods the DHCP server with packets repeatedly until it gets an IP address
Disable & Set ISP filters (ACLs at modem level)
Specify config filename and TFTP server IP address
Force config file from ISP, local TFTP or uploaded flash memory
Disable ISP firmware upgrade
Get & Set SNMP OID values and Factory mode OID values
Upload, flash and upgrade firmware
Dual Boot
![Page 31: Hacking cable modems the later years](https://reader034.fdocuments.us/reader034/viewer/2022042422/587960c41a28ab1e388b6333/html5/thumbnails/31.jpg)
Hacked Cable Modems
![Page 32: Hacking cable modems the later years](https://reader034.fdocuments.us/reader034/viewer/2022042422/587960c41a28ab1e388b6333/html5/thumbnails/32.jpg)
Hacked Cable Modems
![Page 33: Hacking cable modems the later years](https://reader034.fdocuments.us/reader034/viewer/2022042422/587960c41a28ab1e388b6333/html5/thumbnails/33.jpg)
Reversing Cable Modems
![Page 34: Hacking cable modems the later years](https://reader034.fdocuments.us/reader034/viewer/2022042422/587960c41a28ab1e388b6333/html5/thumbnails/34.jpg)
Reversing Cable Modems
RAM Start Address
![Page 35: Hacking cable modems the later years](https://reader034.fdocuments.us/reader034/viewer/2022042422/587960c41a28ab1e388b6333/html5/thumbnails/35.jpg)
Firmware Types
Signed and compressed (PKCS#7 & binary)
Compressed binary images
RAM dump images (uncompressed & raw)
![Page 36: Hacking cable modems the later years](https://reader034.fdocuments.us/reader034/viewer/2022042422/587960c41a28ab1e388b6333/html5/thumbnails/36.jpg)
Firmware Structure
![Page 37: Hacking cable modems the later years](https://reader034.fdocuments.us/reader034/viewer/2022042422/587960c41a28ab1e388b6333/html5/thumbnails/37.jpg)
Firmware Structure
![Page 38: Hacking cable modems the later years](https://reader034.fdocuments.us/reader034/viewer/2022042422/587960c41a28ab1e388b6333/html5/thumbnails/38.jpg)
Firmware Upgrades
![Page 39: Hacking cable modems the later years](https://reader034.fdocuments.us/reader034/viewer/2022042422/587960c41a28ab1e388b6333/html5/thumbnails/39.jpg)
Firmware Upgrade
Authenticate originator of any download
Verify if the code has been altered
Digitally signed (Root CA)
![Page 40: Hacking cable modems the later years](https://reader034.fdocuments.us/reader034/viewer/2022042422/587960c41a28ab1e388b6333/html5/thumbnails/40.jpg)
Firmware Downgrade
![Page 41: Hacking cable modems the later years](https://reader034.fdocuments.us/reader034/viewer/2022042422/587960c41a28ab1e388b6333/html5/thumbnails/41.jpg)
Firmware Upgrade
![Page 42: Hacking cable modems the later years](https://reader034.fdocuments.us/reader034/viewer/2022042422/587960c41a28ab1e388b6333/html5/thumbnails/42.jpg)
Physical Protection
![Page 43: Hacking cable modems the later years](https://reader034.fdocuments.us/reader034/viewer/2022042422/587960c41a28ab1e388b6333/html5/thumbnails/43.jpg)
Physical Protection
0DAY?
![Page 44: Hacking cable modems the later years](https://reader034.fdocuments.us/reader034/viewer/2022042422/587960c41a28ab1e388b6333/html5/thumbnails/44.jpg)
Physical Protection
![Page 45: Hacking cable modems the later years](https://reader034.fdocuments.us/reader034/viewer/2022042422/587960c41a28ab1e388b6333/html5/thumbnails/45.jpg)
SPI
Serial Peripheral Interface Bus
SCLK : Serial Clock (output from master).
MOSI : Master Output, Slave Input (output from master).
MISO : Master Input, Slave Output (output from slave).
SS : Slave Select (active low, output from master).
![Page 46: Hacking cable modems the later years](https://reader034.fdocuments.us/reader034/viewer/2022042422/587960c41a28ab1e388b6333/html5/thumbnails/46.jpg)
SPI
Identify the Model
![Page 47: Hacking cable modems the later years](https://reader034.fdocuments.us/reader034/viewer/2022042422/587960c41a28ab1e388b6333/html5/thumbnails/47.jpg)
SPI: Datasheet
![Page 48: Hacking cable modems the later years](https://reader034.fdocuments.us/reader034/viewer/2022042422/587960c41a28ab1e388b6333/html5/thumbnails/48.jpg)
SPI: Beaglebone
![Page 49: Hacking cable modems the later years](https://reader034.fdocuments.us/reader034/viewer/2022042422/587960c41a28ab1e388b6333/html5/thumbnails/49.jpg)
SPI: Beaglebone
![Page 50: Hacking cable modems the later years](https://reader034.fdocuments.us/reader034/viewer/2022042422/587960c41a28ab1e388b6333/html5/thumbnails/50.jpg)
SPI: Beaglebone
![Page 51: Hacking cable modems the later years](https://reader034.fdocuments.us/reader034/viewer/2022042422/587960c41a28ab1e388b6333/html5/thumbnails/51.jpg)
SPI: GoodFET
![Page 52: Hacking cable modems the later years](https://reader034.fdocuments.us/reader034/viewer/2022042422/587960c41a28ab1e388b6333/html5/thumbnails/52.jpg)
SPI: GoodFET
![Page 53: Hacking cable modems the later years](https://reader034.fdocuments.us/reader034/viewer/2022042422/587960c41a28ab1e388b6333/html5/thumbnails/53.jpg)
SPI: GoodFET
![Page 54: Hacking cable modems the later years](https://reader034.fdocuments.us/reader034/viewer/2022042422/587960c41a28ab1e388b6333/html5/thumbnails/54.jpg)
SPI: BlackCat USB
![Page 55: Hacking cable modems the later years](https://reader034.fdocuments.us/reader034/viewer/2022042422/587960c41a28ab1e388b6333/html5/thumbnails/55.jpg)
SPI: BlackCat USB
![Page 56: Hacking cable modems the later years](https://reader034.fdocuments.us/reader034/viewer/2022042422/587960c41a28ab1e388b6333/html5/thumbnails/56.jpg)
SPI: BlackCat USB
![Page 57: Hacking cable modems the later years](https://reader034.fdocuments.us/reader034/viewer/2022042422/587960c41a28ab1e388b6333/html5/thumbnails/57.jpg)
NAND Flash
DumpFlash
https://github.com/ohjeongwook/DumpFlash
![Page 58: Hacking cable modems the later years](https://reader034.fdocuments.us/reader034/viewer/2022042422/587960c41a28ab1e388b6333/html5/thumbnails/58.jpg)
Factory Mode
Administrative functions
Reflashing Firmware
Dumping keys
![Page 59: Hacking cable modems the later years](https://reader034.fdocuments.us/reader034/viewer/2022042422/587960c41a28ab1e388b6333/html5/thumbnails/59.jpg)
Factory Mode
![Page 60: Hacking cable modems the later years](https://reader034.fdocuments.us/reader034/viewer/2022042422/587960c41a28ab1e388b6333/html5/thumbnails/60.jpg)
SNMP Scanning
![Page 61: Hacking cable modems the later years](https://reader034.fdocuments.us/reader034/viewer/2022042422/587960c41a28ab1e388b6333/html5/thumbnails/61.jpg)
SNMP Scanning
![Page 62: Hacking cable modems the later years](https://reader034.fdocuments.us/reader034/viewer/2022042422/587960c41a28ab1e388b6333/html5/thumbnails/62.jpg)
SNMP ACL’s
![Page 63: Hacking cable modems the later years](https://reader034.fdocuments.us/reader034/viewer/2022042422/587960c41a28ab1e388b6333/html5/thumbnails/63.jpg)
Bypassing SNMP ACL’s
https://github.com/nccgroup/cisco-snmp-slap
![Page 64: Hacking cable modems the later years](https://reader034.fdocuments.us/reader034/viewer/2022042422/587960c41a28ab1e388b6333/html5/thumbnails/64.jpg)
Bypassing SNMP ACL’s
https://github.com/nccgroup/cisco-snmp-slap
![Page 65: Hacking cable modems the later years](https://reader034.fdocuments.us/reader034/viewer/2022042422/587960c41a28ab1e388b6333/html5/thumbnails/65.jpg)
DOCSIS Encryption
Use of 56-bit DES
DOCSIS 3.0 adds support for AES
Never seen AES used (as of 2015)
Lack of use likely due to DOCSIS 2.0 support
![Page 66: Hacking cable modems the later years](https://reader034.fdocuments.us/reader034/viewer/2022042422/587960c41a28ab1e388b6333/html5/thumbnails/66.jpg)
DOCSIS Encryption
![Page 67: Hacking cable modems the later years](https://reader034.fdocuments.us/reader034/viewer/2022042422/587960c41a28ab1e388b6333/html5/thumbnails/67.jpg)
DOCSIS 3.1 Encryption: Worldwide
![Page 68: Hacking cable modems the later years](https://reader034.fdocuments.us/reader034/viewer/2022042422/587960c41a28ab1e388b6333/html5/thumbnails/68.jpg)
DOCSIS 3.1 Encryption: China
![Page 69: Hacking cable modems the later years](https://reader034.fdocuments.us/reader034/viewer/2022042422/587960c41a28ab1e388b6333/html5/thumbnails/69.jpg)
Problems with DOCSIS SEC
![Page 70: Hacking cable modems the later years](https://reader034.fdocuments.us/reader034/viewer/2022042422/587960c41a28ab1e388b6333/html5/thumbnails/70.jpg)
Problems with DOCSIS SEC
![Page 71: Hacking cable modems the later years](https://reader034.fdocuments.us/reader034/viewer/2022042422/587960c41a28ab1e388b6333/html5/thumbnails/71.jpg)
Problems with DOCSIS SEC
CMTSs are not picking the most secure cryptographic algorithm supported by the CM
Re-use of the CBC IV in each frame
Required by the specification
Identical packets will have identical ciphertext
![Page 72: Hacking cable modems the later years](https://reader034.fdocuments.us/reader034/viewer/2022042422/587960c41a28ab1e388b6333/html5/thumbnails/72.jpg)
Sniffing DOCSIS
MPEG packets, like normal TV, are used to encapsulate data (ISO/IEC 13818-1)
https://github.com/gmsoft-tuxicoman/pom-ng
https://bitbucket.org/drspringfield/cabletables
MPEG Encapsulation: MPEG packets > DOCSIS frames > ETHERNET frames > IPv4 > TCP
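Added example, not from the talk or from the tools linked above: a small Python parser for the outermost layer of that encapsulation, the 188-byte MPEG-2 transport stream packet of ISO/IEC 13818-1. It demultiplexes packets carrying DOCSIS MAC frames (the well-known PID 0x1FFE) from other PIDs and reports continuity-counter gaps, the first sanity check any capture or monitoring tool on this layer needs before trying to reassemble anything. Reassembly of MAC frames across packets (pointer_field handling and stuffing) is left out; the sample packets are constructed.

```python
TS_PACKET_LEN = 188
TS_SYNC_BYTE = 0x47
DOCSIS_PID = 0x1FFE        # well-known PID for DOCSIS MAC frames
STUFF_BYTE = 0xFF          # DOCSIS fills unused payload bytes with 0xFF


def parse_ts_header(pkt):
    """Decode the 4-byte TS header; returns a dict that includes the payload bytes."""
    if len(pkt) != TS_PACKET_LEN or pkt[0] != TS_SYNC_BYTE:
        raise ValueError("not a 188-byte TS packet with sync byte 0x47")
    b1, b2, b3 = pkt[1], pkt[2], pkt[3]
    hdr = {
        "tei": bool(b1 & 0x80),                # transport_error_indicator
        "pusi": bool(b1 & 0x40),               # payload_unit_start_indicator
        "pid": ((b1 & 0x1F) << 8) | b2,        # 13-bit packet identifier
        "scrambling": (b3 >> 6) & 0x3,         # transport_scrambling_control
        "afc": (b3 >> 4) & 0x3,                # adaptation_field_control
        "cc": b3 & 0x0F,                       # 4-bit continuity counter
    }
    offset = 4
    if hdr["afc"] & 0x2:                       # adaptation field present
        offset += 1 + pkt[4]
    hdr["payload"] = pkt[offset:] if hdr["afc"] & 0x1 else b""
    return hdr


def build_ts_packet(pid, cc, payload, pusi=False):
    """Construct a payload-only TS packet (afc=01), stuffed to 188 bytes."""
    if len(payload) > TS_PACKET_LEN - 4:
        raise ValueError("payload too long for one TS packet")
    b1 = (0x40 if pusi else 0) | ((pid >> 8) & 0x1F)
    b3 = (0x1 << 4) | (cc & 0x0F)
    body = payload + bytes([STUFF_BYTE]) * (TS_PACKET_LEN - 4 - len(payload))
    return bytes([TS_SYNC_BYTE, b1, pid & 0xFF, b3]) + body


def demux_docsis(stream):
    """Split a byte stream into TS packets, keep DOCSIS-PID payloads, and flag
    transport errors and continuity-counter gaps per PID.
    Returns (payloads, warnings)."""
    if len(stream) % TS_PACKET_LEN:
        raise ValueError("stream is not a whole number of TS packets")
    payloads, warnings, last_cc = [], [], {}
    for off in range(0, len(stream), TS_PACKET_LEN):
        hdr = parse_ts_header(stream[off:off + TS_PACKET_LEN])
        pid = hdr["pid"]
        if hdr["tei"]:
            warnings.append("PID 0x%04X: transport error flag set" % pid)
        if hdr["payload"]:                     # the counter advances only on payload-bearing packets
            prev = last_cc.get(pid)
            if prev is not None and hdr["cc"] != (prev + 1) & 0x0F:
                warnings.append("PID 0x%04X: continuity gap %d -> %d" % (pid, prev, hdr["cc"]))
            last_cc[pid] = hdr["cc"]
        if pid == DOCSIS_PID:
            payloads.append(hdr["payload"])
    return payloads, warnings


# Constructed stream: a DOCSIS packet that starts a MAC frame (pointer_field 0),
# a video packet on another PID, a second DOCSIS packet, then a DOCSIS packet
# whose counter skips a value, as a dropped packet would show up.
SAMPLE_STREAM = (
    build_ts_packet(DOCSIS_PID, 0, b"\x00" + b"DOCSIS-MAC-FRAME-1", pusi=True)
    + build_ts_packet(0x0100, 0, b"video")
    + build_ts_packet(DOCSIS_PID, 1, b"DOCSIS-MAC-FRAME-2")
    + build_ts_packet(DOCSIS_PID, 3, b"DOCSIS-MAC-FRAME-3")
)


if __name__ == "__main__":
    chunks, warns = demux_docsis(SAMPLE_STREAM)
    print(len(chunks), warns)  # 3 ['PID 0x1FFE: continuity gap 1 -> 3']
```

Everything at this layer is visible to any receiver tuned to the downstream, which is the point the slide makes: the MPEG framing and DOCSIS MAC headers are never encrypted, only the MAC frame payload is, and only once BPI+/SEC has been negotiated.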
![Page 73: Hacking cable modems the later years](https://reader034.fdocuments.us/reader034/viewer/2022042422/587960c41a28ab1e388b6333/html5/thumbnails/73.jpg)
Sniffing DOCSIS: Id the Victim
Sniff ARP traffic on the downstream and collect subnets
ICMP ping sweeps across subnets with various packet sizes
Correlate encrypted packet sizes with the sent ICMP packet lengths
Produce (MAC, IP) tuples
![Page 74: Hacking cable modems the later years](https://reader034.fdocuments.us/reader034/viewer/2022042422/587960c41a28ab1e388b6333/html5/thumbnails/74.jpg)
Sniffing DOCSIS
![Page 75: Hacking cable modems the later years](https://reader034.fdocuments.us/reader034/viewer/2022042422/587960c41a28ab1e388b6333/html5/thumbnails/75.jpg)
Sniffing DOCSIS
![Page 76: Hacking cable modems the later years](https://reader034.fdocuments.us/reader034/viewer/2022042422/587960c41a28ab1e388b6333/html5/thumbnails/76.jpg)
Sniffing DOCSIS
ARP traffic is in the clear
IP registration occurs prior to encryption/auth
Unless EAE is enabled (Early Authentication & Encryption)
![Page 77: Hacking cable modems the later years](https://reader034.fdocuments.us/reader034/viewer/2022042422/587960c41a28ab1e388b6333/html5/thumbnails/77.jpg)
Sniffing DOCSIS
![Page 78: Hacking cable modems the later years](https://reader034.fdocuments.us/reader034/viewer/2022042422/587960c41a28ab1e388b6333/html5/thumbnails/78.jpg)
Brazilian Criminals
![Page 79: Hacking cable modems the later years](https://reader034.fdocuments.us/reader034/viewer/2022042422/587960c41a28ab1e388b6333/html5/thumbnails/79.jpg)
Brazilian Criminals
![Page 80: Hacking cable modems the later years](https://reader034.fdocuments.us/reader034/viewer/2022042422/587960c41a28ab1e388b6333/html5/thumbnails/80.jpg)
Brazilian Criminals
![Page 81: Hacking cable modems the later years](https://reader034.fdocuments.us/reader034/viewer/2022042422/587960c41a28ab1e388b6333/html5/thumbnails/81.jpg)
Brazilian Criminals
![Page 82: Hacking cable modems the later years](https://reader034.fdocuments.us/reader034/viewer/2022042422/587960c41a28ab1e388b6333/html5/thumbnails/82.jpg)
Solutions: ISPs
Firmware Upgrades
Isolate DOCSIS network
ACL's
BPI+ Policy Total
TFTP Enforce
![Page 83: Hacking cable modems the later years](https://reader034.fdocuments.us/reader034/viewer/2022042422/587960c41a28ab1e388b6333/html5/thumbnails/83.jpg)
Solutions: ISPs
DMIC - Dynamically generates config file passwords (can't reuse)
Enforce EAE - Encrypts IP & DHCP process
Cable Privacy Hotlist (finds cloned modems)
![Page 84: Hacking cable modems the later years](https://reader034.fdocuments.us/reader034/viewer/2022042422/587960c41a28ab1e388b6333/html5/thumbnails/84.jpg)
Solutions: Vendors
No more backdoors
FCC certification – Security
Open Source?
TPM, Smart Cards?
![Page 85: Hacking cable modems the later years](https://reader034.fdocuments.us/reader034/viewer/2022042422/587960c41a28ab1e388b6333/html5/thumbnails/85.jpg)
Insecurity: Root Causes
Improperly configured CM/CMTS
Security flaws in CM/CMTS OS
Costs & Convenience
Backwards compatibility != Security
![Page 86: Hacking cable modems the later years](https://reader034.fdocuments.us/reader034/viewer/2022042422/587960c41a28ab1e388b6333/html5/thumbnails/86.jpg)
Myths
Perfect Clones (Theft of Service)
"Nobody is innocent"
"Needs physical access"
"You need JTAG, SPI"
![Page 87: Hacking cable modems the later years](https://reader034.fdocuments.us/reader034/viewer/2022042422/587960c41a28ab1e388b6333/html5/thumbnails/87.jpg)
Conclusion
The question remains:
Is DOCSIS a secure & viable communications protocol?
![Page 88: Hacking cable modems the later years](https://reader034.fdocuments.us/reader034/viewer/2022042422/587960c41a28ab1e388b6333/html5/thumbnails/88.jpg)
R.I.P TG862 SN XXXXXXXX91344
2015
IN MEMORIAM