Theft of Service via Cloning

DOCSIS Security – If only cloning your favorite pet was as easy as cloning a MAC address on a cable modem. There are dozens of websites out there giving subscribers or hackers step-by-step instructions on how to clone a MAC address. Each cable modem, regardless of brand, is uniquely identified by its cable modem ID, or MAC address (short for Media Access Control). This address is programmed into a writable memory address of the hardware in the cable modem, and is associated with a specific user account.

What is MAC Address Cloning? It is changing the MAC address on a cable modem so that it matches the address of some other cable modem, ideally one that has been provisioned on the cable system. It is difficult to change the physical MAC address in hardware, so often the process of cloning is accomplished by emulating a new MAC address in software. Whether the MAC address is altered in hardware or in software, it is still called cloning.

Why clone a MAC address? In order for a cable modem to register with the CMTS, it must get an IP address from a DHCP server. Before the DHCP server will give the cable modem an IP address, it will first check with a server to see if the MAC address of the cable modem is allowed to be on the network, if the subscriber has paid their bill and what speed service the subscriber should receive. If someone has a cable modem that they have not purchased service for, then their MAC address will not be in the database. So they may look for a MAC address that has paid for service, such as their neighbor's, clone that address onto their cable modem, and then start getting free service.

As you might have guessed, cloning a MAC address is easy enough that even a caveman can do it, or at least someone motivated. However, securing a DOCSIS network against simple cloning is reasonably straightforward. I have been in many systems where even basic steps have not been implemented, usually due to lack of understanding of the possible solution and the importance of it. Turning on BPI+ is such a solution, as I have discussed in past posts and at SCTE lectures. Turning on BPI+ is an easy solution, but that does not mean it is a mindless exercise. In order for it to work properly, the correct steps need to be followed. Contacting the vendor or an expert in the field might be your best bet.

So why should cable operators care about cable modem MAC address cloning?  Lost Revenue and Legal Liability.  Plain and simple.

Securing a DOCSIS network against advanced cloning that includes knowledge of security certificates is much more difficult and requires secondary fraud detection systems offered by in-house or third-party vendors specializing in such detection methods. Large MSOs usually have in-house solutions and a team of experts working on this issue. Small to mid-size cable operators should consider third-party applications such as Incognito or Intraway (full disclosure: I have done a blog post on Intraway but was not compensated for my review). One size does not fit all systems, so shopping around and finding the best fit for your company is advisable. Find personnel internal or external to your organization to review your system needs vs. the applications available on the market in order to get the best solution.
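One simple check that a secondary detection process could run, shown as an added example (not from the original post and not any vendor's product): flag a MAC address that comes online at one location while it is still online at another. The log format, CMTS names, interfaces and MAC addresses below are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample records (not real CMTS output):
# timestamp, event, modem MAC, CMTS name, cable interface
SAMPLE_LOG = """\
2024-03-01T08:00:00 ONLINE 00:11:22:33:44:55 cmts-east Cable1/0
2024-03-01T08:05:00 ONLINE 00:aa:bb:cc:dd:01 cmts-east Cable1/1
2024-03-01T09:30:00 ONLINE 00:11:22:33:44:55 cmts-west Cable3/0
2024-03-01T10:00:00 OFFLINE 00:aa:bb:cc:dd:01 cmts-east Cable1/1
2024-03-01T10:10:00 ONLINE 00:aa:bb:cc:dd:01 cmts-west Cable2/0
2024-03-01T11:00:00 OFFLINE 00:11:22:33:44:55 cmts-west Cable3/0
"""


def parse_line(line):
    ts, event, mac, cmts, iface = line.split()
    return datetime.fromisoformat(ts), event, mac.lower(), (cmts, iface)


def find_concurrent_duplicates(log_text):
    """Return one alert each time a MAC comes online while already online elsewhere."""
    online = defaultdict(dict)  # mac -> {(cmts, iface): time it came online}
    alerts = []
    records = sorted(parse_line(l) for l in log_text.splitlines() if l.strip())
    for ts, event, mac, loc in records:
        if event == "ONLINE":
            for other_loc in online[mac]:
                if other_loc != loc:
                    alerts.append({"mac": mac, "time": ts,
                                   "locations": (other_loc, loc)})
            online[mac][loc] = ts
        elif event == "OFFLINE":
            # A modem that moved or rebooted goes offline first, so it is not flagged.
            # Real feeds can miss OFFLINE events; a production check needs a timeout.
            online[mac].pop(loc, None)
    return alerts


if __name__ == "__main__":
    for a in find_concurrent_duplicates(SAMPLE_LOG):
        first, second = a["locations"]
        print(f"{a['time']} duplicate MAC {a['mac']}: {first} and {second}")
```

In the sample, the first MAC is flagged because it is online on two CMTSs at once, while the second MAC, which went offline before reappearing elsewhere, is not.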

In serious cases of cloning, a hacker may clone more than one cable modem in order to get large amounts of bandwidth to their home. More than one hacker forum has users discussing multiple cloned modems in operation at the same time. This enables them to have the modems online without uncapping the modems, which may raise a red flag in some systems, as discussed in the previous post. The person doing the cloning is then able to achieve higher bandwidths by having multiple cable modems online rather than one cable modem with unlimited speeds. In the end the impact to the DOCSIS network is the same: overutilization by one person, lost revenue to the cable operator and loss of network capacity. Rogue users like this on your network will throw a big monkey wrench into any capacity planning efforts you are undertaking too.

So if you have not been concerned about theft of service via MAC address cloning before, perhaps it's time to take a second look. Something that I covered in my first article on this topic was the less tangible concerns of illegal and illicit activities which could occur over a cloned cable modem not sanctioned by a cable operator, but nevertheless still on the network. If the cable modem is a cloned modem of another subscriber and the illegal activities are traced back to the innocent subscriber, the next step of a good attorney, FBI, HLS, etc. is to determine if the cable operator took the proper steps to protect its network. A subscriber cannot do anything to prevent cloning of their cable modem; only the cable operator can. The takeaway is to make sure you are doing enough to protect your network.
