Theft of Service via Cloning
DOCSIS Security – If only cloning your favorite pet were as easy as cloning the MAC address on a cable modem. Dozens of websites give subscribers and hackers step-by-step instructions for cloning a MAC address. Every cable modem, regardless of brand, is uniquely identified by its MAC (Media Access Control) address. The address is stored in writable memory on the modem's hardware, and the cable operator's provisioning system associates it with a specific subscriber account.
What is MAC address cloning? It is changing the MAC address of a cable modem so that it matches the address of another cable modem, ideally one that is already provisioned on the cable system. Changing the physical MAC address in hardware is difficult, so cloning is usually done by emulating the new MAC address in the modem's firmware or software. Whether the address is altered in hardware or in software, it is still called cloning.
Why clone a MAC address? For a cable modem to register with the CMTS it must obtain an IP address from a DHCP server. Before the DHCP server hands out an address, it checks with the provisioning system whether that MAC address is allowed on the network, whether the subscriber has paid the bill, and which service tier the subscriber should receive (in DOCSIS the tier is set by the configuration file the modem is then told to download). Someone with a cable modem but no service therefore has a MAC address that is not in the database. So they look for a MAC address that does have paid service, such as the neighbor's, clone that address onto their own modem, and start receiving free service. The weakness is that in this flow the MAC address is the only credential being checked, and it is not a secret.
As you might have guessed, cloning a MAC address is easy enough that even a caveman can do it, or at least anyone motivated. Securing a DOCSIS network against simple cloning, however, is reasonably straightforward. I have been in many systems where even basic steps have not been implemented, usually due to a lack of understanding of the possible solution and of its importance. Turning on BPI+ (Baseline Privacy Interface Plus, the DOCSIS 1.1 and later feature that authenticates each modem with an X.509 device certificate issued by its manufacturer and encrypts its traffic) is such a solution; I have discussed it in past posts and at SCTE lectures. Because the certificate names the modem's MAC address and the modem must be able to decrypt the authorization key that the CMTS encrypts to the certificate's public key, a modem that merely copies someone else's MAC fails authorization. Turning on BPI+ is easy, but that does not make it a mindless exercise: it only helps if the CMTS is configured to require it, so that a modem which never completes BPI+ authorization is rejected rather than left online unencrypted, and the correct steps need to be followed for it to work properly. Contacting the vendor or an expert in the field might be your best bet.
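To make concrete why BPI+ stops a MAC-only clone, here is an added example, written for this page rather than taken from the post or from any CMTS vendor's code. It simulates the CMTS side of BPI+ authorization in Go: verify the modem's device certificate against the trusted CA, check that the certificate's subject CN is the MAC the modem is registering with, then send back the Authorization Key (AK) encrypted to the certificate's RSA public key. A single stand-in manufacturer CA replaces the real DOCSIS root/manufacturer certificate hierarchy, the 2048-bit keys and 24-hour validity are simplifications, and the names `issue`, `cmtsAuthorize` and `cloneOutcome` are my own.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"strings"
	"time"
)

func must(err error) {
	if err != nil {
		panic(err)
	}
}

// issue generates an RSA-2048 key and a certificate for it. A CA is self-signed
// (parent and signer are then ignored): one stand-in manufacturer CA replaces the
// real DOCSIS hierarchy. A device certificate gets the modem's MAC as subject CN,
// which is how BPI+ ties a certificate to exactly one modem.
func issue(parent *x509.Certificate, signer *rsa.PrivateKey, cn string, isCA bool) (*x509.Certificate, *rsa.PrivateKey) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	must(err)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      pkix.Name{Organization: []string{"Example CM Vendor"}, OrganizationalUnit: []string{"DOCSIS"}, CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment,
	}
	if isCA {
		tmpl.IsCA, tmpl.BasicConstraintsValid, tmpl.KeyUsage = true, true, x509.KeyUsageCertSign
		parent, signer = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	must(err)
	cert, err := x509.ParseCertificate(der)
	must(err)
	return cert, key
}

// cmtsAuthorize is the CMTS side of BPI+ authorization: validate the device
// certificate chain, check that its CN is the MAC the modem is registering with,
// then return a fresh 160-bit AK wrapped to the certificate's RSA public key with
// PKCS#1 v1.5 as BPI+ does. Only the holder of the matching private key can
// unwrap it, so a modem that merely copied the MAC never obtains traffic keys.
func cmtsAuthorize(roots *x509.CertPool, mac net.HardwareAddr, cmCert *x509.Certificate) (ak, wrapped []byte, err error) {
	if _, err = cmCert.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}); err != nil {
		return nil, nil, fmt.Errorf("device certificate rejected: %w", err)
	}
	if !strings.EqualFold(cmCert.Subject.CommonName, mac.String()) {
		return nil, nil, fmt.Errorf("MAC %s does not match certificate CN %q", mac, cmCert.Subject.CommonName)
	}
	ak = make([]byte, 20)
	if _, err = rand.Read(ak); err != nil {
		return nil, nil, err
	}
	pub := cmCert.PublicKey.(*rsa.PublicKey) // this toy PKI only issues RSA certificates
	wrapped, err = rsa.EncryptPKCS1v15(rand.Reader, pub, ak)
	return ak, wrapped, err
}

// cloneOutcome registers one provisioned modem and two clones of its MAC and
// reports which of the three ends up holding a usable AK.
func cloneOutcome() (genuine, ownCert, replayedCert bool) {
	mac := net.HardwareAddr{0x00, 0x11, 0x22, 0x33, 0x44, 0x55}
	ca, caKey := issue(nil, nil, "Example CM Vendor Manufacturer CA", true)
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	cert, key := issue(ca, caKey, mac.String(), false)
	// Genuine modem: trusted certificate, matching MAC, matching private key.
	ak, wrapped, err := cmtsAuthorize(roots, mac, cert)
	must(err)
	got, err := rsa.DecryptPKCS1v15(rand.Reader, key, wrapped) // modem side
	genuine = err == nil && string(got) == string(ak)
	// Clone 1: right MAC, but in a certificate from a CA the CMTS does not trust.
	rogueCA, rogueKey := issue(nil, nil, "Rogue CA", true)
	rogueCert, _ := issue(rogueCA, rogueKey, mac.String(), false)
	_, _, err = cmtsAuthorize(roots, mac, rogueCert)
	ownCert = err == nil
	// Clone 2: replays the genuine certificate (it is sent in the clear in the
	// Auth Request) but holds only its own key, so the wrapped AK is useless.
	cloneKey, err := rsa.GenerateKey(rand.Reader, 2048)
	must(err)
	ak, wrapped, err = cmtsAuthorize(roots, mac, cert)
	must(err)
	got, err = rsa.DecryptPKCS1v15(rand.Reader, cloneKey, wrapped)
	replayedCert = err == nil && string(got) == string(ak)
	return genuine, ownCert, replayedCert
}

func main() {
	g, o, r := cloneOutcome()
	fmt.Printf("genuine modem holds AK: %v\nclone with own certificate: %v\nclone replaying real certificate: %v\n", g, o, r)
}
```

The three outcomes it reports are the whole argument: the genuine modem recovers the AK, a clone presenting a certificate the CMTS does not trust is rejected at chain validation, and a clone that replays the genuine certificate passes validation but cannot decrypt the AK, so it never gets traffic keys. That last case is also why a modem that does not complete BPI+ authorization must be rejected rather than tolerated: if the CMTS does not require BPI+, the clone simply skips this exchange.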
So why should cable operators care about cable modem MAC address cloning? Lost Revenue and Legal Liability. Plain and simple.
Securing a DOCSIS network against advanced cloning, where the attacker has also extracted a legitimate modem's BPI+ certificate and private key, is much more difficult and requires secondary fraud-detection systems, offered by in-house teams or third-party vendors specializing in such detection methods. Large MSOs usually have in-house solutions and a team of experts working on this issue. Small to mid-size cable operators should consider third-party applications such as Incognito or Intraway (full disclosure: I have done a blog post on Intraway but was not compensated for my review). One size does not fit all systems, so shopping around for the best fit for your company is advisable. Find personnel, internal or external to your organization, to review your system needs against the applications on the market in order to get the best solution.
In serious cases of cloning, a hacker may clone more than one cable modem in order to pull large amounts of bandwidth into their home. More than one hacker forum has users discussing multiple cloned modems in operation at the same time. This lets them stay online without uncapping the modems, which, as discussed in the previous post, may raise a red flag in some systems. The person doing the cloning then achieves higher bandwidth by running several cloned modems rather than one modem with unlimited speed. In the end the impact on the DOCSIS network is the same: over-utilization by one person, lost revenue for the cable operator, and lost network capacity. Rogue users like this will also throw a big monkey wrench into any capacity planning you are undertaking.
So if you have not been concerned about theft of service via MAC address cloning before, perhaps it's time to take a second look. Something I covered in my first article on this topic was the less tangible concern of illegal and illicit activity carried out over a cloned cable modem that the cable operator never sanctioned but that is nevertheless on the network. If the cloned modem copies another subscriber's MAC and the illegal activity is traced back to that innocent subscriber, the next step for a good attorney, the FBI, Homeland Security, etc. is to determine whether the cable operator took the proper steps to protect its network. A subscriber cannot do anything to prevent cloning of their cable modem; only the cable operator can. The takeaway is to make sure you are doing enough to protect your network.
With BPI+, 99% of MAC address cloning is stopped. Does any customer still give service for 1.0 modems? Only they have to worry about this.
I've another issue in my mind. Let's say I have modem MAC A and I'm online. My friend knows my MAC A, configures MAC A in his system and keeps sending Initial Ranging packets to the CMTS. In this case all CMTSs (Cisco, Moto) just reset the modem (my modem, which is the original one) and process my friend's ranging packet. His intention is not to access DOCSIS service, just to make my modem go offline and disturb me.
Does any CMTS right now give a solution for this? What do you think a good solution for this would be?
-Santo.
Hi Santo,
You raise a very good point. Cloning can cause problems for the other cable modem user of the cloned MAC. I don't have a good solution because it depends upon how the cable operator is approaching security in their network. If they have proactive measures in place, then there is a possibility that the legal cable modem's service could be impacted. It is more likely that the CMTS will recognize the legal cable modem as being on a specific port and also having a specific timing offset, so in the ideal case the legal modem will stay online while the cloned modem is rejected. But this is only if anti-fraud measures are in place.
-Brady
Hello Brady,
What about when some cable modems connect to the network without even being provisioned? We have 3 cases where the MAC addresses weren't clones because they don't exist in our database. We currently have implemented in our CMTSs BPI+, tftp enforce and even dynamic shared secret; the last two are configured with the "mark only" option, and that's how we were able to notice the rogue modems.
We are running some tests with the "reject" option for these cases to see what happens.
The main issue for me is to know how they bypass all the security and, even without being in our provisioning system database, are able to get operational.
Regards!
Hi Danilo,
It sounds as if you have taken good fundamental steps to prevent basic hacking, but as I have mentioned, a good hacker will be able to circumvent the standard systems you have in place. Some things I would start asking you, as a client, would be: are you using Cisco CNR or Incognito as your provisioning system? What CMTS and IOS are you using? What are your CMTS "deny" and "allow" settings? SNMP settings? Is there any access to your CMTS admin ports via public IPs? Etc.
There are many easy ways to gain access to the DOCSIS network other than provisioning. You need to start identifying and plugging those holes. Feel free to contact me if you want a consult.
-Brady
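Brady's reply to Santo above hinges on the CMTS knowing which port the legitimate modem sits on and what its timing offset is, the post's discussion of multiple cloned modems describes one MAC turning up in several places, and Danilo's comment describes modems that are online although the provisioning database has never heard of them. As an added example, not code from the post, from the commenters, or from any CMTS or provisioning vendor, here is a small Go correlator over constructed registration events that flags those three patterns. The event shape, the `cmts1`/`Cable5/0/0/U1` naming, the sample MACs and the `offsetTolerance` of 100 ticks are all my assumptions; real CMTS output differs by vendor, and the tolerance must be tuned from the drift observed on your own plant.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// regEvent is one modem registration as a CMTS reports it (constructed shape;
// real CMTS logs and "show cable modem" output differ by vendor).
type regEvent struct {
	Time     string // HH:MM, used only to order the sample
	MAC      string // as the CMTS prints it, in any common notation
	CMTS     string
	Upstream string // upstream interface the modem ranged on
	Offset   int    // timing offset the CMTS measured, in DOCSIS ticks
}

// offsetTolerance is the largest offset change attributed to plant drift or a
// re-range of the same modem. The value is an assumption for the example; tune
// it from the variation you actually observe on your plant.
const offsetTolerance = 100

// normalizeMAC accepts 00:11:22:33:44:55, 00-11-22-33-44-55 and the Cisco
// 0011.2233.4455 notation and returns lower-case colon form, or "" for junk.
func normalizeMAC(s string) string {
	hex := strings.NewReplacer(".", "", ":", "", "-", "").Replace(strings.ToLower(strings.TrimSpace(s)))
	if len(hex) != 12 || strings.Trim(hex, "0123456789abcdef") != "" {
		return ""
	}
	parts := make([]string, 6)
	for i := range parts {
		parts[i] = hex[2*i : 2*i+2]
	}
	return strings.Join(parts, ":")
}

// detectClones correlates registrations per MAC and returns, for each
// suspicious MAC, the reasons it was flagged. provisioned maps a normalized
// MAC to its service class, the same lookup the provisioning system makes
// before DHCP answers a modem.
func detectClones(events []regEvent, provisioned map[string]string) map[string][]string {
	evs := append([]regEvent(nil), events...) // sort a copy, not the caller's slice
	sort.SliceStable(evs, func(i, j int) bool { return evs[i].Time < evs[j].Time })
	byMAC := map[string][]regEvent{}
	for _, e := range evs {
		if m := normalizeMAC(e.MAC); m != "" {
			byMAC[m] = append(byMAC[m], e)
		}
	}
	findings := map[string][]string{}
	for mac, es := range byMAC {
		// Rule 1: a modem that is online but unknown to provisioning got in by
		// some path other than the normal DHCP/TFTP flow.
		if _, ok := provisioned[mac]; !ok {
			findings[mac] = append(findings[mac], "online but not in provisioning database")
		}
		// Rule 2: one MAC cannot hang off two upstream ports at the same time.
		ports := map[string]bool{}
		for _, e := range es {
			ports[e.CMTS+" "+e.Upstream] = true
		}
		if len(ports) > 1 {
			findings[mac] = append(findings[mac], fmt.Sprintf("registered on %d different upstreams", len(ports)))
			continue
		}
		// Rule 3: same port, but the timing offset jumps further than drift
		// explains: a second modem at a different distance from the CMTS is
		// ranging with this MAC (a neighbour knocking the real modem offline).
		for i := 1; i < len(es); i++ {
			if d := es[i].Offset - es[i-1].Offset; d > offsetTolerance || d < -offsetTolerance {
				findings[mac] = append(findings[mac], fmt.Sprintf("timing offset jumped %d ticks on %s %s", d, es[i].CMTS, es[i].Upstream))
				break
			}
		}
	}
	return findings
}

// Constructed sample: four MACs over one morning on two CMTSs.
var sampleEvents = []regEvent{
	{"08:00", "0011.2233.4455", "cmts1", "Cable5/0/0/U1", 2400},
	{"08:05", "00:11:22:33:44:55", "cmts1", "Cable5/0/0/U1", 2412}, // normal drift
	{"08:10", "0011.2233.4455", "cmts1", "Cable5/0/0/U1", 3150},    // a second house
	{"08:02", "00:11:22:33:44:66", "cmts1", "Cable5/0/0/U2", 1500},
	{"08:03", "00-11-22-33-44-66", "cmts2", "Cable3/0/1/U0", 900},  // two places at once
	{"08:04", "00:11:22:33:44:77", "cmts1", "Cable5/0/0/U3", 1800}, // unknown to provisioning
	{"08:06", "00:11:22:33:44:88", "cmts2", "Cable3/0/1/U1", 2100}, // clean
}

var sampleProvisioning = map[string]string{
	"00:11:22:33:44:55": "100M",
	"00:11:22:33:44:66": "50M",
	"00:11:22:33:44:88": "50M",
}

func main() {
	findings := detectClones(sampleEvents, sampleProvisioning)
	macs := make([]string, 0, len(findings))
	for m := range findings {
		macs = append(macs, m)
	}
	sort.Strings(macs)
	for _, m := range macs {
		fmt.Printf("%s: %s\n", m, strings.Join(findings[m], "; "))
	}
}
```

Run against the sample, the correlator flags 00:11:22:33:44:55 for a 738-tick offset jump on the same upstream (Santo's scenario), 00:11:22:33:44:66 for being on two upstreams at once (the multi-clone case), and 00:11:22:33:44:77 for being online without a provisioning record (Danilo's case), and leaves the clean modem alone. The "mark only" style of deployment Danilo describes is the right way to start with any rule like this: log the finding, confirm it against trouble tickets and the plant map, and only then move to rejecting.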