Security has been a hot topic lately. As I’m writing this article I think about all of the recent events we hear about that impact our daily lives, such as:
These headlines are really quite scary. I’m certain that some, possibly many, of you have experienced security issues first hand. Have you ever had to have your credit card replaced? Have you had your email compromised? How about identity theft?
These are serious and scary times we live in, where breaking into our homes or businesses and taking personal and private property is something that can be done without ever physically entering a building. Why does this concern us? Because DOCSIS networks may represent a weak link in the chain that a hacker is looking to exploit.
How is this possible? There are many motivations behind a person, an organization or a nation state targeting a person or company. It could be financial, personal, political or just for fun. In any event the attacker will look for a point of weakness. Two key points of weakness in our DOCSIS networks are the CMTS and the cable modems. As an industry we could use more dialog on securing our networks. This article is intended to bring awareness to the issue and open that dialog.
Let's talk about the cable modem and some issues we should consider. There are some well known and Internet-documented exploits on name brand cable modems. As an example, look at Vulnerability Note VU#855836 from Homeland Security on how certain modems can easily be exploited by SNMP (Simple Network Management Protocol). This hack is not limited to the vendor listed in the vulnerability note; it is more widespread, as documented in a number of hacker chat rooms. Further, the researchers who investigated this hack found that they could expose the password, SSID, WPA pre-shared key, WEP keys and, in the case of one modem, the username. This basically gives a hacker complete access to your home or office network if you have one of the compromised modems running the legacy firmware. Take note and be sure you are running updated firmware and are staying on top of these knowledge base issues.
SNMP in general is the number one way that hackers gain access into the DOCSIS network. Much of the time this is strictly for theft of service. However, we cannot always assume that is the case. In the config file that is downloaded to the cable modem there are typically two SNMP community strings, set through MIB objects: one that provides a read-only (RO) SNMP community string and another that provides a read-write (RW) SNMP community string. Oftentimes administrators find it convenient to use ‘public’ and ‘private’ as the default community strings. This is like using ‘password’ as your user password, offering little protection against hackers. It is very easy for hackers to guess these community strings, and then they have access to read the data on your modem. To add one more layer of protection it is recommended to disable SNMP access at the cable modem and restrict SNMP access to specific IP addresses. This is done through access control lists (ACLs) on the CMTS and in the cable modem config file.
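As an added example (not code from the original article), the following audit script checks the SNMP access rows of a cable modem config file for the three weaknesses described above: default community strings, SNMP reachable from any IP, and read-write access not pinned to a single management host. It assumes the text syntax used by the open-source `docsis` encoder and the docsDevNmAccess table from the DOCS-CABLE-DEVICE-MIB (RFC 2669); the sample config is constructed.

```python
"""Audit SNMP access rows in a text-form DOCSIS cable modem config."""
import re
from collections import defaultdict

# Constructed sample config in the text syntax of the open-source `docsis`
# encoder (assumed format; real operator files will vary).
SAMPLE_CONFIG = """
Main {
    NetworkAccess 1;
    SnmpMibObject docsDevNmAccessIp.1 IPAddress 0.0.0.0 ;
    SnmpMibObject docsDevNmAccessIpMask.1 IPAddress 0.0.0.0 ;
    SnmpMibObject docsDevNmAccessCommunity.1 String "public" ;
    SnmpMibObject docsDevNmAccessControl.1 Integer 2 ;
    SnmpMibObject docsDevNmAccessIp.2 IPAddress 0.0.0.0 ;
    SnmpMibObject docsDevNmAccessIpMask.2 IPAddress 0.0.0.0 ;
    SnmpMibObject docsDevNmAccessCommunity.2 String "private" ;
    SnmpMibObject docsDevNmAccessControl.2 Integer 3 ;
    SnmpMibObject docsDevNmAccessIp.3 IPAddress 10.20.30.40 ;
    SnmpMibObject docsDevNmAccessIpMask.3 IPAddress 255.255.255.255 ;
    SnmpMibObject docsDevNmAccessCommunity.3 String "r7Kx!mQ2vZpL" ;
    SnmpMibObject docsDevNmAccessControl.3 Integer 3 ;
}
"""

# Captures (field, row index, value) from each docsDevNmAccess* line.
ROW_RE = re.compile(
    r'SnmpMibObject\s+docsDevNmAccess(\w+)\.(\d+)\s+\w+\s+"?([^"\s;]+)"?')
WEAK_COMMUNITIES = {"public", "private"}
# docsDevNmAccessControl: readWrite(3) and rwWithTraps(5) grant write access.
RW_CONTROL = {"3", "5"}

def parse_access_rows(text):
    """Group docsDevNmAccess* objects by their table row index."""
    rows = defaultdict(dict)
    for field, idx, value in ROW_RE.findall(text):
        rows[int(idx)][field] = value
    return dict(rows)

def audit(text):
    """Return (row, finding) tuples for each weakness found."""
    findings = []
    for idx, row in sorted(parse_access_rows(text).items()):
        community = row.get("Community", "")
        if community.lower() in WEAK_COMMUNITIES or len(community) < 8:
            findings.append((idx, "weak community string"))
        # Address 0.0.0.0 with mask 0.0.0.0 matches any manager (no ACL).
        if row.get("Ip") == "0.0.0.0" and row.get("IpMask") == "0.0.0.0":
            findings.append((idx, "SNMP reachable from any IP (no ACL)"))
        if row.get("Control") in RW_CONTROL and row.get("IpMask") != "255.255.255.255":
            findings.append((idx, "read-write access not pinned to one host"))
    return findings

if __name__ == "__main__":
    for row, finding in audit(SAMPLE_CONFIG):
        print(f"row {row}: {finding}")
```

Rows 1 and 2 reproduce the weak defaults the paragraph warns about and are flagged; row 3, a strong community string pinned to one management station, passes.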
The CMTS is another point of significant opportunity for would-be hackers. One of the most common issues occurs when a CMTS is left with a public IP address exposed for everyone to see. Sometimes this is done intentionally because the CMTS is directly connected to the network. Other times a CMTS may be temporarily connected to a public IP address for maintenance purposes. This means the CMTS becomes an opportunity for any hacker to attack it like any other computer. The most frequent occurrences are denial of service (DoS) attacks, which result in the CMTS being hit with so much unwanted traffic that regular subscriber traffic is no longer able to traverse the CMTS.
There are some common steps and recommended best practices for securing your DOCSIS network.
For more, watch John Downey, Dan Hegglin, Brian Wilson and Brady Volpe’s Hangout on DOCSIS security: https://youtu.be/UtB73mOQdWo or listen on iTunes: https://itunes.apple.com/us/podcast/docsis-internet-security/id903366948?i=339882900&mt=2