Hacking DOCSIS Cable Modem

Fundamental Precautions You Should Take to Secure Your Network

I hope the title of this post caught your eye.  DOCSIS security holes are a serious problem, even if you are a major MSO (Multiple System Operator).  Look at this from the subscriber’s point of view: you have a coax cable coming into your house.  You’re paying for some level of DOCSIS cable modem service and you just want to get a little more speed out of your modem.  If I’m already getting 12 Mbps, what is the difference if I up it to 20 Mbps?  Hey, who of us can honestly say we have never broken the speed limit?  Have you never driven 50 MPH in a 40 MPH speed zone?  Most people can self-justify a lot of small “law bending infractions”, but what hackers may not realize is the impact they have on other users in the network.  Further, there are hackers who do not pay for service at all and connect cloned modems to get free service.  Finally, with DOCSIS 3.0, uncapping modems could result in hackers accessing download speeds in excess of 150 Mbps+.  Depending upon what they are doing, this could have significant impacts on other services being offered to subscribers.

Recently a reader contacted me and said that theft of service, especially uncapping cable modems via hacking, was still impacting his network.  Not surprisingly, one vendor’s CMTS was able to ward off the hackers while another vendor’s CMTS was unable to prevent the uncapping and subsequent theft of service.  I will protect the vendors’ identities because I believe that the CMTS is the first line of defense.  Vendors have put into place very effective, CMTS-specific techniques, such as Cisco’s TFTP-Enforce, which prohibits a cable modem from registering and coming on-line if there is no matching TFTP traffic through the CMTS preceding the registration attempt.  But often individual techniques are “hacked” (such as in the TFTP-Enforce bypass method found on hacker sites).  What this indicates is that any reliance on a single point or method of hack-proofing your network WILL NOT WORK.  You must implement a layered approach consisting of a number of CMTS, DHCP, TFTP and potentially SNMP and Kerberos related methods.  The latter would apply for MTAs and set-top boxes.  For now we will just focus on cable modems and the realm of CMTSs and DHCP/TFTP servers.  Here is the bare minimum of what you should be doing:

CMTS Hacking Safety

Layer 2 vs Layer 3 – In a previous DOCSIS 3.0 post, I briefly discussed how a CMTS can be configured as either a Layer 2 or a Layer 3 device.  Consider your Layer 2 device to be a basic switch.  From a hacking standpoint, let’s look at it as a direct connection from the hacker’s computer to your network.  As we move up to a Layer 3 (router) configuration, we now have something that we can configure as a very rudimentary firewall, but the base configuration of any CMTS does not look like a firewall from a hacker’s point of view.  It is more like a speed bump.  So let’s make certain that we have enabled the basic security features within the DOCSIS specifications starting with the Baseline Privacy Plus Interface Specification (BPI+).

BPI+

BPI+ should be considered a MUST do in every DOCSIS network.  Why?  Because it protects subscriber data from being viewed by malicious users in addition to thwarting potential hackers by using 56-bit or 40-bit DES encryption (56-bit DES is standard).  There are two types of encryption under the BPI umbrella, BPI and BPI+.  BPI was first released in 1999 under DOCSIS 1.1.  This was rather weak encryption because it did not authenticate cable modems with unique certificates.  BPI was later enhanced to BPI+, which incorporates digital certificates issued by VeriSign Corporation which are uniquely chained to the individual MAC address of each cable modem.  For every cable modem’s MAC address there can be only one uniquely created digital certificate in existence.  VeriSign and vendors work closely together to ensure that the trust is not broken during the creation of the certificates and the manufacture of the cable modems.  Breaking this trust would be cause for a vendor to have all of their previous, current and future certificates revoked in addition to suffering significant financial penalties.  The result is assurance to the cable operator that enforcing BPI+ should ensure that a BPI+ verified cable modem is a paying customer.  How do hackers defeat this?  There are a couple of key ways:

  • The biggest hole in BPI+ is that cable operators turn on the “allow self-signed certificates” in their CMTS.  Why do they do this?  Because they are using legacy test equipment, outdated test equipment or non-conforming test equipment that does not support BPI+ certificates.  If your hand-held test equipment vendor cannot upgrade your equipment to BPI+, find a new vendor, because you are enabling hackers in your network to create their own self-signed certificates, install them in their own cable modems with “valid MAC addresses” sniffed from your network and steal your service.
  • Disable self-signed certificates and plug the hole
  • Another hole in BPI+ is that many systems still have old cable modems that do not support BPI+ and so operators will enable BPI+ in its most limited mode.  In this case, modems that support BPI+ will be required to register with BPI+, but modems that do not support BPI+ will register in BPI mode or with no encryption at all.  This is an open door once again for hackers.
  • Require “bpi-plus-enforce” on all CMTSs – this means only modems that support BPI+ will be able to register
  • Monitor “cloned MAC Addresses” across your network – a good hacker will still be able to clone a cable modem MAC along with its digital certificate, but this will show up on your CMTS logs.  Automatic monitoring of your CMTS logs for this event will rapidly identify this hacker and enable you to give him the boot.

Modem Registration and Uncapping

We will assume now that you have adequately enforced BPI+ to the point that all modems on-line are valid in the provisioning system because only valid MAC addresses can pass the stringent tests that are part of BPI+ registration.  So your next major weakness is going to be in your provisioning system.  You see, now hackers will be forced into paying for at least basic data service.  Hey, this is at least a start.  You have some money coming in right?  Oh but wait.  If your IP network is not properly secured, these guys and gals are going to intercept the standard TFTP file your systems download to the cable modem during registration, alter the TFTP file and then configure their modem to download their modified TFTP file.  What will this do?  If all they are interested in doing is fast downloads, then they will max out the download and upload speed of their modem.  If your system is really open (meaning no PacketCable security), then they could even give themselves fast speed and guaranteed QoS (Quality of Service), which means that their traffic would have priority over everyone else.  This type of QoS is called a Static Service Flow as compared to the Dynamic Service Flows provided in a PacketCable environment.  A smart hacker with a Static Service flow is a serious issue in your network.  So what do you do?

Let’s first look at the problem graphically:

[Figure: DOCSIS cable modem registration using On-The-Fly (OTF) TFTP]

The above diagram shows the DOCSIS cable modem registration process after ranging (for more information on ranging see DOCSIS 101_modem-registration).  Steps 2-4 show where the DHCP server checks with the back-office server(s) to make certain that the cable modem sending the DHCP Discover message is a paying customer.  If so, then in step 5, the DHCP server continues its normal mode of providing IP addresses, options, etc.  In step 7, the cable modem requests the TFTP configuration file as normal.  Typically the TFTP server would just send the TFTP file directly to the cable modem without any encryption.  This is where hackers have a field day: they intercept the file, modify it, etc., and then your happy hacker has an uncapped modem.  So what are you to do?

Well, there are a number of options.  The picture above shows one good example employed by the folks at Incognito, who have a quite secure provisioning system for up to DOCSIS 3.0 and PacketCable Multimedia (www.incognito.com).  The Incognito server does at least two things (that I am aware of):

  • It dynamically generates the configuration file On-The-Fly (OTF) and downloads it to the cable modem.
  • It randomly generates a 64-byte name (last time I checked the length was 64 ASCII characters), so the file name changes every time.

Why is this important?  Because one of the techniques a hacker will use is to substitute the TFTP download with their own local copy of their modified TFTP file.  The problem that now occurs is that the file the cable modem is asking for is completely different from the one the hacker originally obtained because the DHCP server generates a new file name each time.  The hacker will never be able to replicate a randomized file name.  So even though the file sitting on your TFTP server is called “silver.cm”, your DHCP server is setting a proxy for that file and telling your cable modem to fetch “kjdhie8&^$lsk(uej&$nmJHEuI8&^yhNM,>Lkhy6tGftRFgt%$rgbnM<.lkIJuy7” and the next time this sequence will completely change.  Pretty simple, but for the hacker it’s a real headache.
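A minimal sketch of the per-registration file-name idea, added here as an example; it is not Incognito's code or any vendor's implementation. The class name, the `modem_id` binding, the 30-second lifetime and the single-use rule are assumptions layered on top of the 64-character random name the post describes.

```python
import secrets
import string
import time

ALPHABET = string.ascii_letters + string.digits  # assumption: alphanumeric names only
NAME_LEN = 64                                    # length mentioned in the post
TTL_SECONDS = 30                                 # assumption: short validity window


class OtfNames:
    """Maps per-registration random boot-file names to the real service profile."""

    def __init__(self, now=time.monotonic):
        self._now = now
        self._pending = {}  # name -> (modem_id, profile, expires_at)

    def issue(self, modem_id: str, profile: str) -> str:
        """DHCP side: create the boot-file name placed in the offer."""
        name = "".join(secrets.choice(ALPHABET) for _ in range(NAME_LEN))
        self._pending[name] = (modem_id.lower(), profile, self._now() + TTL_SECONDS)
        return name

    def redeem(self, name: str, requester_id: str):
        """TFTP side: return the profile to build, or None to refuse the request."""
        entry = self._pending.pop(name, None)  # single use: gone after first lookup
        if entry is None:
            return None                        # unknown, replayed or guessed name
        modem_id, profile, expires_at = entry
        if requester_id.lower() != modem_id or self._now() > expires_at:
            return None                        # wrong modem or stale name
        return profile
```

Because the stored profile name such as "silver.cm" is never itself a valid request name, a request for it is refused like any other unknown name.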

To add one more layer of security, you should always add your “shared secret” to every CMTS and use password-encryption.  Let’s assume that the hacker is very good and has their own TFTP server and plans on loading in the TFTP file locally during registration, thus bypassing altogether the need for a TFTP file name that was causing them a problem with the Incognito TFTP server.  The shared secret is simply a unique “word” that you put in the running-configuration of the CMTS.  You should keep this word private and limited to as few people as possible within your security team.  This is why I recommend encrypting it on the CMTS with the vendor-specific password encryption.  Remember, your weakest link can also be those people internal to your network.

The DOCSIS specification requires that the CMTS generates a Message Integrity Check (MIC) based upon a Message Digest 5 (MD5) using a number of parameters, including the “shared secret”.  The MD5 is a one-way (non-invertible) hash, meaning that the input cannot be recovered from the output, and the output is considered unique for a specific input.  If the MIC is not correct, the cable modem registration process fails and it will not be allowed to come on-line.  So if the hacker tries to modify the TFTP file and reboot the modem, it is mathematically unfeasible that the hacker will be able to generate a MIC that will pass the MD5 hash in the CMTS, and the cable modem will fail CMTS registration, even if the hacker is paying for some level of service.  This will force the hacker to go back to his/her standard level of service.
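The keyed check described above, as an added example that is not code from the original post or from any CMTS vendor. It is a simplified model: the configuration is a flat type-length-value blob, the TLV type codes and the sample secret are assumptions, and the keyed MIC is HMAC-MD5 over every setting, whereas the specification digests a defined ordered list of fields.

```python
import hashlib
import hmac
import struct

# TLV type codes are assumptions for this model, not taken from the post.
NET_ACCESS, CLASS_OF_SERVICE, CM_MIC, CMTS_MIC, END = 3, 4, 6, 7, 255

def tlv(t: int, value: bytes) -> bytes:
    return bytes([t, len(value)]) + value

def build_config(down_bps: int, up_bps: int, secret: bytes) -> bytes:
    """Provisioning side: encode the settings, then append both integrity checks."""
    cos = (tlv(1, b"\x01") + tlv(2, struct.pack(">I", down_bps))
           + tlv(3, struct.pack(">I", up_bps)))
    body = tlv(NET_ACCESS, b"\x01") + tlv(CLASS_OF_SERVICE, cos)
    cm_mic = hashlib.md5(body).digest()                      # unkeyed digest
    cmts_mic = hmac.new(secret, body, hashlib.md5).digest()  # keyed with the secret
    return body + tlv(CM_MIC, cm_mic) + tlv(CMTS_MIC, cmts_mic) + bytes([END])

def parse(config: bytes) -> list[tuple[int, bytes]]:
    out, i = [], 0
    while i < len(config) and config[i] != END:
        if i + 2 > len(config) or i + 2 + config[i + 1] > len(config):
            raise ValueError("truncated TLV")
        t, n = config[i], config[i + 1]
        out.append((t, config[i + 2:i + 2 + n]))
        i += 2 + n
    return out

def cmts_accepts(config: bytes, secret: bytes) -> bool:
    """CMTS side: recompute the keyed MIC over the settings and compare."""
    try:
        items = parse(config)
    except ValueError:
        return False
    body = b"".join(tlv(t, v) for t, v in items if t not in (CM_MIC, CMTS_MIC))
    sent = [v for t, v in items if t == CMTS_MIC]
    if len(sent) != 1:
        return False
    expected = hmac.new(secret, body, hashlib.md5).digest()
    return hmac.compare_digest(sent[0], expected)

SECRET = b"constructed-shared-secret"  # constructed sample value
GOOD = build_config(12_000_000, 1_000_000, SECRET)
# The same file with its downstream rate field changed after leaving the server.
EDITED = GOOD.replace(struct.pack(">I", 12_000_000), struct.pack(">I", 20_000_000))
```

In this model the CMTS accepts `GOOD` and rejects `EDITED`, and rejects either file when checked with a different secret, which is why the secret has to stay off the modem side of the network.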

Summary

I have just touched on the basics of securing a DOCSIS network.  I am sure that many of your systems have security that vastly supersedes the recommendations I have provided here, in which case please feel free to provide comments and tips that other readers may learn from.  At the same time, there are some basic fundamentals that I have seen overlooked in even big systems which open themselves to theft of service.  You have to do no more than Google “hacking cable modems” to see a thriving network of individuals who are not just hacking, but are also profiting from providing the capabilities to others.  Although it is almost one year since Ryan Harris of TCNISO, one of the best known cable modem hacking sites, was arrested, there are still numerous hacking sites and forums out there that have taken his place.  Secure your network externally and internally or expect that you will have theft of service and possibly worse.
