Cable Modem Security Holes (Summer, 1997)
-----------------------------------------
By Sciri

Note: All references to the specific Internet Service Provider affected have been censored and replaced with [ISP] due to the nature of this article.

The advent of cable modems has opened up a wealth of security nightmares for Internet users in this area. Unfortunately, most of these users have never touched a UNIX machine and have no idea how packets are transported over wide area public networks such as the Internet. Because of this, hundreds of new Internet users may be at risk from extremely old security issues.

In the past, virtually all home Internet users connected to their Internet Service Providers (ISPs) or colleges using standard modems and logged into UNIX or VMS shell accounts. Because these shell accounts required at least a rudimentary knowledge of computers and networking, most users logging into them had an understanding of and respect for the Internet and its limitations. The majority of these users also understood the security issues at hand and took the proper precautions to safeguard their data.

Over the past few years, UNIX and VMS shell accounts have slowly been phased out in favor of SLIP and PPP dialup connections. The advantage of this type of dialup protocol was that the Internet and its resources were now within reach of novice Windows and Macintosh users. The downside, however, was that many of these users didn't understand how the Internet worked and were unaware of the dangers of sending confidential and private data over their connections. The introduction of cable modems and WebTV has created a whole new breed of novice Internet users who no longer need to know how to set up a modem connection and, in a lot of cases, no longer even need to know how to use a computer.
This trend is pushing the commercialization of the Internet, and most companies and ISPs seem more interested in making a profit than in making sure a secure and reliable service is being released.

Of all the security issues at hand today, the hottest topic right now seems to be the ability of malicious hackers to sniff network traffic going over the Internet and corporate Intranets. TCP/IP itself does nothing to prevent this: nearly every application protocol in common use (telnet, FTP, POP, SMTP, plain HTTP) sends passwords and data in the clear, so anyone who can see the packets can read them. Companies such as Netscape Communications Corporation and Open Market, Inc. are pushing secure commerce servers so that transactions over the Internet and corporate Intranets can be conducted safely. The problem with this approach is that only transactions made through SSL equipped WWW browsers get this protection. Most other forms of connection are left unsecured because not all clients are capable of SSL or encryption. Another problem is that these extremely novice Internet users don't understand what sniffing is and don't know why they should only use SSL equipped WWW browsers to conduct transactions and send confidential data over the Internet.

In the past, the risk of someone sniffing Internet data was relatively low. For a sniffer to be set up successfully, a key gateway machine sitting between the client and server had to be compromised and superuser access attained, since on UNIX putting a network interface into promiscuous mode requires root. Once superuser access was attained, the intruder had to hide their tracks from the system administrators and find a way to silently retrieve the sniffer logs from the compromised host. Usually these gateway machines were UNIX based, and a vast amount of knowledge about the UNIX operating system was required to stay hidden. The network topology used by cable modems in this area (Zenith HOME*Works Universal transceivers), however, completely bypasses the need to compromise a gateway machine in order to sniff: every subscriber is already sitting on the same shared medium.
Each cable modem network interface (NI) acts as an Ethernet transceiver and directly connects each cable modem user's machine to the Internet via 10BaseT. Because of this, every machine a cable modem user has connected to the Internet is a local node on whatever subnet has been assigned to that user's geographical area, and all subscribers on that subnet share the same medium, exactly as on a single Ethernet segment. This was first noticed when the cable modem NI was installed and powered up at this site: the TX, RX, and NET-ACTIVE status LEDs immediately lit up and started reporting network traffic even though the cable modem NI had not yet been plugged into the Ethernet card of the firewall/gateway machine. It was then hypothesized that it may be possible for cable modem users to sniff all traffic passing over the same subnet. Software such as sniffit and tcpdump was used to test this hypothesis and, not surprisingly, every other cable modem user on the same subnet could, in fact, be monitored. The decisive check is whether frames addressed to other subscribers' Ethernet addresses reach your own interface at all; on a shared segment they do, and an interface in promiscuous mode hands every one of them to the sniffer, so no compromised host and no special position on the network is needed.

Because this type of major security hole could put the privacy of hundreds of cable modem users at risk and quite possibly destroy the reputation of an ISP, it was decided that [ISP] should be contacted regarding the sniffing issues. After playing phone tag and being on hold for nearly an hour, I was finally connected to someone within [ISP]'s security group and explained exactly what was being tested and the methods being used. I was then told that the ability for any cable modem user to sniff network traffic on their subnet is a "known bug, and no fix is available at this time." According to [ISP]'s security group, the fact that cable modem users can sniff network traffic was not publicized because "this cable modem service is not being sold as a secure service and no such claims are being made in the service agreement."
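To make the sniffing problem concrete, the following Python is an added illustration, not code from the article and not how sniffit or tcpdump work internally. It decodes Ethernet II / IPv4 / TCP frames the way a sniffer on that shared subscriber segment would see them, keeps only the frames that belong to other stations (the ones a point-to-point or switched link would never have delivered to us), and pulls the cleartext POP3 login out of a neighbour's mail check. All MAC addresses, IP addresses, port numbers and credentials are constructed for the example; the frames are built in memory with zeroed checksums and are parsed offline, never sent.

```python
import socket
import struct

# Constructed addresses for the example (not from the article or any real capture).
OUR_MAC = bytes.fromhex("00a0c9112233")       # the NIC behind our own cable modem
NEIGHBOR_MAC = bytes.fromhex("0000c0445566")  # another subscriber on the same segment
HEADEND_MAC = bytes.fromhex("00000c778899")   # the ISP router on the far side of the coax
BROADCAST_MAC = b"\xff" * 6

ETHERTYPE_IPV4 = 0x0800
IPPROTO_TCP = 6


def build_frame(dst_mac, src_mac, src_ip, dst_ip, sport, dport, payload):
    """Assemble an Ethernet II / IPv4 / TCP frame. Checksums are left as zero:
    the frame only exists to be parsed offline."""
    tcp_hdr = struct.pack("!HHIIBBHHH", sport, dport, 1000, 2000,
                          5 << 4,   # data offset: 5 words, no options
                          0x18,     # PSH|ACK
                          8192, 0, 0)
    total_len = 20 + len(tcp_hdr) + len(payload)
    ip_hdr = struct.pack("!BBHHHBBH4s4s",
                         0x45, 0, total_len, 0, 0, 64, IPPROTO_TCP, 0,
                         socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    return dst_mac + src_mac + struct.pack("!H", ETHERTYPE_IPV4) + ip_hdr + tcp_hdr + payload


def parse_frame(frame):
    """Decode the headers a sniffer cares about; None for anything but IPv4/TCP."""
    if len(frame) < 14 + 20:
        return None
    dst_mac, src_mac = frame[0:6], frame[6:12]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != ETHERTYPE_IPV4:
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    (total_len,) = struct.unpack("!H", ip[2:4])
    ip = ip[:total_len]            # drop any Ethernet padding after the datagram
    if ip[9] != IPPROTO_TCP:
        return None
    tcp = ip[ihl:]
    sport, dport = struct.unpack("!HH", tcp[0:4])
    data_off = (tcp[12] >> 4) * 4
    return {
        "dst_mac": dst_mac, "src_mac": src_mac,
        "src_ip": socket.inet_ntoa(ip[12:16]), "dst_ip": socket.inet_ntoa(ip[16:20]),
        "sport": sport, "dport": dport,
        "payload": tcp[data_off:],
    }


def is_foreign(src_mac, dst_mac, our_mac=OUR_MAC):
    """True for unicast traffic between two other stations. A switched or
    point-to-point link never delivers such frames to our card; seeing even one
    (with the interface in promiscuous mode) proves we sit on a shared segment."""
    if our_mac in (src_mac, dst_mac):
        return False                              # our own traffic
    if dst_mac == BROADCAST_MAC or dst_mac[0] & 1:
        return False                              # broadcast/multicast reaches everyone anyway
    return True


def extract_pop3_credentials(payload):
    """Pull USER/PASS out of a cleartext POP3 client stream (RFC 1939)."""
    creds = {}
    for line in payload.split(b"\r\n"):
        verb, _, arg = line.partition(b" ")
        if verb.upper() in (b"USER", b"PASS") and arg:
            creds[verb.decode().upper()] = arg.decode(errors="replace")
    return creds


def sniff_segment(frames, our_mac=OUR_MAC):
    """What a promiscuous-mode sniffer on the subscriber segment reports: every
    frame belonging to some other station, plus any POP3 login it carried."""
    findings = []
    for frame in frames:
        pkt = parse_frame(frame)
        if pkt is None or not is_foreign(pkt["src_mac"], pkt["dst_mac"], our_mac):
            continue
        findings.append({
            "from": f'{pkt["src_ip"]}:{pkt["sport"]}',
            "to": f'{pkt["dst_ip"]}:{pkt["dport"]}',
            "creds": extract_pop3_credentials(pkt["payload"]) if pkt["dport"] == 110 else {},
        })
    return findings


# Constructed traffic: our own POP3 login, a neighbour's login to the same mail
# server, and the server's reply, all as they would appear on the shared coax.
SAMPLE_FRAMES = [
    build_frame(HEADEND_MAC, OUR_MAC, "24.0.1.10", "24.0.0.5", 1025, 110,
                b"USER alice\r\nPASS hunter2\r\n"),
    build_frame(HEADEND_MAC, NEIGHBOR_MAC, "24.0.1.77", "24.0.0.5", 1031, 110,
                b"USER bob\r\nPASS s3cret\r\n"),
    build_frame(NEIGHBOR_MAC, HEADEND_MAC, "24.0.0.5", "24.0.1.77", 110, 1031,
                b"+OK Logged in.\r\n"),
]

if __name__ == "__main__":
    for finding in sniff_segment(SAMPLE_FRAMES):
        print(finding)
```

Running it lists the neighbour's POP3 session with the USER and PASS values in plain view, while our own login is skipped as local traffic. The same decoder applied to an SSL session would yield only the TLS record bytes, which is the whole argument for SSL equipped clients in the paragraphs above; for telnet, FTP and POP there was no such option, and the segment layout above made every subscriber a potential sniffer.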
Baffled by this, I posed the question, "since this isn't a secure service, [ISP] has decided upon the policy that it's the sole responsibility of the end user or system administrator to make sure that all connections are secured and encrypted by third party software?" The response was, "Hrm...that's actually a pretty good way of phrasing it."

This is an extreme display of [ISP]'s inability to plan ahead and take steps to keep their networks reasonably secure. Topped off by a seemingly intentional coverup to keep cable modem users from finding out that virtually every single keystroke that goes across their Internet connection could very well be monitored, it's frightening to think that most end users are ignorant of the fact that any problems such as this even exist. With today's threats of credit card fraud and the widespread value of personal information, [ISP] should have taken all steps possible to make sure that cable modem subscribers were educated and aware of these dangers. With more and more users transmitting confidential and personal information over the Internet and World Wide Web, more security issues need to be addressed and publicized.

The issue of sniffing does not stop here, however. With cable modem technology being pushed as the next "big thing," ISPs and cable companies should take as many precautions as possible to make sure cable modems become a secure and reliable service. If current technology is not updated to address these problems, thousands, if not millions, of future users could be at risk.