DOCSIS Insecure by Design (Self)

This document provides background on anonymous internet access using a hacked cable modem. It discusses the requirements, including a cable connection and modified DOCSIS cable modem. It describes how to gain anonymous access on the Comcast network by changing the modem's MAC address and configuration file. It also covers techniques for remaining anonymous like disabling SNMP and hiding the modem's IP and software version.

Slide 1
http://www.soldierx.com/defcon16speech/docsis_insecure_by_design-blake_durandal.ppt

Slide 2: Humor
Maybe Ted Stevens has a series of hacked modems and a drop amp at his place. Could this be the reason he thinks that the internet is a series of tubes?

Slide 3: Background
- Personal
  - Started working in the security industry at the age of 17.
  - Conducted SIPRNET Administration and Red Team Penetration Testing for the USMC.
  - I currently do research for SERC (Software Engineering Research Center), an NSF Industry/University Cooperative Research Center.
- Speech
  - A much shorter version of this presentation was given at the Spring 2008 SERC Showcase.
  - I have had various experts on this topic (such as bitemytaco from http://www.sbhacker.net) verify the information in this Defcon presentation.

Slide 4: What This Speech Will Cover
- Requirements (for our examples)
- Network Overview
- Anonymous Access
  - Gaining service with a MAC address not tied to an account
- Cloning a MAC Tied to an Account
- How Anonymous You Really Are
  - How closely ISPs can pinpoint your location, as well as techniques to catch people abusing/stealing service
- Breakdown of Hardware/Firmware (Durandal)

Slide 5: Requirements
- What do you need for our example?
  - Cable connection (to the cable company)
  - JTAG cable (MIPS EJTAG for our example)
    - EJTAG stands for Enhanced Joint Test Action Group
  - SB5100 cable modem (other modems can be modified, but this is the one that we're using for our example)
  - Soldering skills
    - If you do not know how to solder, there are solderless adapters available from sites like http://www.tcniso.net/shop/product.php?cat=2&page=1&productid=15
  - Application for flashing the firmware onto the modem (we use Schwarze Katze for Windows from TCNiSO)

Slide 6: Requirements In Depth
- Cable connection
- EJTAG cable
  - Easy to make
  - Available online

Slide 7: Requirements In Depth (cont'd)
- Modify the SB5100 or buy a Premod
  - (available from sites like www.sbhacker.net)

Slide 8: Requirements In Depth (cont'd)
- Program the SB5100 using Schwarze Katze.

Slide 9: Modified Firmware
- Abilities of SIGMA X2 build 142 firmware:
  - Change the MAC address
  - Change the serial number
  - Firmware upgrade blocking
  - Reboot disable
  - Force network access (ignore unauthorized messages)
  - Remove ISP filters (ports blocked at modem level)
  - Specify configuration file filename and TFTP server IP address
  - Upload and use a configuration file
  - Control of SNMP (Simple Network Management Protocol)
  - Broadcom CLI access
  - Full shell access to VxWorks (unix-like OS on the SB5100)

Slide 10: Cable Network Overview
(network diagram)

Slide 11: Anonymous Internet Access
- For our example of anonymous internet access, we will be using Comcast.
- Why Comcast?
  - According to Alex Goldman's research on isp-planet.com, as of the fourth quarter of 2007 Comcast is the second most used ISP in the United States, and the number one ISP using DOCSIS (http://www.isp-planet.com/research/rankings/usa.html).
- If you plug a modem into the Comcast network that does not have an account, the only page that comes up is a Comcast page asking you to sign up for service.
- We found that you can generally connect into the computer hooked up to the modem, but you cannot connect out from the computer.
- Changing the DNS server gives you the ability to connect out (some of the time).
- Removing filters via the Broadcom CLI removes port blocking at the modem level.
  - Commands to turn the filters off:
    cd /
    cd snmp
    filters off
    write

Slide 12: Faster Speeds
- Anonymous access is good, but faster anonymous access is better.
- In order to increase speeds, you can specify a faster configuration file to use or upload your own.
- You can specify a TFTP server IP address, but on Comcast almost every TFTP server has the same configuration files.
- Some example configuration files that Comcast uses:
  - DOCSIS 1.0
    - d10_m_sb5100_speedtierextreme2_c05.cm = 10/2
    - d10_m_sb5100_showcase_c01.cm = 55/5
    - d10_m_na_c05.cm = 0/0 (unrestricted)
  - DOCSIS 1.1
    - d11_m_sb5100_speedtierextreme2_c05.cm = 10/2
    - d11_m_sb5100_showcase_c01.cm = 55/5
    - d11_m_na_c05.cm = 0/0 (unrestricted)

Slide 13: Changing the Configuration File
- Navigate to http://192.168.100.1:1337
- You can either specify a file that exists and the server that it exists on (blank for your ISP's TFTP server), or you can upload your own.
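The configuration files named above are DOCSIS TLV files, and the only thing that lets an operator's CMTS reject an uploaded or edited one is the keyed CMTS MIC. The Python below is an added worked example written for this page, not the deck's code and not any TCNiSO or sbhacker tool: it builds a minimal config with a class-of-service rate limit, computes the unkeyed CM MIC and the HMAC-MD5 CMTS MIC, and shows that a copy whose limits were rewritten without the operator's shared secret still passes the CM MIC but fails the CMTS MIC. The TLV type numbers and the MD5/HMAC-MD5 constructions follow the public DOCSIS RFI specification; the downstream frequency, rates and shared secret are constructed values, and the set of bytes the CMTS MIC covers is simplified to everything this example emits before it (the specification fixes a longer ordered list of TLV types).

```python
import hashlib
import hmac
import struct

# TLV type numbers from the public DOCSIS RFI specification (config file section).
TLV_DOWNSTREAM_FREQ = 1
TLV_UPSTREAM_CHANNEL = 2
TLV_NET_ACCESS = 3          # 1 = CPE traffic allowed, 0 = modem registers but CPEs get no access
TLV_CLASS_OF_SERVICE = 4
TLV_CM_MIC = 6              # MD5 over every byte before this TLV; no key involved
TLV_CMTS_MIC = 7            # HMAC-MD5 keyed with the operator's shared secret
TLV_END = 255               # single byte, no length field
# Sub-TLVs inside a class-of-service TLV; a rate of 0 means "no limit".
COS_CLASS_ID = 1
COS_MAX_DOWN_BPS = 2
COS_MAX_UP_BPS = 3


def tlv(t, value):
    """Encode one type-length-value triple (one-byte type, one-byte length)."""
    return bytes([t, len(value)]) + value


def cos_tlv(class_id, down_bps, up_bps):
    return (tlv(COS_CLASS_ID, bytes([class_id]))
            + tlv(COS_MAX_DOWN_BPS, struct.pack(">I", down_bps))
            + tlv(COS_MAX_UP_BPS, struct.pack(">I", up_bps)))


def parse_tlvs(data):
    """Return [(type, value, offset)] in file order, stopping at TLV_END."""
    out, i = [], 0
    while i < len(data):
        t = data[i]
        if t == TLV_END:
            break
        if i + 2 > len(data) or i + 2 + data[i + 1] > len(data):
            raise ValueError("truncated TLV at offset %d" % i)
        length = data[i + 1]
        out.append((t, data[i + 2:i + 2 + length], i))
        i += 2 + length
    return out


def seal(body, shared_secret):
    """Append CM MIC, CMTS MIC and the end marker, as the provisioning system does.
    Simplification (assumption): the CMTS MIC covers all bytes up to and including
    the CM MIC TLV; the spec lists the exact TLV types and order it covers."""
    body += tlv(TLV_CM_MIC, hashlib.md5(body).digest())
    body += tlv(TLV_CMTS_MIC, hmac.new(shared_secret, body, "md5").digest())
    return body + bytes([TLV_END])


def build_config(down_bps, up_bps, shared_secret):
    """A minimal residential config: one downstream, one upstream, CPE access on."""
    body = tlv(TLV_DOWNSTREAM_FREQ, struct.pack(">I", 555_000_000))  # constructed 555 MHz
    body += tlv(TLV_UPSTREAM_CHANNEL, b"\x01")
    body += tlv(TLV_NET_ACCESS, b"\x01")
    body += tlv(TLV_CLASS_OF_SERVICE, cos_tlv(1, down_bps, up_bps))
    return seal(body, shared_secret)


def rate_limits(data):
    """(max downstream bps, max upstream bps) from the class-of-service TLV."""
    for t, value, _ in parse_tlvs(data):
        if t == TLV_CLASS_OF_SERVICE:
            sub = {st: sv for st, sv, _ in parse_tlvs(value)}
            return (struct.unpack(">I", sub[COS_MAX_DOWN_BPS])[0],
                    struct.unpack(">I", sub[COS_MAX_UP_BPS])[0])
    return None


def verify_config(data, shared_secret):
    """CMTS-side check: (cm_mic_ok, cmts_mic_ok). Each MIC is recomputed over
    the bytes that precede its own TLV, exactly as seal() produced them."""
    cm_ok = cmts_ok = False
    for t, value, offset in parse_tlvs(data):
        if t == TLV_CM_MIC:
            cm_ok = hmac.compare_digest(hashlib.md5(data[:offset]).digest(), value)
        elif t == TLV_CMTS_MIC:
            expected = hmac.new(shared_secret, data[:offset], "md5").digest()
            cmts_ok = hmac.compare_digest(expected, value)
    return cm_ok, cmts_ok


def rewrite_rates(data, down_bps, up_bps):
    """What an edited copy looks like to the CMTS when the editor holds no shared
    secret: rates changed, CM MIC recomputed (it needs no key), and a CMTS MIC
    that can only be a placeholder (16 zero bytes here)."""
    body = b""
    for t, value, _ in parse_tlvs(data):
        if t in (TLV_CM_MIC, TLV_CMTS_MIC):
            continue
        if t == TLV_CLASS_OF_SERVICE:
            class_id = {st: sv for st, sv, _ in parse_tlvs(value)}[COS_CLASS_ID][0]
            value = cos_tlv(class_id, down_bps, up_bps)
        body += tlv(t, value)
    body += tlv(TLV_CM_MIC, hashlib.md5(body).digest())
    body += tlv(TLV_CMTS_MIC, bytes(16))
    return body + bytes([TLV_END])


if __name__ == "__main__":
    secret = b"constructed-operator-secret"
    tier_10_2 = build_config(10_000_000, 2_000_000, secret)   # the "10/2" tier listed on slide 12
    print("provisioned file:", rate_limits(tier_10_2), verify_config(tier_10_2, secret))
    edited = rewrite_rates(tier_10_2, 0, 0)                    # "0/0 (unrestricted)"
    print("edited file:     ", rate_limits(edited), verify_config(edited, secret))
```

The operator-side lesson is that letting a modem name its own config file or TFTP server, as the slides describe, only costs the operator control of speed tiers if the CMTS is not checking the CMTS MIC with a secret that the files on its TFTP servers cannot reveal; the unkeyed CM MIC is a transport check, not an integrity control, and a config file that is missing a valid CMTS MIC should be refused at registration.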
Slide 14: Techniques for Remaining Anonymous
- Disable reading the modem with SNMP
    cd /
    cd snmp
    view_v1v2 noaccess
    y
    cd /
- Hide the modem's HFC IP address (you cannot hide CPE IP addresses)
    cd /
    cd non-vol
    cd snmp
    hide_ipstack_ifentries true
    write
- Hide the reported software version (system OID)
    cd /
    cd snmp
    delete sysDescr
    write

Slide 15: Field Results
- Various members of SOLDIERX and other groups have reported high success rates with zero signs of detection
  - Durandal has a high-use server that has been online for over 16 months
  - An anonymous individual has a machine on a business configuration that has been seeding torrents steadily for 6 months
  - Many people have as many as 8 modems running concurrently
  - In all of these scenarios, the individuals are paying for service. They are simply splicing their line to add additional modems

Slide 16: Cloning
- Cloning is where you use another customer's MAC address in order to get the same service they are paying for.
- Due to the way the system is set up, you have to use the MAC address of a customer that is on a CMTS other than yours.
- This method is not as stealthy because your modem is now tied to somebody else's account.

Slide 17: Cloning (cont'd)
- The CMTS (Cable Modem Termination System) does not prevent the cloning of a MAC address from Node 3 to Node 1.

Slide 18: Getting MAC Addresses for Cloning
- MAC addresses are often traded in private IRCs and on private forums.
- One free tool to sniff MAC addresses and configs is Coax Thief/CMSniff
  - Located at http://www.tcniso.net/Nav/Software/Content/CoaxThief.rar

Slide 19: How Anonymous Are You?
- The Operations Support System is unable to pinpoint a modem to an exact location due to the design of the legacy cable network.
- Currently, detection only goes as far as the node where the modem in question is located.

Slide 20: How Anonymous Are You? (cont'd)
- Some ISPs poll for poor signal levels.
  - The technician will disconnect each line to find out which line is causing the signal loss.
  - You can prevent this by using an amp if your signal strength is too low. We personally like the BDA-S1 Broadband Drop Amp from Motorola.
  - The downstream should be between -15 and +15 dBmV and the upstream should be between -35 and -50 (upstream is always negative).
- Many ISPs perform routine checks on lines that should not be connected in order to verify that they are not.
  - Many ISPs use colored tags to identify the account and service.
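The detection side of slides 14 through 20, as an added example that is not part of the deck: the checks below run over a constructed snapshot of modem state as a provisioning/OSS system would hold it (MAC, CMTS, fibre node, config file in use, SNMP reachability, sysDescr) and flag the patterns the slides describe, namely a MAC registered under more than one node at once, a modem online with no account behind it, a modem whose SNMP view was closed or whose sysDescr was deleted, and a modem running a config file its account was not assigned. Record field names, MAC addresses, CMTS and node names, sysDescr strings and the per-account allowlist are constructed; the config file names are the ones listed on slide 12.

```python
from collections import defaultdict

# Constructed snapshot of registered modems as a provisioning/OSS system would hold
# it after a CMTS poll. Everything except the config file names is made up.
SNAPSHOT = [
    {"mac": "00:11:22:33:44:01", "cmts": "cmts-a", "node": "N1",
     "config": "d10_m_sb5100_speedtierextreme2_c05.cm",
     "snmp_readable": True, "sysdescr": "SB5100 constructed-factory-build"},
    {"mac": "00:11:22:33:44:01", "cmts": "cmts-b", "node": "N3",   # same MAC, other node
     "config": "d10_m_sb5100_speedtierextreme2_c05.cm",
     "snmp_readable": True, "sysdescr": "SB5100 constructed-factory-build"},
    {"mac": "00:11:22:33:44:02", "cmts": "cmts-a", "node": "N1",   # no account, SNMP closed
     "config": "d10_m_na_c05.cm", "snmp_readable": False, "sysdescr": None},
    {"mac": "00:11:22:33:44:03", "cmts": "cmts-a", "node": "N2",   # account provisioned for the
     "config": "d10_m_na_c05.cm",                                  # showcase tier, but running the
     "snmp_readable": True, "sysdescr": ""},                       # unrestricted file, sysDescr gone
    {"mac": "00:11:22:33:44:04", "cmts": "cmts-a", "node": "N2",   # clean
     "config": "d10_m_sb5100_showcase_c01.cm",
     "snmp_readable": True, "sysdescr": "SB5100 constructed-factory-build"},
]

# Constructed allowlist: MAC -> config file the account was provisioned with.
PROVISIONED = {
    "00:11:22:33:44:01": "d10_m_sb5100_speedtierextreme2_c05.cm",
    "00:11:22:33:44:03": "d10_m_sb5100_showcase_c01.cm",
    "00:11:22:33:44:04": "d10_m_sb5100_showcase_c01.cm",
}


def duplicate_macs(snapshot):
    """MACs seen under more than one (CMTS, node) at the same time. Slide 17's
    'Node 3 to Node 1' clone is exactly this pattern, and the CMTS itself does
    not reject it, so the cross-node join has to happen here."""
    places = defaultdict(set)
    for r in snapshot:
        places[r["mac"]].add((r["cmts"], r["node"]))
    return {mac: sorted(p) for mac, p in places.items() if len(p) > 1}


def check_snapshot(snapshot, provisioned):
    """Return a sorted list of (mac, finding) pairs for the whole snapshot."""
    findings = set()
    for mac in duplicate_macs(snapshot):
        findings.add((mac, "mac-online-on-multiple-nodes"))
    for r in snapshot:
        mac = r["mac"]
        expected = provisioned.get(mac)
        if expected is None:
            findings.add((mac, "online-without-account"))
        elif r["config"] != expected:
            findings.add((mac, "config-file-not-assigned"))
        # A refused SNMP read is a finding in itself: slide 14's 'view_v1v2 noaccess'
        # is the only reason a registered modem stops answering the poller.
        if not r["snmp_readable"]:
            findings.add((mac, "snmp-read-refused"))
        elif not r["sysdescr"]:
            findings.add((mac, "sysdescr-missing"))
    return sorted(findings)


if __name__ == "__main__":
    for mac, finding in check_snapshot(SNAPSHOT, PROVISIONED):
        print(mac, finding)
    print("nodes per duplicated MAC:", duplicate_macs(SNAPSHOT))
```

The checks are keyed to the provisioning record rather than to anything the modem reports because everything slide 14 hides (sysDescr, the HFC interface entries, the SNMP view) is data the modem volunteers, whereas which node a MAC ranged on and which file name it requested from TFTP are observed on the operator's side and are not under the modem's control. Consistent with slide 19, the result still only localizes a finding to a node; narrowing it further is the physical-plant work slide 20 describes.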
Slide 21: Throwing Up a Red Flag
- Not using previously discussed techniques for remaining anonymous
- Excessive torrenting
- FTP/web servers hosting warez/porn (or other types of heavily used services)
- Uncapping on cloned MAC addresses
- Splitting the connection too many times will weaken the signal and can cause techs to come out to check it.

Slide 22: Precautions to Take
- Do not transfer personal information over unencrypted connections
- Keep an eye out for the party van (or cable technicians)
- Pay for service on one modem and have another one hooked up that is modified for anonymous internet.
- Remove line identifiers to assist in anonymity (especially at apartment complexes)

Slide 23: Response From the SERC Showcase
- Anonymous internet was not nearly as much of a concern as BPI/BPI+ in DOCSIS 1/1.1/2.0
  - The maximum privacy that is offered via encryption is 56-bit DES.

Slide 24: Thanks
- Thanks to bitemytaco of SBH (http://www.sbhacker.net) for reviewing the information in these slides.
- Anonymous network technicians that answered questions about OSS.
- Thanks to DerEngel of TCNiSO for starting mainstream cable modem hacking.
- Anonymous cable modem hackers that told me their stories and gave me enough information to verify it.

Slide 25: Cable Modem Hardware
Or How I Learned to Relax and Love the Surfboard
Enter Durandal

Slide 26: Abstract
- Presenter Background
- WHYTO versus HOWTO
- SB5100 - Just another Computer
- Currently Available Firmware and Features
- Firmware Reverse Engineering
- Firmware Modification

Slide 27: Abstract - Translated
- Why you should listen to what I have to say
- Why you shouldn't listen to random people on forums
- Why you shouldn't panic
- How to avoid obsolescence by not being dumb
- Proof it doesn't take an angel to impress people

Slide 28: Background Information
- Active in the underground community since 1998
- Arabic Linguist 2002-2004
- JETS trainer under some of the most respected leadership in Army Intelligence 2003-2004

Slide 29: HOWTO vs WHYTO
HOWTO
- Tells you how to do something in a methodical, step by step method, allowing one to perform a task without understanding it.
WHYTO
- Tells you why something is a certain way, creating the underlying understanding necessary to perform a task.

Slide 30: HOWTO vs WHYTO Outcome
HOWTO
- Individual can follow simple steps, but cannot operate independently, or perform anything not specifically discussed in the HOWTO.
WHYTO
- Individual is capable of operating independently and to the fullest ability of available equipment, including the application of knowledge to situations not specifically mentioned in any document or briefing.

Slide 31: SB5100 HARDWARE: WHY YOU ALREADY HAVE IT WRONG
If you fail, you can always do social engineering consulting...

Slide 32: What does a SB5100 Consist Of?
- A cable modem is just a computer, so you're already halfway there:
  - Chipset: Broadcom BCM3348
  - Processor: 200MHz MIPS-32 core with MMU
  - RAM: 16-bit SDRAM bus with 8MB RAM (upgradeable)
  - Storage: 2MB Flash ROM
  - OS: WindRiver VxWorks (UNIX-esque RTOS)

Slide 33: Trust
- Due to the nature of the DOCSIS infrastructure, most of the burden associated with authentication is placed solely on the cable modem.
- Even if DOCSIS 23985 comes out next year, it stands to reason that if you can undermine all the countermeasures put into the cable modem, you're still online while all the kids are waiting for someone to make a firmware update.

Slide 34: SB5100 FIRMWARE OVERVIEW
Advice is like assholes...

Slide 35: SB5100 Factory Firmware
PRO
- You probably already have it
- It's every bit as functional as anything else out there if you know what you're doing
- There's very little chance of a surprise visit from the local ISP.
CONS
- You have to have two braincells to rub together
- Everyone in forums will tell you it has to be flashed to some other firmware
- Instead of having a nice GUI to change settings with, you have to use that icky command line.

Slide 36: Sigma X2 - The Lips of an Angel
PRO
- Works without too much trouble
- Made by someone who wrote a book
CONS
- That somebody was DerEngel
- You have to pay for it
- Claimed to come with "value-added features" (backdoors)
- Since it, and everything else that goes with it (you'll need a licensed copy of Schwarze Katze as well), requires a valid license, the idea of anyone actually paying for it so they can steal service defies all logic.

Slide 37: Sigma Stealth
PRO
- Cracked version of TCNiSO's firmware, meaning you save money.
- Usually has fixes to things DerEngel broke.
- All around stable firmware.
CONS
- Some versions are even harder to unpack than DerEngel's firmware, raising speculation as to the intentions of the author.
- With a name like Stealth Edition, you're bound to get caught.

Slide 38: Considerations
- If you simply want free internet access, the FERCSA-modified firmware is about as easy as it comes, requiring no knowledge of underlying commands.

Slide 39: DISASSEMBLING THE FIRMWARE
Since your firmware can't possibly be worse than anything else out there...

Slide 40: Tools Needed
- Image of the firmware you wish to disassemble
- CMImageTool by BOLTAR
- LZMA.EXE
- WinHex
- IDA Pro Advanced
- JTAG cable and software (optional)

Slide 41: Obtaining Firmware
- Two types of firmware images:
  - Compressed .bin files (usually packed and compressed)
  - ROM dump images (already unpacked)

Slide 42: Q&A
- Questions?