4. DOCSIS Provisioning
▪ Standards Based
- DHCP, ToD, TFTP
▪ Distributed Architecture
- DHCP Server has all the customer data
- CMTS and CMs just policy enforcers
- CMs are untrusted elements
5. DOCSIS Piracy
▪ Mostly based on hacked firmware running on the
cablemodems.
▪ Needs to be mitigated by a battery of counter
measures:
- Network based
- CMTS based
- Provisioning system based
8. DOCSIS Piracy
Speed Uncapping
▪ Removing the speed caps (limits), either by
replacing them with higher ones or by removing
them completely.
▪ Done by replacing the legitimate configuration file
the cable modem is told to download with a
different one.
▪ The substitute file can be served from a local PC
or pulled from the MSO's own TFTP servers.
9. DOCSIS Piracy
Speed Uncapping
▪ Case I – No Shared Secret implemented
Worst case: the hacker can create a config file
with any speed limit (or no limit), put it on his PC
and instruct the hacked modem to ignore the
TFTP server and file name received via DHCP and
download the file from the local PC instead.
10. DOCSIS Provisioning
DHCP Process
[Diagram: the CMTS (network side 10.0.0.254, HFC side 172.16.0.1, MAC C4:C4:C4:C4:C4:C4) is a DHCP Relay Agent. The DHCP Server (10.0.0.1) sends the DHCP Offer to the relay (Src 10.0.0.1, Dst 10.0.0.254) carrying TFTP S: 10.0.0.2 and TFTP F: silver.bin; the CMTS forwards it over the HFC network to the cablemodem (Src C4:C4:C4:C4:C4:C4, Dst 00:00:DE:AD:BE:EF). Other elements: TFTP Server 10.0.0.2, ToD Server 10.0.0.3, Provisioning System.]
11. DOCSIS Provisioning
Hacked TFTP Process
[Diagram: the hacked cablemodem (MAC 00:00:DE:AD:BE:EF, IP 172.16.0.10) ignores the TFTP server given by DHCP and fetches its config from a PC on its own Ethernet side: TFTP Request Src 192.168.100.1, Dst 192.168.100.10, FILE hacked.bin; TFTP Response Src 192.168.100.10, Dst 192.168.100.1, FILE hacked.bin. The MSO's DHCP Server 10.0.0.1, TFTP Server 10.0.0.2, ToD Server 10.0.0.3 and CMTS (10.0.0.254 / 172.16.0.1) never see the download.]
12. DOCSIS Piracy
Speed Uncapping
▪ Case II – Shared Secret implemented,
no network security
In this case the hacker cannot create a custom
config file, because it would fail Shared Secret
(CMTS MIC) verification. However, he can fetch
valid files with higher speeds (e.g. gold.bin) from
the MSO TFTP Server, since nothing restricts who
may download them, and serve them from his own PC.
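Both cases in working form, as an added example that is not part of the original deck: it builds a minimal DOCSIS-style config file, computes the CM MIC (TLV 6, plain MD5 over the preceding TLVs) and the CMTS MIC (TLV 7, HMAC-MD5 keyed with the shared secret), and then shows what CMTS verification sees for a tampered file with and without a shared secret, and for a replayed, untouched gold.bin. The TLV type numbers are the DOCSIS ones; the rates, file contents and secret are constructed, and the CMTS MIC here covers every TLV in file order followed by the CM MIC, a simplification of the spec's fixed TLV order.

```python
import hashlib
import hmac

# TLV types from the DOCSIS config-file spec; everything else here is constructed.
TLV_NET_ACCESS, TLV_COS, TLV_CM_MIC, TLV_CMTS_MIC = 3, 4, 6, 7


def tlv(t, value):
    """Encode one config-file TLV: 1-byte type, 1-byte length, value."""
    assert len(value) < 256
    return bytes([t, len(value)]) + value


def class_of_service(class_id, max_down_bps, max_up_bps):
    """TLV 4 with sub-TLVs 1 (class id), 2 (max downstream), 3 (max upstream)."""
    body = (tlv(1, bytes([class_id]))
            + tlv(2, max_down_bps.to_bytes(4, "big"))
            + tlv(3, max_up_bps.to_bytes(4, "big")))
    return tlv(TLV_COS, body)


def parse_tlvs(data):
    """Flat list of (type, value); 0xFF is the end-of-data marker."""
    out, i = [], 0
    while i < len(data) and data[i] != 0xFF:
        t, n = data[i], data[i + 1]
        out.append((t, data[i + 2:i + 2 + n]))
        i += 2 + n
    return out


def build_config(service_tlvs, shared_secret=None):
    """Provisioning-system side: append the CM MIC and, if the MSO uses a
    shared secret, the CMTS MIC. Simplification: the CMTS MIC covers all
    service TLVs in file order plus the CM MIC TLV."""
    body = service_tlvs + tlv(TLV_CM_MIC, hashlib.md5(service_tlvs).digest())
    if shared_secret is not None:
        body += tlv(TLV_CMTS_MIC, hmac.new(shared_secret, body, hashlib.md5).digest())
    return body + b"\xff"


def verify_config(data, shared_secret):
    """CMTS side at registration: returns (cm_mic_ok, cmts_mic_ok).
    With no shared secret configured there is no CMTS MIC to check, so the
    second value is True for any file whose CM MIC is self-consistent."""
    tlvs = parse_tlvs(data)
    service = b"".join(tlv(t, v) for t, v in tlvs if t not in (TLV_CM_MIC, TLV_CMTS_MIC))
    cm_mic = dict(tlvs).get(TLV_CM_MIC)
    cm_ok = cm_mic == hashlib.md5(service).digest()
    if shared_secret is None:
        return cm_ok, True
    cmts_mic = dict(tlvs).get(TLV_CMTS_MIC)
    expected = hmac.new(shared_secret, service + tlv(TLV_CM_MIC, cm_mic or b""), hashlib.md5).digest()
    cmts_ok = cmts_mic is not None and hmac.compare_digest(cmts_mic, expected)
    return cm_ok, cmts_ok


def max_downstream_bps(data):
    """Read sub-TLV 2 out of the Class of Service TLV."""
    cos = dict(parse_tlvs(data))[TLV_COS]
    return int.from_bytes(dict(parse_tlvs(cos))[2], "big")


def uncap(data):
    """Case I attacker: drop both MICs and the speed class, insert an
    unlimited class and recompute the CM MIC, which needs no secret."""
    keep = b"".join(tlv(t, v) for t, v in parse_tlvs(data)
                    if t not in (TLV_COS, TLV_CM_MIC, TLV_CMTS_MIC))
    return build_config(keep + class_of_service(1, 1_000_000_000, 1_000_000_000))


SECRET = b"Th1s-1s-a-30+char-$ecret-w/special!"   # constructed
SILVER = build_config(tlv(TLV_NET_ACCESS, b"\x01") + class_of_service(1, 2_000_000, 256_000), SECRET)
GOLD = build_config(tlv(TLV_NET_ACCESS, b"\x01") + class_of_service(2, 10_000_000, 1_000_000), SECRET)
HACKED = uncap(SILVER)

if __name__ == "__main__":
    print("no secret, tampered file  :", verify_config(HACKED, None))    # (True, True)
    print("secret, tampered file     :", verify_config(HACKED, SECRET))  # (True, False)
    print("secret, replayed gold.bin :", verify_config(GOLD, SECRET))    # (True, True)
```

The last line is the point of Case II: the shared secret proves the file came from the MSO, not that this modem was supposed to get it. That gap is what the per-modem TFTP Enforce table and the per-download Dynamic Shared Secret close.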
13. DOCSIS Provisioning
Hacked TFTP Process
[Diagram: a PC on the CPE network (IP 200.0.0.10, behind cablemodem 00:00:DE:AD:BE:EF / 172.16.0.10) downloads a higher-speed file straight from the MSO TFTP Server: TFTP Request Src 200.0.0.10, Dst 10.0.0.2, FILE gold.bin; TFTP Response Src 10.0.0.2, Dst 200.0.0.10, FILE gold.bin. CMTS CPE-side address 200.0.0.1; DHCP Server 10.0.0.1, TFTP Server 10.0.0.2, ToD Server 10.0.0.3, CMTS 10.0.0.254 / 172.16.0.1, Provisioning System.]
15. DOCSIS Provisioning
Hacked TFTP Process
[Diagram: same flow as the hacked.bin case, now with the genuine gold.bin obtained from the MSO server: the hacked cablemodem (MAC 00:00:DE:AD:BE:EF, IP 172.16.0.10) sends TFTP Request Src 192.168.100.1, Dst 192.168.100.10, FILE gold.bin to the local PC and receives TFTP Response Src 192.168.100.10, Dst 192.168.100.1, FILE gold.bin. DHCP Server 10.0.0.1, TFTP Server 10.0.0.2, ToD Server 10.0.0.3 and CMTS 10.0.0.254 / 172.16.0.1 are not involved in the download.]
16. DOCSIS Piracy
DHCP Broadcast and Unicast
▪ If a modem sends a DHCP Discover with the
Broadcast flag set, the Offer is sent to the
broadcast address (ff:ff:ff:ff:ff:ff) in the
downstream.
▪ All broadcast traffic received by a modem is
copied to its Ethernet port.
▪ Anybody with a packet sniffer can collect modem
MAC addresses, TFTP server addresses and config
file names from the whole local downstream!!!
▪ When the modem sends the Discover with the
broadcast flag set to 0, the Offer is unicast to the
modem's MAC address only and is not copied to
other modems' Ethernet ports.
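What the flag changes, as an added example (not from the deck): it packs a DHCPOFFER the way the server sends it (RFC 2131 BOOTP header, TFTP server in siaddr and config file name in the file field, as DOCSIS does), derives the downstream destination MAC from the Broadcast flag the way the slide describes, and shows what a sniffer on the Ethernet side of a different modem recovers when the frame is broadcast versus unicast. The addresses, MACs and file name are the constructed ones from the diagrams; the sniffer model assumes only broadcast frames and frames addressed to the sniffing PC reach its port.

```python
import socket
import struct

BROADCAST_FLAG = 0x8000                      # RFC 2131 flags field, bit 15 ("B")
BOOTP_FMT = "!BBBBLHH4s4s4s4s16s64s128s"     # fixed 236-byte header before the magic cookie
MAGIC_COOKIE = b"\x63\x82\x53\x63"


def mac_bytes(mac):
    return bytes.fromhex(mac.replace(":", ""))


def mac_str(b):
    return ":".join(f"{x:02x}" for x in b[:6])


def build_offer(cm_mac, yiaddr, tftp_server, giaddr, config_file, broadcast, xid=0x3903F326):
    """DHCPOFFER as the server builds it. DOCSIS carries the TFTP server in
    siaddr and the config file name in 'file'; the B flag is echoed from the
    modem's DISCOVER."""
    flags = BROADCAST_FLAG if broadcast else 0
    header = struct.pack(
        BOOTP_FMT, 2, 1, 6, 0, xid, 0, flags,
        socket.inet_aton("0.0.0.0"), socket.inet_aton(yiaddr),
        socket.inet_aton(tftp_server), socket.inet_aton(giaddr),
        mac_bytes(cm_mac).ljust(16, b"\0"), b"\0" * 64,
        config_file.encode().ljust(128, b"\0"))
    options = bytes([53, 1, 2, 255])          # message type = OFFER, then End
    return header + MAGIC_COOKIE + options


def downstream_dst_mac(offer):
    """Destination MAC the CMTS puts on the downstream frame: broadcast if the
    modem asked for it, otherwise the modem's own chaddr."""
    flags = struct.unpack_from("!H", offer, 10)[0]
    return "ff:ff:ff:ff:ff:ff" if flags & BROADCAST_FLAG else mac_str(offer[28:34])


def sniffer_view(frame_dst_mac, sniffer_mac, offer):
    """What a sniffer behind *another* modem sees. The modem copies broadcast
    frames to its Ethernet port (and unicast frames for its own CPEs); a
    unicast Offer addressed to a different modem never reaches the PC."""
    if frame_dst_mac not in ("ff:ff:ff:ff:ff:ff", sniffer_mac):
        return None
    f = struct.unpack(BOOTP_FMT, offer[:236])
    return {
        "cm_mac": mac_str(f[11]),
        "cm_ip": socket.inet_ntoa(f[8]),
        "tftp_server": socket.inet_ntoa(f[9]),
        "config_file": f[13].rstrip(b"\0").decode(),
    }


if __name__ == "__main__":
    for flag in (True, False):
        offer = build_offer("00:00:de:ad:be:ef", "172.16.0.10", "10.0.0.2",
                            "172.16.0.1", "silver.bin", broadcast=flag)
        dst = downstream_dst_mac(offer)
        print(dst, sniffer_view(dst, "00:11:22:33:44:55", offer))
```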
17. DOCSIS Piracy
Speed Uncapping - Protection
DOCSIS Provided
▪ Implement the Shared Secret (CMTS MIC)!
▪ Use a strong secret: 30+ characters including
special characters.
▪ Allow TFTP file downloads only from the
cablemodem IP network (172.16.0.0) and block
them from the CPE network and everywhere else
(use filters in the CMTS and routers, not in the
CMs: they are untrusted).
▪ Request CM vendor firmware that sends DHCP
requests with the Broadcast flag disabled.
CMTS Provided
▪ Implement TFTP Enforce (TFTP Proxy)
▪ Use Dynamic Shared Secret
18. DOCSIS Piracy
Speed Uncapping – TFTP Enforce
▪ During the DHCP exchange the CMTS replaces
the TFTP server address in the Offer with its own
address and stores the original server address and
file name in a table, keyed by the modem.
▪ When the modem sends the TFTP file request,
the CMTS proxies it and fetches the file from the
real TFTP server recorded in the table.
▪ This ensures that the legitimate file is
downloaded from the proper server: the modem
never exchanges TFTP with anything but the CMTS.
19. DOCSIS Provisioning
TFTP Enforce - DHCP Process
[Diagram: the DHCP Offer from the DHCP Server (Src 10.0.0.1, Dst 10.0.0.254) carries Yiaddr 172.16.0.10, TFTP S: 10.0.0.2, TFTP F: silver.bin. The CMTS stores that and forwards a rewritten Offer to the cablemodem (MAC 00:00:DE:AD:BE:EF): Yiaddr 172.16.0.10, TFTP S: 172.16.0.1 (the CMTS itself), TFTP F: silver.bin. TFTP Server 10.0.0.2, ToD Server 10.0.0.3, CMTS 10.0.0.254 / 172.16.0.1, Provisioning System.]
CMTS TFTP Client Table
CM            TFTP S     TFTP File
172.16.0.11   10.0.0.2   gold.bin
172.16.0.10   10.0.0.2   silver.bin
20. DOCSIS Provisioning
TFTP Enforce - TFTP Process
[Diagram: TFTP Request from the cablemodem (MAC 00:00:DE:AD:BE:EF, IP 172.16.0.10): Src 172.16.0.10, Dst 172.16.0.1, FILE silver.bin. The CMTS looks the modem up in its table and issues its own TFTP Request: Src 172.16.0.1, Dst 10.0.0.2, FILE silver.bin. TFTP Response from the server: Src 10.0.0.2, Dst 172.16.0.1, FILE silver.bin, which the CMTS relays to the modem: Src 172.16.0.1, Dst 172.16.0.10, FILE silver.bin. DHCP Server 10.0.0.1, TFTP Server 10.0.0.2, ToD Server 10.0.0.3, CMTS 10.0.0.254 / 172.16.0.1, Provisioning System.]
CMTS TFTP Client Table
CM            TFTP S     TFTP File
172.16.0.11   10.0.0.2   gold.bin
172.16.0.10   10.0.0.2   silver.bin
21. DOCSIS Piracy
Speed Uncapping – Dynamic Secret
▪ This feature goes one step further than TFTP
Enforce: instead of just proxying the file, the CMTS
disassembles it, recalculates the CMTS MIC with a
per-session shared secret and reassembles the file
before delivering it to the modem.
▪ When the modem later sends its Registration
Request, the MIC it presents must match the one
the CMTS computed for that download.
▪ This is much more secure, because an individual
secret is used for each file download: a valid file
obtained any other way carries the wrong MIC.
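The TFTP Enforce table and the Dynamic Shared Secret step together, as an added example that is not the deck's or any CMTS vendor's code: a model CMTS rewrites the DHCP Offer and records the assigned server and file per modem, proxies only the TFTP request that matches the table, checks the file's static CMTS MIC, re-signs it with a per-download secret derived from the static secret, the CM MAC and a fresh nonce, and at registration accepts only that MIC. Addresses, file names and the secret are constructed; `fetch` stands in for the CMTS's TFTP client; the MIC covers all TLVs before TLV 7 in file order, a simplification of the spec's fixed order.

```python
import hashlib
import hmac
import os

# TLV types from the DOCSIS config-file spec; addresses, file names and the
# secret are constructed for this example.
TLV_COS, TLV_CM_MIC, TLV_CMTS_MIC = 4, 6, 7


def tlv(t, v):
    return bytes([t, len(v)]) + v


def parse_tlvs(data):
    out, i = [], 0
    while i < len(data) and data[i] != 0xFF:
        t, n = data[i], data[i + 1]
        out.append((t, data[i + 2:i + 2 + n]))
        i += 2 + n
    return out


def cmts_mic(body, secret):
    """Simplified CMTS MIC: HMAC-MD5 over every TLV that precedes TLV 7."""
    return hmac.new(secret, body, hashlib.md5).digest()


def sign_file(service_tlvs, secret):
    """What the provisioning system puts on the TFTP server."""
    body = service_tlvs + tlv(TLV_CM_MIC, hashlib.md5(service_tlvs).digest())
    return body + tlv(TLV_CMTS_MIC, cmts_mic(body, secret)) + b"\xff"


class CMTS:
    def __init__(self, hfc_ip, static_secret):
        self.hfc_ip = hfc_ip
        self.static_secret = static_secret
        self.table = {}   # CM IP -> {cm_mac, tftp_server, file, expected_mic}

    def relay_offer(self, offer):
        """TFTP Enforce, DHCP phase: remember the server and file the
        provisioning system assigned, hand the modem our own address."""
        self.table[offer["yiaddr"]] = {"cm_mac": offer["chaddr"], "tftp_server": offer["siaddr"],
                                       "file": offer["file"], "expected_mic": None}
        return {**offer, "siaddr": self.hfc_ip}

    def tftp_proxy(self, cm_ip, requested_file, fetch):
        """TFTP Enforce + Dynamic Secret, TFTP phase. fetch(server, name)
        stands in for the CMTS's own TFTP client."""
        rec = self.table.get(cm_ip)
        if rec is None or requested_file != rec["file"]:
            return None                                   # not what DHCP assigned: drop
        tlvs = parse_tlvs(fetch(rec["tftp_server"], rec["file"]))
        body = b"".join(tlv(t, v) for t, v in tlvs if t != TLV_CMTS_MIC)
        static = dict(tlvs).get(TLV_CMTS_MIC)
        if static is None or not hmac.compare_digest(static, cmts_mic(body, self.static_secret)):
            return None                                   # file on the server is not ours
        # Per-download secret from the static one, the CM MAC and a fresh
        # nonce: the same file gets a different TLV 7 on every download.
        session = hmac.new(self.static_secret, rec["cm_mac"].encode() + os.urandom(8), hashlib.md5).digest()
        rec["expected_mic"] = cmts_mic(body, session)
        return body + tlv(TLV_CMTS_MIC, rec["expected_mic"]) + b"\xff"

    def registration(self, cm_ip, reg_req_tlvs):
        """REG-REQ echoes the config TLVs including TLV 7. Accept only the MIC
        computed for this modem's own download: a file signed with the static
        secret but obtained some other way carries a different one."""
        rec = self.table.get(cm_ip)
        presented = dict(parse_tlvs(reg_req_tlvs)).get(TLV_CMTS_MIC)
        return (rec is not None and rec["expected_mic"] is not None and presented is not None
                and hmac.compare_digest(presented, rec["expected_mic"]))


def scenario():
    secret = b"static-shared-secret-30+chars-w/$ymbols"
    files = {("10.0.0.2", "silver.bin"): sign_file(tlv(TLV_COS, tlv(2, (2_000_000).to_bytes(4, "big"))), secret),
             ("10.0.0.2", "gold.bin"): sign_file(tlv(TLV_COS, tlv(2, (10_000_000).to_bytes(4, "big"))), secret)}
    fetch = lambda server, name: files[(server, name)]
    cmts = CMTS("172.16.0.1", secret)
    offer = cmts.relay_offer({"chaddr": "00:00:de:ad:be:ef", "yiaddr": "172.16.0.10",
                              "siaddr": "10.0.0.2", "file": "silver.bin"})
    delivered = cmts.tftp_proxy("172.16.0.10", "silver.bin", fetch)
    honest = cmts.registration("172.16.0.10", delivered)
    replayed = cmts.registration("172.16.0.10", files[("10.0.0.2", "gold.bin")])   # Case II replay
    wrong_name = cmts.tftp_proxy("172.16.0.10", "gold.bin", fetch)                  # not the assigned file
    return offer["siaddr"], honest, replayed, wrong_name
```

`scenario()` returns the rewritten siaddr (the CMTS's own address), True for the honest download, False for the replayed gold.bin even though its static MIC is perfectly valid, and None for a proxy request naming a file the modem was not assigned.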
22. DOCSIS Provisioning
Dynamic Shared Secret
[Diagram: same TFTP flow as TFTP Enforce (cablemodem 172.16.0.10 -> CMTS 172.16.0.1 -> TFTP Server 10.0.0.2 and back, FILE silver.bin, modem MAC 00:00:DE:AD:BE:EF); the CMTS now also records the per-session MIC it inserted into the delivered file. DHCP Server 10.0.0.1, ToD Server 10.0.0.3, CMTS 10.0.0.254 / 172.16.0.1, Provisioning System.]
CMTS TFTP Client Table
CM            TFTP S     TFTP File    Dynamic MIC
172.16.0.11   10.0.0.2   gold.bin     0x12dce5f5430
172.16.0.10   10.0.0.2   silver.bin   0x524c45f5879
23. DOCSIS Provisioning
Dynamic Shared Secret
[Diagram: the REG-Request from the cablemodem (MAC 00:00:DE:AD:BE:EF, IP 172.16.0.10) carries the Service Flows, Classifiers, Max CPE and the MD5 CMTS MIC = 0x524c45f5879; the CMTS compares it with the table entry for that modem and answers with a REG-Response (Registration ACK). DHCP Server 10.0.0.1, TFTP Server 10.0.0.2, ToD Server 10.0.0.3, CMTS 10.0.0.254 / 172.16.0.1, Provisioning System.]
CMTS TFTP Client Table
CM                  TFTP S     TFTP File    Dynamic MIC
00:00:DE:AD:00:00   10.0.0.2   gold.bin     0x12dce5f5430
00:00:DE:AD:BE:EF   10.0.0.2   silver.bin   0x524c45f5879
24. DOCSIS Piracy
Cablemodem MAC Cloning
▪ A cable modem identifies itself to the network by
its MAC address.
▪ Cloning the MAC address of a modem allows an
un-provisioned modem to get the service of a
provisioned one.
▪ This is much more dangerous, because a hacker
behind a cloned modem can carry out illegal
activities while the logs point at the legitimate
subscriber, so he is effectively untraceable.
▪ Hacked firmware allows the MAC address of a
compromised modem to be changed to any value.
25. DOCSIS Piracy
Cablemodem MAC Cloning
▪ DOCSIS 1.1 specified BPI+ (Baseline Privacy
Interface Plus) as a method to authenticate a
cable modem.
▪ All DOCSIS 1.1 and later modems have an
embedded X.509 certificate, signed by the
manufacturer's CA, which in turn is signed by
CableLabs (the DOCSIS root CA). The certificate
contains the modem's MAC address, and the
matching private key lives inside the modem.
▪ When BPI+ is enabled the modem must send its
certificate to the CMTS, which validates the
signature chain against its own database of
manufacturer/root certificates. If validation fails
the CMTS can deny service, so a cloned MAC
without the matching certificate and key is caught.
26. DOCSIS Piracy
MAC Cloning - Recommendations
▪ BPI+ is enabled in the configuration file, so all
the previous protection measures must be
implemented to ensure the file is not replaced by
one with BPI+ disabled.
▪ It is recommended to remove all DOCSIS 1.0
modems from the network and keep only DOCSIS
1.1 modems; all DOCSIS 1.0 config files can then
be deleted from the TFTP server, so a cloned modem
cannot ask for a file that does not require BPI+.
▪ Ensure all modems send the DHCP Discover with
the broadcast flag set to 0, so their Offers are not
sent to the broadcast address.
27. DOCSIS Piracy
MAC Cloning – BPI+ Mandatory
▪ Hacked firmware also supports changing the
advertised DOCSIS version in order to cheat the
provisioning system (e.g. to be handed a DOCSIS
1.0 file without BPI+).
▪ Some CMTSs support "BPI+ mandatory": a modem
that tries to register without BPI+ is rejected.
▪ All modems and config files need to be DOCSIS
1.1 enabled for this to work.
28. DOCSIS Piracy
MAC Cloning – Other Cases
▪ Some modem vendors are vulnerable to a full flash
copy (MAC address, certificate and private key).
▪ This creates a full clone.
▪ High-tech equipment and physical access are
required for that.
▪ BPI+ cannot do much about it: the clone presents
a genuine certificate and key.
▪ Some CMTSs support manual deny lists to stop
such modems from passing the ranging stage.
▪ Your provisioning system could run detection
algorithms to spot the same MAC appearing on
different CMTSs/upstream ports.
31. Customer Security
Source Verify
▪ The CMTS snoops all CPE DHCP exchanges and
builds a table of CPE MAC / CPE IP / CM MAC.
▪ When a CPE sends an ARP request, the CMTS
looks for a matching entry in the table; if there
is none, the ARP is discarded.
▪ This prevents ARP poisoning.
▪ It also gives tight control, ensuring that every IP
address used by a CPE was assigned and logged by
the DHCP Server.
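The check above as an added example (not the deck's or any CMTS vendor's code): a MACDB is learned from snooped DHCP (bindings are taken from DHCPACK and dropped on RELEASE, an assumption about when the lease is real), and each ARP from a CPE is forwarded only if its sender MAC and IP match a learned binding that was relayed through the same cable modem. The addresses are the ones from the deck's diagrams; the attacker packets are constructed.

```python
class SourceVerify:
    """CMTS-side MACDB: CPE MAC -> (CPE IP, CM MAC), learned by snooping DHCP.
    ARP from a CPE is forwarded only if it matches the learned binding."""

    def __init__(self):
        self.macdb = {}

    def snoop_dhcp(self, msg):
        """msg: {'type', 'chaddr', 'yiaddr', 'cm_mac'}. Bindings are learned
        from DHCPACK (the lease the server actually granted) and removed on
        RELEASE; Offers are not trusted because nothing was granted yet."""
        if msg["type"] == "ACK":
            self.macdb[msg["chaddr"]] = (msg["yiaddr"], msg["cm_mac"])
            return True
        if msg["type"] == "RELEASE":
            self.macdb.pop(msg["chaddr"], None)
            return True
        return False

    def check_arp(self, arp):
        """arp: {'eth_src', 'sender_mac', 'sender_ip', 'cm_mac'} as seen on the
        upstream, cm_mac being the modem the frame arrived through.
        Returns (forward, reason)."""
        if arp["eth_src"] != arp["sender_mac"]:
            return False, "ARP sender MAC differs from frame source"
        entry = self.macdb.get(arp["sender_mac"])
        if entry is None:
            return False, "sender MAC has no DHCP lease"
        ip, cm_mac = entry
        if arp["sender_ip"] != ip:
            return False, "sender IP is not the leased one"
        if arp["cm_mac"] != cm_mac:
            return False, "arrived through a different cable modem"
        return True, "ok"


def demo():
    """Constructed traffic: one honest CPE, then four kinds of bad ARP."""
    sv = SourceVerify()
    lease = {"chaddr": "00:11:22:33:44:55", "yiaddr": "200.0.0.10", "cm_mac": "00:00:de:ad:be:ef"}
    sv.snoop_dhcp({"type": "OFFER", **lease})      # ignored
    sv.snoop_dhcp({"type": "ACK", **lease})        # learned
    legit = {"eth_src": "00:11:22:33:44:55", "sender_mac": "00:11:22:33:44:55",
             "sender_ip": "200.0.0.10", "cm_mac": "00:00:de:ad:be:ef"}
    cases = {
        "legit": legit,
        # unknown station claiming the gateway address 200.0.0.1
        "poison": {**legit, "eth_src": "00:66:77:88:99:aa", "sender_mac": "00:66:77:88:99:aa",
                   "sender_ip": "200.0.0.1"},
        # real CPE MAC, but announcing the gateway IP
        "spoof": {**legit, "sender_ip": "200.0.0.1"},
        # self-assigned IP that never went through DHCP
        "static": {**legit, "eth_src": "00:66:77:88:99:aa", "sender_mac": "00:66:77:88:99:aa",
                   "sender_ip": "200.0.0.77"},
        # correct MAC/IP pair, but arriving behind another modem
        "cloned": {**legit, "cm_mac": "00:00:de:ad:00:00"},
    }
    return {name: sv.check_arp(pkt)[0] for name, pkt in cases.items()}


if __name__ == "__main__":
    print(demo())
```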
32. DOCSIS Provisioning
Source Verify
[Diagram: the CPE 00:11:22:33:44:55 behind cablemodem 00:00:DE:AD:BE:EF (172.16.0.10) sends a DHCP Discover (Src 00:11:22:33:44:55, Dst FF:FF:FF:FF:FF:FF, chaddr 00:11:22:33:44:55). The CMTS relays it to the DHCP Server (Src 10.0.0.254, Dst 10.0.0.1, Giaddr 200.0.0.1). The DHCP Offer comes back (Src 10.0.0.1, Dst 10.0.0.254, yiaddr 200.0.0.10) and is forwarded to the CPE (Src C4:C4:C4:C4:C4:C4, Dst 00:11:22:33:44:55, yiaddr 200.0.0.10); the CMTS records the binding. TFTP Server 10.0.0.2, ToD Server 10.0.0.3, CMTS CPE-side 200.0.0.1, Provisioning System.]
CMTS MACDB Client Table
CPE MAC             CPE IP       CM MAC
00:11:22:33:44:55   200.0.0.10   00:00:DE:AD:BE:EF
33. DOCSIS Provisioning
Source Verify
[Diagram: ARP Request from the CPE (Src 00:11:22:33:44:55, target MAC 00:00:00:00:00:00): who has 200.0.0.1? The CMTS checks the sender against the MACDB entry 00:11:22:33:44:55 / 200.0.0.10 / 00:00:DE:AD:BE:EF and only then answers with an ARP Reply (Src C4:C4:C4:C4:C4:C4, Dst 00:11:22:33:44:55) for 200.0.0.1. DHCP Server 10.0.0.1, TFTP Server 10.0.0.2, ToD Server 10.0.0.3, CMTS 200.0.0.1 / 172.16.0.1, cablemodem 00:00:DE:AD:BE:EF (172.16.0.10), Provisioning System.]
CMTS MACDB Client Table
CPE MAC             CPE IP       CM MAC
00:11:22:33:44:55   200.0.0.10   00:00:DE:AD:BE:EF
34. Customer Security
CMTS Option 82.1 and 82.2 Relay
▪ The CMTS can add DHCP option 82 (Relay Agent
Information) to CM or CPE DHCP Discover packets
before relaying them.
▪ Sub-option 1 (Circuit ID, "82.1") carries the name
of the upstream port the request came in on.
▪ Sub-option 2 (Remote ID, "82.2") carries the MAC
address of the cablemodem the Discover came
through.
▪ For CPEs it is very useful to know which
cablemodem (MAC) the device sits behind, either
to take provisioning decisions or just to keep a log.
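The option 82 wire format and one use of it, as an added example that is not the deck's code: it encodes option 82 with sub-option 1 (Circuit ID, the upstream name) and sub-option 2 (Remote ID, the CM MAC) the way RFC 3046 lays them out, inserts it into a Discover's options the way a relay does, parses it back on the server side, and runs the clone check mentioned under "MAC Cloning – Other Cases": the same CM MAC reported behind more than one upstream port. The upstream names and MACs are the constructed ones from the diagrams; the relay refusing a client packet that already carries option 82 is the safe default assumed here, not something the deck states.

```python
OPT_RELAY_AGENT = 82
OPT_PAD, OPT_END = 0, 255
SUB_CIRCUIT_ID = 1    # RFC 3046 sub-option 1: here the upstream port name ("82.1")
SUB_REMOTE_ID = 2     # RFC 3046 sub-option 2: here the cable modem MAC ("82.2")


def mac_bytes(mac):
    return bytes.fromhex(mac.replace(":", ""))


def mac_str(b):
    return ":".join(f"{x:02x}" for x in b)


def encode_option82(upstream_name, cm_mac):
    """Option 82 = code, length, then sub-options each as code/len/value."""
    circuit, remote = upstream_name.encode(), mac_bytes(cm_mac)
    subs = (bytes([SUB_CIRCUIT_ID, len(circuit)]) + circuit
            + bytes([SUB_REMOTE_ID, len(remote)]) + remote)
    return bytes([OPT_RELAY_AGENT, len(subs)]) + subs


def parse_options(opts):
    """DHCP options field (after the magic cookie) -> {code: value}.
    Pad (0) has no length byte; End (255) stops parsing."""
    out, i = {}, 0
    while i < len(opts):
        code = opts[i]
        if code == OPT_END:
            break
        if code == OPT_PAD:
            i += 1
            continue
        n = opts[i + 1]
        out[code] = opts[i + 2:i + 2 + n]
        i += 2 + n
    return out


def parse_option82(value):
    """Sub-options use the same code/len/value shape but have no pad/end."""
    subs, i = {}, 0
    while i < len(value):
        code, n = value[i], value[i + 1]
        subs[code] = value[i + 2:i + 2 + n]
        i += 2 + n
    return {"upstream": subs[SUB_CIRCUIT_ID].decode(), "cm_mac": mac_str(subs[SUB_REMOTE_ID])}


def relay_discover(options, upstream_name, cm_mac):
    """CMTS relay step: insert option 82 just before End. A Discover that
    already carries option 82 from the client side is not forwarded (assumed
    policy: a client must not be able to pick its own circuit/remote id)."""
    if OPT_RELAY_AGENT in parse_options(options):
        return None
    assert options.endswith(bytes([OPT_END]))
    return options[:-1] + encode_option82(upstream_name, cm_mac) + bytes([OPT_END])


def cloned_modems(relayed_discovers):
    """Provisioning-system check: a CM MAC seen behind more than one upstream
    port is a cloning candidate. Returns {cm_mac: [upstreams]}."""
    seen = {}
    for opts in relayed_discovers:
        info = parse_option82(parse_options(opts)[OPT_RELAY_AGENT])
        seen.setdefault(info["cm_mac"], set()).add(info["upstream"])
    return {mac: sorted(ports) for mac, ports in seen.items() if len(ports) > 1}


DISCOVER_OPTS = bytes([53, 1, 1, OPT_END])   # message type = DISCOVER, then End


def demo():
    # Constructed: the same modem MAC shows up on Upstream 1 and Upstream 4.
    relayed = [
        relay_discover(DISCOVER_OPTS, "Upstream 1", "00:00:de:ad:be:ef"),
        relay_discover(DISCOVER_OPTS, "Upstream 1", "00:00:de:ad:be:ef"),
        relay_discover(DISCOVER_OPTS, "Upstream 4", "00:00:de:ad:be:ef"),
        relay_discover(DISCOVER_OPTS, "Upstream 2", "00:00:de:ad:00:00"),
    ]
    return parse_option82(parse_options(relayed[0])[OPT_RELAY_AGENT]), cloned_modems(relayed)


if __name__ == "__main__":
    print(demo())
```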
35. DOCSIS Provisioning
Option 82 Relay
[Diagram: DHCP Discover from the CPE (Src 00:11:22:33:44:55, Dst FF:FF:FF:FF:FF:FF, hwaddr 00:11:22:33:44:55) arrives through cablemodem 00:00:DE:AD:BE:EF (172.16.0.10); the CMTS relays it to the DHCP Server (Src 10.0.0.254, Dst 10.0.0.1, Giaddr 200.0.0.1) after adding Opt 82.1: Upstream 1 and Opt 82.2: 00:00:DE:AD:BE:EF. TFTP Server 10.0.0.2, ToD Server 10.0.0.3, CMTS 200.0.0.1 / 172.16.0.1, Provisioning System.]
36. Customer Security
Protocol Throttling
▪ ARP and DHCP are protocols that are necessary
for system operation and cannot be completely
filtered.
▪ Hackers can take advantage of that to generate
denial of service attacks.
▪ A DHCP DoS can overload the DHCP Server.
▪ An ARP DoS can saturate the local segment with
ARP traffic.
▪ CMTSs support protocol throttling: they allow a
certain acceptable rate of traffic for these
protocols and drop the rest.
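One way such a throttle works, as an added example (not the deck's or any CMTS vendor's implementation): a token bucket per (cable modem, protocol) that admits a bounded burst and a sustained rate and drops the excess, run over constructed traffic in which one modem floods DHCP Discovers while another sends a normal trickle of ARP. The rate, burst and traffic mix are assumptions chosen to make the arithmetic exact.

```python
class ProtocolThrottle:
    """Per (cable modem, protocol) token bucket: up to `burst` packets at
    once, refilled at `rate` packets per second; anything beyond is dropped
    while ordinary ARP/DHCP from other modems keeps flowing."""

    def __init__(self, rate, burst):
        self.rate, self.burst = rate, burst
        self.buckets = {}   # (cm_mac, proto) -> (tokens, last_seen)

    def admit(self, cm_mac, proto, now):
        tokens, last = self.buckets.get((cm_mac, proto), (self.burst, now))
        tokens = min(self.burst, tokens + (now - last) * self.rate)
        ok = tokens >= 1
        self.buckets[(cm_mac, proto)] = (tokens - 1 if ok else tokens, now)
        return ok


def run(throttle, packets):
    """packets: iterable of (time_s, cm_mac, proto), in time order.
    Returns {(cm_mac, proto): (forwarded, dropped)}."""
    stats = {}
    for t, mac, proto in packets:
        fwd, drop = stats.get((mac, proto), (0, 0))
        if throttle.admit(mac, proto, t):
            fwd += 1
        else:
            drop += 1
        stats[(mac, proto)] = (fwd, drop)
    return stats


HACKED, LEGIT = "00:00:de:ad:be:ef", "00:00:de:ad:00:00"   # constructed


def demo():
    """Constructed traffic with whole-second timestamps: a DHCP flood from
    one modem (1000 Discovers at t=0, 100 more at t=1) and five ARPs per
    second for five seconds from another."""
    flood = [(0, HACKED, "dhcp")] * 1000 + [(1, HACKED, "dhcp")] * 100
    normal = [(t, LEGIT, "arp") for t in range(5) for _ in range(5)]
    return run(ProtocolThrottle(rate=10, burst=20), sorted(flood + normal))


if __name__ == "__main__":
    for key, (fwd, drop) in demo().items():
        print(key, "forwarded", fwd, "dropped", drop)
```

With a burst of 20 and a refill of 10 per second the flooding modem gets 20 Discovers through at t=0 and 10 more at t=1, 1070 are dropped, and the legitimate modem's 25 ARPs all pass; the DHCP server sees 30 requests from the attacker instead of 1100.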