Apresentação realizada pelo Bernardo Rodrigues aka bernardomr durante a 2a.edição da Nullbyte Securite Conference em 21/11/2015. Resumo: A tecnologia de de Internet à Cabo evoluiu consideravelmente nos últimos anos, trazendo novos desafios de segurança. A transição para o DOCSIS 3.0 introduziu equipamentos mais modernos, com maior capacidade e novas funcionalidades. Os clientes acessam a Internet com "caixas pretas" e confiam que os fabricantes e provedores vão mantê-los seguros. A ideia da palestra é discutir a segurança dos modems a cabo, assim como a tecnologia de gerência dos dispositivos, transporte das informações e atualizações de firmware.

1. Hacking Cable Modems
The Later Years
Bernardo Rodrigues
@bernardomr

2. Disclaimer
 Opinions are my own, unless hacked.
 In that case, hacker's
 This is not a talk about Theft of Service

3. $ whoami
 Web, Forensics & Junk Hacking
 CTF Player
https://w00tsec.blogspot.com

4. Cable Modem – Vendors

5. Cable Modem: Models

6. Cable Modem Hacking Timeline
1997 ( … ) 2001 2003 2004 2006 ( … ) 2009 2010
Technology
DOCSIS 1.0
Technology
DOCSIS 2.0
Firmware
Book
SIGMA by
TCNiSO
Tool
BlackCat Programmer
by Isabella
Hacking The
Cable Modem
by derEngel
Firmware
Haxorware R27
by Rajkosto
Legal
DerEngel (Ryan Harris)
arrested
Talk
DEFCON 18
Hacking
DOCSIS For
Fun and
Profit
Talk
DEFCON 16
Free Anonymous
Internet Using Modified
Cable Modems
Talk
DEFCON 16
Sniffing Cable
Modems
Technology
DOCSIS 3.0

7. 2011 2012 2013 2014 2015
Talk
NullByte Con
Hacking Cable
Modems: The
Later Years
Firmware
ForceWare v1.2
by mforce
HOPE 9
The ARRIStocrats:
Cable Modem
Lulz
Talk
Technology
DOCSIS 3.1
w00tsec
Unpacking
Firmware Images
from Cable
Modems
Blog Post
Console Cowboys
Arris Cable Modem
Backdoor - I'm a
technician, trust me
Blog Post
Infiltrate
Practical Attacks
on DOCSIS
Talk
Cable Modem Hacking Timeline

8. DOCSIS
 Data Over Cable Service Interface Specification
 Network Overview:

9. DOCSIS 3.0 Features
 Channel Bonding (Upstream and Downstream)
 IPv6 (inc. provisioning and management of CMs)
 Security (?)
 Enhanced Traffic encryption (?)
 Enhanced Provisioning Security (?)

10. Channel Bonding

11. DOCSIS: Provisioning
 Acquire and lock the downstream frequency
 Get upstream parameters
 Get an IP address
 Download modem configuration via TFTP
 Apply the configuration and enable forwarding of
packets

12. DOCSIS Network Overview

13. DOCSIS SEC
 Encryption and authentication protocol in DOCSIS
 BPI (Baseline Privacy Interface) in DOCSIS 1.0
 BPI+ in DOCSIS 1.1 and 2.0
 SEC (Security) in DOCSIS 3.0

14. DOCSIS SEC
 Digital certificates (VeriSign/Excentis)
 Uniquely chained to the MAC address of each
cable modem
 CMTS allowing Self-signed certificates
 Legacy test equipment
 Cable modems that do not support BPI+

15. DOCSIS: Provisioning

16. DOCSIS: Config File
 Downstream
 Upstream
 Bandwidth cap
 ACL’s
 TFTP Servers
 SNMP community

17. DOCSIS: Config File

18. DOCSIS: Config File
 DOCSIS specification:
 CMTS generates a Message Integrity Check (MIC)
 Hash: Number of parameters, including the
"shared secret"
 Incorrect MIC: CM registration fail
 DOCSIS 2.0: MD5
 DOCSIS 3.0: New MIC hash algorithm (MMH)

19. DOCSIS: Config File

20. Cable Modems
 binwalk

21. Cable Modems
 binwalk + capstone

22. Cable Modems
 Shell access

23. Cable Modems
 Shell access

24. Cable Modems
 Bad authentication

25. Cable Modems
 XSS, CSRF, DoS

26. Cable Modems
 Default Passwords

27. Cable Modems
 Backdoors

28. Cable Modems
 Backdoors in the Backdoors

29. Cable Modems
 Backdoors

30. Hacked Firmwares
 Not Certified by CableLabs
 Backdoors (legit modems too)
 Closed source (legit modems too)
 Enable factory mode (legit modems too)
 Change MAC and Serial (legit modems too)
 Certificate Upload
 Force network access (ignore unauthorized
messages)
 Floods DHCP server with packets
repeatedly until get an IP address
 Disable & Set ISP filters (ACLs at modem level)
 Specify config filename and TFTP server IP
address
 Force config file from ISP, local TFTP or
uploaded flash memory
 Disable ISP firmware upgrade
 Get & Set SNMP OID values and Factory mode
OID values
 Upload, flash and upgrade firmware
 Dual Boot

31. Hacked Cable Modems

32. Hacked Cable Modems

33. Reversing Cable Modems

34. Reversing Cable Modems
 RAM Start Address

35. Firmware Types
 Signed and compresed (PKCS#7 & binary)
 Compressed binary images
 RAM dump images (uncompressed & raw)

36. Firmware Structure

37. Firmware Structure

38. Firmware Upgrades

39. Firmware Upgrade
 Authenticate originator of any download
 Verify if the code has been altered
 Digitally signed (Root CA)

40. Firmware Downgrade

41. Firmware Upgrade

42. Phisical Protection

43. Phisical Protection
 0DAY?

44. Phisical Protection

45. SPI
 Serial Peripheral Interface Bus
 SCLK : Serial Clock (output from master).
 MOSI : Master Output, Slave Input (output from master).
 MISO : Master Input, Slave Output (output from slave).
 SS : Slave Select (active low, output from master).

46. SPI
 Identify the Model

47. SPI: Datasheet

48. SPI: Beaglebone

49. SPI: Beaglebone

50. SPI: Beaglebone

51. SPI: GoodFET

52. SPI: GoodFET

53. SPI: GoodFET

54. SPI: BlackCat USB

55. SPI: BlackCat USB

56. SPI: BlackCat USB

57. NAND Flash
 DumpFlash
 https://github.com/ohjeongwook/DumpFlash

58. Factory Mode
 Administrative functions
 Reflashing Firmware
 Dumping keys

59. Factory Mode

60. SNMP Scanning

61. SNMP Scanning

62. SNMP ACL’s

63. Bypassing SNMP ACL’s
 https://github.com/nccgroup/cisco-snmp-slap

64. Bypassing SNMP ACL’s
 https://github.com/nccgroup/cisco-snmp-slap

65. DOCSIS Encryption
 Use of 56-bit DES
 DOCSIS 3.0 adds support for AES
 Never seen AES used (as of 2015)
 Lack of use likely due to DOCSIS 2.0
support

66. DOCSIS Encryption

67. DOCSIS 3.1 Encryption: Worldwide

68. DOCSIS 3.1 Encryption: China

69. Problems with DOCSIS SEC

70. Problems with DOCSIS SEC

71. Problems with DOCSIS SEC
 CMTS are not picking most secure
cryptographic algorithm supported by CM
 Re-use of CBC IV in each frame
 Required by specification
 Identical packets will have identical
ciphertext

72. Sniffing DOCSIS
 MPEG packets like normal TV to encapsulate
data (ISO/IEC 13818-1)
 https://github.com/gmsoft-tuxicoman/pom-ng
 https://bitbucket.org/drspringfield/cabletables
 MPEG Encapsulation: MPEG packets > DOCSIS
frames > ETHERNET frames > IPv4 > TCP

73. Sniffing DOCSIS: Id the Victim
 Sniff ARP traffic on downstream and collect
subnets
 ICMP ping sweeps across subnets with various
packets sizes
 Perform correlation between encrypted packet
sizes and sent ICMP packet length
 Produce (MAC, IP) tuples

74. Sniffing DOCSIS

75. Sniffing DOCSIS

76. Sniffing DOCSIS
 ARP traffic is in the clear
 IP registration occurs prior to
encryption/auth
 Unless EAE enabled (Early Authentication
& Encryption)

77. Sniffing DOCSIS

78. Brazilian Criminals

79. Brazilian Criminals

80. Brazilian Criminals

81. Brazilian Criminals

82. Solutions: ISPs
 Firmware Upgrades
 Isolate DOCSIS network
 ACL's
 BPI+ Policy Total
 TFTP Enforce

83. Solutions: ISPs
 DMIC - Dynamically generates config file
passwords (Can’t reuse)
 Enforce EAE - Encrypts IP & DHCP process
 Cable Privacy Hotlist (finds cloned modems)

84. Solutions: Vendors
 No more backdoors
 FCC certification – Security
 Open Source?
 TPM, Smart Cards?

85. Insecurity: Root Causes
 Improperly configured CM/CMTS
 Security flaws in CM/CMTS OS
 Costs & Convenience
 Backwards compatibility != Security

86. Myths
 Perfect Clones (Theft of Service)
 "Nobody is innocent"
 "Needs physical access“
 "You need JTAG, SPI"

87. Conclusion
 The question remains:
 Is DOCSIS a secure & viable communications
protocol?

88. R.I.P TG862 SN XXXXXXXX91344
2015
IN MEMORIAM