All about DOCSIS technology, CMTS Headends, Cable Television, Information technology, High Definition TV, IPTV, Fiber to the home. Cable Modem Drivers and Troubleshooting.

Theft of service, OpenCable Platform vs DCR+

Cable Modem “Uncapping”
Uncapping cable modems, the process by which a cable modem's rate limits are removed, is the most common and most widely publicised security breach on cable IP networks. Uncapping refers to the removal of a modem’s throughput "cap" or maximum rate limit (usually in the upstream direction). Uncapping typically involves users who have valid service contracts initially but who wish to achieve higher service levels (usually higher speed connections) without authorisation. When users uncap their cable modems they are committing a theft of service. Users who perform this act will receive a level of service for which they are not authorised and for which they do not pay. Due to the shared nature of DOCSIS networks, users who modify class-of-service (CoS) profiles such as rate limits will cause other users to experience correspondingly poorer service levels. Several users with illegally uncapped cable modems may completely monopolise available bandwidth and legitimate users may even be denied service completely. If a cable operator is to appropriately design, deploy, and maintain the cable IP network, uncapped cable modems must be denied access to network resources. Several websites have appeared detailing the process of modifying DOCSIS cable modems such that they connect with no defined limits to throughput. How-to guides to uncapping modems and even free software programs that assist users in uncapping their modems are widely available. Efforts to limit the publication of uncapping techniques simply will not suffice to keep users from practicing these techniques. Only by securing the cable IP network can users be kept from the unauthorized modification of their CoS profiles.

NEW BOOK SHOWS HOW TO CONTROL YOUR CABLE MODEM
DerEngel, “Underground Prometheus of super-broadband,” opens the box and explains what’s going on inside

August 29, 2006, San Francisco—In the beginning there was dial-up, and it was slow; then came broadband in the form of cable, which redefined how we access the internet, share information, and communicate with each other online. Hacking the Cable Modem (No Starch Press, September 2006, http://www.nostarch.com/cablemodem.htm) goes inside the device that makes Internet via cable possible and, along the way, reveals secrets of many popular cable modems, including products from Motorola, RCA, WebSTAR, D-Link and more. The book’s author, DerEngel, is regarded in hacker circles as the foremost expert on cable modems. Once described in the media as “a dangerously unemployed U.S. coder,” the author now runs his own embedded development assembly business that seeks to improve hardware by modifying and experimenting with it. Sometimes dismissed as a thief or belittled as no better than a virus writer, DerEngel’s activities have drawn attention from the Slashdot crowd, have been profiled by the SecurityFocus website, and have incited passionate debate in many an online forum. Written for people at all skill levels, Hacking the Cable Modem features step-by-step tutorials with easy-to-follow diagrams, source code examples, hardware schematics, and previously unreleased cable modem hacks.

Readers of Hacking The Cable Modem will learn:
• the history of cable modem hacking
• how a cable modem and DOCSIS work
• the importance of firmware (including ways to install new firmware)
• how to unblock network ports and unlock hidden features
• how to hack and modify a cable modem
• what uncapping is and how it makes cable modems upload and download faster

“I don’t like black boxes; I like to know how things work. The goal of this book and my point in publishing it is to show the many cable modem users how that black box works, how to understand it, and how to control it,” said Bill Pollock, founder of No Starch Press. “DerEngel demystifies cable modems for the legions of geeks who wonder just how the heck the thing works.” For the idle tinkerer or active modder, Hacking The Cable Modem is sure to shed new light on cable Internet.

Additional Resources:
Table of contents: http://www.nostarch.com/cablemodem_toc.htm
Sample chapter: http://www.nostarch.com/download/cablemodem_ch17.pdf
ABOUT THE AUTHOR: Profiled by Security Focus, Tech TV, and the Register, and the subject of multiple Slashdottings, DerEngel has been hailed as “the underground Prometheus of super-broadband.” He has written several programs to simplify and streamline cable-modem hacking since he started doing it himself in 2000. He currently heads TCNiSO, a group of hackers that has revolutionized reverse engineering techniques and produces free hackware.

The book is concise and detailed. There are sections on the physical components and how to get at them without destroying the case or the components. There is probably the most lucid and short description I have read of how buffer overflows work. And there are explicit instructions on how to change speed settings and port controls.

A word about ethics here. DerEngel explicitly states that he does not condone stealing bandwidth from cable providers. His argument that sysadmins need to know how to configure cable modems to effectively manage their Internet connectivity has some merit. I would suggest that the most valuable contribution DerEngel has made to the world of security is to create a manual that the cable operators and cable modem manufacturers can use to harden their devices against malicious attacks.

OpenCable Platform vs DCR+

There's a big political battle brewing about the way the National Cable & Telecommunications Association (NCTA) and the Consumer Electronics Association (CEA) believe two-way "Plug & Play" should emerge onto the marketplace. In one corner is the OpenCable Platform, which is being pushed to the hilt by the U.S. cable industry. In the other is the CEA's non-OpenCable proposal called DCR+.

The FCC is expected to scrutinize both proposals, because the cable industry and the CEA have been unable to find common ground on their own, as they did in late 2002 with the one-way Plug & Play agreement, which the FCC later adopted.

That one-way agreement paved the way for CableCARD-capable TVs that could display digital cable content, including premium networks such as HBO, without a separate set-top box. Those same sets, however, cannot handle interactive, two-way services such as video-on-demand (VOD) without a set-top.

The DCR+ proposal would rely upon DSG for headend communication with set-top terminal devices, but CEA has made no provision for the integrity of operating software or applications in a DCR+ device. This approach would weaken the common core security on which cable-delivered video, data, and voice all depend and expose the cable network to software/Internet-based system-wide attacks. It would also undermine Cable Broadband Intercept Specification (CBIS), on which the law enforcement community relies for legal CALEA-compliant wiretaps. The failure of the DCR+ proposal to provide necessary security facilitates spoofing of modem MAC addresses, thus limiting the ability of law enforcement to perform lawful intercepts of voice and data services, and increasing the likelihood that surveillance will be directed to an innocent customer, rather than the target.
The DCR+ proposal additionally fails to recognize that the majority of cable systems rely on out-of-band communications, rather than DSG, for communication purposes with set-top terminal devices. By proposing to rely exclusively on DSG, DCR+ devices will not be nationally portable.

DOCSIS Set-top Gateway (DSG)
The DCR+ proposal fails to recognize the diversity of network infrastructure in use by cable operators for digital video services. In particular, cable networks today use at least three different solutions for two-way communication between the cable headend and set-top terminal devices. One of these is DSG, a DOCSIS-based protocol that is beginning to be more widely adopted. The other two methods rely on legacy out-of-band (“OOB”) communication.

DSG Security
The use of DSG, either alone or in conjunction with legacy OOB support, has security implications which are addressed in the OpenCable solution, but are not addressed in CEA’s DCR+ proposal. The integrity of the DOCSIS network must be based on the security components of DOCSIS specifications.

The elements of this security include:
• Device certificates for device authentication indicating that the device and its software are compliant with the specifications, including protections for the security of the network.
• Secure Software Download using code signing and validation for verifying the integrity of the software installed in the device. This measure is to deter rogue software entering the DSG modem which could then utilize the reverse path to the cable network.
• Certification of compliance with the device specifications through a hands-on certification testing program, including security testing to prevent harm to the network and the experience of other users.
• Management of the Public Key Infrastructure (PKI) to ensure that certificates and the private keys that support them are protected appropriately to prevent theft of service and harm to the network.
• Encryption of customer traffic to help prevent unauthorized snooping of a cable customer’s voice, data, and video traffic. This is especially important in the star and branch “shared” network architecture of cable.
• Configuration file authentication to assure that the cable modem is operating with the correct, purchased, level of service, thus preventing theft of service.

All of the elements are necessary to protect the cable network from theft-of-service, denial-of-service attacks, and harm to the cable network (including harm to other consumers using the same shared network). If one of these elements is weakened, then the overall security of the cable network is reduced, potentially negatively impacting all services delivered by cable – voice, data and video. All CableLabs specifications (DOCSIS, CableHome, PacketCable and OpenCable) make use of the DOCSIS cable modem and this same security model.
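
The configuration file authentication element listed above, sketched from the operator's side as an added example (not code from the NCTA filing or from any vendor): the provisioning server appends a keyed digest to the class-of-service settings, and the CMTS recomputes it before granting service. The TLV type numbers and the use of HMAC-MD5 are assumptions modelled on the DOCSIS config-file layout, the digest coverage is simplified, and the secret and rate values are constructed.

```python
import hashlib
import hmac
import struct

# Assumed TLV numbering, modelled on DOCSIS config files; the digest coverage
# is simplified (every TLV except the MIC), not the full CMTS MIC rules.
T_COS, T_CMTS_MIC, T_END = 4, 7, 255
COS_MAX_DOWN, COS_MAX_UP = 2, 3

def tlv(t, value):
    return bytes([t, len(value)]) + value

def parse_tlvs(blob):
    """Return [(type, value)] up to the end marker; reject truncated TLVs."""
    out, i = [], 0
    while i < len(blob) and blob[i] != T_END:
        if i + 2 > len(blob) or i + 2 + blob[i + 1] > len(blob):
            raise ValueError("truncated TLV")
        t, n = blob[i], blob[i + 1]
        out.append((t, blob[i + 2:i + 2 + n]))
        i += 2 + n
    return out

def build_config(max_down, max_up, secret):
    """Provisioning side: CoS rate limits followed by a keyed MIC."""
    cos = (tlv(COS_MAX_DOWN, struct.pack(">I", max_down))
           + tlv(COS_MAX_UP, struct.pack(">I", max_up)))
    body = tlv(T_COS, cos)
    mic = hmac.new(secret, body, hashlib.md5).digest()
    return body + tlv(T_CMTS_MIC, mic) + bytes([T_END])

def cmts_accepts(blob, secret):
    """CMTS side: recompute the MIC over the settings the modem presented."""
    try:
        tlvs = parse_tlvs(blob)
    except ValueError:
        return False
    mics = [v for t, v in tlvs if t == T_CMTS_MIC]
    if len(mics) != 1:                      # a missing or duplicated MIC is refused
        return False
    covered = b"".join(tlv(t, v) for t, v in tlvs if t != T_CMTS_MIC)
    expected = hmac.new(secret, covered, hashlib.md5).digest()
    return hmac.compare_digest(expected, mics[0])

SECRET = b"constructed-shared-secret"       # sample value, not a real key
good = build_config(10_000_000, 1_000_000, SECRET)
# Constructed test input: same file with the upstream limit field altered.
tampered = good.replace(struct.pack(">I", 1_000_000), struct.pack(">I", 50_000_000), 1)
```

The check has to run on the CMTS, which the operator controls, because the modem holding the file is in the subscriber's hands; the shared secret never needs to reach the modem.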

DCR+ Opens the Cable Network to Software/Internet-Based Attacks
The hardware implementation of DOCSIS-based devices is critical to security of the device and of the network. The same is true for the software implementation in those devices since the vast majority of the functionality of these devices is implemented in software. In the case of an embedded DSG modem, the integrity of the software that implements the DSG modem is ensured through the use of DOCSIS BPI+ Secure Software Download (SSD). All of the CableLabs specifications make use of this SSD mechanism to ensure the integrity of the device and consequently the network. Only software that has been signed (and optionally cosigned) is permitted to be downloaded via SSD to the device that contains the DSG modem. The use of SSD therefore helps the cable operator to protect the network by protecting the DSG modem software from tampering.
CEA has made no provision for the integrity of operating software or applications in a DCR+ device, compromising the overall cable security structure, and exposing the cable network to software/Internet-based system-wide attacks. This would weaken the common core security on which cable-delivered video, data, and voice all depend.
Hackers and pirates are already poised to exploit any weakness, but known hacks today require physical modifications to the modem and cannot be distributed over the Internet. The TCNISO website (www.tcniso.net) offers downloads of “DreamOS,” promising “Complete control of the device and DOCSIS stack” and “OneStep,” “the software that took cable modem hacking mainstream.” “By making uncapping easier, OneStep introduced cable modem hacking to individuals who may not have been able to accomplish it otherwise (and created many security concerns for service providers in the process).” Uncapping is a theft of service.
DCR+ opens the security gates wide to hackers and pirates: it makes no provision for SSD, a key authentication measure used to assure the end-to-end integrity of cable-delivered video, data, and voice services. Without SSD, the cable modem in DCR+ is unprotected against distribution of undetectable rogue software that can be easily downloaded over the Internet.
Widespread, software-proliferated, modem hacks could also open the network up to denial of service attacks, potentially system wide.

Comments of the National Cable & Telecommunications Association (NCTA), responding to the CEA, September 10, 2007