"...What?"
I was furious. Time Warner had left a backdoor in all their modems that gives them administrative access to my private connection. And yes -- she did alter the password remotely. She didn't seem to think there was anything wrong with this. I tried googling for relevant information, but wasn't able to find anything more than speculation at the time.
Lately cable companies have been pushing these hybrid modem/router combinations with things like wifi support built in. From a consumer standpoint, this seems very convenient, but the cable companies do this because it makes it easier for them. If you call up with an issue with "your Internet," they can remotely diagnose it and reset your modem/router. Make no mistake; they have more control over these than you do.
If you want to stop your ISP from having administrative access to your "private connection" (I assume you mean your wifi), then don't put the modem and the router in the same box. There's no other way around this.
Yes, their modems. On the connection that they provide for you.
A cable modem is considered CPE (customer premises equipment), meaning it is part of the infrastructure a telco uses to provide you with connectivity. Usually they own it, but in any case they have full control over it, as they should - it's part of their network. They may choose to delegate some configuration via a web GUI, but that's at their discretion - it's theirs to administer.
Business telecom has a formalized notion of a demarc (demarcation point), the place where the telco network ends and yours begins. AT&T owns and is responsible for the fiber/T1/POTS lines as they come through the wall, as well as the CPE (often a large rackmount Cisco router) to which it connects. Their contract is to provide connectivity on specific ethernet ports/fibre GBICs/whatever of that CPE. Whatever happens downstream of those ports is your problem, and whatever happens upstream is their problem.
Both sides will treat this connection as hostile - you'll have your own NATing router up and the telco's router, if it even has a configuration interface listening on your NIC, won't let you in. It would be inappropriate for AT&T to have any sort of access to the router you own and inappropriate for you to attempt any sort of access to AT&T's CPE.
Time Warner has been shifting recently towards placing WiFi on their side of the (logical) demarc. Which makes sense, since most people would rather not be responsible for administering any infrastructure - they just want Time Warner to deliver them WiFi. It sounds like you have this kind of setup, in which case Time Warner's access is not "backdoor" but "building owner" - you're renting a room.
If you'd prefer, you can (have them) turn off their WiFi, go buy a nice wireless router, and connect it to the modem. In this case Time Warner is providing you with a connection on an ethernet port; the device you've plugged in is your own (your side of the demarc) and they have no right to touch its configuration, nor are they responsible for it working correctly.
EDIT: The obvious analogy that would have simplified much of this is that a cable modem is like an electrical meter.
You might be surprised at how much a provider support rep can see with this. Here are two screenshots from Cisco's product to give you an idea: http://images.newsfactor.com/images/super/larger-12-ClearAcc... http://cdn-static.zdnet.com/i/story/60/01/072589/clearaccess...
Moral of the story: Use the most basic cable/dsl modem that they'll give you, make it as close to bridge mode as you can, and use your own router.
Over here when you are on BT's FTTC setup through any ISP, the vDSL modem that hangs off your master socket (which can do more but is used in this arrangement to simply pick up the connection from the phone line and provide PPPoE on the ethernet port) is very definitely BT/OR's: they tell you not to mess with it, people who want to mess with it have to use hacks to get access to the UI (which is otherwise locked off), and if you plug something else in at that point you are officially not supported. If the router that you plug in to that came from your ISP then that is theirs (usually you have to return it when you leave).
If you buy your own router (or "make" your own: people who have a small Linux machine on 24/7 for various things just set that up to talk PPPoE directly and skip the router altogether, neatly avoiding the limits of many "consumer grade" units (shoddy IPv6 support, for instance) without shelling out for a much better device), only then do you truly have control of security at that point in the topology. But some ISPs won't support you if you don't use the provided router (though if you know enough to purchase your own router you might not find such an ISP's tech support much help anyway).
Not really a backdoor, just remote administration.
http://www.lightreading.com/tr-069-still-sexy-after-all-thes...
Now combine that with the typical user's tendency towards password reuse...
Seriously, nothing against a little humor in your slides. But making every second slide a meme reference gets annoying pretty fast :)
I really wonder why nobody complained about that earlier. Also the interesting thing here is that for a very long time, you weren't allowed to use a different router than the one provided by your ISP. Which enforced their surveillance monopoly.
Here's an article about reverse engineering the backdoor in D-Link routers using IDA:
http://www.devttys0.com/2013/10/reverse-engineering-a-d-link...
PoC Available: http://pastebin.com/vbiG42VD
Most likely your ISP is using a technique like TR-069. This enables them to push settings for voip/TV, and in your friend's case wifi. A lot of DSL providers are starting to use this for less intrusive (?) goals like measuring noise and attenuation at the client's end once a day, so they can adjust the speed accordingly.
AVM is a very nice company and you should not accuse them without proof. They actually provide an option to disable TR-069 in the page "Provider Services" ("Allow automatic configuration by the service provider" and "Allow automatic updates"). If you don't have this option you could try installing the original firmware from avm.de. Maybe you are still able to flash the modem with the original firmware from , and configure it yourself?
You shouldn't accuse anybody without proof. But since this is Hacker News I'll disagree with the first part of that sentence. AVM is probably the least hacker-friendly company I've ever come across. For example, they're so hell-bent on violating the GPL that they've taken it to court (and lost) [1].
Why can't this be done on the DSLAM?
That's what I did, I flashed it with a custom firmware (that was after I became aware of the backdoor). I've not "reverse-engineered" the base image of my own router like in the article above, because that's a lot of work. I've worked on an awful lot of routers, hubs, switches of all sorts, enterprise and consumer. Have been network administrator for a large global company and I think that I can trust my sources.
What the new user "blablablaat" mentioned is obvious, I'm not stupid enough to make something like this up. Of course I have no "Provider Services" or anything remotely similar enabled, but it's still possible to connect to the router and take control over it according to my source and I've seen it back then, when I asked for him/her to show it. Now why do you expect me to prove that? A security researcher is more qualified than me to create the convincing report you're asking for, sorry. You can feel free to do it yourself too, if you want. It's not my intention to spread rumors or FUD, but to make you at least aware that your router ain't secure.
I've heard of some cases that ISPs tried to stop by going to court, like permanent storage of all data, but lost the case. It's not just the NSA btw. In Germany there is the Bundesnachrichtendienst (BND), which translates to "Federal Intelligence Service".
Most annoyingly, AT&T put out a firmware update some months later that closed the exploit, but didn't fix any other problems. So, I found another more intrusive/permanent exploit. Still waiting on them to patch it next heh. But now they are actually putting out some updates that actually fix problems too at least. Hopefully user uproar will continue to drive them to fix more problems.
Note: Tomato is imho a bit nicer than DD-WRT, but not as good for tweaking as OpenWRT (which I use on my office routerstation pro).
It's a totally different attitude when the intended market is enterprise: it's assumed that if a product causes a failure, the vendor is going to receive escalating, unpleasant phone calls until it's resolved.
Equipment failure that can kill people should be taken more seriously than equipment failure that leads to less serious consequences.
The thought of wireless gear in mines is pretty scary! I used to build / test equipment for a sub-contractor of Joy Mining and communication between the devices was carried by inch thick cables with nickel-plated machined steel connector shells. Pit props at the cutting face can be active devices that walk forward as the face is cut, and they coordinate that forward movement. Designing user interfaces is tricky, and designing a UI that should prevent death or huge financial costs if misused is probably hard.
Not the industrial ones. They're unit tested ad nauseam, subjected to crush and environmental testing. You can run over the units with a fully-loaded haul truck, the cases are cast steel. They also retail for $10k USD a piece.
(No, not my mom specifically; I gave her a router with Tomato installed for, among other things, exactly this reason. But not everyone has a technologist for a son, let alone one who knows what he's doing well enough to install m0n0wall on a Soekris box, or even Tomato on an old WRT54G*.)
It's a backdoor in the sense that it allows you to change settings on the modem with no credentials.
It's plausible that on a badly configured network this port could be exposed to the Internet. Anyone want to check Shodan?
It's also plausible that an attacker could find one of these in the local coffee house or any other place that offers public wifi and get at it from the internal side that way, or war driving for access points using weak passwords or WEP, or small office corporate networks with mischievous employees, or an attacker compromising a single PC on the LAN and then using this to change the DNS handed out by the router's DHCP and compromising the others, ...
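The rogue-DNS scenario in the comment above (an attacker on the LAN reconfiguring the router so its DHCP hands out a resolver they control) is something a host can check for itself. Here is an added example, not code from the thread, that parses a constructed ISC dhclient-style lease file and flags resolvers in the newest lease that are neither on the LAN prefix nor in a list you trust; the lease contents, LAN prefix and addresses are all made up for the demo.

```python
import re
import ipaddress

# Constructed sample of an ISC dhclient lease file: the first lease is the
# normal state, the second shows an outside resolver injected via the router's DHCP.
SAMPLE_LEASES = """\
lease {
  interface "eth0";
  fixed-address 192.168.1.23;
  option routers 192.168.1.1;
  option domain-name-servers 192.168.1.1;
  renew 2 2014/01/07 10:00:00;
}
lease {
  interface "eth0";
  fixed-address 192.168.1.23;
  option routers 192.168.1.1;
  option domain-name-servers 198.51.100.7,192.168.1.1;
  renew 2 2014/01/07 22:00:00;
}
"""

LEASE_RE = re.compile(r"lease\s*\{(.*?)\}", re.S)
OPTION_RE = re.compile(r"option\s+([\w-]+)\s+([^;]+);")


def parse_leases(text):
    """Return one dict of DHCP options per lease block, oldest first
    (dhclient appends, so the last block is the lease in effect)."""
    return [{k: v.strip() for k, v in OPTION_RE.findall(block)}
            for block in LEASE_RE.findall(text)]


def rogue_dns_servers(text, lan, trusted):
    """Resolvers in the newest lease that are neither inside the LAN prefix
    nor in 'trusted' (resolvers you chose, e.g. your ISP's or a public one)."""
    current = parse_leases(text)[-1]
    lan_net = ipaddress.ip_network(lan)
    raw = current.get("domain-name-servers", "")
    servers = [s.strip() for s in raw.split(",") if s.strip()]
    return [s for s in servers
            if s not in trusted and ipaddress.ip_address(s) not in lan_net]


if __name__ == "__main__":
    # With no trusted external resolvers configured, the injected one is reported.
    print(rogue_dns_servers(SAMPLE_LEASES, "192.168.1.0/24", set()))
```

Run it periodically against the real lease file (e.g. /var/lib/dhcp/dhclient.leases on Debian-derived systems) with your own prefix and trusted set; a non-empty result means the router's DHCP is no longer handing out what you expect.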
That's a pretty scary prospect if it's been 'known' and exploited since at least 2008. Poor form Netgear/Linksys.
Many of Linksys' old DSL modems were manufactured by them, AFAIK... and it seems many of the noted 'probably affected' models have a SerComm manuf'ed device for at least one revision of that model line.
More probable SerComm manuf'ed devices are visible at the WD query link below...
http://wikidevi.com/w/index.php?title=Special%3AAsk&q=[[Manu...
I wonder if there is anyone still working in the GPL compliance department.
Excerpt from the GPL [1] (paragraph 6b):
"You may [...] Convey the object code in, or embodied in, a physical product [...], accompanied by a written offer, valid for at least three years and valid for as long as you offer spare parts or customer support for that product model, to give anyone who possesses the object code either (1) a copy of the Corresponding Source for all the software in the product that is covered by this License [...]."
"Mr. Guessing 2010" doesn't know shit about backdoor (superuser.com).
Assuming GRC isn't out to deceive me, can I assume that my router is fine?
Bill, using a Netgear router.
However, seeing mention of (and an implementation of) Dual_EC_DRBG in the slides immediately gives me a lot of pause regarding the security of my router. I love memes more than the next guy but this guy really went out of his way to make this confusing to understand.
My expression: http://i.imgur.com/pYJMKC6.jpg
http://superuser.com/questions/166627/netgear-router-listeni...
If I flash the firmware warranty is void and I have no user/pass to re-enable the ADSL. So basically, my router is a hostile AP.
Given that it's a common pattern among ISPs in order to offer quick service - I firmly believe that ISPs do it for practical reasons - and that it ends up killing your security, the best thing is to put the router in bridged mode and get a cheap custom-made router like carambola2[1] and install FreeBSD[2] on it.
Disclosure: I donated one of these devices to Adrian Chadd[3] in order for him to port FreeBSD on this device, which enabled me to use PF[4] - my favorite firewall - but I have no affiliation otherwise with 8devices or FreeBSD.
[1] http://8devices.com/carambola-2
[2] https://wiki.freebsd.org/FreeBSD/mips/Carambola2
He's figured out many of their "encryption" methods. I've independently "cracked" most of the major ones as well, (including checksums/headers required to write back to the router).
They're all pretty broken. PRNG key streams, simple bit swaps, XOR, encryption against a static key, etc.
Fun stuff.
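To make concrete why "encryption against a static key" protects nothing in a config backup, here is an added illustration (not the commenter's code and not any vendor's actual format): a repeating-key XOR over a backup that starts with a fixed header. The key, header and config strings are all constructed for the demo. Because every unit of the firmware ships the same key and every backup starts with the same known bytes, one backup file is enough to recover the key, after which any other device's backup (and the admin password inside it) is readable.

```python
STATIC_KEY = b"k3y!2014"   # hypothetical vendor-wide key baked into the firmware (constructed)
HEADER = b"BACKUP01"       # constructed fixed file header: 8 bytes of known plaintext


def xor_with_key(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR: the 'encryption against a static key' scheme."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def make_backup(config: bytes) -> bytes:
    """What such a firmware does when it exports its settings."""
    return xor_with_key(HEADER + config, STATIC_KEY)


def recover_key(ciphertext: bytes, known_plaintext: bytes) -> bytes:
    """key[i] = ct[i] ^ pt[i] for each byte whose plaintext is known.
    A known header at least as long as the key yields the whole key."""
    return bytes(c ^ p for c, p in zip(ciphertext, known_plaintext))


def decrypt_with_recovered_key(ciphertext: bytes, key: bytes) -> bytes:
    """Strip the header and return the settings as stored."""
    return xor_with_key(ciphertext, key)[len(HEADER):]


def demo() -> dict:
    # Two different devices running the same firmware, hence the same static key.
    backup_a = make_backup(b"wifi_psk=hunter2;admin_pw=swordfish")
    backup_b = make_backup(b"wifi_psk=correct-horse;admin_pw=battery")
    key = recover_key(backup_a, HEADER)   # needs only device A's file and the public header
    return {
        "key_recovered": key == STATIC_KEY,
        "device_b_config": decrypt_with_recovered_key(backup_b, key),
    }


if __name__ == "__main__":
    print(demo())
```

A key that is identical on every unit is a constant, not a secret; the defensive fix is a per-device key (derived from a per-unit secret or a user passphrase) used with a proper authenticated cipher, so that neither the vendor-wide firmware image nor a single leaked backup reveals anything about other devices.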
At first I thought it was this, which has been known for a long time now: http://wiki.openwrt.org/toh/netgear/telnet.console