Network management vulnerability exposes cable modems to hacking

SNMP authentication bypass flaw could be used to hijack hundreds of thousands of cable modems from around the world.

IDG

Hundreds of thousands of internet gateway devices around the world, primarily residential cable modems, are vulnerable to hacking because of a serious weakness in their Simple Network Management Protocol implementation.

SNMP is used for automated network device identification, monitoring and remote configuration. It is supported and enabled by default in many devices, including servers, printers, networking hubs, switches and routers.

Independent researchers Ezequiel Fernandez and Bertin Bervis recently found a way to bypass SNMP authentication on 78 models of cable modems that ISPs from around the world have provided to their customers.

Their internet scans revealed hundreds of thousands of devices whose configurations could be changed remotely through the SNMP weakness that they found and dubbed StringBleed.

Versions 1 and 2 of the SNMP protocol don't have strong authentication to begin with. They provide either read-only or write access to a device's configuration through passwords called community strings. By default these passwords are "public" for read-only access and "private" for write access, but device manufacturers can change them in their implementations and it's generally recommended to do so.

The leaking of sensitive configuration data through the default "public" SNMP community string is a known problem that has affected many devices over the years. In 2014, researchers from Rapid7 found SNMP leaks in almost half a million internet-connected devices made by Brocade, Ambit and Netopia.

However, what Fernandez and Bervis found is much worse: devices from multiple vendors that accept virtually any value for the SNMP community string and unlock both read and write access to their configuration data.
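
The access decision the affected modems fail to make, as an added example (not code from the researchers or any vendor): it pulls the community string out of an SNMPv1/v2c request and grants read or write access only on an exact match. The community values and the `authorize` and `build_request` helpers are assumptions invented for the illustration.

```python
import hmac

READ_COMMUNITIES = {b"ro-7f3c9a"}   # constructed values, not from a real device
WRITE_COMMUNITIES = {b"rw-b41e02"}
SET_REQUEST = 0xA3  # SetRequest PDU tag; 0xA0 is GetRequest

def read_tlv(buf, pos):
    """Decode one BER tag-length-value; return (tag, value, next_pos)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits count the length bytes
        n = length & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("bad length encoding")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("value runs past end of packet")
    return tag, buf[pos:pos + length], pos + length

def parse_snmp(packet):
    """Return (version, community, pdu_tag) of an SNMPv1/v2c message."""
    tag, body, _ = read_tlv(packet, 0)
    vtag, ver, pos = read_tlv(body, 0)
    if tag != 0x30 or vtag != 0x02 or ver not in (b"\x00", b"\x01"):  # 0 = v1, 1 = v2c
        raise ValueError("not an SNMPv1/v2c message")
    tag, community, pos = read_tlv(body, pos)
    if tag != 0x04:
        raise ValueError("community is not an OCTET STRING")
    return ver[0], community, read_tlv(body, pos)[0]

def authorize(packet):
    """Return 'read', 'write' or 'deny'; malformed input is denied."""
    try:
        _, community, pdu_tag = parse_snmp(packet)
    except ValueError:
        return "deny"
    writing = pdu_tag == SET_REQUEST
    allowed = WRITE_COMMUNITIES if writing else READ_COMMUNITIES | WRITE_COMMUNITIES
    if not any(hmac.compare_digest(community, c) for c in allowed):
        return "deny"  # unknown string: no fallback to read or write access
    return "write" if writing else "read"

def build_request(community, pdu_tag):  # constructed sample, empty varbind list
    pdu = bytes([pdu_tag, 11]) + b"\x02\x01\x01\x02\x01\x00\x02\x01\x00\x30\x00"
    body = b"\x02\x01\x01" + bytes([0x04, len(community)]) + community + pdu
    return bytes([0x30, len(body)]) + body
```

A request carrying "public" or an arbitrary string is denied outright, and a read-only community cannot be used for a SetRequest.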

The two researchers first located a small number of vulnerable devices, including the Cisco DPC3928SL cable modem that's now part of Technicolor's product portfolio following the company's acquisition of Cisco's Connected Devices division in 2015.

The researchers claim that when they reported the issue to Technicolor, the company told them that it was the result of an access misconfiguration by a single ISP in Mexico rather than a problem with the device itself.

This prompted the researchers to perform a wider internet scan that resulted in the discovery of 78 vulnerable cable modem models from 19 manufacturers, including Cisco, Technicolor, Motorola, D-Link and Thomson.

The number of vulnerable devices that can be targeted directly over the internet ranges from fewer than 10 for some models to tens and hundreds of thousands for others. For example, there are almost 280,000 vulnerable Thomson DWG850-4 devices on the internet, most of them in Brazil, according to the researchers.

The researchers believe that the underlying problem is located in the SNMP implementation used by the modems, rather than being the result of misconfiguration by ISPs.

Regardless of the cause, the problem is serious, as attackers could exploit this flaw to extract administrative and Wi-Fi passwords or to hijack devices by modifying their configurations.

There's not much that users can do if their ISP supplied them with a vulnerable device, other than ask for a different model or install their own modem. Unfortunately, not many ISPs allow their residential customers to use their own gateway devices, because they want uniformity and remote management capabilities on their networks.

Determining if a particular device is vulnerable to this issue is possible, but requires a bit of work. An online port scanner like ShieldsUp can be used to determine if the device responds to SNMP requests over its public IP address.

If SNMP is open, a different online tool can be used to check if the device's SNMP server returns valid responses when the "public" or random community strings are used. At the very least this would indicate an information leak problem.

