
Fleeced

join:2012-10-06
kudos:2
reply to kenanmir

Re: NYC TWC - Just got the Arris TG862 - can't access Web GUI

Now you're just twisting words. If you want an official statement, go to the official statement forums. I know plenty of people who have their own equipment who have complete access to their own equipment. So TWC, according to my experience does not lock customer modems because while people hate them, they're not stupid enough to do that.

I know how badly you want me to be something, but stop trying. I'm here to help, it doesn't matter who I am or what I do. I happen to know a lot of people and have been given a lot of information. Just because I won't let one person blame TWC because of one game console doesn't mean anything other than I won't let someone blame something that more than likely isn't the problem. See Riot88 (or whomever) who swore up and down TWC was the problem, got a new provider and is having the exact same problem



bluepoint

join:2001-03-24
reply to Fleeced


said by jmruss :

Now you're just twisting words. If you want an official statement, go to the official statement forums. I know plenty of people who have their own equipment who have complete access to their own equipment. So TWC, according to my experience does not lock customer modems because while people hate them, they're not stupid enough to do that.

I do not twist your words, all those I posted came from you and just want a verification. You seem pro TWC on every post you do, that's why we want to know if you will be objectively balanced in your opinion, it doesn't seem so.
Stupid or not (your words), they did lock customers' modems and why you choose to not see it just shows you're one of them.
»SB6141 Can't access modem config manager

I know how badly you want me to be something, but stop trying. I'm here to help, it doesn't matter who I am or what I do. I happen to know a lot of people and have been given a lot of information. Just because I won't let one person blame TWC because of one game console doesn't mean anything other than I won't let someone blame something that more than likely isn't the problem. See Riot88 (or whomever) who swore up and down TWC was the problem, got a new provider and is having the exact same problem

I know you will not tell, it's just good to know who you are so we know where you're coming from. I'm actually happy you are helping subscribers with problems or leading to but please be objective when dealing with us. My impression of your presence here according to your history is, a protector. Appears your inclination is to blame the customers first, if not then prove it.


hobgoblin
Sortof Agoblin
Premium
join:2001-11-25
Orchard Park, NY
kudos:11

A customer owned modem is flagged differently in the billing system.
I believe there was an issue now corrected that did indeed lock customers out of their own modem.
I have not heard any recent reports of this happening.

"they did lock customers modems and why you choose to not see it just shows you're one of them."

Bluepoint, when you say one of "them" that's a little insulting to any employee that happens to post in here, as you know I am one. Please chill.

Hob
--
"A foolish consistency is the hobgoblin of little minds."
- Ralph Waldo Emerson



bluepoint

join:2001-03-24

2 edits

said by hobgoblin:

Bluepoint, when you say one of "them" that's a little insulting to any employee that happens to post in here, as you know I am one. Please chill.

Hob

No, you're different, at least you don't hide. I don't understand why they do that, is it prohibited to be known as an employee? I don't see anything wrong to be known if their purpose is to help. We can sense who they are, they seem to not want responsibility on what they say.


hobgoblin
Sortof Agoblin
Premium
join:2001-11-25
Orchard Park, NY
kudos:11

"No, you're different at least you don't hide. I don't understand why they do that, is it prohibited to be known as an employee? I don't see anything wrong to be known if their purpose is to help."

It's a tough one for any employee to post on a site like this in their free time. Sites like this attract way more negative than positive and to many it's not a lot of fun to see the company in a negative light. This site is read by many employees and no one wants to put their livelihood at risk by posting incorrect or information that could be considered internal.

Your exchange with Fleeced is a prime example. The issue with the 6141 was isolated to NYC. They have a very different billing system to most of the country, so his original statement could well have been correct for his area if he was indeed an employee.

No one posting in here makes any official statements and you jumping their butts as you have done to me many times spoils what can be some unofficial help.

Oh and I can't read anything in the direct forum. There is a separate group that looks after that.

Hob
--
"A foolish consistency is the hobgoblin of little minds."
- Ralph Waldo Emerson


nony
Premium
join:2012-11-17
New York, NY

2 edits
reply to hobgoblin

said by hobgoblin:

Please chill.

Hob

Hob,

What is problematic is that TWC(NYNJ) subscribers may be put at risk unwittingly as a result of the lockdown policy on leased eMTAs.

Specifically, the ARRIS TG862G which can be leased with wifi enabled, (marketed as Home WiFi - with a monthly surcharge of $5.95) is configured by default with publicly known PSKs. If the subscriber cannot change those defaults, their internal network can be easily compromised, an intruder can steal their bandwidth, and crimes may be committed using the subscriber's broadband connection, for which the subscriber will be initially blamed. This is a major exploit and needs to be addressed ASAP. It's also "out in the wild" as a result of an Esquire article that was published this past July, detailing the default PSKs, the components of which are being broadcast in the clear.

This is why it is critically important to either allow the subscriber to change the default PSK or for TWC to provision the eMTA with default PSKs that can't be sniffed or hacked.

And, this is why I tried to assist the OP in changing the defaults, before this thread was hijacked.

-nony


hobgoblin
Sortof Agoblin
Premium
join:2001-11-25
Orchard Park, NY
kudos:11

I understand your concerns. In most cases the Tier 3 group for your area can change the Key for you to eliminate this.

They can also bridge the equipment to allow your own device to look after routing capability.

Hob
--
"A foolish consistency is the hobgoblin of little minds."
- Ralph Waldo Emerson


nony
Premium
join:2012-11-17
New York, NY

2 edits

I know that. I do security. But your typical subscriber would not know. Nor are they advised. This equates to easy pickins for the bad guys.

I have already spoken with the FCC on this matter and plan to get this problem remediated. If you want more details, PM me.

p.s.

I also spoke with the security researcher (cited in the article) and I disapprove of his decision to allow Esquire to publish the piece prior to the implementation of a vendor/service provider solution.

-nony



hobgoblin
Sortof Agoblin
Premium
join:2001-11-25
Orchard Park, NY
kudos:11

I am well aware of the details, but thanks.

Hob



bluepoint

join:2001-03-24
reply to hobgoblin

said by hobgoblin:

It's a tough one for any employee to post on a site like this in their free time. Sites like this attract way more negative than positive and to many it's not a lot of fun to see the company in a negative light. This site is read by many employees and no one wants to put their livelihood at risk by posting incorrect or information that could be considered internal.

I understand their situation, what I don't understand is, why even post if there is nothing positive they can contribute and risk their job.

Your exchange with Fleeced is a prime example. The issue with the 6141 was isolated to NYC. They have a very different billing system to most of the country, so his original statement could well have been correct for his area if he was indeed an employee.

Like what I said, if he's scared to say something why even try. How can we trust a person if we don't know him? He seems to know inside trading but we don't know if he's just a fraud.

No one posting in here makes any official statements and you jumping their butts as you have done to me many times spoils what can be some unofficial help.

I will be jumping their butts if they don't support what they say. Just be real and I will behave.

Oh and I can't read anything in the direct forum. There is a separate group that looks after that.

Hob

I hope whoever is assigned in the direct forum that they take care of the information the subscribers provide and keep it to themselves and not discuss it with other people.

Hobs, I second nony on locking the wireless modems. Those subscribers are put into risk of being compromised. Please tell TWC to let them make changes to their wireless settings, the way it is now it's easy to guess their shared keys.

nony
Premium
join:2012-11-17
New York, NY

2 edits

said by bluepoint:

said by hobgoblin:

Hobs, I second nony on locking the wireless modems. Those subscribers are put into risk of being compromised. Please tell TWC to let them make changes to their wireless settings, the way it is now it's easy to guess their shared keys.

They will remediate. The current deployment of unsecurable wireless modems is an example of gross negligence by an underregulated monopoly. And this is indisputable in the security community. Or as we say "what were they thinking?!"

However, I may have been wrong in my post above where I suggested that if you are able to modify your PSK (in an effort to secure your home network/subscribed network) that the PSK setting will be retained after the eMTA gets its config file, in light of what Hob suggested, namely that a Tier3 tech can customize any and all parameters - including the default PSK.

In my case, I am configured for bridge mode, and I am able to retain my security settings including the PSK, but that may not be the case for "routed mode" where it counts big time for vulnerable subscribers.

If anyone in my market is interested in testing... PM me.

I could work this with Tier3, but I don't want to put them in an awkward position nor do their employers nor do their attorneys. I prefer to work with the LFA (Local Franchising Authority), which in my case is the City of New York (read different attorneys).

»www.nyc.gov/html/doitt/html/faq/···.shtml#1

-nony

nony
Premium
join:2012-11-17
New York, NY

4 edits

Update: If you are a certified security practitioner (CISSP) and you work for a cable company and you post on this forum, and you are aware that all TWCNYNJ customers with ARRIS gateways are unwittingly being put at risk for identity theft - then you can step up to the plate or shame on you if you looked the other way.

You can't knowingly put your subscribers at risk without penalty.

Details:

The secret key that allows access to your wifi (PSK) has zero-bit entropy by default because it's guessable with 100% accuracy.

And you guys, have done nothing to protect us. If you previously worked for ARRIS and now work for TWC you are complicit big-time by remaining silent.

The combination of guessable PSK and the policy of preventing customers from changing the defaults so they are no longer at risk, without any notification that their "door is wide open" is an egregious misjudgement and violation of the public trust on the part of the regulated franchisee. Don't you guys have a whistleblower program? ARRIS and TWC, on the surface, are both complicit.

-nony


pumany

join:2013-03-10
White Plains, NY
reply to nony

Hi Nony,

I have the Arris DG860 from time warner NYC. In the past, I was able to access it at the 192.168.0.1 address using the userid (admin) and password (password) with no problem. I had to set my modem to bridged and disable the firewall so my website would work.

I have noticed I can no longer get in using admin and password. Do you have any insight? I disconnected the coax cable, reset using the pin hole, and I was then able to get in using "admin" and "password", but as soon as I connected the coax cable, that changed and I couldn't get in. Does this make sense to you?

Thanks,
PumaNY


Fleeced

join:2012-10-06
kudos:2
reply to kenanmir

Why don't you call in to have TWC bridge your modem? Then the router functionality is off and you have nothing else to worry about.


Titan01

join:2001-08-14
New York, NY

are you guys saying the pw for the wifi is basically easy to figure out?

that's what i told tw CSR and i said i felt unsecure about the pw. but they said its fine


Fleeced

join:2012-10-06
kudos:2
reply to kenanmir

If you want to be technical, wireless is simply insecure, just like pretty much nothing is 100% secure. I think it takes about 2 hours or so with a good computer to crack WPA2 right now. WEP can be cracked on a cellphone in like 2 minutes.

What nony is getting at is the fact that with the correct packet sniffing programs, and a little knowledge of how the passwords work, it's easy to crack the default passwords. Then again, you're back to the old adage: Locks only keep honest people out.


nony
Premium
join:2012-11-17
New York, NY

4 edits

wpa2 cracked?

Are you kidding?

Kindly cite your sources.

Edit: Ouch!

Edit: [Hole196 attack mitigation goes here] See -
»www.airtightnetworks.com/WPA2-Hole196
»wnss.sv.cmu.edu/courses/14829/f1···2_07.pdf

To be clear:

Hole196-based exploits are insider attacks which work off of a shared broadcast crypto key, unique to the access point and its clients. Consequently, a wireless attacker would first need to authenticate to the AP to acquire the broadcast key (the GTK - Group Temporal Key) before any harm could be done.

Consequently,
if you have selected a secure passphrase (not subject to a dictionary attack), you will be protected from the Hole196 exploits.

Whereas, the TWC/ARRIS scheme effectively broadcasts your WPA passphrase in the clear and as such is available to bad guys to take out critical infrastructure on a massive scale (I won't elaborate) using our access points as launch pads (in addition to the personal risks that have been fleshed out in this thread). Governmental entities should be concerned for obvious reasons.

It also follows that the insider attacks mentioned above will apply if you are forced by TWC/Arris to maintain the default passphrase.

-nony


nony
Premium
join:2012-11-17
New York, NY

4 edits
reply to pumany

Yes. This part makes sense -

Prior to registration, by design, you are able to access a superset of resources, which (also by design) you won't be able to access after registration.

In my testing, I could disconnect the upstream cable and wait a few minutes, until my device reverted to its pre-registration state.
Then I would enable telnet and log on to the full cli using the technician credentials, and capture the traffic (using snmp)

On a more basic level, the admin/password credential would work when I was connected directly to a switch port, using a default ip address, but would not work if I attempted to connect via a downstream router.

In bridged mode, you should be able to access the configuration gui and log on with a direct connection, by assigning a static ip address e.g., 192.168.100.2 on your client pc/mac using the default credentials, both before and after registration (See my posts above)

-nony


nony
Premium
join:2012-11-17
New York, NY

3 edits
reply to Titan01

said by Titan01:

are you guys saying the pw for the wifi is basically easy to figure out?

that's what i told tw CSR and i said i felt unsecure about the pw. but they said its fine

The contractual agreement between TWC and Arris specifies defaults that put you at risk. They didn't intend to put you at risk, but they failed in their due diligence to address the toxic flaw(s) that allows two-bit criminals to rip you off for all you're worth.

So, don't trust the wifi, and wait for the case law to play out, but continue to trust the advice of the reps who post here.

-nony

Titan01

join:2001-08-14
New York, NY

so what should i do for the time being


Fleeced

join:2012-10-06
kudos:2
reply to kenanmir

Call TWC, bridge the modem and use your own router, which is what I recommend anyways.


nony
Premium
join:2012-11-17
New York, NY

1 edit
reply to nony

Of interest -

GAO report on wireless security (challenges and opportunities) including but not limited to the consumer space.... (published September 2012)

»gao.gov/assets/650/648519.pdf

-nony


nony
Premium
join:2012-11-17
New York, NY

4 edits
reply to kenanmir

Let's look at the cablelabs spec on wifi and perhaps we can better understand how/why TWC lost their way - (it's only 15 pages)

Wi-Fi Requirements for Cable Modem Gateways
»www.cablelabs.org/specifications···0216.pdf

"The Wi-Fi GW MUST support the ability of the operator to configure an SSID for use by the subscriber (the
subscriber controlled SSID). Furthermore, the Wi-Fi GW MUST support the ability of the operator to set the default
designation of the subscriber controlled SSID; for example, to the device model number plus the last six digits of one
of the wireless MAC address."

It's clear that one MUST NOT.. hmmm let's ignore this part.
---
"For residential and enterprise configurations, the Wi-Fi GW MUST support the configuration of the user-controlled
SSIDs and the associated attributes via a local web page. The Wi-Fi GW MUST provide the residential subscriber
with the option of configuring their SSID."

Let's not ignore this last paragraph
---
So, it appears that combining the model number + the last six digits of the MAC address is an example of what MUST be supported - for the SSID, not the PSK. It's not a secret key if you broadcast it in the clear.
---
"The Wi-Fi GW MUST support the following security operating modes configurable per SSID: WEP
(64 and 128 bit), encryption, WPA-PSK, WPA2-PSK, WPA with 802.1x, WPA2 with 802.1x, and mixed
WPA(TKIP) - WPA2(AES) security mechanisms as per [802.11i] and [WPA], in bridge or router mode."

Maybe it's ok to broadcast the PSK in the clear. Who says that the PSK needs to be a secret value? Perhaps we should take a look at the WPA2-PSK spec to find our answer.
---
Oh, what the heck, why should we care about a cable modem spec that was issued by the cable modem industry for the cable modem industry, anyway?

-nony
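
An added example, not part of nony's post and not code from TWC, ARRIS or CableLabs: a self-audit that takes the passphrase configured on your own gateway and reports how much of it also appears in the values the gateway broadcasts (SSID and BSSID), which is the failure the post above describes. The function name, the thresholds and every sample value are assumptions constructed for illustration; they do not reproduce any vendor's actual default scheme.

```python
import re

# Constructed sample values: an SSID in the "model number plus last six
# MAC digits" style the CableLabs text gives as an example, and its BSSID.
SAMPLE_SSID = "MODELX-5E6F70"
SAMPLE_BSSID = "00:11:22:5E:6F:70"


def audit_psk(psk, ssid, bssid, min_run=4, min_residual=8):
    """Report how much of a passphrase is visible in broadcast identifiers.

    Matching is case-insensitive on purpose: anyone guessing would try both
    cases, so case alone is not counted as secret material.
    min_run and min_residual are illustrative thresholds (assumptions).
    """
    p = psk.lower()
    sources = {
        "ssid": ssid.lower(),
        # Keep only the hex digits of the BSSID so "5E:6F:70" matches "5e6f70".
        "bssid": re.sub(r"[^0-9a-f]", "", bssid.lower()),
    }
    matches, covered, i = [], 0, 0
    while i < len(p):
        hit = None
        # Longest run starting at position i that appears in a broadcast value.
        for length in range(len(p) - i, min_run - 1, -1):
            chunk = p[i:i + length]
            src = next((n for n, s in sources.items() if chunk in s), None)
            if src:
                hit = (chunk, src)
                break
        if hit:
            matches.append(hit)
            covered += len(hit[0])
            i += len(hit[0])
        else:
            i += 1
    residual = len(p) - covered  # characters not found in anything broadcast
    if residual == 0:
        verdict = "derivable"    # every character is visible over the air
    elif residual < min_residual:
        verdict = "weak"         # too little secret material remains
    else:
        verdict = "ok"           # no dependence on broadcast values found
    return {"verdict": verdict, "residual": residual, "matches": matches}


if __name__ == "__main__":
    # Constructed passphrases, one per verdict.
    for candidate in ("MODELX5E6F70", "5E6F70abc", "vT9#qLm2&xRw8!pZk4"):
        print(candidate, audit_psk(candidate, SAMPLE_SSID, SAMPLE_BSSID))
```

An "ok" verdict only means the passphrase does not lean on broadcast identifiers; it says nothing about resistance to a dictionary attack.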


nony
Premium
join:2012-11-17
New York, NY
reply to Fleeced

said by Fleeced:

I think it takes about 2 hours or so with a good computer to crack WPA2 right now.

It's a lot faster to run a dictionary attack using cloud computing and it's cheaper than one would think -
»www.securitytube.net/video/6373

-nony

nony
Premium
join:2012-11-17
New York, NY

1 edit

IAD provides guidance to those entities who require a locked-down solution for wireless networks -

»www.nsa.gov/ia/_files/Campus_WLAN.pdf (for classified)
»www.nsa.gov/ia/_files/factsheets···eets.pdf (for unclassified)

-nony