

siljaline
I'm lovin' that double wide
Premium
join:2002-10-12
Montreal, QC
kudos:17
Reviews:
·Bell Sympatico

Time Warner Cable Exposes 65,000 Routers to Remote Attacks

From: Wired threat level

Time Warner Cable Exposes 65,000 Customer Routers to Remote Hacks
quote:
A vulnerability in a Time Warner cable modem and Wi-Fi router deployed to 65,000 customers would allow a hacker to remotely access the device’s administrative menu over the internet, and potentially change the settings to intercept traffic, according to a blogger who discovered the issue.

Time Warner acknowledged the problem to Threat Level on Tuesday, and says it’s in the process of testing replacement firmware code from the router manufacturer, which it plans to push out to customers soon.

“We were aware of the problem last week and have been working on it since,” said Time Warner spokesman Alex Dudley
Full Linked Article
--
siljaline

Here at Mountain View Chocolate, we’re committed to transparency and choice


sbconslt

join:2009-07-28
Los Angeles, CA

»chenosaurus.com/2009/10/20/time-···ty-hole/

quote:
For most Time Warner customers, unless you provide your own router, they will supply you with a cable modem/wifi router combo. It’s typically an SMC8014WG-SI, a pretty crappy piece of hardware in my opinion. Time Warner installs the device with their default configurations; it allows the customer to do nothing more than add URLs to be blocked. This is done via the web interface using a generic user/user account which is given to the customer. Wifi networking is locked into WEP mode and a random string of hex as the network name and key. If you want to use any sort of port-forwarding or advanced network configurations, forget about it.

I was asked by a friend to help change their wifi network name and password to something easier to remember. In addition to changing the network name, I wanted to change the default WEP encryption to WPA2. We all know WEP encrypted networks can be cracked within minutes. After poking around using the customer account, I found that access to the admin features of the router has been disabled via Javascript. You heard me correct, the web admin for the router simply uses a script to hide certain menu options when the user does not have admin privileges. By simply disabling Javascript in the browser, I was able to access all the features of the router. With that access, I am now able to change the wifi settings, port-forwarding, etc.

It just gets better from here. The extra features that I now had access to included a little item called “Back Up Configuration File”. When I clicked it, a text dump of the router’s configurations was saved to my desktop. Upon examination of this file, I found the admin login & password in plaintext. Another issue which was alarming was the fact that by default, the web admin is accessible from ANYWHERE on the internet. By running a simple port scan of Time Warner IP addresses, I easily found dozens of these routers, open to attack. Of course I got in touch with Time Warner’s security department and warned them about the security issue but their response was simply “we are aware of it but we cannot do anything about it”.

Now you can put two and two together and realize that this has opened a gaping hole on every single Time Warner customer’s network that uses the SMC8014. By forcing the customers to use only WEP encryption on their wifi network, they are allowing anyone to penetrate the network with ease. Also by using a fixed format for the SSID, it’s extremely easy to tell which wifi network is using the device. Once inside, anyone can access the router’s web interface and log in with the admin account. What makes this even scarier, is the fact that the web interface is accessible from anywhere. From within your own network, an intruder can eavesdrop on sensitive data being sent over the internet and even worse, they can manipulate the DNS address to point trusted sites to malicious servers to perform man-in-the-middle attacks. Someone skilled enough can possibly even modify and install a new firmware onto the router, which can then automatically scan and infect other routers automatically.

--
Scott Brown Consulting


EGeezer
Summertime
Premium
join:2002-08-04
Midwest
kudos:7
Reviews:
·Callcentric

1 edit

reply to siljaline
I've worked with TW business customers and have always had Time Warner put their router in bridge mode so we could use our own routers and have control over administrative functions. Having had to wait hours for them to make trivial changes to their router, we decided to eliminate the wait and do our own administration of our own equipment.

Invariably the TW support people balked at putting their router in stupid mode, but I insisted and they complied. My present stance is to verify such details as router control, port blocking etc prior to agreeing to become a customer of a prospective ISP.

A side note - the beach house we stay at in Holden Beach is a Time Warner customer - the owner had a Motorola modem with an SMC wireless router behind it, but the admin functions were all available to me. When I first encountered it, it was an open network, default password etc. With the owner's permission I secured the router with WPA/AES, disabled remote and wireless admin and left the config information with the rental office and the user key and setup instructions on the fridge door.

We came back last year and this year, the config is still in place
--
The greatest dangers to liberty lurk in insidious encroachment by men of zeal, well-meaning but without understanding. -- Justice Louis D. Brandeis



Ray
Mahnahmahna
Premium
join:2001-04-02
Mesa, AZ

Cool. Neat idea posting it on the 'fridge.
--
What is this, some kind of FREAK OUT?!?



sbconslt

join:2009-07-28
Los Angeles, CA

reply to siljaline
Time Warner testing fix to hole in home router

»news.cnet.com/8301-27080_3-10379···ol;title

quote:
Time Warner has rolled out a temporary patch and is testing a permanent fix.

"We are aware of the issue and we are hard at work on a solution and have been for quite some time," Alex Dudley, a Time Warner Cable spokesman, said on Tuesday.

"The manufacturer has developed a fix," he added. "We believe it will work and we are testing it now to make sure it won't affect our network in other ways."

In the meantime, customers should be protected by a temporary patch, he said. Time Warner will push the permanent fix out to the affected devices from its regional data centers, possibly as soon as a matter of days, Dudley said.

About 67,000 devices across Time Warner's network are affected out of 14 million devices total.

Temporary patch? Sounds like maybe TW blocked the inbound remote admin port in the meantime. You'd think people would be hard at work port scanning for these things right now.
--
Scott Brown Consulting


someone3

@hostlatch.net

reply to siljaline
All you have to do is have 'MSO REMOTE MAINTENCE' disabled and it won't accept any outside connections...

Am I right?


Mele20
Premium
join:2001-06-05
Hilo, HI
kudos:4

reply to siljaline
It's news to me that RR provides routers to users! Here you have to buy your router. TW used to tell us we couldn't use routers and you had to hide it from them. As far as I know that is still their "official" position. I have a Surfboard modem and a six year old Linksys wired router. I will not accept the crap modems they currently give out.
--
When governments fear people, there is liberty. When the people fear the government, there is tyranny. Thomas Jefferson



Kakalaky
Premium
join:2003-04-04
Broken Arrow, OK
kudos:1
Reviews:
·Cox VOIP
·Cox HSI

reply to EGeezer

said by EGeezer:

A side note - the beach house we stay at in Holden Beach is a Time Warner customer - the owner had a Motorola modem with an SMC wireless router behind it, but the admin functions were all available to me. When I first encountered it, it was an open network, default password etc. With the owner's permission I secured the router with WPA/AES, disabled remote and wireless admin and left the config information with the rental office and the user key and setup instructions on the fridge door.

We came back last year and this year, the config is still in place
I did the same thing at a beach house at the same beach. There were still plenty of other networks I could see from the house that were wide open though.


Dude111
An Awesome Dude
Premium
join:2003-08-04
USA
kudos:9
Reviews:
·Time Warner VOIP

1 edit

reply to Mele20

quote:
All you have to do is have 'MSO REMOTE MAINTENCE' disabled and it won't accept any outside connections...

Am I right?
That's what I would think!!

I was thinking about also making the WAN IP something no one could enter!! (333.333.333.333)

Mele20
Premium
join:2001-06-05
Hilo, HI
kudos:4

Umm....I didn't say that.

I think you intended to reply to someone3 not me.



Dude111
An Awesome Dude
Premium
join:2003-08-04
USA
kudos:9

reply to siljaline
Hmmmmmmm I clicked REPLY on that message but it still says your name... (Hmmmm)



siljaline
I'm lovin' that double wide
Premium
join:2002-10-12
Montreal, QC
kudos:17
Reviews:
·Bell Sympatico

reply to siljaline
Again, from: Wired threat level
Blogger: Time Warner Routers Still Hackable Despite Company Assurance

quote:
A blogger who stumbled across a vulnerability in more than 65,000 Time Warner Cable customer routers says the routers are still vulnerable to remote attack, despite claims by the company last week that it patched the routers.

Last Tuesday, David Chen, an internet startup-founder, published information about the vulnerability in Time Warner’s SMC8014 series cable modem/Wi-Fi router combo, made by SMC. The problem would allow a hacker to remotely access the device’s administrative menu over the internet and potentially change the settings to intercept traffic, making possible all sorts of nefarious activity.

Time Warner acknowledged the problem to Threat Level that day, and said it was testing replacement firmware code from the router manufacturer, which it planned to push out to customers soon. Shortly after Threat Level published a piece about the vulnerability, a Time Warner spokesman Tweeted to Chen that the patch had been deployed and customer routers were now protected.
Full Article
--
siljaline

Here at Mountain View Chocolate, we’re committed to transparency and choice

Mele20
Premium
join:2001-06-05
Hilo, HI
kudos:4

From the article:

"SMC spokesman Fisher told Threat Level that the admin credentials Chen exposed are actually the administrative credentials for a router made by Ambit. He said it appears that Time Warner applied the same credentials to its customers’ SMC routers."

Talk about incompetent bamboozling! These idiots provide my broadband and the only other choice is dialup. I have a Surfboard 5100 provided by Oceanic TW back in early 2005 and my own Linksys router but Oceanic has not given out ANY surfboards since 2005. Instead they give out utter junk and one modem is this SMC vulnerable one. We are not allowed (supposedly) to buy our own modems so I don't know what will happen when I eventually need a new one. I want only a Surfboard and am more than willing to buy my own...if I can.
--
When governments fear people, there is liberty. When the people fear the government, there is tyranny. Thomas Jefferson



NSA_CIA

@charter.com

said by Mele20:

From the article:

"SMC spokesman Fisher told Threat Level that the admin credentials Chen exposed are actually the administrative credentials for a router made by Ambit. He said it appears that Time Warner applied the same credentials to its customers’ SMC routers."
The SMC spokeshole is just trying to deflect the issue so his company doesn't look so bad.

The credentials (aka username and password) don't make much of a difference if the SMC ALLOWS remote access to its web interface by default and then tries to hide the admin interface by stupid java scripting. Changing the credentials doesn't change the remote access issue or the stupid java scripting. SMC has to correct those issues in firmware.

Even if TWC changed the credentials, they tend to get found out if static and posted on the internet. Short of making a "password of the day" like Arris does, changing credentials that stay static for long periods of time doesn't do much.

TWC can't push out the real fixes until SMC releases the new firmware that corrects the remote access issues.

The majority of modems (aside from some Linksys, SA, Ambit, and other modems) just display "This page is not available." when attempts at remote access are made to the internal diagnostic pages. That is what the SMC and ALL MODEMS should be programmed to do by default.
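
An added example, not part of the thread and not SMC's or Time Warner's code: the blog post quoted earlier describes admin pages hidden only by browser script, a config backup that held the admin password in plain text, and a web admin reachable from the WAN. The sketch below shows the server-side counterpart of each; the route names, roles, the 192.168.0.0/24 LAN range and the sample config keys are all assumptions.

```javascript
// Server-side checks for a router-style admin UI (all names are hypothetical).
// Every decision is made on the device; hiding a menu in the browser is cosmetic.
const ROUTES = new Map([
  ['/url-filter', 'user'],      // the one feature the customer account is given
  ['/wifi', 'admin'],
  ['/port-forward', 'admin'],
  ['/backup-config', 'admin'],
]);
const RANK = { user: 1, admin: 2 };
const LAN_NET = '192.168.0.0', LAN_PREFIX = 24;   // assumed LAN range

// Dotted quad -> integer, or null for anything that is not a valid IPv4 address.
function ipv4ToInt(addr) {
  const parts = String(addr).split('.');
  if (parts.length !== 4) return null;
  let n = 0;
  for (const p of parts) {
    if (!/^\d{1,3}$/.test(p) || Number(p) > 255) return null;
    n = n * 256 + Number(p);
  }
  return n;
}

// True only when the request source address is inside the LAN subnet.
function onLan(addr) {
  const ip = ipv4ToInt(addr);
  if (ip === null) return false;
  const size = 2 ** (32 - LAN_PREFIX);
  return Math.floor(ip / size) === Math.floor(ipv4ToInt(LAN_NET) / size);
}

// Returns the HTTP status to send for a request to the management interface.
function authorize(session, path, remoteAddr) {
  if (!onLan(remoteAddr)) return 404;      // WAN side gets "page not available"
  const need = ROUTES.get(path);
  if (!need) return 404;
  if (!session) return 401;
  return RANK[session.role] >= RANK[need] ? 200 : 403;
}

// Config backup with credential-like fields withheld instead of dumped in clear.
const SECRET_KEYS = /pass|key|secret/i;
function exportConfig(config) {
  return Object.entries(config)
    .map(([k, v]) => `${k}=${SECRET_KEYS.test(k) ? '<redacted>' : v}`)
    .join('\n');
}
```

With this shape, a customer-level session that requests `/backup-config` directly is refused by the device regardless of what the browser renders.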


sbconslt

join:2009-07-28
Los Angeles, CA

Mr. Chen gave us the port numbers there.

quote:
ports 8080, 8181 and 23

The article goes on to say the temporary patch has left remote admin open, but deprived attackers of the ability to ascertain the admin credentials using the javascript hole. In the meantime, they didn't change the standard admin credentials from the values Chen found previously. So since they have surely been disseminated or can be ascertained from context, the temporary patch is really not stopping a determined attacker.

Bottom line if you have this CPE equipment get rid of it immediately and demand a plain old bridge modem from TW, and bring your own router/AP.
--
Scott Brown Consulting


antiphishing
Phishing Scam Terminator
Premium
join:2004-06-09
Wilkes Barre, PA
kudos:2
Reviews:
·PenTeleData
·ProLog

reply to siljaline

said by siljaline:

Time Warner acknowledged the problem to Threat Level on Tuesday, and says it’s in the process of testing replacement firmware code from the router manufacturer, which it plans to push out to customers soon.

Now how about giving even more information to hackers so they can exploit each and every router on the Time Warner network.
--

Specializing in "takes downs" of phishing and advance fee scams
Send your Phishing/Advance fee scams to: phish@antihotmail.com
»www.phishtank.com
»www.fraudwatchers.org
»mozilla.com
