
Time Warner Cable Modems Expose Users

eldavojohn writes "Wired is reporting on a simple hack putting some 65,000 customers at risk. The hack to gain administrative access to the cable modem/router combo is remarkably simple: '[David] Chen, founder of a software startup called Pip.io, said he was trying to help a friend change the settings on his cable modem and discovered that Time Warner had hidden administrative functions from its customers with Javascript code. By simply disabling Javascript in his browser, he was able to see those functions, which included a tool to dump the router's configuration file. That file, it turned out, included the administrative login and password in cleartext. Chen investigated and found the same login and password could access the admin panels for every router in the SMC8014 series on Time Warner's network — a grave vulnerability, given that the routers also expose their web interfaces to the public-facing internet.' If you use Time Warner's SMC8014 series cable modem/Wi-Fi router combo, watch for firmware to be released soon that they are reportedly in the process of testing."
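
The flaw described in the summary (admin functions hidden by client-side script, plus a config dump that carries credentials) shown next to server-side checks. This is an added example, not part of the original post and not the router's firmware; all paths, role names and config keys are hypothetical, and the sample config is constructed.

```javascript
// Hypothetical admin tools and secret config keys (assumptions for this example).
const ADMIN_TOOLS = ["/admin/backup-config", "/admin/remote-mgmt"];
const SECRET_KEYS = new Set(["admin_login", "admin_password"]);

// Weak pattern: every admin link is sent to every user; a script hides them.
function renderWeak(role) {
  const links = ADMIN_TOOLS
    .map(p => `<a class="adm" href="${p}">${p}</a>`).join("");
  return `${links}<script>if("${role}"!=="admin")` +
    `document.querySelectorAll(".adm").forEach(e=>e.remove())</script>`;
}

// Hardened rendering: the server emits admin links only for admins.
function renderHardened(role) {
  if (role !== "admin") return "";
  return ADMIN_TOOLS.map(p => `<a href="${p}">${p}</a>`).join("");
}

// What a browser with scripting disabled still shows: links outside <script>.
function linksWithoutScript(html) {
  const noScript = html.replace(/<script>[\s\S]*?<\/script>/g, "");
  return [...noScript.matchAll(/href="([^"]+)"/g)].map(m => m[1]);
}

// Hardened handling: authorize each request on the server, whatever the
// page displayed. Returns the HTTP status the handler would send.
function authorize(session, path) {
  if (!path.startsWith("/admin/")) return 200;
  if (!session) return 401;
  return session.role === "admin" ? 200 : 403;
}

// Hardened export: credentials never leave the device in a config dump.
function exportConfig(config) {
  return Object.fromEntries(
    Object.entries(config).filter(([key]) => !SECRET_KEYS.has(key)));
}

// Constructed sample configuration.
const sampleConfig = {
  ssid: "home-net",
  channel: 6,
  admin_login: "example-admin",
  admin_password: "example-password",
};
```
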

  • by Animaether ( 411575 ) on Thursday October 22, 2009 @09:00AM (#29834199) Journal

    I wonder if this is the same 'hack' used to attack Belgacom.
    http://tweakers.net/nieuws/63200/belgacom-hacker-publiceerde-authentieke-inloggegevens-van-klanten.html [tweakers.net]

    For the curious, a quick recap in English...

    A hacker going by the name 'Vendetta', supposedly an American living in Belgium, got fed up with the monthly data cap (at Belgacom), figured out that there's a way to find the username/password for a modem by browsing to it (much as in this article), did that to a claimed several thousand (285,000) modems, and is threatening to release them slowly over time until November 30th as long as Belgacom keeps its monthly data cap.

    So far this hacker released 30 usernames/passwords, and they were found to be genuine.

    Belgacom contacted authorities, is investigating the claimed method of hacking, blabla.

    The modem in question with Belgacom is labeled a "B-Box2-modem".

  • Re:FAIL (Score:3, Informative)

    by Again ( 1351325 ) on Thursday October 22, 2009 @09:15AM (#29834311)

    According to TFA (my karma be damned), Web-based admin UI is enabled on these routers, not only for the LAN but for the whole fucking Internet. This must be the dumbest default setting ever.

    Although I agree that it is dumb, I think that it is to make technical support easier for the company. If the company can go straight to your router and configure it then it makes their life easier. Of course, it turns out that it makes a lot of people's lives easier including hackers.

  • re: the summary (Score:4, Informative)

    by jlmale0 ( 1087135 ) on Thursday October 22, 2009 @09:18AM (#29834335)
    My initial, gut response to this was sheer horror. They list exploit and target side-by-side! The only mention of a fix is that it's to be 'released soon', informing any malicious agents out there that now is the time to strike.

    Reading the Wired article, the right thing was done. Big company was sitting on their hands, and now that publicity has been made, they're starting to move.

    Wired did the right thing. But this summary, it's fear-mongering and bad journalism.
  • Re:Why wait? (Score:5, Informative)

    by TheRealMindChild ( 743925 ) on Thursday October 22, 2009 @09:27AM (#29834401) Homepage Journal
    So you are saying I should go back to dial-up...? Because that is my only alternative. Thanks for doing my cost/benefit analysis of this situation for me! It is definitely better to have worthless internet than to just maintain my own router!
  • by TimeTraveler1884 ( 832874 ) on Thursday October 22, 2009 @09:30AM (#29834427)
    Initially I was a little confused about the cable modem not being in bridge mode and having an admin interface at all. After RTFA, this vulnerability is only for SMC router/modem combo devices from TW. There was no mention of the Motorola cable modem I have from TW. The Motorola cable modems are acting as a bridge already because my router gets the lease to the public IP.

    So apparently no worries regarding this vulnerability for me, but this certainly sucks for 65K other people.
  • Re:FAIL (Score:2, Informative)

    by 6ULDV8 ( 226100 ) on Thursday October 22, 2009 @09:36AM (#29834483)

    Then they should put the admin network on an administrative VLAN like they do their core equipment, so that the majority of the Internet can't see it.

  • Re:Why wait? (Score:3, Informative)

    by pak9rabid ( 1011935 ) on Thursday October 22, 2009 @09:40AM (#29834517)

    Install your own patch right now by cancelling your Time Warner contract, throwing the router in the trash, and getting a new ISP with better hardware. Hell, fork out $50 for a tried and tested model from Newegg. Be sure to tell Time Warner to "Abragofuckyourself" when they say you're tied into a contract by using the words "unfit for purpose" "gross criminal negligence" and "class action"

    Only on slashdot would such a ridiculous "solution" be proposed, when putting the CPE in bridged mode and using your own router (which I'd think most everyone here would be doing already) would suffice.

  • by Vellmont ( 569020 ) on Thursday October 22, 2009 @09:42AM (#29834531) Homepage


    - JAVASCRIPT is their security? That was dumb back in 1998, but who does that now?

    I heard a story that a major public University had exactly this kind of vulnerability in its new financial system. It was found and plugged, but it never should have been there in the first place. I'd reveal which University, but the story was passed down to me 3rd hand so it's not completely verified.

    This kind of idiocy is more common than you'd think. Too many programmers aren't taught to think about security and develop tunnel vision trying to solve the problem given outside of any other context. I've seen it first hand multiple times reading through code of multiple programmers. It's easy to hide crap behind an interface that "works".

    This is one of those cases of just too many stupid things all at once for it to be a mistake.

    Not really. Stupid mistakes happen all the time. There's lots of code written. Eventually you're going to get enough stupid mistakes in one place that it'll add up to this level of incompetence.

  • by peragrin ( 659227 ) on Thursday October 22, 2009 @10:33AM (#29834977)

    You have the same as I then. Into a browser visit http://192.168.1.1/ [192.168.1.1] and play around. While it doesn't have the stats the full router does you can really fsck Time Warner's network and screw the frequencies of everyone on your local cable share. Be warned however you take out your network to do so. And you might not get it back without their help.

    I have had to manually reset them a couple of times for Time Warner. However I haven't found any useful account data there. Just hardware settings.

  • Re:Why wait? (Score:3, Informative)

    by commodore64_love ( 1445365 ) on Thursday October 22, 2009 @10:47AM (#29835153) Journal

    I use dialup and can access youtube videos, bittorrent the latest Stargate episodes, download pics, and so on. The only thing I can't do is access streaming video sites like NBC.com, since they require minimum 192k connections, but everything else works just fine. Even flash-heavy sites like imdb.com

    One advantage I probably have over your connection is I use Netscape ISP. It uses on-the-fly image, text, and flash compression to speed things up. Your provider may not have it, so consider an upgrade: http://www.getnetscape.com/ [getnetscape.com] I hooked-up my friend's father with this, and now his Dialup is faster than ever.

  • by unitron ( 5733 ) on Thursday October 22, 2009 @12:20PM (#29836423) Homepage Journal

    I think that's not the IP address for the Motorola ( try http://192.168.100.1/ [192.168.100.1] ), but for a Linksys wireless router, like say a WRT54G.
