Time Warner Cable Modems Expose Users

eldavojohn writes "Wired is reporting on a simple hack putting some 65,000 customers at risk. The hack to gain administrative access to the cable modem/router combo is remarkably simple: '[David] Chen, founder of a software startup called Pip.io, said he was trying to help a friend change the settings on his cable modem and discovered that Time Warner had hidden administrative functions from its customers with Javascript code. By simply disabling Javascript in his browser, he was able to see those functions, which included a tool to dump the router's configuration file. That file, it turned out, included the administrative login and password in cleartext. Chen investigated and found the same login and password could access the admin panels for every router in the SMC8014 series on Time Warner's network — a grave vulnerability, given that the routers also expose their web interfaces to the public-facing internet.' If you use Time Warner's SMC8014 series cable modem/Wi-Fi router combo, watch for firmware to be released soon that they are reportedly in the process of testing."

The only prudent thing to do with these things...

[John Hasler]

...is to put them in bridge mode and use your own router (no matter who your provider is). Same with DSL modems. Even when they aren't misconfigured (deliberately or due to sheer incompetence) the firmware is usually buggy and limited.

Why wait?

[L4t3r4lu5]

Install your own patch right now by cancelling your Time Warner contract, throwing the router in the trash, and getting a new ISP with better hardware. Hell, fork out $50 for a tried and tested model from Newegg. Be sure to tell Time Warner to "Abragofuckyourself" when they say you're tied into a contract by using the words "unfit for purpose" "gross criminal negligence" and "class action"

Yeah, my utopian world of consumer power is better than this one of "Please, Mr Corporation, harder and deeper!"

Re:The only prudent thing to do with these things.

[milgram]

While I agree with you, the issue usually isn't the small percentage of technically savvy people who use this, but rather the majority of folks looking to "plug and play". These are the security gaps that allow zombie DDoS attacks to happen so easily, as they open up easy access to lot's of similarly configured boxes.

Re: the routers also expose their web interfaces t

[John Hasler]

Convenience and incompetence. They want to be able to run scripts to update/reconfigure all the modems and this is the first method that occured to them. Being stupid, they didn't think it through.

Maybe

[Akita24]

Maybe if they actually gave 0.0000000001% of a shit about the service they provide instead of spending millions trying to figure out how to fuck the customers they've oversold to out of YetAnotherPenny ... nah, won't happen.

That's what they get...

[hitech69]

AOL/TWC have gone through so many reorganizations and consolidations, the best and brightest have been gone from the company for quite some time. This is just a result of continuing to run a failing course.

Multiple-levels of incompetence

[MobyDisk]

This isn't just a security vulnerability - those things happen. This is gross negligence. There are 3 simultaneous absolutely bone-headed things here:

- PUBLIC facing web configuration? I have never, ever, ever, seen a router that did that. Not even cheesy home routers.
- JAVASCRIPT is their security? That was dumb back in 1998, but who does that now?
- CLEAR TEXT username/password? There was this great technique we used back in 1975 called hashing. Look it up. Why does it even write the username/password out anyway?

This is one of those cases of just too many stupid things all at once for it to be a mistake.

Re:The only prudent thing to do with these things.

[Bakkster]

I was under the impression that the only user-configurable option is to add URLs to a blocking list. There is no way to put it in bridge mode, and even if it was someone could log on and change it, and simply pass all your data to their servers anyway.

This is the kind of setup you give people who don't know about security, so they can't muck it up. Of course, it needs to be secure in the first place, so this is a huge issue and fixable only with firmware (or different hardware).

Re:Why wait?

[dissy]

How about lobbying your congressman to get the monopoly given to Time Warner / AT&T / Comcast / Sprint or whatever split up as anti-competitive and not just taking a big rubbery one up the wrong'un?

Lobby as in write letters?
  Check.

Lobby as in send 'contributions' in the hundreds of millions of dollars a year like time warner does?
  Not so much. All though if you let me borrow that amount, I will do exactly that with it. Just paypal it to me!
  Sadly I have discovered they do not accept monopoly money :{

Re:WTF?

[JustOK]

You should always have a key to show to the cops

Not a hack

[flyingfsck]

This is not a hack. This is leaving the key *on top* of the doormat.

Re:Why wait?

[betterunixthanunix]

Dial up is "worthless Internet?" I guess half of the world's Internet users have been swindled.

Re: the routers also expose their web interfaces t

[flibuste]

Yes incompetence looks like the primary cause here. Whoever hides the access to administrative functions of anything by simple javascript on a web page should be at best fired.

It is quite amazing to see how many programmers are just totally clueless about the technology they're using. It's just appauling.

Re:The only prudent thing to do with these things.

[Anonymous Coward]

Bridge mode is just that -- it's a connection between two separate networks. In this case, the TW box is connected to the Internet and is one point of the bridge. On the other end is your home network router, which acts as the other point of the bridge. Your network is physically separate from theirs, and joined by the single patch cable between the boxes.. This is usually how these things work anyways, even when it's all in one box. The difference here is that you're using two physical boxes to ensure the separation, which avoids absurd goofs like the one described in TFA.

Re:Why wait?

[Dare nMc]

you left out the tinfoil. No seriously you would also want to remove the antennas, or wrap the TW box in a Faraday cage IE tinfoil (OK it is unlikely but...)
If anyone can remote into the Wifi/bridge config portion of the router, sounds like you could still remote into the neighbors router with this, change his wifi settings of the TW box for you to connect through, set your wifi connected box as their new dns/dhcp/etc host, change the IP of the TW box (so if they hardcoded) all their traffic would now go through hardware you controlled.)
Then you would pretty much have complete control over what they could do on the internet, even with their un-compromised router hardwired behind the TW box.

Re:VErizon FiOS routers do something similar

[DrVomact]

So get a gigabit wired router. I'd never trust a router that wasn't my property; I will always have my own router behind any provider-owned router, password protected so only I can maintain it. I refuse to install wi-fi, mostly because I know what it takes to secure a wireless network, and it's just easier to pull cable. Hmmm. You can disable wi-fi on those FIOS routers, right? Heck, if not, I'll rip off the frickin antennas and pack the whole thing in tin foil, if they ever get around to laying FIOS in my neighborhood.

My friends say I'm paranoid. Of course, one of them just got his broadband shut off because the neighborhood kiddies were downloading pr0n courtesy of his poorly secured wireless. Heck, some of them give their real name when a Windows installation asks—and then they're supprised when their name shows up in places like the metadata to every Word document that's composed on their computers.

Anyone who isn't paranoid these days is a sucker.