Cable Haunt: Exploiting DOCSIS Modems
ฝัง
- เผยแพร่เมื่อ 10 ก.ย. 2024
- Cable Haunt is the fancy name given for a vulnerability recently disclosed by a group of researchers at Lyrebirds in Denmark exploiting DOCSIS modems. Cable Haunt affects cable modems using the Broadcom chipset specifically having the built-in spectrum analyzer many of us in the industry are quite fond of. Typically the forward path spectrum analyzer or Full Band Capture (FBC) analyzer in the Broadcom chipset is used by the industry for proactive network maintenance (PNM) applications to identify a number of downstream impairments in the home without ever requiring the technician to enter the home, because we can access the modems spectrum analyzer remotely.
For the exploit code shown in the video, see the blog post here: volpefirm.com/...
Subbed. You explained everything so well and I learned a lot. Have they patched this for the Arris SB8200 or should I be looking at the Netgear CM1100? In between purchases and I plan to get the Netgear R8000 router eventually so wonder if I should go all in with Netgear.
Hi Marc, there is a bandaid and all cable operators are aware of it. I have the bandaid listed on my blog here: volpefirm.com/cable-haunt-exploiting-docsis-modems/ It is at the very end and describes the MIBs operators are applying. This is a bandaid and not a fix, but it does protect you and the cable operator. At this time I wouldn't recommend a new modem for this issue alone as it is being handled by operators.
@@Volpefirm I live in a rear in-law suite behind my landlords house. He has Spectrum services with premium cable, phone, and Internet. The coaxil cable also comes into my apartment and feeds a premium cable Spectrum box that he pays an extra fee for. I piggyback Internet services through his wifi from the modem and router in his house, but there's too much distance and interference (walls) to get a good signal. I bought a plug in wireless signal enhancer which made the signal bearable for very light Internet surfing, but I cannot stream videos or live sports.
So my question is this: can I pick up a used modem at a thrift shop and make it work somehow in my apartment? Or is there anything else I can do? Thanks for any help.
Hi @@MasterArmedforces if you have an agreement with your landlord that he provides you Internet, then you could ask that he ads an extender to his modem. This is also something Spectrum could do. Ideally he could run a CAT6 hardline directly to your in-law suite and you could then put an access point in. If this is not possible, you may need to ask your landlord or Spectrum to set yourself up with a dedicated account in your name. You would get your own cable modem and your own drop from Spectrum.
I don't have Spectrum Analyzer on my Arris TN822 modem. SW patched to disallow?
Likely
Wow this was really cool! Also subbed
Thanks for watching!
This guy was great in The Sims
Sims was a great game in its day 😂
A Spectrum cable guy forced me to take the DOCSIS 3.1 modem and he seemed kinda sketchy, so how do I make sure he can't access or hack my modem?
Hi @DoceFarnienteABC123 You are safe. All DOCSIS cable modems follow a security process defined in the DOCSIS specification. However, all of your data can be monitored by the cable operator unless you use a VPN.
@@Volpefirm How would a VPN stop my ISP from monitoring my ethernet cable internet? They have direct access to my internet through the node. VPN only masks my location from other networks, it won't stop the ISP from accessing my internet activity.
I know your very good at these Situations but the Timeout T3 on a Modem should I be Concerned I'm not the most Technical guy out there
but how to Analyze or fix this can it be a Outdated Coaxial or Wiring in my Home
Only if you see a lot of T3 timeouts back to back. This will usually cause your modem to reboot. If you have bad wiring, the easiest thing you can do is buy a new coax cable and run a piece from your splitter outside to your modem... I know this is vague. I'll be doing more videos on how to do this.
@@Volpefirm Ok so the Main Splitter or my Splitter that goes from my Voip Modem to ISP's Modem
@@Volpefirm Or Nevermind I know which one but I just wish I had a Coaxial Port rather than my Cables running thru the Ground it would've been much more Easier
to prevent e waste, and keep an upgrade less expensive, is it possible to turn my old docsis 3.0 arris modems into MoCa adapters? i've got rg6 quad running to other structures from the house, fiber to home now, with tp link omada, currently using one set of hitron moca going to the shop. i don't want to buy 4 more if i don't need to.
Hi @davidrobinson6185 I like the question. So yes you could add it to your MoCa network but I don’t believe the LAN side of the modem will work (for most modems) until the modem is registered to the CMTS. I have not tested this, however and you may find that some vendors and/or some software builds enable the functionality you are suggesting. I think it’s a really good idea. Worth exploring. Particularly as DOCSIS 3.0 modems age out they could be re-purposed for something like your suggesting.
Can my ISP see everyone downstream connected to the network? Isp is spectrum, and its basically analog cable on the poles and then converted back to digital at the customer i think. It's all coaxial. My question is (hypothetically speaking) how do they shut you off remotely? And could one exploit the network with a pre-programmed modem? Free internet?
Yes. Your ISP can see every cable modem connected to the network. Each cable modem has a unique MAC address. The ISP will see each cable modem with its associated MAC address.
@@Volpefirm I've always wondered, that's crazy to me that they can see all that. Thank you 🙏
Can this be used to get "free internet" if so what would one hypothetically need to do with the code if anything at all?
No sorry, this hack won't get you free Internet.
@@Volpefirmahh got it, I've been wondering how people are programming modems for free Internet, they sell them online and I've used them in the past, but they charge and arm and a leg for one.
@@redditavatars Thanks for answering :)
i thought the browser and the tcp/ip stacks do the https meaning that the encryption is not done on the modem.
however someone could maybe flash a wireshark like decoder and intercept the site's certificate and do it on the firmware.
a malicious actor could instead of bricking the modem they could just insert the code and reboot the modem as a means of kicking us off.
however if it requires you to first visit the spectrum analyzer page then we should be safe from a injection attack hit and run style.
You are correct, https encryption is done in your web browser. There is a secondary encryption called baseline privacy interface (BPI+) which encrypts the traffic to and from your modem between the CMTS and the cable modem.
On my modem it is on 192.168.100.1 8888 is it normal?
Yes. IP varies from modem vendors.
@@Volpefirm thanks
Man, I have one and wondering if there is a firmware reversion process or what all causes the inability to login or possibly a workaround to login or access the SA? Seems like a scam not allowing access to the user owned hardware and firmware capabilities.
Hi jafinch78 a lot of MSOs have been blocking the SA. They are able to do this with a config file which is downloaded to your modem when it registers with the cable operator. So its not a firmware upgrade. Just a config file that blocks the ports.
@@Volpefirm Hi The Volpe Firm, Inc. So does a reset of the SB6183 cable modem with the config file installed reliably erase the config file so the port is open? Really appreciate the feedback. Thank you sir!
@@jafinch78 every time you reset the modem it goes back to its default configuration.
@@Volpefirm Interesting... never tried and I wound up finding a SB6141 for ~$5 at the Goodwill Store. Didn't reset since found the already using SB6183 had the port available all the sudden out of the blue. So, swapped in the SB6141 as my cable modem I use and had Xfinity do their thing so now I have a SB6183 that I can use as a SA. I made a bad video or two detailing... in particular the SB6141 required a capacitor replaced to get working again.
@@jafinch78 Just watched your video. I agree. Great idea and use of old modems. I have a few which when I get time will see how they can be made into useful equipment.
May I borrow you to decipher this video please?
If you give me a human cloning machine I will gladly send you a copy 🤓
@@Volpefirm tease