digg

Facebook Connect Join Digg About
See the original image at pcworld.com

Gaping Security Hole Turns Cable Modems Into Hacker Prey

pcworld.com A blogger helping to tune a friend's wi-fi network uncovered a gaping security hole in Wi-Fi cable modem routers installed in 64,000 Time Warner subscribers' homes, leaving them open to attack.

Who dugg this? Made popular Oct 22, 2009

Digg DudeWhat is Digg?

Digg is a place for people to discover and share content from anywhere on the web. Digg surfaces the best stuff as submitted and voted on by the community. Take the Tour to learn more.

60 Comments

show profanity settings
expand all
  • SgtBlue, on 10/22/2009, -2/+36"... administrative control of the routers had been blocked by a Java script. He disabled Java on his friend's router..."

    That line right there makes the article's author sound like a complete moron who probably shouldn't be writing for PC World.
  • DjOverEZ, on 10/22/2009, -1/+31If you're looking for more information on this issue, do not, I repeat, DO NOT Google "gaping hole!"
  • Brak710101, on 10/22/2009, -2/+29Next time, read the article. This is a WebGUI security flaw, and the routers only support WEP anyways.

    My recommened fix is turn WiFi off and disable remote administration. If you need WiFi, daisy-chain on another router or something.
  • twiztidsinz, on 10/22/2009, -1/+20Not broadcasting your ID is just a hurdle
    WPA2 can be cracked
    MAC addresses can be spoofed

    As ladfrombrad said you'll be safer, not safe.
  • ladfrombrad, on 10/22/2009, -1/+19*Safer.
  • OasisR123, on 10/22/2009, -2/+18gaping
    ...
    hole
  • BeShirtHappy, on 10/22/2009, -1/+17FTA: "From within your own network, an intruder can eavesdrop on sensitive data being sent over the Internet and even worse, they can manipulate the DNS address to point trusted sites to malicious servers to perform man-in-the-middle attacks,"

    Some seriously scary stuff. I really try to watch what I put in emails, financial and personal info I may store on my PC, etc., but you get so comfortable... this reminds me to be even more careful.
  • Solkre, on 10/22/2009, -0/+15I despise those ***** all-in-one modem/router/WiFi/coffee-makers.

    One of the worst parts of moving, is setting up my new Internet. I have to call support to setup the account because I don't want to install their crap on my PC. Then if I can't turn the all-in-one into a bridge myself, I have to call support and feel like a criminal for wanting to use my own router.
  • DjOverEZ, on 10/22/2009, -0/+11It was a joke.


    Are you that guy who responds "Does a chicken need a reason to cross the road? What road are we talking about? What's on the other side that makes a chicken want to risk it's life? Why won't girls talk to me?"
  • tgc1, on 10/22/2009, -0/+10Goatse Security Problem?
  • memper, on 10/22/2009, -0/+10A security flaw in a cable modem will not light your computer on fire.

    Courage wolf dares you to try though, cause that would be awesome.


  • eanbowman, on 10/22/2009, -0/+10Haha yeah that doesn't make sense at all, but I caught his meaning anyway.

    Still, blocking admin access with some JS? Someone needs to be fired from SMC...

    ... out of a cannon, into the sun.
  • TheInformer, on 10/22/2009, -1/+10Go live in a cave. That's the way to be safest.
  • CaptainSegfault, on 10/22/2009, -0/+9Every WPA2 "crack" is just brute force, which is only feasible if you pick a weak key.
  • EvelynKillface, on 10/22/2009, -0/+8Hey, awesome. I've been looking for a documented way into my router for a while now. Good to know all I had to do was turn off Java and save a plaintext config backup to get admin access.

    But yeah. Not only Time Warner people! I'm Canadian, on Rogers cable internet, with the same model modem-router. My access has been restricted since day one; today, I get in to find that the remote access was turned ON by default, to ALL IPS.

    Meaning, anybody who isn't a total paranoid freak or a supernerd on rogers cable is ALSO susceptible to this hack. Which can allow anybody (like ME, for instance) into your router, which allows them to get your wireless info, your geographical location, and let us not forget THEY CAN REDIRECT EVERY SINGLE THING YOU DO ON THE INTERNETS. They don't even have to try to spoof your favorite webpages; they just have to watch you login to a few of them.

    Serious. Warning. Alert. This is not a joke article - I just went and checked.
  • mehan, on 10/22/2009, -0/+7if you read the article, you would understand that all of those points are irrelevant to the problem.
  • Greengoo, on 10/22/2009, -2/+9All internet service providers suck ass.
  • rmxz, on 10/22/2009, -0/+7I put the wireless router* outside* my (software) firewall.

    A side-benefit of this is that I also can (and do) open up my access point to allow access to everyone. I used this to provide free wireless for a coffee shop on the corner of my block back when I lived in a SF apartment. QOS features meant that no matter how much guests used it, it didn't noticeably affect my usage. And as far as I can tell, it was never really abused either; just typical light coffee-shop browsing.

    The other benefit is that it protects against hacks like the one described here; or any other security bugs in the wireless devices that show up every now and then.
  • GamerXR72, on 10/22/2009, -0/+5@TheInformer

    That actually depends on the geographic stability of the region, local wildlife, public accessability, and availability of supplies.
  • inajeep, on 10/22/2009, -0/+5Tim Greene also writes for Network World. I noticed that there isn't a bio or any vetting of their writers on their site. I guess my dismissal of their magazine for all these years has been justified.
  • cheddaro, on 10/22/2009, -1/+6Hah! Childs play.

    Back in my day, every Cisco router on the internet had a backdoor password built in. Now that was a security hole...

  • gazzigger, on 10/22/2009, -0/+4And this is why I use dial-up ;)
  • buddyw, on 10/22/2009, -1/+5Until the RIAA sues you because of your IP.

    On the other hand, I guess the open Wifi would be plausible dependability if the FBI ever knocks your door down.
  • GamerXR72, on 10/22/2009, -0/+4Just because something is called a modem doesn't mean it sucks.
  • EvelynKillface, on 10/22/2009, -1/+5Yes, a modem. Its what you've used to get on the internet since, uh, always. Dumbass.
  • diothar, on 10/22/2009, -1/+5Is it ok to google "gaping hole" if I want to find some hardcore porn?
  • skate3214, on 10/23/2009, -0/+3"control of the routers had been blocked by a Java script. He disabled Java on his friend's router"

    So since it was using javascript he decided to disable Java? Silly PCWorld writer.

    When will people learn that javascript != Java.
  • Jeff901, on 10/22/2009, -0/+3Use encryption when and where it is possible.....

    Most ISP's offer this option with email TLS and/or TLS, but it is rarely used because it isn't understood by most users. For everything else, there is PGP or GPG encryption.
  • rmxz, on 10/22/2009, -3/+6Why not? The first google search result is a story more interesting than this article.

    http://www.physorg.com/news107109720.html
    "Astronomers find gaping hole in the Universe"

    Most other results are either about that, or about a jet landing with a gaping hole in it's side.

    While a bit scary, they hardly call for the caution you expressed. I'm curious what you found or were expecting.
  • klowngoblin, on 10/22/2009, -2/+4you moron, even in windows you can change your mac to anything you want in about 14 seconds.

    not broadcasting SSID? broken in seconds with linux and the aircrack suite

    WPA2 is probably most secure for consumer grade routers but still crackable using brute force

    but if you RTFA you would see that wep is the only option, wep can be broken in as little as 3-8 minutes depending on how lucky you are.
  • clippclop, on 10/22/2009, -0/+2You can very easily do this without a borked cable modem. I dont really understand how that is relevant to the issue.
  • spiritamx79, on 10/22/2009, -0/+2I prefer the tried and true method of searching "hardcore porn" but to each his own!
  • jerrycan, on 10/22/2009, -0/+2Hehe, I got a chuckle out of that. nice..
  • spoonmanp, on 10/22/2009, -0/+2The router supports WPA2. But Time Warner has it set up so users cannot change it to WPA2, thus effectively forcing the customer to use a weakly protected wifi network. Not only that, the customer cannot even access the settings to disable wifi.
  • eanbowman, on 10/22/2009, -0/+2It doesn't matter if you don't have the option of WPA2 because the router only supprts WEP though.

    Hopefully SMC's next firmware includes better protocol support. I guarantee the chipset that runs it is a generic system-on-chip setup capable of running pretty much anything - so it's up to the coders at SMC to make it not suck. :P
  • GamerXR72, on 10/22/2009, -0/+2Mabey it really is good, or mabey Ive been deprived of good internet my whole life and can't tell the difference, but goddamnit I like FiOS.
  • Jeff901, on 10/22/2009, -0/+2wow, I gotta re-read what I type....should be "TLS and/or SSL"
  • Cowicide, on 10/22/2009, -0/+2R3v0lution.... FAIL.
  • GamerXR72, on 10/22/2009, -0/+2What if the security flaw in your modem is a malfunctioning thermite countermeasure?

    IT CAN BE DONE!

    Just google "Let's build a self-destruct bay for our PC" and extend that knowledge to a modem.
  • spargonaut, on 10/22/2009, -1/+3@djovereasy: I ask that last question frequently.
  • Lunarbunny, on 10/23/2009, -0/+1Goddamn. I do tech support (not for an ISP), and at the rate ISP-supplied modem-router combos seem to fail from shoddy firmware, I'm really not surprised.

    To modify a quote for my own purposes... don't forget your equipment was supplied by the lowest bidder.
  • foucaultsvac, on 10/22/2009, -0/+1Thousands of diggers break their mouse by clicking right after "Gaping".
  • chenosaurus, on 10/22/2009, -0/+1Yea, SMC really screwed up how they implemented the web admin for that router. I wonder if it's the same thing for all their other models... does anyone have a different SMC cable modem / router?
    msg me @chenosaurus if anyone wants to talk about this problem.
  • feelmypimphand, on 10/22/2009, -1/+2Time Warner, Comcast, Quest, AOL suck Cox
  • drewxhawaii, on 10/22/2009, -0/+1I logged in to post this. Good thing I searched for it first. +1
  • spoonmanp, on 10/22/2009, -0/+1Apparently, Rogers in Canada also uses the same POS routers.
  • HamNCheese, on 10/22/2009, -0/+1@clippclop - agreed

    All one has to do is set up a DHCP server on the LAN, and you are good to go.

    As others have said, use encryption where appropriate. Man-in-the-middle attacks are easily defeated with an updated browser and legit SSL certificates. Problem solved.
  • feelmypimphand, on 10/22/2009, -0/+1Paris?
  • GamerXR72, on 10/23/2009, -0/+1Not sure what you're whargarbling about there Evelyn. It brings up chemicalforums.com for me.
  • memper, on 10/22/2009, -0/+1So he knew his comment would rocket the page to the top result for that search term as he was typing it?

    THAT IS AWESOME.
  • Fetching more discussions...
    Show 51 - 60 of 60 discussions

  • Add a Comment

    Login or register to comment!
    Or, sign-in super fast with your Facebook account ...


© Digg Inc. 2009 — Content created and posted by Digg users is dedicated to the public domain | Terms of Use Updated | Privacy Policy
DIGG, DIGG IT, DUGG, DIGG THIS, Digg graphics, logos, designs, page headers, button icons, scripts, and other service names are the trademarks of Digg Inc.