Hacking Cable Modems
Bernardo Rodrigues
@bernardomr
Disclaimer
CTF Player
https://w00tsec.blogspot.com
Cable Modem Vendors
Cable Modem: Models
Cable Modem Hacking Timeline
Years on the timeline: 1997, 2001, 2003, 2004, 2006, 2009, 2010
Book: Hacking The Cable Modem, by derEngel
Talk: Hacking DOCSIS For Fun and Profit, DEFCON 18
Firmware: SIGMA, by TCNiSO
Technology: DOCSIS 1.0
Talk: Free Anonymous Internet Using Modified Cable Modems, DEFCON 16
Technology: DOCSIS 2.0
Technology: DOCSIS 3.0
Talk: Sniffing Cable Modems, DEFCON 16
Legal: DerEngel (Ryan Harris) arrested
Firmware: Haxorware R27, by Rajkosto
Tool: BlackCat Programmer, by Isabella
Cable Modem Hacking Timeline
Firmware: ForceWare v1.2, by mforce
Blog Post: Arris Cable Modem Backdoor - I'm a technician, trust me (Console Cowboys)
Talk: Hacking Cable Modems: The Later Years, NullByte Con
Technology: DOCSIS 3.1
Blog Post: Unpacking Firmware Images from Cable Modems (w00tsec)
Talk: The ARRIStocrats: Cable Modem Lulz, HOPE 9
Talk: Practical Attacks on DOCSIS, Infiltrate
Network Overview:
DOCSIS 3.0 Features
Security (?)
Get an IP address
Downstream
Upstream
Bandwidth cap
ACLs
TFTP Servers
SNMP community
DOCSIS: Config File
DOCSIS specification:
binwalk
Cable Modems
binwalk + capstone
Cable Modems
Shell access
Cable Modems
Shell access
Cable Modems
Bad authentication
Cable Modems
Default Passwords
Cable Modems
Backdoors
Cable Modems
Backdoors
Hacked Firmwares
Characteristics:
- Not Certified by CableLabs
- Backdoors (legit modems too)
- Closed source (legit modems too)
- Enable factory mode (legit modems too)
- Change MAC and Serial (legit modems too)
- Certificate Upload
Features:
- Disable & Set ISP filters (ACLs at modem level)
- Specify config filename and TFTP server IP address
- Force config file from ISP, local TFTP or uploaded flash memory
- Disable ISP firmware upgrade
- Get & Set SNMP OID values and Factory mode OID values
- Force network access (ignore unauthorized messages)
- Upload, flash and upgrade firmware
0DAY?
Physical Protection
SPI
DumpFlash
https://github.com/ohjeongwook/DumpFlash
Factory Mode
Administrative functions
Reflashing Firmware
Dumping keys
SNMP Scanning
SNMP ACLs
Bypassing SNMP ACLs
https://github.com/nccgroup/cisco-snmp-slap
DOCSIS Encryption
Required by specification
https://github.com/gmsoft-tuxicoman/pom-ng
https://bitbucket.org/drspringfield/cabletables
Firmware Upgrades
ACLs
TFTP Enforce
Solutions: ISPs
No more backdoors
Open Source?
"Nobody is innocent"
2015
IN MEMORIAM