From: Rev. Chris Cappuccio (chrisDQC.ORG)
Date: Sun Apr 29 2001 - 00:36:33 CDT
On Sat, 28 Apr 2001, Rajkumar S. wrote:
| Any one with any experience with this OS. Some bugs are bound to occur.
The Surfboard OS is VxWorks, it seems to be used in many smaller devices that
need an IP stack.
The web server on the Motorola (formerly General Instruments) Surfboard
(2000?)/3000/4000 series gives plenty of information about the internal IP
address scheme for the provider's Hybrid Fiber-Coax network, as well as the
features of the modem. One interesting piece of information is the TFTP
server which the modem grabs its configuration file from, and that file's name.
All DOCSIS cable modems seem to grab a configuration file that is around 120
bytes in size, and although I have not studied the DOCSIS specification
closely, I believe this at least tells the modem what uplink and downlink
speeds to operate at. It must also tell the modem other parameters to use on
the cable network. Most providers appear to use a generic configuration file
for many customers.
Further, DOCSIS cable providers use an internal IP address scheme strictly
for addressing Hybrid Fiber-Coax connected devices like the cable modems and
bridges. If you can figure out what this network is, for instance from the
information provided from the web server on your Surfboard, you can talk to
any cable modem on your network.
This in itself is an interesting security hole from the idea that you can do
extensive information gathering, not from other modems' web servers, but from
SNMP. Install ucd-snmp and try snmpwalk 192.168.100.1 public ! You can get
most, if not all, of the information that the Surfboard's web server will
give you, plus a lot more. I've only used the web server on the Surfboard.
Other modems, like the ever popular Toshiba, still give out extensive
information via SNMP. It must be hard (read: impractical) for cable vendors
and providers to secure SNMP over a wide deployment, so this doesn't seem all
that unusual. But, keep in mind, providers use SNMP for a wide variety of
tasks to manage the modem, and they use information from the modem to manage
For anyone who wants to play with their Motorola Surfboard, just add an IP
alias on your system as 192.168.100.xx (except .1) and connect to
192.168.100.1 to check out the modem. You don't even have to add the alias,
the Surfboard seems to intercept outgoing connections to 192.168.100.1
regardless of the MAC address they are intended for. But, I don't know how
reliable this is.
It is of course possible that the Surfboard or other cable modems may be
vulnerable to some kind of problems where an intruder could change settings
or even load up new firmware. I think it is likely that they are vulnerable
to some DoS attacks, I am thinking along the lines of nuke, teardrop, etc.
Because of the wide open nature of SNMP on these cable modems (e.g. you most
likely can talk to any cable modem in your area with SNMP if you are on one),
I do not think very highly of the general security here. Actually, that
would be understating my opinion. On the positive side, the Surfboard in
particular does not respond to IP connections coming in to its hybrid
fiber-coax IP on the web server port, but it does respond to SNMP. I think
this is specified in DOCSIS.
Motorola's security policy to handle this area is the same (FAILED) policy it
used with its cell phones. Only make modem management information available
to 'registered users', the cable companies. Motorola has a web site from which
you can download detailed manuals for the Surfboard, but you have to sign up
and match a registered customer. This policy failed with the cell phones,
because the information on how to access the internal/debugging features of
their cell phones was leaked, and that was only in between the times when
'unregistered' users were getting the information directly from Motorola,
after paying lip service to Motorola on their status or intended usage.
I have only glanced at the (freely available online at cablelabs.com)
specifications for DOCSIS. I don't know how it works in terms of security or
encryption. I wonder how much is left up to the user (cable modem) versus
the head end. I imagine that, with more information from Motorola on how to
access the modem, you could manipulate the speeds that your modem runs at,
and possibly gain control of the cable network in other ways that are clearly
not intended for the end user. Cable looks like a can of worms, just like
cell phones, and the vendors should be held responsible. Stop-gap measures
like limiting access to the manuals are poor bandaids to more serious
If you are going to play with your modem, look at the information from it
carefully, and keep in mind that your modem has its own MAC address which
identifies to the cable system who you are (matching back from their database
with the MAC) and what config file you get from the TFTP server.
--- Rev. Chris Cappuccio http://www.dqc.org/~chris/
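The post describes the small DOCSIS configuration file each modem fetches over TFTP and the rate settings it carries. The following is an added example, not code from the post or from Motorola, that decodes such a file's TLV layout (type names taken from the public DOCSIS RFI specification) and audits the decoded settings from an operator's side; the sample file bytes are constructed, not captured from a provider.

```python
# A DOCSIS config file is a flat TLV stream (1-byte type, 1-byte length, value);
# names follow the public DOCSIS RFI spec, Appendix C. Type 0 pads, 255 ends.
TOP = {1: "downstream_frequency_hz", 2: "upstream_channel_id", 3: "network_access",
       4: "class_of_service", 6: "cm_mic", 7: "cmts_mic", 18: "max_cpe"}
COS = {1: "class_id", 2: "max_downstream_bps", 3: "max_upstream_bps",
       4: "upstream_priority", 5: "guaranteed_upstream_bps",
       6: "max_upstream_burst", 7: "privacy_enable"}

def iter_tlvs(data):
    """Yield (type, value) pairs, raising on a truncated file."""
    pos = 0
    while pos < len(data) and data[pos] != 255:
        if data[pos] == 0:                       # pad byte
            pos += 1
            continue
        if pos + 2 > len(data) or pos + 2 + data[pos + 1] > len(data):
            raise ValueError("truncated TLV at offset %d" % pos)
        length = data[pos + 1]
        yield data[pos], data[pos + 2:pos + 2 + length]
        pos += 2 + length

def parse_config(data):
    """Decode the fields the post discusses: per-class rates, access control, MICs."""
    cfg = {"class_of_service": []}
    for t, v in iter_tlvs(data):
        name = TOP.get(t, "unknown_%d" % t)
        if t == 4:                               # class of service is itself a TLV list
            cfg["class_of_service"].append(
                {COS.get(s, "sub_%d" % s): int.from_bytes(sv, "big")
                 for s, sv in iter_tlvs(v)})
        elif t in (6, 7):                        # integrity digests: record only
            cfg[name] = v.hex()
        else:
            cfg[name] = int.from_bytes(v, "big")
    return cfg

def audit(cfg):
    """Flag settings an operator should review before serving the file over TFTP."""
    findings = []
    if cfg.get("network_access") != 1:
        findings.append("network access not enabled")
    if "cm_mic" not in cfg or "cmts_mic" not in cfg:
        findings.append("integrity check TLV missing")
    for cos in cfg["class_of_service"]:
        if not cos.get("privacy_enable"):
            findings.append("class %s: baseline privacy disabled" % cos.get("class_id"))
    return findings

# Constructed sample: one class, 3 Mbit/s down, 256 kbit/s up, privacy off,
# CM MIC present with a placeholder (all-zero) digest, CMTS MIC absent.
SAMPLE = bytes.fromhex("030101" "0415" "010101" "0204002dc6c0" "03040003e800"
                       "040100" "070100" "120101" "0610" + "00" * 16 + "ff")
```

Running `audit(parse_config(SAMPLE))` reports the missing CMTS MIC and the disabled privacy on class 1.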