Slide 1 – Sniffing cable modems
Guy Martin, gmsoft@tuxicoman.be
HackCon 4, February 2009, Oslo
Slide 2 – Agenda
– What is DOCSIS?
  - Use of DOCSIS
  - General architecture
  - Registration process
  - Encryption on the link
– How to sniff it
  - DVB-C / ATSC card
  - Packet-o-matic to the rescue
Slide 3 – Agenda (continued)
– Security concerns
  - Privacy
  - Impersonating
  - Modem SNMP tricks
  - Misc
– References
  - DOCSIS
  - MPEG
  - Packet-o-matic
Slide 4 – What is DOCSIS: Use of DOCSIS
– Internet: the best-known application of the DOCSIS protocol
– Telephony: most cable modems have a built-in ATA (Analog Telephone Adapter)
– Digital TV decoders: built-in cable modems used to monitor and send feedback data from end users (VoD)
Slide 5 – What is DOCSIS: General architecture
– The CMTS on the ISP side broadcasts packets to the end users on a single, shared downstream frequency
– Modems on the end-user side send packets back to the CMTS on a separate upstream frequency, each during its assigned timeslot
– A CMTS serves anything from a small neighbourhood to a whole city
– The downstream frequency lies in the same range as the TV channels
– Data is encapsulated in MPEG packets, just like normal digital TV
Slide 6 – What is DOCSIS: Registration process
– Acquire and lock the downstream frequency
– Get the upstream parameters from the downstream
– Get an IP address via DHCP
– Download the modem configuration via TFTP
– Apply the configuration and enable IP forwarding
Slide 7 – What is DOCSIS: Encryption on the link
– Encryption and authentication are NOT mandatory
– BPI (Baseline Privacy Interface) provides a mechanism for authentication and/or encryption
– Triple DES has been available since DOCSIS 1.0
– Authentication using certificates since DOCSIS 1.1
– AES available since DOCSIS 3.0
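Because BPI is optional, the first thing a subscriber or auditor wants to know about their own link is whether it is actually on. The following Python is an added example, not code from the slides or from packet-o-matic: it parses downstream MPEG-2 TS packets (ISO/IEC 13818-1), picks out the DOCSIS PID, and checks whether the DOCSIS MAC frames carry a BP_DOWN extended header with the ENABLE bit set. Assumptions: field layouts follow the DOCSIS MAC and BPI specifications (PID 0x1FFE, EH_TYPE 4 = BP_DOWN), the HCS bytes in the sample frames are placeholders, and the sample packets are constructed inline.

```python
# Added example, not from the slides; layouts per DOCSIS MAC/BPI specs, frames constructed.
TS_LEN, TS_SYNC = 188, 0x47
DOCSIS_PID = 0x1FFE      # MPEG-2 PID reserved for DOCSIS data
EH_TYPE_BP_DOWN = 4      # extended-header element type: downstream privacy (BPI)
MAC_STUFF = 0xFF         # DOCSIS stuff byte between MAC frames

def ts_payload(pkt):
    """Split one 188-byte TS packet (ISO/IEC 13818-1) into (pid, pusi, payload)."""
    if len(pkt) != TS_LEN or pkt[0] != TS_SYNC:
        raise ValueError("not an MPEG-2 TS packet")
    pusi = bool(pkt[1] & 0x40)                  # payload_unit_start_indicator
    pid = ((pkt[1] & 0x1F) << 8) | pkt[2]
    afc = (pkt[3] >> 4) & 0x3                   # adaptation_field_control
    off = 4 + (1 + pkt[4] if afc & 0x2 else 0)  # skip adaptation field if present
    return pid, pusi, (pkt[off:] if afc & 0x1 else b"")

def first_mac_frame(payload):
    """With PUSI set, byte 0 is a pointer to the first MAC frame that starts in
    this packet; DOCSIS 0xFF stuff bytes may precede the frame."""
    return payload[1 + payload[0]:].lstrip(bytes([MAC_STUFF]))

def bpi_enabled(frame):
    """DOCSIS MAC header: FC bit0 = EHDR_ON, MAC_PARM = EHDR length, each EH
    element is type(4b)|len(4b) + value. BP_DOWN value byte 1, top bit = ENABLE."""
    if len(frame) < 4 or not frame[0] & 0x01:
        return False                            # no extended header at all
    ehdr, i = frame[4:4 + frame[1]], 0
    while i < len(ehdr):
        eh_type, eh_len = ehdr[i] >> 4, ehdr[i] & 0x0F
        if eh_type == EH_TYPE_BP_DOWN and eh_len == 4:
            return bool(ehdr[i + 2] & 0x80)
        i += 1 + eh_len
    return False

def link_is_encrypted(ts_packets):
    """True if any DOCSIS-PID packet starting a MAC frame has BPI enabled on it."""
    for pkt in ts_packets:
        pid, pusi, payload = ts_payload(pkt)
        if pid == DOCSIS_PID and pusi and payload and bpi_enabled(first_mac_frame(payload)):
            return True
    return False

def make_ts(mac_frame, cc=0):
    """Constructed sample: one TS packet on the DOCSIS PID carrying mac_frame."""
    body = bytes([TS_SYNC, 0x40 | (DOCSIS_PID >> 8), DOCSIS_PID & 0xFF, 0x10 | cc, 0]) + mac_frame
    return body + bytes([MAC_STUFF]) * (TS_LEN - len(body))

# FC=0x01 (PDU, EHDR_ON), MAC_PARM=5, LEN=7, EH 0x44 + (key_seq/ver, ENABLE|SID hi, SID lo, rsvd), HCS, PDU
FRAME_BPI = bytes([0x01, 0x05, 0x00, 0x07, 0x44, 0x01, 0x80, 0x21, 0x00, 0xAA, 0xBB, 0xDE, 0xAD])
# FC=0x00, MAC_PARM=0, LEN=2: same PDU with no extended header (what an unencrypted link shows)
FRAME_PLAIN = bytes([0x00, 0x00, 0x00, 0x02, 0xAA, 0xBB, 0xDE, 0xAD])
```

Feed `link_is_encrypted` a list of raw 188-byte packets read from the DVB-C card's transport stream; a False across a long capture on the DOCSIS PID means the conclusion of the deck applies and the data should be treated as public.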
Slide 8 – How to sniff it: DVB-C / ATSC card
– Possible because the protocols and frequencies are deliberately similar to digital TV ones
– Inexpensive
– Only the downstream traffic can be captured
– Different hardware such as the USRP could be used to capture both upstream and downstream
– DOCSIS 3.0 uses multiple downstream frequencies
Slide 9 – How to sniff it: Packet-o-matic to the rescue
– An input module captures the traffic
– Packets are processed and matched using rules
– Helper and conntrack modules prepare the packets for the targets
– Finally, the target module processes the packets to produce the desired output
– Everything happens in real time
– Telnet and XML-RPC interfaces are available
Slide 10 – Security concerns: Privacy
Sniff data destined for all ISP users
– Reassemble streams in real time and extract usable files on the fly (mail, landline phone calls, IM conversations, …)
– Gather personal data: Facebook chat / images, Google searches, other
– User workaround:
  - use a VPN tunnel to a trusted endpoint
  - use encrypted protocols
– ISP workaround: enable DOCSIS encryption (BPI)
Slide 11 – Security concerns: Impersonating
Send packets as someone else
– DoS by reinjecting TCP RST (tcpkill) packets or ICMP error packets
  - Workaround: none
– Use someone else's IP address, which consumes their bandwidth and quota
  - User workaround: set your firewall NOT to drop packets but rather reject them with a TCP RST, to kill rogue connections
  - ISP workaround: enable BPI
Slide 12 – Security concerns: SNMP tricks
Modem SNMP tricks
– Change the IP filters of the modem's Ethernet bridge
– Deny access to the server polling the download/upload quota
– Reboot the modem
– Anything else the modem's SNMP interface allows
– ISP workaround: allow SNMP access only from the coax interface
Slide 13 – Security concerns: Misc
Bypass filters
– Bypass modem filters by reinjecting sniffed packets into the LAN
– Create a virtual network interface (tap device) so other tools can be used
– ISP workaround: enable BPI
Slide 14 – Security concerns: Misc
VoD sniffing
– Gather VoD information from the decoders' traffic
– Tune to the right frequency
– ISP workaround:
  - encrypt the VoD MPEG stream
  - enable BPI
Slide 15 – References
– DOCSIS
  - http://www.cablelabs.com/
  - http://www.cablemodem.com/specifications/
– MPEG
  - ISO/IEC 13818-1
– Packet-o-matic
  - http://www.packet-o-matic.com
Slide 16 – Conclusions
Users
– If BPI is not enabled, consider your data public
– Encrypt as much as you can
– Monitor your firewall for people who might be impersonating your connection
ISP
– Enabling BPI is strongly recommended
– Not doing so allows users to bypass the first level of protection provided by the modem
– Without BPI, theft of service and impersonation are possible