Sniffing A Cable Modem Network: Possible or Myth? – A paper by Dexter Lindstrom
Boris Gitelman
2/23/2005

Outline
Sniffing Overview
Cable Modem Network Structure
Sniffing on the Upstream Channel
Sniffing on the Downstream Channel
Techniques for sniffing the Downstream Channel
Baseline Privacy Initiative
Conclusion

Network Sniffing Overview
Network sniffing is a method of eavesdropping on network communications.
Network sniffing exploits the physical properties of a shared medium: for one network device to send data to another, an electrical signal is propagated along the medium, and every device attached to that medium receives the signal.
Normally a network card is configured to disregard any signals not intended for its host. However, a network card can be configured for ‘promiscuous’ mode, where all signals are retained for inspection.
With respect to cable modems, the threat of network sniffing stems from the fact that the cable modem network is a shared medium.

Cable Modem System Model

The Downstream & Upstream Path
The downstream data path of the cable modem uses a single 6 MHz TV channel, typically in the higher frequency range (550 MHz and above), because higher frequencies can carry information faster.
The lower end of the radio frequency spectrum (5MHz – 42 MHz) is used for the upstream or the return path.
In terms of data bandwidth, the typical upstream channel usually has a capacity of around 5 Mbps.
The total downstream bandwidth for a single channel is around 30 Mbps.

Background
(Figure: Multiple TV Channels, Downstream Channel)

Cable Modem – Modulation & Demodulation Phase
Demodulation Phase: The cable modem has a tuner (just like a TV) that tunes to the appropriate 6 MHz downstream channel (42 MHz – 850 MHz). The cable modem demodulates the signal, extracts the downstream data destined for it, and converts that data into an Ethernet or USB signal fed to the user’s computer.
Modulation Phase: The cable modem receives data on its Ethernet or USB interface, modulates the data onto the upstream carrier frequency, negotiates channel access with the CMTS, and sends the data.

Author’s Assessment of Sniffing Ability on the Downstream Channel
The downstream signal from the CMTS (Cable Modem Termination System) is received by each and every cable modem.
It is the function of the cable modem to disregard all the data that is not intended for it.
In other words, the modem’s operating system is programmed to drop all frames not destined for it instead of forwarding them to the Ethernet interface.
The author concludes that the “downstream channel is vulnerable to a possible, but unlikely sniffer attack”.

Author’s Assessment of Sniffing Ability on the Upstream Channel
Each cable modem is designed to receive/demodulate on one range of frequencies (50–850 MHz).
It is likewise designed to send/modulate on another range of frequencies (5-42 MHz).
Consequently, all consumer brand cable modems on this shared network have no way of demodulating the upstream data because their demodulating circuitry is strictly for the downstream frequencies!
Only the CMTS is equipped to demodulate the upstream frequencies.
Further, there are usually multiple upstream channels (around 5) per CMTS. This is for load balancing, as too many users can overwhelm this low-bandwidth channel.
Thus, even if it were possible to demodulate the upstream channel, we could do so for only one channel at a time (since our modem can tune to only one channel at a time).
The author concludes that “the upstream channel is virtually impenetrable”.

Consequences of inability to sniff the Upstream Channel
One of the most typical uses of a sniffer is to eavesdrop on communications to capture user ID and password information.
Telnet, FTP, POP3, SNMP are some examples of upper layer protocols that send account and password information in clear text.
These passwords are sent from the client to the server and thus cannot be sniffed on a cable modem network because the passwords are encapsulated in the upstream data.
However, this does NOT mean that we are finished. The downstream channel could still provide us valuable information about the target.
For example, if the customer is using VoIP over his cable modem, the entire conversation of the other party is subject to eavesdropping.

Ways to enable sniffing on the Downstream Channel
Simply enabling promiscuous mode on a computer connected to the cable modem will not work!
Promiscuous mode captures everything that is on the wire; however, traffic not destined for the cable modem never reaches the Ethernet interface, because it is discarded at the coaxial interface.
The only traffic that does reach the Ethernet interface, and could be sniffed using promiscuous mode on a host computer, is broadcast and multicast frames, such as ARP requests from the local router and a few sporadic DHCP requests.
This method does not yield anything useful to us.

Ways to enable sniffing on the Downstream Channel (cont)
The author claims that the injection of a rogue modem configuration file could subvert the modem’s filtering system and allow promiscuous mode to work. The effort required for this trick is the same as the effort needed to uncap a modem (see Raul’s presentation on uncapping).
According to my own research, altering the modem’s configuration file could only affect its caps (upload & download speeds) and is unlikely to put it into promiscuous mode. Thus, I believe the author is wrong.
Another claim made by the author is that promiscuous mode could be enabled using SNMP (Simple Network Management Protocol) commands, specifically the SNMPSET command.
The author states that he tried this technique and could not get it to work. Possible reasons are that SNMP querying and setting is usually blocked from the customer (Ethernet) interface, or that the “community string”, which acts like a password, is unknown, so setting SNMP parameters is not permitted.

Ways to enable sniffing on the Downstream Channel (cont)
TCNISO, a cable modem hacking group, invented a product called SIGMA.
SIGMA – System Integrated Genuinely Manipulated Assembly
SIGMA – Allows the user to tap into the modem’s powerful VxWorks operating system and communicate with it (issue Unix-like commands to it) – functionality never before available!!!

How to load SIGMA into the Cable MODEM?
Solder a serial cable onto the modem’s circuit board to enable console operation.

Slide 15: Finished Product

Advantages of SIGMA
SIGMA gives us very low-level control of our cable modem.
Basically, it gives us a shell with a Unix like interface, through which we can issue commands
SIGMA enables Interface Bridging which forwards traffic between Coaxial and the Ethernet interface.
This should allow us to sniff by connecting our computer to the modem and placing it in promiscuous mode. Unlike before, the traffic now reaches the Ethernet interface, and we can “hear” it because it is on the wire.
SIGMA also allows more advanced sniffing commands to be issued via the shell interface.

Protecting the Downstream Channel (and the upstream as well)
A component of the DOCSIS 1.1 standard called Baseline Privacy Initiative+ (BPI+) provides bi-directional encryption between the cable modem and the CMTS.
Each DOCSIS 1.1 compliant cable modem also has a digital certificate stored in its firmware. This allows for the cable modem to be authenticated onto the network.
The authentication takes place when the CMTS verifies the certificate presented by the modem. (The certificate is signed by the manufacturer’s private key).
Encryption is based on 56-bit Triple-DES.
This scheme effectively renders any sniffing attempts useless, unless cracking of the Triple-DES scheme is possible.

DOCSIS Security Overview -- BPI+ --
(Figure: CMTS – CM – PC – Internet; Data Encryption (DES); Key Management (RSA, Triple-DES); CM Authentication (X.509 Certificates); Secure Software Download (X.509 Certificate); TFTP Server; New CM Code digitally signed by Manufacturer; Mfg Certificate digitally signed by DOCSIS Root; CM Certificate digitally signed by Mfg CA)
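To make the downstream-channel argument of the preceding slides concrete (stock modem filtering, a bridged SIGMA-style modem, and BPI+ encryption), here is an added Python model; it is not code from the paper, the presentation or TCNISO, and every MAC address and frame in it is constructed.

```python
"""Model of the downstream channel argument from the slides. Added example,
not code from the paper, the presentation or TCNISO. Every modem on the
segment demodulates every downstream frame; the modem's own filter decides
what reaches the Ethernet side, so a promiscuous host sees only what its
modem forwards. All MAC addresses and frames below are constructed."""
from dataclasses import dataclass

BROADCAST = "ff:ff:ff:ff:ff:ff"
HOST_A = "00:11:22:33:44:55"   # our subscriber's PC (constructed)
HOST_B = "00:11:22:aa:bb:cc"   # a neighbour's PC (constructed)


@dataclass(frozen=True)
class Frame:
    dst: str                 # destination MAC on the subscriber side
    payload: str             # clear text the CMTS sent
    encrypted: bool = False  # True once BPI+ protects it for one modem


def is_group(mac: str) -> bool:
    """Broadcast and multicast: low bit of the first octet is set."""
    return int(mac.split(":")[0], 16) & 1 == 1


def modem_forward(frames, my_mac, bridging=False):
    """Frames that reach the Ethernet interface of one modem.
    Stock firmware keeps only its host's unicast plus group frames;
    a bridged (SIGMA-style) modem forwards everything it demodulates."""
    if bridging:
        return list(frames)
    return [f for f in frames if f.dst == my_mac or is_group(f.dst)]


def host_sniff(frames, my_mac, bridging=False):
    """Payloads a promiscuous host behind the modem can actually read: the
    modem decrypts only its own BPI+ traffic, the rest stays ciphertext."""
    out = []
    for f in modem_forward(frames, my_mac, bridging):
        readable = not f.encrypted or f.dst == my_mac
        out.append(f.payload if readable else "<ciphertext>")
    return out


def with_bpi(frames):
    """Same frames after Baseline Privacy is enabled: each unicast frame is
    encrypted under the destination modem's key (group traffic kept clear)."""
    return [Frame(f.dst, f.payload, not is_group(f.dst)) for f in frames]


DOWNSTREAM = [  # constructed frames on the shared downstream channel
    Frame(HOST_A, "HTTP 200 OK for A"),
    Frame(HOST_B, "POP3 +OK mailbox for B"),
    Frame(BROADCAST, "ARP who-has 10.0.0.1"),
]
```

Running `host_sniff(DOWNSTREAM, HOST_A, bridging=True)` shows the neighbour's traffic in clear, while the same call on `with_bpi(DOWNSTREAM)` yields only ciphertext for it, which is the point of the Baseline Privacy slides.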
Result of Enabling Baseline Privacy

OptimumOnline Does NOT Use Baseline Privacy

Comcast DOES Use Baseline Privacy

Conclusion with regard to Cable Modem Sniffing
Sniffing of the upstream channel is impossible with commercial cable modems due to component design.
Sniffing of the downstream channel is a possibility with slightly modified cable modems
Baseline Privacy Initiative in DOCSIS 1.1 should eliminate sniffing altogether due to the added encryption in the system.
However, not all ISPs have switched over to DOCSIS 1.1, thus the threat remains!

References
http://www.sans.org/rr/whitepapers/hsoffice/623.php
http://www.tcniso.net

Slide 25: Q & A