Flaws in ISP gateways let attackers remotely tap internet traffic

Defcon is the most important event for the DIY hacking community and this year too, the conference was held in the same spirit. We got to learn about a variety of novel hacking ideas such as the hacking of Voting Machines, hacking airborne drones, hijacking phone numbers and Internet connected car wash system etc. However, there is one story that has been somewhat ignored by many within the tech fraternity but which is extremely important to be noted.

This was noticed by David Holmes of SecurityWeek who reported that it was the “Cable Tap: Wireless Tapping Your Home Network” talk, which initially was believed to be just a brief discussion on how to track what’s happening on your home network but in reality, it turned out to be way “broader” in its scope. 

Marc Newlin, Logan Lamb and Christopher Grayson with Bastille Networks and Web Sight have managed to identify 26 different flaws and weaknesses in the ISP network devices. These vulnerabilities would easily provide remote admin access to most of the home networks currently used in the US.

The crux of the research was that there happen to be a large number of critical weaknesses in “ISP provided, RDK-based wireless gateways and set-top boxes.” These vulnerabilities are identified in devices manufactured by Cisco, Arris, Technicolor, and Motorola.

“We discovered a wide array of critical vulnerabilities in ISP-provided, RDK-based wireless gateways and set-top boxes from vendors including Cisco, Arris, Technicolor, and Motorola. Our research shows that it was possible to remotely and wirelessly tap all Internet and voice traffic passing through the affected gateways, impacting millions of ISP customers.”

The research team demonstrated at Defcon that remotely and wirelessly tapping all the Internet and voice traffic that passed through an active gateway was possible.” They also stated that these findings applied to tens of millions of ISP customers. The scope of hack ranges from reverse-engineering the Comcast Xfinity routers’ MAC address generation process to exploit the flaws present in the FastCGI Subsystem. This system is used by web servers like Apache, Lighttpd, and Nginx.

Until now we believed that Xfinity access point ensures that you have your private network and offers a public wireless network “Xfinity wifi” for providing an access point to roaming Comcast customers, who can use it by entering their credentials. However, at the Defcon it was revealed that it has another hidden WiFi network apart from the above mentioned two. This network is named XHS-XXXXXXXX. XXXXXXXX indicates the lower four bytes of the cable modem/CM MAC and this hidden WiFi network is generated deterministically through the interface’s MAC address.

The team of researchers identified around four different methods to get the MAC address and one of these methods use the Xfinity wifi public network connectivity since the DHCP ACK contains the CM MAC address. When the researchers hacked the Xfinity wifi using the MAC address, they were able to understand the passphrase and access the Xfinity wifi network without needing to use their personal Comcast credentials.

This means, if there is malicious activity noted on that network, it should be attributed to the cable modem owner. There is another flaw in their chain of attacks, which was brute-forcing of the radio-frequency pairing of remote voice control of Comcast. This could be used to attack or infect Xfinity set-top boxes.

Most noteworthy among all the information shared at the talk was the reference development kit/RDK. It is an open-source platform used by internet service providers in cable modems and set-top boxes. Although developers regularly patch RDK around the globe, it is open-source and therefore, anyone can identify source changes for further vulnerability fixes even months before the fix is applied to the millions of set-top boxes used by Americans.

Why is this story so important? That’s because: “Nothing is more important than our customers’ safety, and we appreciate Bastille bringing these matters to our attention. We have made some updates to our software and systems to prevent the issues Bastille identified from impacting Comcast customers, including breaking the attack chains Bastille described in this paper,” stated Comcast.

Via: SecurityWeek
Source: Defcon

Related Posts