Nobody should use ISP provided equipment for anything security sensitive, ever. ISPs don't care about security at all, aside from "security" as a sales term, and aside from when they're getting a bad name because of egregious failures.
ARRIS shouldn't be given a year embargo, either. They're the same company who've known since 2016 about hardware issues which cannot be corrected in software in the Intel PUMA chipsets, yet they still to this day sell devices with them. They don't care about fixing things - they care about selling things.
I think generally you don't get a choice when it comes to DOCSIS equipment. You can't just connect up your own (or at least no to Virgin Media's network)
This is one of the few positives I'll give to Comcast/Xfinity. I'm able to purchase my own DOCSIS modem (as long as it's on their compatibility list) instead of renting one from them.
AT&T U-verse I couldn't bring my own modem, and I understand that they're not a DOCSIS network either.
ATT is really weird about it. They apparently decided a few years back that they'd not allow third party devices on their network, and keep doubling down on it.
Some folks smarter than myself figured out how to mimic the ONT handshakes or some such that they could use their own devices. IIRC, they were pulling the certs from the ATT box.
ATT then came in and installed new stuff at the station to not allow that anymore. I don't remember all the technical details, but that's what I found when I spent an hour or so researching how to get rid of their awful box. In short, you can't...and even if you manage to, it won't be for long.
Any chance you have more details on this? I set up wpa_supplicant on my router to do the 802.11x auth to the ONT and short of a single "your modem/router is not phoning home"-type email, it's been working great the past year. Hoping this does not break in the future.
> No, it's when they port you over to a new splitter in your neighborhood's PFP cabinet seems to be what I'm following. Then you will be connected to a different OLT port at the CO(central office) that supports XGS-PON as well as standard GPON.
>
> Older Gateways will work on the newer OLT gear. But the 10Gbps XGS-PON will only work on the newer OLT ports. This newer port has an added management layer to support 10Gbps which needs authentication on top of the certs needed by both GPON and XGS-PON.
That's good to know. They already dragged their feet getting fiber available in my area (fiber laid 13 years before service was available). Hopefully they'll drag their feet with this "upgrade" too.
With Optimum (nee Cablevision) they pretend to be BYO accessible, but their compatibility list isn't a guarantee of compatibility (depending on region, different devices are compatible but they would never tell you that on their website), you have to wait on hold for 3 hours to activate the device, and then it still might fail for reasons their support agents can never explain.
Comcast makes you downgrade to a business account if you want to get a reverse DNS entry from them. Reverse DNS is a requirement if you want to host your own e-mail and not have your mail categorized as spam. Comcast business accounts don't allow you to use your own DOCSIS modem.
You only need their Comcast Business modem if you have static IP's because they route them using RIP with a password that is set inside the cable modem with their custom software.
If you don't have a static IP with Comcast Business it makes it awfully hard to run a mail server, but then you can indeed use your own cable modem.
Rogers network in Canada also permits BYO— I've used my own modem for years as a TekSavvy cable customer, and recently upgraded from one owned modem to another (both purchased second hand, though, so who knows— maybe I've been pwnt all along).
I haven't tried it myself, but this chain of comments at /r/netsec[1] suggests it doesn't help:
> I'm guessing a workaround is to use a 3rd party router and block traffic to 192.168.100.1 which is the IP of the management UI when in modem only mode, presumably the external IP can still be retrieved in modem only mode
> If it's still active in modem-only mode, it essentially precludes use of these routers entirely for any sensitive comms.
> The web interface is still available in bridge mode with Liberty Global's Arris modems, yes.
> Just tried it on my device in modem-mode and it does indeed still expose the snmpGet endpoint. As suggested above, i've firewalled all traffic to 192.168.100.1 on my own firewall.
I must admit, I don’t know much about networking. But do you have some more information there? My German cable router is in modem-mode, and I’d be interested in knowing what kind of routing it still does.
DOCSIS networks usually assign some management IP address that the provider can access to perform remote diagnostics on the modem directly. It's usually invisible and inaccessible to the user.
Also, in many cases there is a specific that the "modem" listens on, serving a web interface that allows switching back to "router" mode. This also wouldn't be possible with a "pure" modem (as it shouldn't have any concept of the IP layer).
Virgin used to just use the mac address with their old modems, you could flash the firmware and change the mac so you could buy their cheapest package and flash the mac of a modem with unlimited gbit internet. They craked down on that a few years ago tho so I don't think this is possible anymore.
Not always, with Telstra the MAC address was also responsible for authentication.
Though I believe it's since changed, my last interaction with DOCSIS was 4-5 years ago. I seem to recall there's a captive portal involved now but previously it was solely MAC.
Virgin Media allows you to use "modem mode" on their service, which is great, because it also turns off the CGNat crap, and gives you a real IPv4 address via DHCP on your own equipment
I brought my own modem to WideOpenWest, and it wasn't even on the compatibility list. Just gave them the MAC, and a few moments later I had DHCP. Been solid for 9 years now.
Although as of a few weeks ago, WOW has announced bandwidth caps, so I have to rescind my former glowing recommendation. Le sigh.
In the UK, Virgin Media (The biggest cable provider, I think there maybe a couple of minor regional cable providers still dotted around the country) are the largest cable provider after buying up the smaller regional companies (My regional provider was brought up by Telewest).
Long story short, their was tons of regional providers, they were brought up by one of two players which basically devided the country into being served by either NTL or Telewest, NTL and Telewest then merged becoming NTL:Telewest, who then brought Virgin Mobile (an MVNO in the UK) to become a 4 way provider (TV, Phone, Internet and now Mobile). Virgin Media are now owned by a US conpany, Liberty Global iirc)
Neither NTL nor Telewest allow consumer owned equipment onto their cable internet network, heck I remember Telewest only authing one consumer device mac address to be connected to their modems at the start of their cable internet rollout (so if you wanted to use your own router conencted to the modem, you would either have to give Telewest the mac address of the router or set the mac address of the WAN port to the mac address of the computer that was initially conencted to their network (which was the quickest option, you could never get them to swap it instantly over the phone, but could doing business hours over telewests newsgroups as their engineers would hang out their, which used to be the quickest way to get your line serviced if their was ever an issue), a practice telewest did drop before they merged with NTL. NTL never had such a policy iirc, but I only lived in an NTL area for a couple of years).
Their modem secuirty has never been "great". For the longest time (since creation till only a few years ago) you were able to get free internet if you cloned the mac address of someone elses modem but used it in a differnt area, mac addresses that could be captured by any modem (provisioned or not) connected to the network. So there used to be mac swapping forums where X would scan and log their area can trade with Y who would to the same in theirs (used to be handy when they had "fair usage" trottling enabled, used your download limit for the day, swap your mac and get a new limit, or if you wanted to run a 2nd/3rd/4th modem, but that would be naughty... So I never did such a thing. IIRC: Modem cloning is still possible today, but you need to get the certs from a provisioned modem, so its not as simple as just sniffing mac address from the cable line as other modems register on the network).
Here in the UK, we have always been limited to the modem the cable company provided, which remained their property (both were often uncollected by the company when a customer left, so you could easily find old modems on ebay for pennies on the pound, which just happened to have thier unsigned firmware (and mac addresses) on SPI flash if you wished to tinker with them), which for 99% of the UK was fine, as it was common (and still is) to just used what ever device was issued to you. Atleast with ADSL/VDSL in the UK you are free to use what ever device you wanted (except for Sky, they used to be PITAs about getting the auth details to run your own modem, but once you did and aslong as your modem supported their auth (which isn't the auth used by most of the xDSL providers in the UK) you were free to use your own equipment, just "unsupported" so if you had issues on your line, it was best to connect their modem to the line before calling customer services.
Last time I had a modem upgrade from VM, the guys said I should keep the old modem and VM would contact me to send it back.
Five months later I sent it off for recycling because i'd heard nothing. Two months after that they asked for it back and then charged me £80 for not having it anymore.
Back in the day they never bothered chasing up the modems even though they had wording in the contract they could charge if the equipment wasn’t returned, the equipment was never given to the customer but loaned for “free”, they were more pissy about their TV boxes, when I left them they kept sending threats to charging me for the boxes, I kept asking them to either collect them or send me pre-paid postage and I would send them back (was always “well mail one out” and they never did). One day I was in a pissy mood after another treat, drove down to the regional head office (at the time it was about 4 miles away) slapped them down on the receptionists desk with the threat letter and demanded a receipt.
Never heard from them again.
BT do the same these days with their hubs (or at least were planning to, dunno if they changed their minds after the backlash), BTs excuse is to reduce electronics waste. Not that we’re going to reuse the gear themselves more that they would recycle it.
BE (before they were brought out by o2) would send you out a “cat trap” modem on the condition you returned it if you left (so they could give it to ant or customer as a cat trap) but didn’t really give a crap about the primary modem.
I didn't ask Best Buy which one they wanted to sell me... I simply bought one at Best Buy explicitly after deciding which one would be the best (and I had to drive two hours to find a Best Buy that carried it).
It's worth pointing out that not all Arris modems are affected. As the link provided describes - issue is with chipset inside and there are other brands that use it [1]
Was going to say, I've only ever used Arris modems and really haven't had any issues with the Surfboard line in ~15 years of using them. They used to be part of Motorola, not sure when that switch happened, but I've used them in some form or another since getting cable internet back in the late 90s or early 2000s. Time flies.
Holy shit. I've been dealing with this for the past 2 years and it's infuriating. I've tried everything and eventually diagnosed it as a bug in my modem. Random latency spikes, unbelievably jittery internet calls, hard to diagnose.
Heck, AT&T won't even let you change the wifi password if you use their router. Well, you can change it, but it will revert to whatever's on the sticker when the router updates itself. And they will tell you this with a straight face. Incredible.
Correct, but in this case, it sounds like you didn't need to use the ISP router as your VPN gateway.
If I understand the DNS rebinding attack reference correctly, you could be running the VPN software on your desktop/laptop and still have your IP revealed by your ISP router.
Arguably, a setup using a VPN for anonymity purposes is badly flawed if it allows traffic to anything but the VPN gateway. This includes the local network.
Mediocre home appliances or (as in this case) ISP CPEs can easily deanonymize you.
Yes, but that's a deliberate security–convenience trade off then.
One solution is to use proxy servers or per-app VPNs (without local network access) instead of a system-wide VPN, and effectively partition applications into trusted and untrusted ones.
I've done that partitioning with virtual machines. I don't see how it's a "tradeoff". Yes, every additional service you expose can have its own security flaws, but you have to get data in/out of a VPN'd VM somehow. Even if I allocated more local storage to the VM and only ssh'd in to send/receive files, the ssh client could have a hole in it. nfsd, samba, sshd, and ssh are designed to do singular jobs. The issue in this case is the exposing of a consumer router that was never designed for security from the local network.
I was happy when I switched to gigabit internet from Verizon because MoCA can't handle that speed, so they made an ethernet run from the ONT to my apartment (well sort of, they couldn't actually make a new run, but they were able to use the wiring that had been used for the telephone lines). Ever since then I've had my own OPNSense box handling routing. The Verizon router is stuffed away in a closet. I don't know if the Verizon router has backdoor remote control capabilities, and now I don't have to care at all if does.
For context. This is Virgin Media which demands your passwords (including e-mail passwords) must be no longer than 10 characters, must begin with a letter, not a number and cannot include any special characters.
That happened to me. I wanted to reset my account password so they agreed to send a "password reminder" via post. I thought that was weird. I expected a temporary password which I will be forced to change upon login. To my surprise they printed my existing account password and sent it to me via postal mail! WTF! I went on Trustpilot immediately and saw they had 1/5 stars from 40k reviews.
Having no rules means you have a maximum search space. However, a general audience means that the top X% (lets say 70 to be arbitrary) are going to be in a very small search space... An English word with maybe some numbers substituted in for a letter or two.
OTOH, having password rules means that you eliminate the smallest areas of the search space, so every password resides in a restricted version of the larger space. Fewer possible passwords, but all at a larger complexity to guess.
Then, there are password rules like "no special characters" or "maximum length of 10 characters" which are fantastically stupid and lazy, and only serve to make brute forcing them that much easier.
Maximum lengths only make sense if your password field is stored as a SQL CHAR(10) (or COBOL if they’re into that). Basically a fixed width field and that’s too small for a hash. But even then, they’re a horrible idea.
They also make sense if you're using bcrypt since it has a 72-byte max input length. More modern password hashing fuctiions don't have such a short limit, so you can set a much bigger max length to prevent excessive network traffic & processing (eg 1kB). Since functions like Argon2 have very large max limits (2^32-1 bytes for Argon2) it can make sense to set a shorter limit.
"A Network Slug, or "Slug", is a transparent layer 2 firewall running on a device with only two interfaces."
...
"A Slug has no IP address, cannot be reached on the network, and does not increment IP TTL."
...
So, for instance, I have a port 22 slug that I can insert anywhere in the physical chain of a network that passively, and silently, blocks all traffic except for TCP 22.[2]
You could clamp down further and restrict it to port 22 and your specific VPN endpoint IP.
Foolproof ? Perhaps not - but a huge piece of defense-in-depth that makes the use of a (port 22) VPN much safer.
Why is the web browser allowing the Javascript program to access a different server than the one it was loaded from? They call this a "DNS rebinding attack", and it seems it could compromise any router that doesn't have a password set, not just this router? So isn't the real problem here the browser running untrusted code and giving it access to your local network because it didn't check if the DNS had changed?
I wish browsers would solve the problem by using TLS (ok that’s a website operator issue) and discarding any javascript loaded from a different certificate for the same domain.
I would consider the router untrusted when using a VPN, so blaming it for the attack seems misplaced. I'd go even one step further, and say that unprivileged applications using the VPN should have no way of discovering your real IP. Applications not using the VPN shouldn't be able to discover the VPN IP, at minimum not use/leak it by accident (e.g. via webrtc).
IMO the safest way to access a VPN is from a VM which is restricted to that VPN. Like whonix, but using a VPN instead of Tor.
In theory, deep integration into the OS (like Tails does for Tor) could work, but is much easier to get wrong, especially if you want direct network access for other applications.
(Only talking about VPNs used for hiding your IP. Tunneling into a company network via VPN is a very different use-case)
I have a seedbox set up on freebsd with two jails. One jail runs wireguard and pf. The other jail runs transmission. They are connected by a virtual Ethernet cable (epair). The transmission jail can only talk to the internet via the VPN jail, which it is not aware of.
Just need to make sure host applications don't see the network interface provided by the VPN gateway, so they don't accidentally leak it (linking it to your real IP). A typical example are browsers when using WebRTC.
FreeBSD Jails using vnets cannot see any of the network interfaces belonging to the host (or other jails), so there's little risk of a compromise that way.
The only way (in theory) someone could figure out my IP from this setup is A) if they have a jail escape (unlikely) or B) if I screw up my firewall config and accidentally let some packets through that aren't going straight into the VPN (plausible)
So all the while, for almost two years, Virgin didn't do squat about this. Gives me flashbacks to some of our disclosure interactions with PayPal and others.
Wonder why issues like this are so common - do they just de-prioritize vulnerabilities reported by researchers to death?
Virtually no legal consequences for them. Virgin is also one of the worst consumer business I have ever interacted with (and this includes many big US ISPs with bad reputations). The company is beyond dysfunctional.
These endpoints are available in modem only mode, but everyone I’ve asked who has a SH3 says that they’re not affected by this and the endpoint doesn’t return the IP address.
If you’re in modem only mode, block HTTP traffic to 192.168.100.1 outbound from your firewall just to be sure.
Seems relatively low impact, but still pretty bad. Not surprising from VM given the quality of their firmware.
I've been running my VM superhubs in modem-only mode ever since I got them; with OpenWRT on my own router behind it.
I've been blocking traffic to RFC1918 ranges (all of them) that attempts to egress the WAN interface for just as long.
It's almost like I knew that eventually, someone was going to find a vulnerability in their web panel, and I wanted to make sure it wouldn't be exploitable.
I tested mine in modem mode and it returns 0s for the public ip address, it could be safe or it could just need a different oid or something. I blocked the ip from my router just to be on the safe side.
Home hub is a spectacularly poor piece of kit. Long start up time from powering on, high energy usage, really poor software (repeat soft bricking from remote updates at random times of day and night), historically awful attitudes to security (see other comments). Everything was better rub as Telewest/NTL.
Recently I tried to find a VPN providers who fully supported IPv6. There were only few options and they were much on the expensive side. Of the remaining IPv4 VPNs only few warned you in their docs about switching off IPv6, even fewer switched it off while running, and one I'm aware of switched it off forever in a sneaky way on Windows that involved continuously overwriting registry keys, which on the one hand was laudably paranoid but on the other hand caused endless hours of troubleshooting for me. In a nutshell, if your computer has a IPv6 address as it should have, the software from most commercial VPN providers will leak your IPv6 IP all the time to all websites and make you easy to identify.
I suppose this is well-known to savvy users and sysadmins, but still thought it worth mentioning in the context if this more general router vulnerability. Some of the cheaper VPN services out there are very insecure anyway.
Not only that, but mandate a route only to 192.168.1.1 (or whatever) and not the whole 192.168.x.x address space (which this exploit uses -- I didn't know there was a separate management interface on 192.168.100.1 until a poster above mentioned it.
This may be a very naive question, but is there a way for someone who is not knowledgeable about all the internet security issues discussed here of checking if my IP address is, in fact, being leaked when I'm using my VPN service?
Never mind. I checked ProtonVPN's support page and there is a web page provided that shows my public IP address when I'm connected through the VPN, which is different from my IP address when I'm not connected through the VPN.
Am I correct in assuming that this means that I'm not exposed by the vulnerability described in the article?
Comments at /r/netsec[1] suggest yes, but I haven't verified this:
> Just tried it on my device in modem-mode and it does indeed still expose the snmpGet endpoint. As suggested above, i've firewalled all traffic to 192.168.100.1 on my own firewall.
Since they mention a DNS rebinding attack, I would assume the victim visits or is redirected to attacker.com. This then has all the JS to talk to the unsecured router API endpoints. Now after a few seconds the attacker.com's IP address is switched to 192.168.0.1 (or whatever the routers default IP is) and zap: the SOP is circumvented.
>"published details of the flaw nearly two years after first alerting Virgin Media"
Two Years !! - Ja this just makes me mad !
Sure security issues happen to the best of them and us, but dammit being alerted to this and just ignoring it, tells you EXACTLY the level of competence of management and their commitment to YOUR data.
If I may add a few data points, I recently had a look at some of the ISPs in my country, just "basic level stuff". I'm by no means a PEN-Tester. This is what I found:
1. ISP A
1.1 CLIENT-Side Localstorage, no validation:
Thus if you are signed in, goto localstorage and change 'user-id:123' to 'user-id:456' - Congrats you are now logged in as user:456
1.2 All API's where you can pass in a user-id, did not check if you are allowed. Thus you can do "<broken-isp.com>/api/getuserinfo/<add-any-user-id>"
1.3 Same API, also brings back HASHED-PW and HASHED-PIN, I thought it was strange but what's the chance one can "crack" SHA on a PC these days, especially with 'proper' password libraries like bCrypt/Salt. Turns out there were NO SALTs added to hashed pw and it was SHA-256. Hashcat makes quick work of most passwords.
PS was also "funny" how they "HASHED" the PIN (4 digit value) that was also returned in API response. If you think hashcat is fast with passwords, you know how fast it is to test the hash-values for [0000-9999] :)
1.4 Time to respond: I managed to have a phone call with the CEO which at least sounded (I do think the response was 100% sincere) UPSET, WORRIED and asked that I send him all the info and recommendations I have.
Good response to a bad situation ! - Well done.
2. ISP B
2.1 Hmmm seems someone deployed a part of a .git folder to their website.. Only .git/INDEX and .git/HEAD were deployed but it was very easy to reconstruct the "commits/changesets" with something like GitTools and discovered part of the changesets was when they were doing lead generation via facebook and their CRM system. API keys were all hard coded and visible in changeset.(source code) Thus using the API keys one has access to their whole CRM it seems.
2.2 Company Response: Managed to track down CEO via LinkedIn, super nice guy and it's a BIG ISP. He was very upset about security and super thankful for my "responsible disclosure" he CC'd most of his exec-committee. CTO, InfoSec, COO and operations team. He's parting words. "I hope someday we can help you as well" ! Well done
3. ISP C
3.1 Wow they were/are just terrible.
They have unauthenticated AJAX calls for their “account-pages,billing details, router details”. You ONLY had to “guess” the account number (very predictable account numbering scheme)
3.2 Company Response:
Spent a few days tracking down their contact details. Managed to find their emails for CEO, COO, and a few other “CxO” people. I emailed them about the security on their site. Do they have an InfoSec team or where should I send the details to ?
He responded to send it to him (so we know the email address works). After sending proof and details of their complete lack of security I got zero response. After TWO weeks I followed up with the CEO and he only replied (send me your contact number, no phone call yet) but they did seem to fix the security issues only once I followed up.
As a Virgin Media customer for some time now, and having previously worked for ISPs, I think I can say with some reasonable confidence that VM are a really really mediocre ISP.
I almost admire how mediocre they are - they do just enough to keep people on their service and because they've done the work of laying cable to all the houses in an area, there's little incentive for OpenReach to lay fibre in those areas.
I live in London and I can get Gigabit from VM (although only download, their upload is a pathetic 50Mb/s) so OpenReach has just left this area on crappy old copper phone lines and my alternative is <10Mb/s from DSL.
It sucks and I hate it and I have absolutely no choice in the matter. Thanks capitalism! ;)
Edit: Fun fact, VM is owned by Liberty Global, who have thus far rolled out IPv6 on their other ISPs using DS-Lite (where you get a routable v6 address, but your v4 address is behind Carrier Grade NAT). I saw this and decided to switch to VM's business service so I could get a static v4 address.... turns out they just connect normally over the residential network and then do a GRE tunnel to the other side of the country for the static addressing, and their crappy router will just randomly stop routing packets over the GRE tunnel after a couple of weeks, requiring a reset of the router.
ARRIS shouldn't be given a year embargo, either. They're the same company who've known since 2016 about hardware issues which cannot be corrected in software in the Intel PUMA chipsets, yet they still to this day sell devices with them. They don't care about fixing things - they care about selling things.