Network management vulnerability exposes cable modems to hacking

SNMP authentication bypass flaw could be used to hijack hundreds of thousands of cable modems from around the world.

IDG

IDG

Hundreds of thousands of internet gateway devices around the world, primarily residential cable modems, are vulnerable to hacking because of a serious weakness in their Simple Network Management Protocol implementation.

SNMP is used for automated network device identification, monitoring and remote configuration. It is supported and enabled by default in many devices, including servers, printers, networking hubs, switches and routers.

Independent researchers Ezequiel Fernandez and Bertin Bervis recently found a way to bypass SNMP authentication on 78 models of cable modems that ISPs from around the world have provided to their customers.

Their internet scans revealed hundreds of thousands of devices whose configurations could be changed remotely through the SNMP weakness that they found and dubbed StringBleed.

Versions 1 and 2 of the SNMP protocol don't have strong authentication to begin with. They provide either read-only or write access to a device's configuration through passwords called community strings. By default these passwords are "public" for read-only access and "private" for write access, but device manufacturers can change them in their implementations and it's generally recommended to do so.

The leaking of sensitive configuration data through the default "public" SNMP community string is a known problem that has affected many devices over the years. In 2014, researchers from Rapid7 found SNMP leaks in almost half a million internet-connected devices made by Brocade, Ambit and Netopia.

However, what Fernandez and Bervis found is much worse: devices from multiple vendors that accept virtually any value for the SNMP community string and unlock both read and write access to their configuration data.

The two researchers first located a small number of vulnerable devices, including the Cisco DPC3928SL cable modem that's now part of Technicolor's product portfolio following the company's acquisition of Cisco's Connected Devices division in 2015.

The researchers claim that when they reported the issue to Technicolor, the company told them that it was the result of an access misconfiguration by a single ISP in Mexico rather than a problem with the device itself.

This prompted the researchers to perform a wider internet scan that resulted in the discovery of 78 vulnerable cable modem models from 19 manufacturers, including Cisco, Technicolor, Motorola, D-Link and Thomson.

The number of vulnerable devices that can be targeted directly over the internet range from less than 10 for some models to tens and hundreds of thousands for others. For example, there are almost 280,000 vulnerable Thomson DWG850-4 devices on the internet, most of them are in Brazil, according to the researchers.

The researchers believe that the underlying problem is located in the SNMP implementation used by the modems, rather than being the result of misconfiguration by ISPs.

Regardless of the cause, the problem is serious, as attackers could exploit this flaw to extract administrative and Wi-Fi passwords or to hijack devices by modifying their configurations.

There's not much that users can do if their ISP supplied them with a vulnerable device, other than ask for a different model or install their own modem. Unfortunately, not many ISPs allow their residential customers to use their own gateway devices, because they want uniformity and remote management capabilities on their networks.

Determining if a particular device is vulnerable to this issue is possible, but requires a bit of work. An online port scanner like ShieldsUp can be used to determine if the device responds to SNMP requests over its public IP address.

If SNMP is open, a different online tool can be used to check if the device's SNMP server returns valid responses when the "public" or random community strings are used. At the very least this would indicate an information leak problem.

Join the newsletter!

Error: Please check your email address.
Rocket to Success - Your 10 Tips for Smarter ERP System Selection
Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Lucian Constantin

IDG News Service
Show Comments

Cool Tech

SanDisk MicroSDXC™ for Nintendo® Switch™

Learn more >

Breitling Superocean Heritage Chronographe 44

Learn more >

Toys for Boys

Family Friendly

Panasonic 4K UHD Blu-Ray Player and Full HD Recorder with Netflix - UBT1GL-K

Learn more >

Stocking Stuffer

Razer DeathAdder Expert Ergonomic Gaming Mouse

Learn more >

Christmas Gift Guide

Click for more ›

Most Popular Reviews

Latest Articles

Resources

PCW Evaluation Team

Walid Mikhael

Brother QL-820NWB Professional Label Printer

It’s easy to set up, it’s compact and quiet when printing and to top if off, the print quality is excellent. This is hands down the best printer I’ve used for printing labels.

Ben Ramsden

Sharp PN-40TC1 Huddle Board

Brainstorming, innovation, problem solving, and negotiation have all become much more productive and valuable if people can easily collaborate in real time with minimal friction.

Sarah Ieroianni

Brother QL-820NWB Professional Label Printer

The print quality also does not disappoint, it’s clear, bold, doesn’t smudge and the text is perfectly sized.

Ratchada Dunn

Sharp PN-40TC1 Huddle Board

The Huddle Board’s built in program; Sharp Touch Viewing software allows us to easily manipulate and edit our documents (jpegs and PDFs) all at the same time on the dashboard.

George Khoury

Sharp PN-40TC1 Huddle Board

The biggest perks for me would be that it comes with easy to use and comprehensive programs that make the collaboration process a whole lot more intuitive and organic

David Coyle

Brother PocketJet PJ-773 A4 Portable Thermal Printer

I rate the printer as a 5 out of 5 stars as it has been able to fit seamlessly into my busy and mobile lifestyle.

Featured Content

Product Launch Showcase

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?