Beta
×

Welcome to the Slashdot Beta site -- learn more here. Use the link in the footer or click here to return to the Classic version of Slashdot.

Thank you!

Before you choose to head back to the Classic look of the site, we'd appreciate it if you share your thoughts on the Beta; your feedback is what drives our ongoing development.

Beta is different and we value you taking the time to try it out. Please take a look at the changes we've made in Beta and  learn more about it. Thanks for reading, and for making the site better!

Time Warner Cable Modems Expose Users

samzenpus posted more than 4 years ago | from the protect-ya-neck dept.

Security 185

eldavojohn writes "Wired is reporting on a simple hack putting some 65,000 customers at risk. The hack to gain administrative access to the cable modem/router combo is remarkably simple: '[David] Chen, founder of a software startup called Pip.io, said he was trying to help a friend change the settings on his cable modem and discovered that Time Warner had hidden administrative functions from its customers with Javascript code. By simply disabling Javascript in his browser, he was able to see those functions, which included a tool to dump the router's configuration file. That file, it turned out, included the administrative login and password in cleartext. Chen investigated and found the same login and password could access the admin panels for every router in the SMC8014 series on Time Warner's network — a grave vulnerability, given that the routers also expose their web interfaces to the public-facing internet.' If you use Time Warner's SMC8014 series cable modem/Wi-Fi router combo, watch for firmware to be released soon that they are reportedly in the process of testing."

cancel ×

185 comments

Sorry! There are no comments related to the filter you selected.

Vilka ska betala för skattekalaset?!?! (-1, Offtopic)

Anonymous Coward | more than 4 years ago | (#29834071)

Jag är en groda :)

Re:Vilka ska betala för skattekalaset?!?! (-1, Offtopic)

Anonymous Coward | more than 4 years ago | (#29834105)

Go jump in a lake.

FIrst? (-1, Offtopic)

Anonymous Coward | more than 4 years ago | (#29834099)

Firsts!

The only prudent thing to do with these things... (5, Insightful)

John Hasler (414242) | more than 4 years ago | (#29834101)

...is to put them in bridge mode and use your own router (no matter who your provider is). Same with DSL modems. Even when they aren't misconfigured (deliberately or due to sheer incompetence) the firmware is usually buggy and limited.

Re:The only prudent thing to do with these things. (5, Insightful)

milgram (104453) | more than 4 years ago | (#29834207)

While I agree with you, the issue usually isn't the small percentage of technically savvy people who use this, but rather the majority of folks looking to "plug and play". These are the security gaps that allow zombie DDoS attacks to happen so easily, as they open up easy access to lot's of similarly configured boxes.

Re:The only prudent thing to do with these things. (3, Insightful)

Bakkster (1529253) | more than 4 years ago | (#29834417)

I was under the impression that the only user-configurable option is to add URLs to a blocking list. There is no way to put it in bridge mode, and even if it was someone could log on and change it, and simply pass all your data to their servers anyway.

This is the kind of setup you give people who don't know about security, so they can't muck it up. Of course, it needs to be secure in the first place, so this is a huge issue and fixable only with firmware (or different hardware).

Re:The only prudent thing to do with these things. (4, Informative)

TimeTraveler1884 (832874) | more than 4 years ago | (#29834427)

Initially I was a little confused about the cable modem not being in bridge mode and having an admin interface at all. After RTFA, this vulnerability is only for SMC router/modem combo devices from TW. There was no mention of the Motorola cable modem I have from TW. The Motorola cable modems are acting as a bridge already because my router gets the lease to the public IP.

So apparently no worries regarding this vulnerability for me, but this certainly sucks for 65K other people.

Re:The only prudent thing to do with these things. (2, Informative)

peragrin (659227) | more than 4 years ago | (#29834977)

You have the same as I then. Into a browser visit http://192.168.1.1/ [192.168.1.1] and play around. While it doesn't havethe stats the full router does you canreally fsck the time warners network and screw the frequencies of everyone on your local cable share. Be warned however you take out your network to do so. And you might not get it back without their help.

Ihave had to manually reset them a couple of times for timewarner. However I haven't found any useful account data their. Just hardware settings.

Re:The only prudent thing to do with these things. (0)

Anonymous Coward | more than 4 years ago | (#29834519)

That's the only choice I really have with my Verizon DSL setup. The combo modem/transceiver/router/AP thing that they gave me sucks balls (constant disconnects & reboots needed), so I had to pull out my 10+ year-old standalone DSL modem/transceiver box which works flawlessly. Threw a Linksys router/wifi AP on the back end of that and I've been sailing along flawlessly for 3+ years now. There's a reason why they "give" you those crappy all-in-one routers, and it's not because they're reliable.

Re:The only prudent thing to do with these things. (1)

aaaaaaargh! (1150173) | more than 4 years ago | (#29834715)

Not that I care very much, but I still think it's weird that the people responsible for security holes like that don't go to prison for it or have to face other serious consequences. It seems to me that in every other engineering domain engineers are more liable for what they do and companies at one point or another are held responsible for failures and malfunctions than in end-consumer hardware and particularly software, where people seem to get away with just about anything that doesn't kill the customer instantly. I'm not talking about bugs or mistakes, which cannot be avoided 100%, but obvious negligence or incompetence like in the above case. Strange.

Re:The only prudent thing to do with these things. (1)

John Hasler (414242) | more than 4 years ago | (#29834853)

So when are you filing your lawsuit?

Re:The only prudent thing to do with these things. (1)

MikeBabcock (65886) | more than 4 years ago | (#29834719)

I've always used bridge mode on modems of either type from ISPs. I never trust an ISP's modem/router combo.

The only ISP I have respect for doing anything vaguely similar shipped out a Cisco router with their modem.

Router (1)

p51d007 (656414) | more than 4 years ago | (#29834735)

Anyone dumb enough to hook one of these gateway boxes or "cable modems" directly into their computer is just asking for trouble. As you say...plugging it into a router is the ONLY safe way to connect them. Even my dad's computer, who doesn't need anything but a connection, is connected to a router though his gateway DSL box.

Re:The only prudent thing to do with these things. (1)

cayenne8 (626475) | more than 4 years ago | (#29834805)

"...is to put them in bridge mode"

Can you give some info and/or links to what 'bridge mode' is? New term to me...

Re:The only prudent thing to do with these things. (4, Insightful)

Anonymous Coward | more than 4 years ago | (#29835043)

Bridge mode is just that -- it's a connection between two separate networks. In this case, the TW box is connected to the Internet and is one point of the bridge. On the other end is your home network router, which acts as the other point of the bridge. Your network is physically separate from theirs, and joined by the single patch cable between the boxes.. This is usually how these things work anyways, even when it's all in one box. The difference here is that you're using two physical boxes to ensure the separation, which avoids absurd goofs like the one described in TFA.

Re:The only prudent thing to do with these things. (0)

Anonymous Coward | more than 4 years ago | (#29835089)

Bridge mode is just that

Thanks! :)

They need to act on this immediately! (5, Funny)

Rogerborg (306625) | more than 4 years ago | (#29834115)

Presumably armed FBI agents are en route to neutralize notorious terrorist hacker David Chen even now. 50 years in Gitmo is too good for him.

Re:They need to act on this immediately! (0)

Anonymous Coward | more than 4 years ago | (#29834875)

I'm horrified that you got modded insightful.

Why wait? (2, Insightful)

L4t3r4lu5 (1216702) | more than 4 years ago | (#29834189)

Install your own patch right now by cancelling your Time Warner contract, throwing the router in the trash, and getting a new ISP with better hardware. Hell, fork out $50 for a tried and tested model from Newegg. Be sure to tell Time Warner to "Abragofuckyourself" when they say you're tied into a contract by using the words "unfit for purpose" "gross criminal negligence" and "class action"

Yeah, my utopian world of consumer power is better than this one of "Please, Mr Corporation, harder and deeper!"

Re:Why wait? (0, Funny)

Anonymous Coward | more than 4 years ago | (#29834225)

In Soviet America, corporation cancels you!

Re:Why wait? (1)

Anonymous Coward | more than 4 years ago | (#29834233)

cable internet usually has no contract.

Re:Why wait? (4, Informative)

TheRealMindChild (743925) | more than 4 years ago | (#29834401)

So you are saying I should go back to dial-up...? Because that is my only alternative. Thanks for doing my cost/benefit analysis of this situation for me! It is definitely better to have worthless internet than to just maintain my own router!

Re:Why wait? (2, Interesting)

L4t3r4lu5 (1216702) | more than 4 years ago | (#29834541)

How about lobbying your congressman to get the monopoly given to Time Warner / AT&T / Comcast / Sprint or whatever split up as anti-competitive and not just taking a big rubbery one up the wrong'un?

Re:Why wait? (2, Insightful)

dissy (172727) | more than 4 years ago | (#29834631)

How about lobbying your congressman to get the monopoly given to Time Warner / AT&T / Comcast / Sprint or whatever split up as anti-competitive and not just taking a big rubbery one up the wrong'un?

Lobby as in write letters?
  Check.

Lobby as in send 'contributions' in the hundreds of millions of dollars a year like time warner does?
  Not so much. All though if you let me borrow that amount, I will do exactly that with it. Just paypal it to me!
  Sadly I have discovered they do not accept monopoly money :{

Re:Why wait? (1)

L4t3r4lu5 (1216702) | more than 4 years ago | (#29834727)

If your congressman won't help, get another one.

I know democracy is a rubbish system (especially in first-past-the-post systems), but it's not difficult. The electorate just need the situation explained to them, and to understand why they should care.

Re:Why wait? (1)

SydShamino (547793) | more than 4 years ago | (#29834909)

The electorate just need the situation explained to them, and to understand why they should care.

Again, it sounds like those millions would come in handy, at least to counter the millions being spent by Time Warner for the opposite.

Re:Why wait? (1)

L4t3r4lu5 (1216702) | more than 4 years ago | (#29834979)

Like I originally said, my utopian world of consumer power is better than the current world.

I can dream...

Re:Why wait? (2, Funny)

jandrese (485) | more than 4 years ago | (#29835103)

Time Warner has pissed me off. I need you to vote your senator out of office! Wait, his replacement would be exactly the same? Then vote him out too!

Re:Why wait? (0)

Anonymous Coward | more than 4 years ago | (#29834659)

I'm in the same boat, and it's not because of a monopoly. Verizon just doesn't consider my (middle-class suburban) neighborhood worth invetsing in. So much for the free market.

Re:Why wait? (2)

L4t3r4lu5 (1216702) | more than 4 years ago | (#29834741)

The very definition of a free market; Free not to supply products to unprofitable demographics.

This is where you write to your congressman backing a similar scheme as is being mandated in Sweden; Guaranteed 1MB downstream to the home.

Re:Why wait? (0)

Anonymous Coward | more than 4 years ago | (#29834879)

Guaranteed 1MB within 2 KM of you, and as long as you are not one of 2,000 other homes the Sweden government does not care about.

Re:Why wait? (1)

L4t3r4lu5 (1216702) | more than 4 years ago | (#29834991)

Oh, so they're taking the US system! How bizarre...!

Re:Why wait? (1)

commodore64_love (1445365) | more than 4 years ago | (#29835041)

Still a monopoly situation. Still takes away power from the home-owner.

Re:Why wait? (1)

SirWhoopass (108232) | more than 4 years ago | (#29835047)

You probably don't need your congressman. Most cable monopolies are granted locally, by the city. As a bonus, you have a good chance of actually talking to the person responsible, unless you live in a very large city.

Re:Why wait? (2, Insightful)

betterunixthanunix (980855) | more than 4 years ago | (#29834699)

Dial up is "worthless Internet?" I guess half of the world's Internet users have been swindled.

Re:Why wait? (3, Funny)

EricX2 (670266) | more than 4 years ago | (#29834795)

Yes... it is worthLESS than broadband.

Re:Why wait? (3, Interesting)

thepotoo (829391) | more than 4 years ago | (#29834815)

Speaking as someone who has no option of anything other than dial-up, I can tell you that it most certainly is worthless.

Remember back in 1999 how it would take 15 seconds to load a page? Now imagine that every page has flash instead of pictures and most serves will decide to give you a timeout message if you take longer than 45 seconds to respond to a request. Youtube, torrents, the whole digital distribution revolution is totally useless.

I dare you, go back to dial-up for two weeks. Completely worthless Internet. Yeah, I've still got Internet at the library, but that doesn't allow me to get patches for my OS or watch Youtube, now does it?

Re:Why wait? (2, Informative)

commodore64_love (1445365) | more than 4 years ago | (#29835153)

I use dialup and can access youtube videos, bittorrent the latest Stargate episodes, download pics, and so on. The only thing I can't do is access streaming video sites like NBC.com, since they require minimum 192k connections, but everything else works just fine. Even flash-heavy sites like imdb.com

One advantage I probably have over your connection is I use Netscape ISP. It uses on-the-fly image, text, and flash compression to speed things up. You providerr may not have it, so consider an upgrade: http://www.getnetscape.com/ [getnetscape.com] I hooked-up my friend's father with this, and now his Dialup is faster than ever.

Re:Why wait? (1)

SydShamino (547793) | more than 4 years ago | (#29834931)

Two-thirds of the world's internet just care about their email and bbc.co.uk. They're fine.

However, it's a fair assumption that anyone posting on Slashdot uses the internet for many, many more things, and having all those other things taken away would make it "worthless", especially since most Slashdot users can check their email and the news on their phone for "free".

Re:Why wait? (0)

Anonymous Coward | more than 4 years ago | (#29834825)

So you are saying I should go back to dial-up...?

If that's what it takes, yes.

Re:Why wait? (2, Informative)

pak9rabid (1011935) | more than 4 years ago | (#29834517)

Install your own patch right now by cancelling your Time Warner contract, throwing the router in the trash, and getting a new ISP with better hardware. Hell, fork out $50 for a tried and tested model from Newegg. Be sure to tell Time Warner to "Abragofuckyourself" when they say you're tied into a contract by using the words "unfit for purpose" "gross criminal negligence" and "class action"

Only on slashdot would such a ridiculous "solution" be proposed, when putting the CPE in bridged mode and using your own router (which I'd think most everyone here would be doing already) would suffice.

Re:Why wait? (2, Interesting)

SleepingWaterBear (1152169) | more than 4 years ago | (#29834539)

Be sure to tell Time Warner to "Abragofuckyourself" when they say you're tied into a contract by using the words "unfit for purpose" "gross criminal negligence" and "class action"

Unfortunately, in negligence cases the courts often look to the industry standard to decide what sort of precautions a company ought to take. Given that the industry standard is basically no security at all this might be a tough case. Also, to establish negligence you'd have to show some actual harm done - not just the potential for harm. "Unfit for purpose" might still get you out of the contract though.

Re:Why wait? (1)

couchslug (175151) | more than 4 years ago | (#29834663)

"Install your own patch right now by cancelling your Time Warner contract, throwing the router in the trash, and getting a new ISP with better hardware."

The only alternative where I live is dialup, and AOL is still the fastest dialup in the area.

Related to Belgacom hack and 'ransom'? (4, Informative)

Animaether (411575) | more than 4 years ago | (#29834199)

I wonder if this is the same 'hack' used to attack Belgacom.
http://tweakers.net/nieuws/63200/belgacom-hacker-publiceerde-authentieke-inloggegevens-van-klanten.html [tweakers.net]

For the curious, a quick recap in English...

A hacker going by the name 'Vendetta', supposedly an American living in Belgium, got fed up with the monthly data cap (at Belgacom, figured out that there's a way to find the username/password for a modem by browsing to it (much as in this article), did that to a claimed several thousand (285,000) modems, and is threatening to release them slowly over time until November 30th as long as Belgacom keeps its monthly data cap.

So far this hacker released 30 usernames/passwords, and they were found to be genuine.

Belgacom contacted authorities, is investigating the claimed method of hacking, blabla.

The modem in question with Belgacom is labeled a "B-Box2-modem".

Re:Related to Belgacom hack and 'ransom'? (1)

MRe_nl (306212) | more than 4 years ago | (#29834389)

And (a screenshot of) the original post by "Vendetta":

http://tweakers.net/ext/i/1256117383.png [tweakers.net]

Re:Related to Belgacom hack and 'ransom'? (1)

eeeuh (165197) | more than 4 years ago | (#29834487)

It seems rather improbable that this was the same hack because these are cable modem/routers and the Belgacom hack was done on ADSL modem/routers. Also, from TFA:

That file, it turned out, included the administrative login and password in cleartext. Chen investigated and found the same login and password could access the admin panels for every router in the SMC8014 series on Time Warner's network

In ADSL modems there may be a reason for storing the users password in the modem: ppp-authentication, for cable modems I can't think of such a reason. Then again, if you control a router/modem you can sniff out user's passwords if the use plain-text authentication e.g. for POP3.

Re:Related to Belgacom hack and 'ransom'? (3, Funny)

Bucc5062 (856482) | more than 4 years ago | (#29834757)

Why are evil minions so dumb. This guy gets access to all these passwords and his only idea is to blackmail a corporate entity more evil then himself...by doling out uid/pwd combinations a few at a time...please!!

As was already stated the first action by evil corporation is to get the law on their side so they do not have to do any work to change anything. The law pursues the bad guy and he realizes the grand scheme not only fails, but now he's screwed because ultimately he either gets caught, or can't release anything else for fear of being caught and thus becomes harmless. He never gets what he wants.

Were it me (and I most certainly do not live in Belgium) and I choose to do evil I would have blasted all uid/pwds at once across as many nodes as possible thus, for a moment, potentially hurting the pockets of evil corporation. Short lived excitement with no long term reward, but still would be fun to watch the fallout.

My other idea would be to use my new found data to my advantage. Can I load slaves on all those systems so that when I want to watch streaming video of pr0n I piggyback on someone else's quota. Perhaps I can monitor usage and find users with low bandwidth and borrow (steal) from them. I would never ever share this information with others, because certainly at some point a "friend" would abuse the system, or rat me out if/when caught.

No, the guy blackmails a corporate with some stupid ass name and a piss poor methodology for revenge. Do they not teach anything at Evil U any more?

Re:Related to Belgacom hack and 'ransom'? (0)

Anonymous Coward | more than 4 years ago | (#29834837)

I don't think it's related, apart from the fact that the ISP screwed up.

The hack on BC(Belgacom) routers/modems is a firmware bug, even accessible with the web interface disabled for the outside, which is not the case here.

I'm a BC customer myself, but I don't think I really suffer from this bug, as my router is a *NIX box, properly firewalled (at least I hope I did it right), the modem/router they provided is way to old, and hasn't got enough memory to handle more than 100 concurrent tcp connections properly, so I'm running it in bridged mode, trying to access it's web interface from the outside just gives you the index of the webserver I run.
Also it's difficult to upgrade as it's an ISDN line, which requires another type of adsl router than the regular phone lines.

the routers also expose their web interfaces to (4, Funny)

Col. Panic (90528) | more than 4 years ago | (#29834209)

the public-facing internet

wait. what? why?

Re: the routers also expose their web interfaces t (5, Insightful)

John Hasler (414242) | more than 4 years ago | (#29834265)

Convenience and incompetence. They want to be able to run scripts to update/reconfigure all the modems and this is the first method that occured to them. Being stupid, they didn't think it through.

Re: the routers also expose their web interfaces t (2, Interesting)

drinkypoo (153816) | more than 4 years ago | (#29834415)

I don't know if they're using DOCSIS, but I can't imagine they aren't. If I'm wrong, ignore the rest of this comment; but if they are DOCSIS modems, then they get their config file from the network every time you boot them. Even if they aren't DOCSIS modems, that's still the most reasonable way to configure them, and if they didn't do that they should be shot into orbit without a suit, or perhaps with one but on a rapidly decaying orbit and without heat shields.

the strange ways of the truly stupid (2)

circletimessquare (444983) | more than 4 years ago | (#29834767)

problem: clueless time warner suit needs to hire a "programmer" to config their modems remotely

solution: his sister's boyfriend is a programmer, a JAVASCRIPT programmer

problem solved. wait, here's an email from a guy in tech support, something about a DOCSIS. delete email...

Re:the strange ways of the truly stupid (1)

ae1294 (1547521) | more than 4 years ago | (#29834975)

Someone should just go ahead and brick every last one of them routers. At least it would cost the corp some money. Would suck for the end user but maybe they would learn not to trust stupid corps...

you're not cynical enough (1)

circletimessquare (444983) | more than 4 years ago | (#29835017)

time warner would charge the end users for an "upgrade": a modem with "amazing new features" (translation: security exploit patched). so time warner would eventually make money off of exposing end users to script kiddies and hackers

Re: the routers also expose their web interfaces t (1)

MMC Monster (602931) | more than 4 years ago | (#29834429)

The nice thing is that they may actually be able to update everyone on their networks to plug the hole, given this feature.

Whether they will or not is another issue.

Re: the routers also expose their web interfaces t (1)

Col. Panic (90528) | more than 4 years ago | (#29834547)

underscore incompetence. that is just ridiculous given the maintenance overhead involved with patching any found vulnerabilities down the road. let's hand out the password in clear text while we are at it. shoot me now

Re: the routers also expose their web interfaces t (3, Insightful)

flibuste (523578) | more than 4 years ago | (#29834901)

Yes incompetence looks like the primary cause here. Whoever hides the access to administrative functions of anything by simple javascript on a web page should be at best fired.

It is quite amazing to see how many programmers are just totally clueless about the technology they're using. It's just appauling.

Re: the routers also expose their web interfaces t (1)

skiman1979 (725635) | more than 4 years ago | (#29834685)

It's just a nice way to make it so if an inexperienced hacker fails to break into your network, he can just pull up the web interface, open the port he's trying to use, and then continue hacking your internal systems. Think of the (children) hackers! :-P

FAIL (2, Interesting)

gzipped_tar (1151931) | more than 4 years ago | (#29834223)

According to TFA (my karma be damned), Web-based admin UI is enabled on these routers, not only for the LAN but for the whole fucking Internet. This must be the dumbest default setting ever.

Also in TFA...

Time Warner’s Dudley says the SMC8014 modem/routers are just a small portion of the 14 million devices its customers are using.

What's more? Gnome With the Ping of Death? ;)

Re:FAIL (3, Informative)

Again (1351325) | more than 4 years ago | (#29834311)

According to TFA (my karma be damned), Web-based admin UI is enabled on these routers, not only for the LAN but for the whole fucking Internet. This must be the dumbest default setting ever.

Although I agree that it is dumb, I think that it is to make technical support easier for the company. If the company can go straight to your router and configure it then it makes their life easier. Of course, it turns out that it makes a lot of people's lives easier including hackers.

Re:FAIL (1)

Jellybob (597204) | more than 4 years ago | (#29834453)

Leaving the admin interfaces exposed is fairly common practice for ISPs, since it allows them to reflash and do maintenance on routers they are responsible for.

The good ones have the competence to limit that access to the IP range that maintenance will be happening from though.

Re:FAIL (2, Informative)

6ULDV8 (226100) | more than 4 years ago | (#29834483)

Then they should put the admin network on an administrative VLAN like they do their core equipment, so that the majority of the Internet can't see it.

A hack? Hardly (1)

fgaliegue (1137441) | more than 4 years ago | (#29834243)

This is not a hack, this is incompetence from the guys who sold that in the first place.

Are all Time Warner employees marketers or something?

Re:A hack? Hardly (1)

piripiri (1476949) | more than 4 years ago | (#29834463)

a simple hack putting some 65,000 customers at risk

Some guy has not learned how to use a proper integer type.

Clock is ticking (2, Funny)

oldspewey (1303305) | more than 4 years ago | (#29834251)

If you use Time Warner's SMC8014 series cable modem/Wi-Fi router combo, watch for firmware to be released soon that they are reportedly in the process of testing.

And if you are a hacker planning to pwn Time Warner's SMC8014 series cable modem/Wi-Fi router combo, be sure to get your exploit written and distributed soon before the new firmware is released.

Re:Clock is ticking (1)

John Hasler (414242) | more than 4 years ago | (#29834289)

Or just wait for the new firmware and hack that: it will be just as bad.

Re:Clock is ticking (1)

Thanshin (1188877) | more than 4 years ago | (#29834753)

Or just wait for the new firmware and hack that: it will be just as bad.

I was about to say "Or worse".

However, I can't think of any such situation, unless the router actually has a list of known hackers and directly mails them the password everytime it's changed.

Maybe (2, Insightful)

Akita24 (1080779) | more than 4 years ago | (#29834279)

Maybe if they actually gave 0.0000000001% of a shit about the service they provide instead of spending millions trying to figure out how to fuck the customers they've oversold to out of YetAnotherPenny ... nah, won't happen.

That's what they get... (2, Insightful)

hitech69 (78566) | more than 4 years ago | (#29834283)

AOL/TWC have gone through so many reorganizations and consolidations, the best and brightest have been gone from the company for quite some time. This is just a result of continuing to run a failing course.

Re:That's what they get... (0)

Anonymous Coward | more than 4 years ago | (#29834405)

TWC isn't part of Time Warner (Former "AOL") anymore...

http://ir.timewarnercable.com/separationfaq.cfm

Mod me redundant (0, Redundant)

HNS-I (1119771) | more than 4 years ago | (#29834301)

..but I believe the word flabbergasted comes to mind.

Is this worse than the many unsecured wifi routers (1)

Viol8 (599362) | more than 4 years ago | (#29834327)

...all sold to beacon by default , plenty sold with a googlable default password (or none at all) which they never prompt the user to change , encryption - even WEP - switched off by default.

Etc.

It took me all of 2 minutes to get into my mums neighbours home network via their belkin wifi router.

And yes , I did tell them how to secure it. And they ignored me. What can you do?

Re:Is this worse than the many unsecured wifi rout (0)

Anonymous Coward | more than 4 years ago | (#29834373)

i usually just pwn their machine and then setup wpa that way i know noone else will be listening in on me borrowing their internet

Re:Is this worse than the many unsecured wifi rout (1)

wastedlife (1319259) | more than 4 years ago | (#29834437)

At least those do not have the configuration accessable from the WAN by default. Also, they normally have either instructions or a setup wizard that sets up security for them. This is a case of WAN-accessable config pages that let unauthenticated users download the config file, which stores the username and password in plain text. The difference is clueless users versus extremely insecure design.

This is the difference between a linux box configured with insecure settings and a Windows 98 box sitting on the WAN with no firewall.

Or, how about a car analogy:

You can drive a brand new car with tons of safety features 100 mph into a brick wall and still die, or you can drive a Pinto which is likely to explode if someone rear-ends you.

Re:Is this worse than the many unsecured wifi rout (0)

Anonymous Coward | more than 4 years ago | (#29834709)

What can you do?

Remotely access and use their unsecured networks to initiate p2p downloads of songs by Madonna, Metallica, and Sir Elton John. Narc them out to the British telco. Given their "three strikes" they'd be "safe" for good.

re: the summary (4, Informative)

jlmale0 (1087135) | more than 4 years ago | (#29834335)

My initial, gut response to this was sheer horror. They list exploit and target side-by-side! The only mention of a fix is that it's to be 'released soon', informing any malicious agents out there that now is the time to strike.

Reading the Wired article, the right thing was done. Big company was sitting on their hands, and now that publicity has been made, they're starting to move.

Wired did the right thing. But this summary, it's fear-mongering and bad journalism.

Re: the summary (2, Funny)

Ash-Fox (726320) | more than 4 years ago | (#29834435)

But this summary, it's fear-mongering and bad journalism.

You must be new here.

Multiple-levels of incompetence (5, Insightful)

MobyDisk (75490) | more than 4 years ago | (#29834355)

This isn't just a security vulnerability - those things happen. This is gross negligence. There are 3 simultaneous absolutely bone-headed things here:

- PUBLIC facing web configuration? I have never, ever, ever, seen a router that did that. Not even cheesy home routers.
- JAVASCRIPT is their security? That was dumb back in 1998, but who does that now?
- CLEAR TEXT username/password? There was this great technique we used back in 1975 called hashing. Look it up. Why does it even write the username/password out anyway?

This is one of those cases of just too many stupid things all at once for it to be a mistake.

Re:Multiple-levels of incompetence (2, Informative)

Vellmont (569020) | more than 4 years ago | (#29834531)


- JAVASCRIPT is their security? That was dumb back in 1998, but who does that now?

I heard a story that a major public University had exactly this kind of vulnerability in its new financial system. It was found and plugged, but it never should have been their in the first place. I'd reveal which University, but the story was passed down to me 3rd hand so it's not completely verified.

This kind of idiocy is more common than you'd think. Too many programmers aren't taught to think about security and develop tunnel vision trying to solve the problem given outside of any other context. I've seen it first hand multiple times reading through code of multiple programmers. It's easy to hide crap behind an interface that "works".

This is one of those cases of just too many stupid things all at once for it to be a mistake.

Not really. Stupid mistakes happen all the time. There's lots of code written. Eventually you're going to get enough stupid mistakes in one place that it'll add up to this level of incompetence.

Re:Multiple-levels of incompetence (3, Interesting)

gEvil (beta) (945888) | more than 4 years ago | (#29834555)

- PUBLIC facing web configuration? I have never, ever, ever, seen a router that did that. Not even cheesy home routers.

Even the cheesy home routers have this as an option, but it's always buried deep in the 'advanced' configuration options, and it's ALWAYS disabled by default.

Re:Multiple-levels of incompetence (0)

Anonymous Coward | more than 4 years ago | (#29834865)

I used to have a Microsoft MN-700 hand-me-down wireless router that not only had this enabled by default, it had no way to turn it off except to forward port 80 to a non-existent ip address.

Still better than PLANET... (5, Funny)

loutr (626763) | more than 4 years ago | (#29834359)

Some years ago, part of my tech support job was to set up PLANET [planet.com.tw] ADSL modem/wifi routers. I quickly noticed that the admin login / password was embedded in most configuration pages. But not to worry, they had cleverly hidden them with this brilliant security technique :

style="color:white;background-color:white"

...

Re:Still better than PLANET... (1)

StormyWeather (543593) | more than 4 years ago | (#29834413)

That's awesome! I wish I was that good at security.

Re:Still better than PLANET... (5, Funny)

TimeTraveler1884 (832874) | more than 4 years ago | (#29834495)

How stupid could they possible have been? It's easy (with the correct equipment) to extract white text on a white background. They should have used style="display: none"

Re:Still better than PLANET... (1)

gEvil (beta) (945888) | more than 4 years ago | (#29834569)

How stupid could they possible have been? It's easy (with the correct equipment) to extract white text on a white background. They should have used style="display: none"
The 'correct equipment' being the ctrl/cmd-A keys? Or a mouse and the ability to click and drag?

Re:Still better than PLANET... (1)

DeanLearner (1639959) | more than 4 years ago | (#29834579)

Wait what? I don't see anything. How'd you do that?!

There should be laws against this. (1)

FlyingBishop (1293238) | more than 4 years ago | (#29834433)

This shouldn't be legal. Cleartext password internet-facing consumer hardware? This is worse than those idiots using unsecured wireless routers for their credit card swiping machines. If I owned a Time Warner router I'd really feel justified in suing them for gross negligence.

WTF? (1)

BlueBoxSW.com (745855) | more than 4 years ago | (#29834457)

This is like finding out an uncut car key can open any Ford.

Meanwhile Verizon FIOS has been rolling out firmware upgrade to their routers that prohibit you from running your own secure sub-net inside their routers.

Why do these clowns think that because they control the last mile they can arrogantly control the whole internet?

Re:WTF? (1)

Dunbal (464142) | more than 4 years ago | (#29834523)

If you need a key, you are doing it wrong...

Re:WTF? (2, Insightful)

JustOK (667959) | more than 4 years ago | (#29834645)

You should always have a key to show to the cops

Re:WTF? (1)

ijakings (982830) | more than 4 years ago | (#29834625)

Because they have a piece of paper from the government telling them they can do whatever the fuck they want. And if it isnt covered by an old agreement? Well new illegal ones spring up all the time.

Re:WTF? (1)

kalirion (728907) | more than 4 years ago | (#29834751)

Meanwhile Verizon FIOS has been rolling out firmware upgrade to their routers that prohibit you from running your own secure sub-net inside their routers.

Huh? Does that mean if I get FIOS, I wouldn't be able to plug in a wireless router into whatever the FIOS modem is?

As I stare growling at my Time/Warner modem (0)

Anonymous Coward | more than 4 years ago | (#29834479)

Yeah I think It's about time to set up that server as a gateway. Ironically the internet service has been excellent and since I live in rural Maine we have few people using the bandwidth so I have amazing speed. Their cable TV service is what sucks. That hole in the modems is about as bad as the old file swap backdoor in Unix. On the bright side how many people could know about it? It's not like it was posted on Slashdot.

How many ISPs are different? (1)

IBBoard (1128019) | more than 4 years ago | (#29834561)

I've got Sky broadband (because we only need the cheapest package, which is free with the TV package) and their router has a very easily guessable password that they don't tell you (so you can't configure things). I don't know if the interface is web accessible, but we were having network issues fairly recently and they said "we couldn't check your router", which I assume means that they tried to log in remotely with the original password.

Not surprising (3, Interesting)

ledow (319597) | more than 4 years ago | (#29834595)

The Javascript thing isn't important - that's how the device operates because it's been told to and, in 99% of circumstances it's an internal-only device. My printer offers up a lot worse options. However, exposing that interface to the web is stupid, as are using standardised passwords.

The former is nothing but user-education and/or forcing them into a password from the factory (like a lot of wireless routers comes with WPA keys printed on the bottom of them).

For the latter, a lot of cheap ADSL modems/routers do this, it's hardly a shock. Some of them run telnet on ports 254/255 and the only way to get rid of it is to forward that port to a non-existent IP address. Yes, it's crap security. Yes, they should know better. But, additionally, it's their fault from day one and people have known about this for YEARS.

It would also pick up on *any* external security scanner (e.g. nmap, GRC.com's ShieldsUp!) and any competent person would be testing any new system with something like that anyway. I know I've always scanned whenever I've used a new connection, if only to find what proxy servers / port-blocking / port-forwarding are in place. And yet all my Internet connections have hard-coded DNS, the router acts as nothing more than a passthrough to a real firewall (usually Linux iptables, if only for decent, configurable NAT / port-forwarding) and anything vaguely suspicious on an external scan is investigated (my ISP offer port 139 filtering as default, for example).

If you didn't know about it, test it. If you haven't already disabled it, do so. If you're that worried, change the device. This type of problem has been around for YEARS, and only the bog-standard, password is 'password', home users would ever be hurt by it. I think it's disgusting that they are, but they are not the only ISP / modem / router that has these problems.

And to claim this is new/shocking is quite misleading - most router manufacturers have suffered from this since ADSL became mainstream. Even things like BT's HomeHub have had similar security problems over the years.

Happens all over the world... (0)

Anonymous Coward | more than 4 years ago | (#29834623)

Cable & Wireless here in Panama also has the same dumb password for almost every ADSL subscriber's box since ADSL came out years ago.

time warner clients going offline in 3, 2, 1... (0)

Anonymous Coward | more than 4 years ago | (#29834649)

Really, how long will it take before someone scripts together a crawler to scan Time Warner's IP space for these modems, log in, and disable the connection ?

Not a hack (2, Insightful)

flyingfsck (986395) | more than 4 years ago | (#29834697)

This is not a hack. This is leaving the key *on top* of the doormat.

Trust these guys without net neutrality laws? (1)

zerofoo (262795) | more than 4 years ago | (#29834739)

These idiots can't figure out how to secure the config pages of a cable modem, and we are to trust that they can implement QOS correctly? I've only been working on networks and IT stuff for a decade, so maybe I don't know what I'm talking about, but QOS seems a bit harder to do than securing a cable modem config page.

We need net neutrality for two reasons:

1. To keep the internet open to all that would want to use it.

2. To keep grossly incompetent network administrators' hands off of our data.

-ted

to be fair (0)

Anonymous Coward | more than 4 years ago | (#29834817)

you know the backdoor exist solely to make your internet experience more pleasurable.

Load More Comments
Slashdot Login

Need an Account?

Forgot your password?

Submission Text Formatting Tips

We support a small subset of HTML, namely these tags:

  • b
  • i
  • p
  • br
  • a
  • ol
  • ul
  • li
  • dl
  • dt
  • dd
  • em
  • strong
  • tt
  • blockquote
  • div
  • quote
  • ecode

"ecode" can be used for code snippets, for example:

<ecode>    while(1) { do_something(); } </ecode>