Network management vulnerability exposes cable modems to hacking
Hundreds of thousands of internet gateway devices around the world, primarily residential cable modems, are vulnerable to hacking because of a serious weakness in their Simple Network Management Protocol implementation.
SNMP is used for automated network device identification, monitoring and remote configuration. It is supported and enabled by default in many devices, including servers, printers, networking hubs, switches and routers.
Independent researchers Ezequiel Fernandez and Bertin Bervis recently found a way to bypass SNMP authentication on 78 models of cable modems that ISPs from around the world have provided to their customers.
Their internet scans revealed hundreds of thousands of devices whose configurations could be changed remotely through the SNMP weakness that they found and dubbed StringBleed.
Versions 1 and 2 of the SNMP protocol don’t have strong authentication to begin with. They provide either read-only or write access to a device’s configuration through passwords called community strings. By default these passwords are “public” for read-only access and “private” for write access, but device manufacturers can change them in their implementations and it’s generally recommended to do so.
The leaking of sensitive configuration data through the default “public” SNMP community string is a known problem that has affected many devices over the years. In 2014, researchers from Rapid7 found SNMP leaks in almost half a million internet-connected devices made by Brocade, Ambit and Netopia.
However, what Fernandez and Bervis found is much worse: devices from multiple vendors that accept virtually any value for the SNMP community string and unlock both read and write access to their configuration data.
The two researchers first located a small number of vulnerable devices, including the Cisco DPC3928SL cable modem that’s now part of Technicolor’s product portfolio following the company’s acquisition of Cisco’s Connected Devices division in 2015.
The researchers claim that when they reported the issue to Technicolor, the company told them that it was the result of an access misconfiguration by a single ISP in Mexico rather than a problem with the device itself.
This prompted the researchers to perform a wider internet scan that resulted in the discovery of 78 vulnerable cable modem models from 19 manufacturers, including Cisco, Technicolor, Motorola, D-Link and Thomson.
The number of vulnerable devices that can be targeted directly over the internet range from less than 10 for some models to tens and hundreds of thousands for others. For example, there are almost 280,000 vulnerable Thomson DWG850-4 devices on the internet, most of them are in Brazil, according to the researchers.
The researchers believe that the underlying problem is located in the SNMP implementation used by the modems, rather than being the result of misconfiguration by ISPs.
Regardless of the cause, the problem is serious, as attackers could exploit this flaw to extract administrative and Wi-Fi passwords or to hijack devices by modifying their configurations.
There’s not much that users can do if their ISP supplied them with a vulnerable device, other than ask for a different model or install their own modem. Unfortunately, not many ISPs allow their residential customers to use their own gateway devices, because they want uniformity and remote management capabilities on their networks.
Determining if a particular device is vulnerable to this issue is possible, but requires a bit of work. An online port scanner like ShieldsUp can be used to determine if the device responds to SNMP requests over its public IP address.
If SNMP is open, a different online tool can be used to check if the device’s SNMP server returns valid responses when the “public” or random community strings are used. At the very least this would indicate an information leak problem.