Only half the threat – and most of the answer.

Today, Slashdot posted a story to the front page regarding a widespread SMC 8014 router/modem vulnerability, allowing access to administrative functions. I would link to the original blog post, but it seems to be slashdotted. (Edit: no longer. I also indulged myself with a comment on the slashdot story and the blog post, both came late in the game. No, I’m not selling anything nor do I get ad revenue.) In any case, this is nothing new. These and similar SMC routers are common in New York and are identifiable by their use of a four-digit hex SSID. Naturally, all APs broadcast their Wi-Fi adapters’ MAC address in the clear, allowing for identification of the manufacturer (barring spoofing).

These SMC routers were ordered in bulk with a custom firmware, with some “features” that were put in place to (presumably) assist in over the phone tech support. The firmware enables WEP encryption with a preset key on the network and uses Javascript to disable more advanced features, including choosing WPA. If that wasn’t problematic enough, the WEP key is derivable from the MAC address. Let me repeat that point as clearly as I can.

The preset WEP key is derivable from the MAC address that is broadcast in the clear.

That last part is trivial, and I’m not going to give out (what I hesitate to call) the algorithm.

But wait, there’s more. One of the advanced features disabled by the Javascript hack is the ability to change the WEP key. I was not vulnerable to this (I use a different service with my own hardware), but a friend was, which allowed me to do a bit of work on these routers and their deployment. We were told (July 2008) by a customer service rep that changing the WEP key was not supported for the end user – even after I asked my friend to claim that she thought someone had her “network password” (which was technically true).

Ironically, the vulnerability mentioned in the Slashdot article is the means to secure the router: by using various techniques (disabling Javascript, Greasemonkey, etc.) you can restore these functions: changing the mode of encryption, the key, and the administrative values.
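As an added illustration (not from the original post, and not SMC’s or Time Warner’s code), here is the kind of server-side policy check a firmware should apply to a submitted wireless configuration instead of hiding options with JavaScript: it rejects WEP outright and flags any key that is visibly built from the broadcast MAC. The MAC address and keys below are constructed sample values; the MAC-derivation check only catches the naive cases (key equal to, a substring of, or the octet-reversed MAC), not the specific derivation this post deliberately withholds.

```python
import re
import secrets

MIN_WPA_PASSPHRASE = 12   # policy choice for this example, not a vendor value

def normalize_mac(mac: str) -> str:
    """Return the MAC as 12 lowercase hex digits, stripping separators."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits

def key_looks_mac_derived(mac: str, key: str) -> bool:
    """True if the key is visibly built from the broadcast MAC: the MAC
    itself, a run of its hex digits, or the MAC with its octets reversed.
    Hypothetical heuristic; it does not model any real vendor algorithm."""
    m = normalize_mac(mac)
    k = re.sub(r"[^0-9a-fA-F]", "", key).lower()
    if len(k) < 6:            # too short to be a meaningful MAC fragment
        return False
    reversed_octets = "".join(m[i:i + 2] for i in range(10, -1, -2))
    return k in m or k in reversed_octets

def audit_wireless_config(mac: str, mode: str, key: str) -> list[str]:
    """Policy check applied to the submitted config on the router side,
    independent of which options the admin page's JavaScript disabled.
    Returns a list of findings; an empty list means the config is acceptable."""
    findings = []
    mode = mode.upper()
    if mode == "WEP":
        findings.append("WEP is selected; only WPA2 should be accepted")
        if key_looks_mac_derived(mac, key):
            findings.append("WEP key is derived from the broadcast MAC")
    elif mode in ("WPA", "WPA2"):
        if len(key) < MIN_WPA_PASSPHRASE:
            findings.append(f"WPA passphrase shorter than {MIN_WPA_PASSPHRASE}")
        if key_looks_mac_derived(mac, key):
            findings.append("passphrase is derived from the broadcast MAC")
    else:
        findings.append(f"unknown encryption mode {mode!r}")
    return findings

def generate_passphrase(nbytes: int = 16) -> str:
    """Per-device secret drawn from the OS CSPRNG, independent of any
    identifier the AP broadcasts."""
    return secrets.token_hex(nbytes)
```

A factory-preset key generated this way carries no relationship to the MAC, so reading the SSID or BSSID over the air tells an observer nothing about it.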

SMC is not the only company to have sold these gelded all-in-one routers to bulk telecom customers; nor is Time Warner the only customer to deploy them. In a private discussion sharing these findings with some westcoasters at Defcon in Aug 2008, I was told there was an L.A. telecom doing exactly the same things – mass deployed routers with predictable keys and a broken firmware that prevented a fix.



This entry was posted on ה׳ חשון ה׳ תש״ע - Thursday, October 22nd, 2009 at 11:33 and is filed under chuckles, hardware, incidental, notices, product, ruminations, software, tech.

One Response to “Only half the threat – and most of the answer.”

  1. David Says:

    Hi Adam, great post! I was furious when TW’s security & abuse department told me that there’s nothing they could do about it. I believe in NY, these are the default devices that TW gives to customers now. They won’t give you a regular cable modem unless you specifically request it. TW claimed to have placed a temporary fix on the problem, but I haven’t seen any evidence of it. From what I can tell about these devices, it would take a major firmware update to change their method of “security”.
