I’ve been attending the DEF CON hacker conference for 18 years. This year, I was starting to think “I’m too old for this stuff!” Don’t get me wrong, I still love the community-oriented DIY hacker spirit of the conference, but after all this time, I was starting to think I’d seen it all. Yeah.
For example, this year hackers cracked an Internet-enabled car wash. Sure, it made for some news, but when you think about it, it was just hacking a rather mundane, stupid robot that we’ve been living with for decades.
But one talk blew my mind, and its surprising that no one’s been writing about it. The room was packed for “CableTap: Wireless Tapping Your Home Network.” I was expecting it to be a DIY class that could help hobby hackers see what’s happening on their home networks (because Comcast doesn’t provide a way). Instead, the scope of the talk was much, much broader and more entertaining.
Three researchers, Marc Newlin and Logan Lamb, with Bastille Networks and Christopher Grayson with Web Sight, found 26 vulnerabilities within ISP network devices that would have given them remote admin access to the majority of home networks in the United States.
The abstract of CableTap reads: “Our research revealed a wide array of critical vulnerabilities in ISP-provided, RDK-based wireless gateways and set-top boxes from vendors including Cisco, Arris, Technicolor, and Motorola. We demonstrated that it was possible to remotely and wirelessly tap all Internet and voice traffic passing through an affected gateway. We estimate tens of millions of ISP customers are affected by these findings.”
The breadth of their hacks ranged from reverse-engineering the MAC address generation for Comcast’s Xfinity routers to exploiting vulnerabilities in the 20-year-old FastCGI subsystem used by webservers you never heard of, like Apache, NGiNX and lighthpttd.
The “CableTap” Attack Chain
You may know that your Xfinity access point, in addition to providing your own private WiFi network, also provides a public ‘xfinitywifi’ wireless network so that roaming Comcast customers can hop on any access point using their own credentials. There’s actually a third, hidden WiFi network named XHS-XXXXXXXX, where XXXXXXXX represents the lower four bytes of the modem’s cable modem (CM) MAC. The passphrase for this hidden WiFi network is deterministically generated from the MAC address of the interface. The researchers found four different ways to get the MAC address, one of which is this little gem: if you connect to the ‘xfinitywifi’ public network, the DHCP ACK includes the CM MAC address. D’oh!
With the MAC address, the researchers could calculate the passphrase and have access to the xfinitywifi network without having to use their own Comcast credentials. Any malicious activity generated on that network could then be attributed to the owner of that cable modem. Neat.
Another vulnerability discovered in their attack chain was brute-forcing a radio-frequency pairing of the Comcast voice remote control, which could then be used to possibly introduce attacks into the Xfinity set-top boxes.
But the most significant analysis of the talk was around the mysterious reference development kit (RDK), an open-source platform (github link) used by ISPs within their cable modems and set-top boxes. The RDK is maintained and patched regularly by developers around the world. Since it is open source, anyone can see the source changes for vulnerability fixes, months before those fixes actually get built and pushed down to the millions of set-top boxes in America. This could be a source of vulnerabilities for months or years to come. Ah, the perils of open source.
If you think about it, this research should have (and could have) been done and disclosed years ago, given the ubiquity of Time Warner and Comcast networks in the United States. One of the researchers barely knew Linux and networking when he started the research less than a year ago. In that short time, he could have built a surveillance network that the NSA would have been proud of. Who’s to say they didn’t already know about all these little holes in the network and weren’t doing their own surveillance that way?
The story has a happy ending all around; the researchers practiced responsible disclosure and alerted Comcast and the other vendors, giving them plenty of time to address the issues before the talk.
“Nothing is more important than our customers’ safety, and we appreciate Bastille bringing these matters to our attention. We have made a number of updates to our software and systems to prevent the issues Bastille identified from impacting Comcast customers, including breaking the attack chains Bastille described in this paper.” —Comcast vendor statement
Maybe the reason no one else is writing about CableTap (yet) is because those holes are patched now, and we’re all “safe.”
Kudos to the trio of researchers, Newlin, Lamb and Logan, for putting in the hours, and making for the most interesting DEFCON 25 presentations.