
The Coolest Talk at Defcon 25 That No One is Writing About

I’ve been attending the DEF CON hacker conference for 18 years. This year, I was starting to think “I’m too old for this stuff!” Don’t get me wrong, I still love the community-oriented DIY hacker spirit of the conference, but after all this time, I was starting to think I’d seen it all. Yeah. 


For example, this year hackers cracked an Internet-enabled car wash. Sure, it made for some news, but when you think about it, it was just hacking a rather mundane, stupid robot that we’ve been living with for decades.

But one talk blew my mind, and it’s surprising that no one’s been writing about it. The room was packed for “CableTap: Wireless Tapping Your Home Network.” I was expecting it to be a DIY class that could help hobby hackers see what’s happening on their home networks (because Comcast doesn’t provide a way). Instead, the scope of the talk was much, much broader and more entertaining.

Three researchers, Marc Newlin and Logan Lamb of Bastille Networks and Christopher Grayson of Web Sight, found 26 vulnerabilities in ISP network devices that would have given them remote admin access to the majority of home networks in the United States. 

The abstract of CableTap reads: “Our research revealed a wide array of critical vulnerabilities in ISP-provided, RDK-based wireless gateways and set-top boxes from vendors including Cisco, Arris, Technicolor, and Motorola. We demonstrated that it was possible to remotely and wirelessly tap all Internet and voice traffic passing through an affected gateway. We estimate tens of millions of ISP customers are affected by these findings.”  

The breadth of their hacks ranged from reverse-engineering the MAC address generation for Comcast’s Xfinity routers to exploiting vulnerabilities in the 20-year-old FastCGI subsystem used by web servers you’ve never heard of, like Apache, NGINX and lighttpd.

The “CableTap” Attack Chain

You may know that your Xfinity access point, in addition to providing your own private WiFi network, also provides a public ‘xfinitywifi’ wireless network so that roaming Comcast customers can hop on any access point using their own credentials. There’s actually a third, hidden WiFi network named XHS-XXXXXXXX, where XXXXXXXX represents the lower four bytes of the modem’s cable modem (CM) MAC. The passphrase for this hidden WiFi network is deterministically generated from the MAC address of the interface. The researchers found four different ways to get the MAC address, one of which is this little gem: if you connect to the ‘xfinitywifi’ public network, the DHCP ACK includes the CM MAC address. D’oh! 


Hacking xfinitywifi

With the MAC address, the researchers could calculate the passphrase and have access to the xfinitywifi network without having to use their own Comcast credentials. Any malicious activity generated on that network could then be attributed to the owner of that cable modem. Neat.
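The security-relevant point in the two paragraphs above is that a passphrase which is a pure function of a public identifier (the CM MAC, which the SSID and the DHCP ACK both expose) is not a secret at all. The following is an added illustration, not code from the article or from the CableTap researchers, and the derivation functions are deliberately toy stand-ins (the real Xfinity algorithm is not described on this page). It contrasts a hypothetical MAC-only scheme with one bound to a per-device random secret provisioned at manufacture, and shows the audit check a defender would run: can the passphrase be recomputed from the MAC alone? The SSID format is taken from the article; the hex case is an assumption.

```python
"""Added example: why a passphrase derived only from the CM MAC is not a secret.

The derivation functions here are HYPOTHETICAL stand-ins, not the Xfinity
algorithm. They exist only to make the weak-vs-hardened contrast concrete.
"""
import hashlib
import hmac
import secrets


def normalize_mac(mac: str) -> bytes:
    """Canonical byte form of a MAC so both schemes key on the same input."""
    return bytes.fromhex(mac.replace(":", "").replace("-", "").lower())


def hidden_ssid(cm_mac: str) -> str:
    """Hidden network name as described in the article: 'XHS-' followed by the
    lower four bytes of the CM MAC (upper-case hex is an assumption here)."""
    return "XHS-" + normalize_mac(cm_mac)[2:].hex().upper()


def derive_mac_only(cm_mac: str) -> str:
    """Hypothetical WEAK scheme: the passphrase depends on nothing but the MAC.
    Anyone who learns the MAC (the article describes it leaking in a DHCP ACK)
    can recompute it, so the 'secret' is really public information."""
    return hashlib.sha256(normalize_mac(cm_mac)).hexdigest()[:16]


def derive_with_device_secret(cm_mac: str, device_secret: bytes) -> str:
    """Hardened scheme: mix the MAC with a per-device random secret that is
    generated at manufacture and never leaves the device. The MAC may still be
    public; without the secret the passphrase cannot be recomputed."""
    return hmac.new(device_secret, normalize_mac(cm_mac), hashlib.sha256).hexdigest()[:16]


def provision_device(cm_mac: str, secret_len: int = 32) -> tuple[bytes, str]:
    """Factory step for the hardened scheme: draw a fresh random secret and
    derive the device's passphrase from it."""
    device_secret = secrets.token_bytes(secret_len)
    return device_secret, derive_with_device_secret(cm_mac, device_secret)


def recoverable_from_mac_alone(cm_mac: str, passphrase: str, candidate_secrets=()) -> bool:
    """Audit check from an outsider's position: given only the MAC (plus any
    secrets the outsider might guess), does any derivation reproduce the
    passphrase? True means the identifier alone is enough."""
    if hmac.compare_digest(derive_mac_only(cm_mac), passphrase):
        return True
    return any(
        hmac.compare_digest(derive_with_device_secret(cm_mac, guess), passphrase)
        for guess in candidate_secrets
    )


if __name__ == "__main__":
    # Constructed sample MAC (not a real device).
    mac = "00:11:22:33:44:55"
    print("hidden SSID:", hidden_ssid(mac))

    weak_pw = derive_mac_only(mac)
    print("MAC-only scheme recoverable from MAC alone:",
          recoverable_from_mac_alone(mac, weak_pw))

    _secret, strong_pw = provision_device(mac)
    wrong_guesses = [b"", b"password", bytes(32)]
    print("secret-bound scheme recoverable from MAC alone:",
          recoverable_from_mac_alone(mac, strong_pw, wrong_guesses))
```

The design point is the one the researchers' finding turns on: an identifier that is broadcast in an SSID and handed out in a DHCP exchange has zero entropy against a nearby observer, so any credential computed from it alone inherits that zero entropy. Binding the credential to a per-device random secret keeps the MAC public without making the passphrase public.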

Another vulnerability discovered in their attack chain was brute-forcing a radio-frequency pairing of the Comcast voice remote control, which could then be used to possibly introduce attacks into the Xfinity set-top boxes.

But the most significant analysis of the talk was around the mysterious reference development kit (RDK), an open-source platform (github link) used by ISPs within their cable modems and set-top boxes. The RDK is maintained and patched regularly by developers around the world. Since it is open source, anyone can see the source changes for vulnerability fixes, months before those fixes actually get built and pushed down to the millions of set-top boxes in America. This could be a source of vulnerabilities for months or years to come. Ah, the perils of open source. 

If you think about it, this research should have (and could have) been done and disclosed years ago, given the ubiquity of Time Warner and Comcast networks in the United States. One of the researchers barely knew Linux and networking when he started the research less than a year ago. In that short time, he could have built a surveillance network that the NSA would have been proud of. Who’s to say they didn’t already know about all these little holes in the network and weren’t doing their own surveillance that way?

The story has a happy ending all around; the researchers practiced responsible disclosure and alerted Comcast and the other vendors, giving them plenty of time to address the issues before the talk.

“Nothing is more important than our customers’ safety, and we appreciate Bastille bringing these matters to our attention. We have made a number of updates to our software and systems to prevent the issues Bastille identified from impacting Comcast customers, including breaking the attack chains Bastille described in this paper.” —Comcast vendor statement

Maybe the reason no one else is writing about CableTap (yet) is because those holes are patched now, and we’re all “safe.”

Kudos to the trio of researchers, Newlin, Lamb and Logan, for putting in the hours and making for the most interesting DEF CON 25 presentation. 
