A Case Study in Practical Security of Cable Networks Amir Alsbih, Felix Freiling, Christian Schindelhauer To cite this version: Amir Alsbih, Felix Freiling, Christian Schindelhauer. A Case Study in Practical Security of Cable Networks. Jan Camenisch; Simone Fischer-Hübner; Yuko Murayama; Armand Portmann; Carlos Rieder. 26th International Information Security Conference (SEC), Jun 2011, Lucerne, Switzerland. Springer, IFIP Advances in Information and Communication Technology, AICT-354, pp.92-103, 2011, Future Challenges in Security and Privacy for Academia and Industry. <10.1007/978-3-642-214240_8>. <hal-01567603> HAL Id: hal-01567603 https://hal.inria.fr/hal-01567603 Submitted on 24 Jul 2017 HAL is a multi-disciplinary open access archive for the deposit and dissemination of scientific research documents, whether they are published or not. The documents may come from teaching and research institutions in France or abroad, or from public or private research centers. L’archive ouverte pluridisciplinaire HAL, est destinée au dépôt et à la diffusion de documents scientifiques de niveau recherche, publiés ou non, émanant des établissements d’enseignement et de recherche français ou étrangers, des laboratoires publics ou privés. Distributed under a Creative Commons ttribution�ttribution 4.0 International License A Case Study in Practical Security of Cable Networks Amir Alsbih1 , Felix C. Freiling2 , and Christian Schindelhauer1 1 Albert-Ludwigs-Universität Freiburg, Germany 2 Universität Mannheim, Germany Abstract. Cable networks are complex systems that have evolved over years and in which new features like Internet access and Voice over IP (VoIP) have been integrated. We argue that threat models must evolve together with such systems and show that inadequate threat models can be used to explain known and unknown vulnerabilities in today’s cable networks. We do this by demonstating an attack on the DOCSIS provisioning standard in cable networks. By exploiting this weakness, an attacker can hijack VoIP accounts. We also show how to mitigate the attack. 1 1.1 Introduction Motivation Cable networks were initially deployed as a low-cost means to broadcast television programs to customers, first analog and then also digital. Today, almost all cable networks have been re-engineered so that they are able to additionally transport arbitrary digital data both to and from the end user. The number of Internet users in Germany and elsewhere that access the network in this way is rising sharply . Within the system of cable networks there are three main stakeholders: First of all, there is the user (customer) who wishes to enjoy digital media and network access in high quality at low cost. Second, there is the cable network provider (CNP), a company running the physical cable network infrastructure. Third, there is the Internet service provider (ISP) who provides access to the global Internet. Traditionally, the context and mindset of the CNP is a closed, physical network with static functionality. Since the services of an ISP were added to the portfolio of the CNP only rather recently, the original mindset of the CNP may be reflected in the way the ISP is managed. Since the Internet is an open, virtualizable and dynamic network, there is a potential for misconceptions regarding security assumptions that can lead to many surprises. In this paper we show that this is in fact the case. 1.2 Context Technically, the user’s cable modem acts as bridge between the customers home network and the backbone of the ISP. The cable modem is a rather simple device that downloads its configuration after every reboot from a server at the ISP. This is called provisioning and the relevant standard is the Data Over Cable Service Interface Specification (DOCSIS) . So there is a way to access the ISP servers from the customer’s home networks and therefore the ISP has to secure the provisioning process to restrict the possibilities of a service abuse. In this paper, we document a weakness in the way the provisioning process is handled today. 1.3 Related Work There is relatively little work that investigated cable networks security from an academic viewpoint. Existing work mainly comes from industrial or rather applied forums and deals with possibilities of service theft, e.g., possibilities of achieving higher service bandwidth without paying for it (so-called “uncapping”) by manipulating the cable modem [1–3, 11, 15]. Other threats to ISPs have been formulated as well  and refer to attacks on confidentiality and weak endpoints: The classical attack to confidentiality of network traffic through eavesdropping is omnipresent in shared medium networks like the cable network is. Since the downstream traffic is broadcast across the shared medium, network providers have to enforce rigid access control techniques at the endpoints of the network to ensure confidentiality. A related threat is network access through stolen authentication credentials, e.g., cloning of MAC addresses, a problem that is hard to tackle in networks where endpoints are under complete control of the customer . In this paper, we give another example for this fact. Since one of the main applications of cable networks is digital telephony (voice over IP, VoIP), attacks on the corresponding protocols like the Session Initiation Protocol (SIP) have also been investigated in the cable network environment [3, 8]. These attacks include tampering of SIP message bodies like malformed SIP messages, hijacking dedicated SIP accounts or interrupting sessions by injecting fake messages into the network traffic. While being relevant to VoIP technology, they are only specific to cable networks as far as these attacks use access techniques that only exist in cable networks. In this paper, we present such an attack on SIP that is specific to cable networks. 1.4 Contributions In this paper, we describe the context and specifics of the system of cable networks as an evolving complex system that is in regular use all over the world. We show that different mindsets and threat models can be used to explain past and present vulnerabilities in such networks. As a confirmation, we present a new attack on VoIP in cable networks that allows an attacker to extract SIP credentials and therefore misuse the VoIP system in such networks. More specifically, our attack exploits the DOCSIS provisioning requirement that every cable modem needs a provisioning file that contains the configuration of SIP credentials. By gaining access to the management network and partial exhaustive search of the namespace of configuration file names, we are able to extract SIP credentials and take over telephone acounts of other customers. We also show how this attack can be mitigated by adjusting network management policies in cable networks. At the time of writing, our attack was possible in one major (cooperating) cable network in Germany. Since many other CNPs all over the world use the same hardware and software configurations, we believe that the attack is relevant not only in Germany. However, the wish to point out that the attack is just a vehicle to transport the another insight, namely that threat models must be checked regularly. And if they turn out to be unrealistic, they (and all affected security procedures) must be adapted. 1.5 Paper Outline This paper is structured as follows: We give a brief introduction into cable network technology in Sect. 2. In Sect. 3 we show how threat models for cable networks have evolved in the past and the effect of this process on the provisioning process. We present the resulting attack in Sect. 4 and possible countermeasures in Sect. 5. We conclude in Sect. 6. 2 Background In this section we give a brief introduction into the basics of modern cable networks. 2.1 System Overview The cable network is a complex system consisting of multiple interconnected networks (see Fig. 1). The customer network connecting the end user devices with each other is a broadcast network that can be used to transport analog and digital signals in an integrated fashion over distinguishable frequency bands. It can be thought of as a long wire to which many receiving stations can be connected, similar to the early Ethernet technology (10BaseT). Technically, the customer network is a hybrid network consisting of optical fiber and coaxial cables that is connected in a tree-like topology. Consequently, this network is called hybrid fiber coax (HFC). 2.2 Physical Aspects and Frequency Bands Inside the HFC network, the frequency spectrum is divided into channels. The channels can be divided into downstream (towards end user) and upstream (from end user). Originally, all channels were downstream and carried either radio or television signals. Subsequently, frequencies were defined for data (i.e., Internet) communication. Since this communication is bidirectional, the CNP will need to provide at least one channel in each direction. On top of this digital channel, digital telephony services (VoIP) can be offered. For Internet communication, the digital Fig. 1. Cable network reference figure. signal has to be modulated on to and demodulated from the physical medium at each connected station. This is done at the side of the end user by a cable modem. At the side of the cable network provider, this is done by the cable modem termination system (CMTS). This is similar to how DSL technologies work over the telephone network. 2.3 The Interfaces of the Cable Modem Internally, the cable modem consists at least of two interfaces, each with its own MAC address: – The first interface is used for remote management of the cable modems from the side of the CNP. It has a unique MAC address called C-MAC. – The second interface is used for realizing the Internet service for the customer. It’s MAC address is called E-MAC. After the cable modem has been connected to the cable and turned on, the cable modem will configure itself. This process is called provisioning and will be explained later, since it is in the center of our attack. The result of a correct provisioning process is that both interfaces will receive its own IP address, each IP address being in a seperate IP address range. 2.4 CMTS and Access Control If a cable modem is provisioned and tries to communicate, every communication request of the cable modem is handled by the CMTS. The CMTS plays the role of a central router, guiding network packets from the customer network to the Internet and vice versa. At the same time, the CMTS acts as a firewall, enforcing filter rules to, for example, separating the network traffic from the different IP address ranges belonging to the different interfaces of the cable modem. Filtering is even performed on packets that are “routed back” into the customer network. This happens, for example, if two cable customers communicate with each other. So even if the cable network environment is a shared medium every upstream communication is only possible over the CMTS. The filtering rules of the CMTS are one of the most important parts of cable network security. For example, one of the most important rules is one that forbids normal users (via their E-MAC) access via SNMP to the management interface of the cable modem (C-MAC) of other customers. Without this rule it would be possible for every customer to access (and manage) the cable modem of other customers via SNMP. Since the filtering rules on the CMTS are the only reliable way to restrict the customer’s communication abilities, it is important to invest a lot of time into the right setup, making sure that the customer is only able to act in the way intended by the CNP [9, 14]. 2.5 IP Layer As mentioned above, the cable modem and the CMTS function as endpoints to transport data over the physical HFC network. The CMTS routes the IP data from the fast Ethernet backbones of the ISP to the cable network and vice versa. The cable modem works as a bridge between the network of the ISP and the local area network of the customer (see Fig. 2). 2.6 VoIP via SIP The Session Initiation Protocol (SIP) is the most commonly used VoIP protocol today. SIP phone calls use two different protocols, SIP for the connection handling of the calls, and Realtime Transport Protocol (RTP) for the voice stream. SIP was designed for the IP world, and since IP addresses are not as static as telephone numbers, the clients have to register themselves at a SIP server, to let the SIP server know where it should route the incoming call to. To register an account on a SIP server, the customer needs (1) his own phone number, as well as (2) the corresponding username and (3) the password for that phone number. He also needs to know the SIP server managing the connection. Note that these three items have to be known to the cable modem in order to allow seamless telephone service over VoIP for the cable network customer. Therefore, these credentials are contained within the configuration file during the provisioning process (see below). Fig. 2. IP traffic via cable modem and CMTS based on. 3 Different Threat Models and their effects on the Provisioning Process A threat model is a precise description of the possible threats to the system . It usually consists of a set of security issues a system designer cares about together with a set of expected attacks. Often, threat models only exist implicitly in the mindset of the people working at the network operator and are therefore not documented within organizations. In such cases the threat model used in an organization can only be inferred through interviews and from analyzing existing security mechanisms. 3.1 Traditional Threat Model of the CNP Traditionally, the context and mindset of the CNP is a closed, physical network with rather static functionality. Before upstream data communication was possible, the cable network was a pure “broadcast” network. The endpoints (antenna sockets in houses) were usually protected by physical means like tamper-evident seals. This was also the way how access control to the cable network worked. Since the transmitted data was the same for everyone and the selection of which channel to watch was performed at the endpoint (the television set), there were also no real privacy or confidentiality problems. Possible attacks involved only physically breaking the seal of the endpoint and accessing the service without paying. 3.2 Adapted Threat Model of the CNP/ISP The threat situation changes dramatically if individual communication is handled via the cable network both upstream and downstream. The typical threat model used by CNP/ISP in these scenarios, however, is very similar to the original threat model. As mentioned above and from our experiences, the threat model is usually not explicitly documented. So we inferred the following assumptions from interviews and an analysis of the literature on known attacks [1–3, 11, 15]: – The endpoint is physically protected. This means that only original cable modems are attached to the cable endpoints and these cable modems always correctly follow the provisioning process. – The end users are untrustworthy, i.e., they may send and receive arbitrary packets via their E-MAC to/from the Internet. This implies that the management network (accessed using the C-MAC) needs good protection from the user network (accessed using the E-MAC). The second point is realistic and the main reason for the complex filtering rules within the CMTS. The first point, however, does not hold in todays networks and can be exploited in most cable networks today, as we now explain. 3.3 The Provisioning Process and its Weaknesses The DOCSIS standard describes the steps each modem has to fulfill to register itself on the cable network. If a step in the process fails, the modem has to repeat the step until it succeeds. Since it is up to the CNP where he will place the digital channels that are in use for realizing the Internet service, the first step of the cable modem is a large frequency scan to search for the downstream channel. After that, the cable modem will get the parameters for the upstream by searching for a special packet in the downstream channel called upstream channel descriptor. Since the cable modem now has knowledge about both the down- and the upstream channels, the modem now has to synchronize itself to the channels in a step called ranging. In this step, the cable modem adjusts the timing, power, and frequency to balance the network delay. Subsequently, the cable modem establishes IP connectivity. Therefore it sends a Dynamic Host Configuration Protocol (DHCP) discover packet with option code 60 (vendor class identifier) for the C-MAC and a normal DHCP (without option 60) for the E-MAC interface. The cable modem listens for a DHCP offer packet that contains the needed data. Option 60 of DHCP allows the interfaces to tell the DHCP server which kind of network devices they are  by attaching a message to the DHCP request. This is used to ensure that every interface gets an IP address in a separate IP address pool. The DHCP offer for the cable modem contains an IP address that is assigned to the cable modem management part (C-MAC). Usually, this IP address comes from the cable modem address pool 10.61.0.0/16 . The DHCP offer also includes the IP address of a TFTP server in the management network and the name of a configuration file residing on the TFTP server. The content of a typical DHCP offer is shown in Fig. 3. The client IP address (assigned to the C-MAC) is the entry in the field “your client IP address”, in this case it is 10.61.151.101. The name of the TFTP server that hosts the configuration file for this cable modem is contained in the field “Next server IP address” and is 172.30.*.* in this case. The name of the configuration file itself is encoded in the “Boot file name” field. Fig. 3. Excerpt from the DHCP offer sent by the DHCP server within the configuration process (captured and visualized using Wireshark, identifable data is obfuscated). As next step, the cable modem will download the configuration file from the TFTP server. After this step the modem has to send the file to the CMTS in a step that is called transferring the operational parameters. This has to be done to authenticate the modem as modem of the CNP. If the modem is in the database of the CNP, the CMTS sends a message to the modem that it has passed registration. Now the modem is fully provisioned and able to act as bridge between the cable network and the LAN of the customer. A sample configuration file is shown in Fig. 4 where critical data (like passwords) has been sanitized. The SIP username (“0305338890”) and the SIP password (“ABCDE123456”) are directly stored in cleartext. This shows that access to configuration files opens complete access to a SIP account. 4 Attacking the Provisioning Process There are many reasons for an attacker to steal configuration files, but only the SIP credentials are profitable for an attacker. Therefore, we aim to steal the configuration files that contain SIP credentials from the provisioning servers. With the SIP credentials, the attacker can make free telephone calls, hijack and spoof phone calls, and do anything that the real owner of the SIP account can do. 4.1 The Attack The steps of an attacker are as follows: PCMA comm1 public comm1 @mtaprov comm1 comm1 comm2 5g21wm7sdl comm2 @mtaprov comm2 comm2 ’x[0-9]*.[t#]|11|[*#][2-9]x|[*#]1xx &My Small Company My-Small-Company.com SIP.Registrar.IP SIP.Registrar.IP ABCDE123456 0305338890 0305338890 0305338890 Fig. 4. Example DOCSIS configuration file extracted with strings. 1. In a first step the attacker fakes the MAC address of his own computer using standard tools  for anonymity and maybe also to avoid access control restrictions in the CMTS (for example, if only certain vendors are allowed). Then he attaches his own computer to the HFC network to the LAN port of the cable modem. 2. Now the attacker accesses the provisioning network. The attacker has to spoof the device information of his computer in a way that the DHCP server that is responsible for the cable modems “thinks” that the attacker is in fact a part of the cable modem. This can be realized by configuring the DHCP client to send the right form of option 60 with his DHCP request. One correct form of this option is for example to set the vendor class identifier to the value "pktc1.0" . This tells the provisioning server that the device sending the request is a cable modem that is only capable of the DOCIS 1.0 provisioning process. After issuing this request using appropriate tools , the attacker will receive the corresponding DHCP response including an IP address inside the HFC access network. The DHCP response also includes the IP address of the TFTP server hosting the configuration files, and a route through the CMTS to the provisioning network. 3. Depending on the MAC address of the attacker, the name of the configuration file within the DHCP response will be some default configuration file name pointing to a location on the TFTP server that will not contain anything important. If by chance, the MAC address is known to the TFTP server, it will point to a configuration file containing the credentials of the corresponding user. Since the name scheme of the configuration files is up to the CNP, it could require some reverse engineering to find out the mapping of MAC addresses to configuration file names. One approach, for example, is to sniff the provisioning process by using the real MAC address of the attacker. In practice we observed different naming schemes. One scheme concatenated the MAC address with the suffix d u.cfg. Using this knowledge about the configuration file naming scheme and with access to the TFTP server, the attacker can easily enumerate configuration file names by using tools like TFTP brute to brute force MAC. 4. After the successful download of one or more configuration files, the attacker can extract the SIP credentials from the configuration files easily, e.g., by using the Linux command strings. Now it is possible to abuse that SIP account. 4.2 Why is the Attack Possible? There are two specific points in the attack that are critical for its success. First, the names of configuration files are deterministic and can be enumerated. This problem can be easily fixed by giving configuration files a new random name when they are distributed. In a sense, this also ties a specific configuration file to a specific MAC address. But even if this is done, the second problem remains, namely that end users can impersonate any other device by spoofing their MAC address. In summary, the attack exploits exactly those weaknesses that result from an inadequate threat model. The main point is the inadequate assumption that endpoints are physically protected and therefore impersonation is impossible. That this attack exists is surprising since it is well known how easy it is to attach computers instead of cable modems to the network endpoints. Similarly, it is usually possible to reprogram cable modems by installing manipulated firmware. As shown in the attack, this opens the path for MAC address spoofing and impersonation of specifically weak end devices. 5 Countermeasures There are many obvious technical countermeasures to the attack described above. The basis for good countermeasures, however, is a more realistic threat model. 5.1 Adapted Threat Model The adequate threat model for cable networks takes into consideration that the CMTS is the last (physically) controllable point in the cable network and that the cable modem is an untrustworthy device that could do anything and act different from the way that is expected. In particular, it is not possible to bind service usage to particular physical endpoints as it can be done in classical telephone networks. 5.2 Technical Countermeasures Binding service usage to particular users is known as the problem of authorization. A prerequisite for authorization is authentication. The DOCSIS standard specifies a set of features that can enforce authentication within the provisioning process (BPI+ and DOCSIS shared secret [1, 10]). Most of these features are, however, not used or only optional and not enforced in practice. These features at least prevent other known attacks such as uncapping of cable modems, clear text network traffic on the downstream side and normal protocol attacks that are not specific to cable networks by not only enforcing authentication but also encryption. The fact that they are almost never turned on points again to an insufficient threat model but possibly also can be explained by the cumbersome effort to set up a public key infrastructure and equip modems with certificates. While enforcing authentication, both BPI+ and DOCSIS Shared Secret do not prevent the mass downloading of configuration files. One approach to prevent this is to hide the location of the TFTP server from the customer. By using cable dynamic-secret mode (DMIC), the CMTS will change the DHCP offer in the way that it will point to the CMTS and not to the TFTP server. The CMTS then will download the configuration file from the real TFTP server and insert a HMAC based on a onetime password and a cryptographic hash of the file. The modem then only is allowed to register itself if it contains the correct HMAC. The important aspect is that the TFTP server is hidden from the customer. This makes it impossible for the attacker to brute-force configuration files and extract the SIP credentials . A similar result can be achieved by using randomization in the following way: Whenever a cable modem sends a DHCP request, the name of the configuration file is chosen in a random fashion and uploaded to the TFTP server. The space from which the filename is chosen must be large enough so that it is hard to guess real filenames (e.g., a 64 bit number). But this method has not been standardized in DOCSIS yet. The DOCSIS standard also does not specify any procedures for the secure provisioning of cable modems that use VoIP since there is no well-tested and accepted procedure for this yet. It is not clear whether there will be a clean and working solution in the near future. Therefore, at least a fast detection approach for such attacks has to be implemented. 6 Conclusion As shown in this paper and in the literature, the security problems of cable networks are not only the result of a weak DOCSIS standard, it is the way how DOCSIS is “implemented” within an organization that causes the attack vectors to persist. Many security features such as BPI+ are often not enabled. Since such actions are consistent with the current threat model that assumes the user endpoint as trustworthy, we have argued that the risks in modern cable networks are mainly due to inadequate threat models at the side of the CNP. While this point is true in general for all systems that allow attacks, cable networks offer a particularly interesting case study because they show how adding certain features (Internet access) to a secure system (TV cable networks) results in an insecure system if the threat model does not evolve too. Acknowledgments We thank Andreas Dewald and Martin Mink for helpful comments on a previous version of this paper. References 1. Security on Data-over-Cable Systems: DOCSIS, BPI+ and Beyond. http://www.3com.com/ other/pdfs/infra/corpinfo/en_US/50301102.pdf, November 2000. 2. Hacking the Cable Modem: What Cable Companies Don’t Want You to Know. No Starch Press, San Francisco, CA, USA, 2006. 3. PacketCable 2.0: Security Technical Report. Technical Report PKT-TR-SEC-V05-080425, Cable Television Laboratories, Inc., April 2008. 4. S. Alexander and R. Droms. DHCP Options and BOOTP Vendor Extensions. RFC 2132, 1997. 5. Bundesnetzagentur. Tätigkeitsbericht 2008/2009 Telekommunikation, December 2009. 6. Cable Television Laboratories, Inc. Cable Modem to Customer Premise Equipment Interface. Technical Report CM-SP-CMCI-C01-081104, November 2008. 7. Cable Television Laboratories Research Consortium. DOCSIS Website. http://www. cablelabs.com/cablemodem/, 2010. 8. D. Endler and M. Collier. Hacking Exposed VoIP: Voice Over IP Security Secrets & Solutions. McGraw-Hill, Inc., New York, NY, USA, 1 edition, 2007. 9. M. S. Johns. DOCSIS Cable Device MIB Cable Device Management Information Base for DOCSIS compliant Cable Modems and Cable Modem Termination Systems. RFC 2669, 1999. 10. P. S. Latini. Avoiding Piracy in DOCSIS Networks. Canitec Conference and Exhibition, April 2010. 11. J. McKelvey. Combating security risks on the cable IP network. Cisco Systems, Inc., Whitepaper, June 2002. 12. M. Millet. Theft of Service — Inevitable? CableFAX: The Magazine, December 2005. 13. P. Pahwa, G. Tiwari, and R. Chhabra. Spoofing Media Access Control (MAC) and its Counter Measures. International Journal of Advanced Engineering & Application, January 2010. 14. D. Raftus and E. Cardona. Radio Frequency (RF) Interface Management Information Base for Data over Cable Service Interface Specifications (DOCSIS) 2.0 Compliant RF Interfaces. RFC 4546, 2006. 15. N. Shah, D. Kouvatsos, J. Martin, and S. Moser. A Tutorial on DOCSIS: Protocol and Performance Models. In International Working Conference on Performance Modeling and Evaluation of Heterogeneous Networks, July 2005. 16. F. Swiderski and W. Snyder. Threat modeling. Microsoft Press, 2004.