Inert Ramblings

I originally wrote this article in October, 1996 and it was published in issue 14.2 of 2600 Magazine: The Hacker Quarterly. Due to the incredible amount of email I’ve received regarding this article, let me state that I realize that the risks outlined within are basic network-related problems, but I’m just trying to open the eyes of end users and ISPs still using outdated cablemodem equipment. If you want, you can jump right to the sniffer information.

Note: All references to the specific Internet Service Provider effected have been censored and replaced with [ISP] due to the nature of this article.

The advent of cablemodems has opened up a wealth of security nightmares for Internet users in this area. Unfortunately, most of these users have never touched a UNIX machine and have no idea how packet transport works over wide area public networks such as the Internet. Because of this, hundreds of new Internet users may be at risk from extremely old security issues.

In the past, virtually all home Internet users connected to their Internet Service Providers (ISPs) or colleges using standard modems and logged into UNIX or VMS shell accounts. Due to the fact that these shell accounts required at least a rudimentary knowledge of computers and networking, most users logging into these accounts had an understanding and respect for the Internet and its limitations. The majority of these users also understood the security issues at hand and took the proper precautions to safeguard their data.

Over the past few years, UNIX and VMS shell accounts have been slowly phased out in favor of SL/IP and PPP dialup connections. The advantage of this type of dialup protocol was that the Internet and its resources was now within reach of novice Windows and Macintosh users. The downside of this, however, was that many of these users didn’t understand how the Internet worked and were ignorant of the dangers posed by sending confidential and private data over their connections.

The introduction of cablemodems and WebTV has created a whole new breed of novice Internet users who no longer need to know how to set up a modem connection and, in a lot of cases, no longer even need to know how to use a computer. This trend is pushing the commercialization of the Internet and most companies and ISPs seem to be more interested in making a profit than making sure a secure and reliable service is being released.

Of all the security issues at hand today, the hottest topic right now seems to be the ability for malicious hackers to take advantage of problems with TCP/IP and sniff network traffic going over the Internet and corporate Intranets. Companies such as Netscape Communications Corporation and Open Market, Inc. are pushing secure commerce servers so conducting transactions over the Internet and corporate Intranets can be safe and secure.

The problem with this approach is that only transactions via SSL equipped WWW browsers can take advantage of this security. Most other forms of connections are left unsecured because not all clients are capable of SSL or encryption. Another problem is that these extreme novice Internet users don’t understand what sniffing is and don’t know why they should only use SSL equipped WWW browsers to conduct transactions and send confidential data over the Internet.

In the past, the risk of someone sniffing Internet data was relatively low. In order for a sniffer to be successfully set up, a key gateway machine sitting in between the client and server had to be compromised and superuser access had to be attained. Once superuser access was attained, the intruder had to then hide their tracks from the systems administrators and find a way to silently retrieve sniffer logs from that compromised host. Usually, these gateway machines were UNIX based and vast amounts of knowledge about the UNIX operating system were required in order to keep oneself hidden.

The routing used by cablemodems in this area (Zenith HOME*Works Universal transceivers), however, completely bypasses the need to compromise a gateway machine in order to sniff. Each cablemodem network interface (NI) acts as an ethernet transceiver and directly connects each cablemodem user’s machine to the Internet via 10BaseT. Because of this, each machine a cablemodem user has connected to the Internet is considered a local node on whatever subnet has been assigned to that user’s geographical area.

This trend was first noticed when the cablemodem NI was installed and powered up at this site. The TX, RX and NET-ACTIVE status LEDs had immediately lit up and started reporting network traffic even though the cablemodem NI had not yet been plugged into the ethernet card of the firewall/gateway machine. It was then hypothesized that it may be possible for cablemodem users to sniff all traffic passing over the same subnet.

Software such as sniffit and tcpdump was used to test this hypothesis and, not surprisingly, every other cablemodem user on the same subnet could, in fact, be monitored. Due to the fact that this type of major security hole could put the privacy of hundreds of cablemodem users at risk and quite possibly destroy the reputation of an ISP, it was decided that [ISP] should be contacted regarding the sniffing issues.

After playing phone tag and being on hold for nearly an hour, I was finally connected to someone within [ISP]’s security group and explained exactly what was being tested and the methods being used. I was then told that the ability for any cablemodem user to sniff network traffic on their subnet is a “known bug, and no fix is available at this time.”

According to [ISP]’s security group, the fact that cablemodem users can sniff network traffic was not publicized because “this cablemodem service is not being sold as a secure service and no such claims are being made in the service agreement.” Baffled by this, I posed the question that “since this isn’t a secure service, [ISP] has decided upon the policy that it’s the sole responsibility of the end user or systems administrator to make sure that all connections are secured and encrypted by third party software?” The response was, “hrm…that’s actually a pretty good way of phrasing it.”

This is an extreme display of [ISP]’s inability to plan ahead and take steps to keep their networks reasonably secure. Topped off by a seemingly intentional cover-up to keep cablemodem users from finding out that virtually every single keystroke that goes across their Internet connection could very well be monitored, it’s frightening to think that most end users are ignorant to the fact that any problems such as this even exist.

With today’s threats of credit card fraud and the widespread value of personal information, [ISP] should have taken all steps possible to make sure that cablemodem subscribers were educated and aware these dangers. With more and more users transmitting confidential and personal information over the Internet and World Wide Web, more security issues need to be addressed and publicized.

The issue of sniffing does not stop here, however. With cablemodem technology being pushed as the next “big thing,” ISPs and cable companies should take as many precautions as possible to make sure cablemodems become a secure and reliable service. If current technology is not updated to reflect these problems, thousands, if not millions, of future users could be at risk.