
October 22nd, 2009

Gaping security hole in Time Warner cable routers

Posted by Ryan Naraine @ 9:11 am

Categories: Arbitrary Code Execution, Browsers, Complex Attacks, Data theft, Exploit code, Java, Mobile (In)Security, Passwords, Patch Watch, Pen testing, Phishing, Responsible disclosure

Tags: Security, Time Warner Inc., Router, Network, Time Warner Cable Inc., Chen, Routers & Switches, Network Technology, Networking, Ryan Naraine

A gaping security hole in cable modems distributed to Time Warner/Road Runner customers could potentially be exploited remotely to access private networks and possibly capture and manipulate private data.

That’s the warning issued by David Chen, a blogger and start-up founder who discovered he could trivially access a customer’s  of Time Warner’s SMC8014 series cable modem/Wi-Fi router combo by simply disabling JavaScript in the browser to access hidden features in the router’s admin interface.


Chen explains:

After poking around using the customer account, I found that access to the admin features of the router has been disabled via Javascript. You heard me correct, the web admin for the router simply uses a script to hide certain menu options when the user does not have admin privileges. By simply disabling Javascript in the browser, I was able to access all the features of the router. With that access, I am now able to change the wifi settings, port-forwarding, etc.

One of the extra features found by Chen included an admin utility called “Back Up Configuration File” that was essentially a text dump of the router’s configurations.

Upon examination of this file, I found the admin login & password in plaintext.  Another issue which was alarming was the fact that by default, the web admin is accessible from ANYWHERE on the internet.  By running a simple port scan of Time Warner IP addresses, I easily found dozens of these routers, open to attack.
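The flaw Chen describes is an authorization decision made in the browser instead of on the device. The sketch below is an added example, not code from the router or from Chen's post; its route names, roles and configuration keys are hypothetical. It contrasts that design with a per-request role check on the server and a configuration backup that leaves credentials out.

```javascript
// Added illustration. Routes, roles and config keys are hypothetical and
// are not taken from the SMC8014 firmware.
const ROUTES = new Map([
  ["/status", "user"],
  ["/wifi", "admin"],
  ["/port-forward", "admin"],
  ["/backup-config", "admin"],
]);
const RANK = new Map([["user", 1], ["admin", 2]]);

// Constructed sample configuration (values are placeholders).
const CONFIG = { ssid: "EXAMPLE-SSID", admin_user: "admin",
                 admin_password: "example-secret", dns: "192.0.2.53" };

function render(path, cfg) {
  return path === "/backup-config" ? JSON.stringify(cfg) : `page ${path}`;
}

// Weak design: every logged-in session is served every page. Admin links are
// only hidden by a script in the page, so the browser decides who is admin.
function handleWeak(session, path) {
  if (!session) return { status: 401 };
  if (!ROUTES.has(path)) return { status: 404 };
  return { status: 200, body: render(path, CONFIG) };
}

// Strip anything that looks like a credential before exporting settings.
function redact(cfg) {
  const out = {};
  for (const [key, value] of Object.entries(cfg)) {
    out[key] = /password|secret|key/i.test(key) ? "<redacted>" : value;
  }
  return out;
}

// Hardened design: the server compares the session's role with the role the
// route requires on every request, and the backup never carries credentials.
function handleHardened(session, path) {
  if (!session) return { status: 401 };
  const needed = ROUTES.get(path);
  if (!needed) return { status: 404 };
  const have = RANK.get(session.role) || 0; // unknown roles get no rights
  if (have < RANK.get(needed)) return { status: 403 };
  return { status: 200, body: render(path, redact(CONFIG)) };
}

const customer = { role: "user" };
console.log(handleWeak(customer, "/backup-config").status);     // 200
console.log(handleHardened(customer, "/backup-config").status); // 403
```

With the weak handler, turning off the hiding script changes nothing on the server, so the customer session still receives the backup with the password in it.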

This is a really serious issue for any Time Warner/Road Runner customer running the SMC8014 router:

Now you can put two and two together and realize that this has opened a gaping hole on every single Time Warner customer’s network that uses the SMC8014. By forcing the customers to use only WEP encryption on their wifi network, they are allowing anyone to penetrate the network with ease. Also by using a fixed format for the SSID, it’s extremely easy to tell which wifi network is using the device. Once inside, anyone can access the router’s web interface and login with the admin account. What makes this even scarier, is the fact that the web interface is accessible from anywhere. From within your own network, an intruder can eavesdrop on sensitive data being sent over the internet and even worse, they can manipulate the DNS address to point trusted sites to malicious servers to perform man-in-the-middle attacks. Someone skilled enough can possibly even modify and install a new firmware onto the router, which can then automatically scan and infect other routers automatically.

Chen said he reported the issue to Time Warner and was told that nothing could be done about the problem.  A spokesman for Time Warner told Wired’s Kim Zetter the issue is being fixed.

* More at Threatpost and Threat Level.

Ryan Naraine is a journalist and security evangelist at Kaspersky Lab. He manages Threatpost.com, a security news portal.



