I’ve received an incredible response to the Time Warner modem/router security issue I wrote about last week. It was immediately picked up by Wired, Cnet, PC World, and various other news sources. Even Time Warner themselves immediately responded to my post with: “Thanks for your post. We’ve got a temporary patch in place now while we work on a permanent solution — you should be safe.”

Wow, I thought, Time Warner took care of this problem in less than a day! It was good to know that they actually cared about security and making sure their customers were safe… I was wrong.
In the last week, I have not seen a single bit of evidence that supports their claims of a “temporary patch.” I contacted Time Warner reps on Twitter to find out more about the measures they took to temporarily fix this issue; I have yet to receive a response. Either they’re too busy fixing the problem to respond or they can’t come up with an answer because nothing has been done.
A quick nmap port scan of a random Time Warner subnet showed dozens of routers still open and vulnerable to attack. When the scan was expanded to more IPs, hundreds of routers were found. I spoke with Ira Victor of Data Security Podcast over the weekend about the continued problem with these routers; you can hear the podcast here.
Here’s a couple of ideas for Time Warner to fix this right away:
- Change the default configuration of the routers to use WPA2 instead of WEP for wifi encryption. It’s ok if you don’t want the customers to change their wifi settings, but at least use a key that’s not derived from the router’s MAC address (which is broadcast over wifi).
- Disable access to the router’s web admin page from outside IPs. The options are in the router (see below); a simple config change would block access to the router from the internet.
- Block traffic to ports 8080, 8181 and 23 (those are the ports that are open on the SMC8014 routers) at the ISP level. This of course should be a temporary fix until the hardware can be replaced with something more secure.
- Of course the best idea would be to immediately recall those routers and issue your customers real cable modems and decent wifi routers with good security.

If you have an SMC8014 series modem/router combo, get rid of it. Call up Time Warner and ask them to replace it with a standard cable modem and get yourself a real router.
UPDATE: Finally figured out what the “patch” Time Warner deployed was. If a user tries to login with the user/user account, it simply kicks them back to the login page with javascript. All routers are still open to the internet and all still have the same default admin password.
Posted: October 26th, 2009
Robert Scoble came by the Pip.io office a few weeks ago and interviewed us for his show Building 43! It was a really great time talking with him, and we got a lot of excellent feedback.
For those of you that know me, this is what I’ve been working on for the past year. For those who don’t, this is Pip.io. Here’s the video!
Posted: October 25th, 2009
If you’re a Time Warner/Road Runner internet customer and are using an SMC8014 series cable modem/wifi router combo, you should be aware of a serious security hole that allows anyone to access your private network and possibly capture and manipulate your private data.
For most Time Warner customers, unless you provide your own router, they will supply you with a cable modem/wifi router combo. It’s typically an SMC8014WG-SI, a pretty crappy piece of hardware in my opinion. Time Warner installs the device with their default configurations; it allows the customer to do nothing more than add URLs to be blocked. This is done via the web interface using a generic user/user account which is given to the customer. Wifi networking is locked into WEP mode and a random string of hex as the network name and key. If you want to use any sort of port-forwarding or advanced network configurations, forget about it.
I was asked by a friend to help change their wifi network name and password to something easier to remember. In addition to changing the network name, I wanted to change the default WEP encryption to WPA2. We all know WEP encrypted networks can be cracked within minutes. After poking around using the customer account, I found that access to the admin features of the router has been disabled via JavaScript. You heard me correctly, the web admin for the router simply uses a script to hide certain menu options when the user does not have admin privileges. By simply disabling JavaScript in the browser, I was able to access all the features of the router. With that access, I am now able to change the wifi settings, port-forwarding, etc.
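The design flaw described above, and its fix, as an added example that is not part of the original post or the router's firmware: a small model of a web admin that hides admin pages with a script, next to one that checks the role on the server for every request. The page paths, role names and session tokens are assumptions made up for the illustration.

```javascript
// Added example, not the router's firmware: a model of the admin web UI's
// access control. Paths, roles and tokens are hypothetical, constructed values.
const SESSIONS = new Map([
  ["tok-user", { role: "customer" }],
  ["tok-admin", { role: "admin" }],
]);
const RANK = { customer: 1, admin: 2 };

// Every page the UI can serve and the lowest role allowed to fetch it.
const PAGES = new Map([
  ["/url_block.html", { minRole: "customer", body: "URL blocking" }],
  ["/wireless.html", { minRole: "admin", body: "Wifi settings" }],
  ["/port_forward.html", { minRole: "admin", body: "Port forwarding" }],
  ["/backup_config.cgi", { minRole: "admin", body: "Configuration dump" }],
]);

// Design described in the post: the server only checks that someone is
// logged in, then relies on a script in the page to hide the admin menu.
function handleClientSideOnly(req) {
  const session = SESSIONS.get(req.token);
  if (!session) return { status: 401, body: "login required" };
  const page = PAGES.get(req.path);
  if (!page) return { status: 404, body: "not found" };
  const hide = session.role === "admin" ? "" : "<script>hideAdminMenu()</script>";
  return { status: 200, body: page.body + hide };
}

// Corrected design: the role is compared on the server for every request,
// so the decision does not depend on what the browser executes.
function handleServerSide(req) {
  const session = SESSIONS.get(req.token);
  if (!session) return { status: 401, body: "login required" };
  const page = PAGES.get(req.path);
  if (!page) return { status: 404, body: "not found" };
  if (RANK[session.role] < RANK[page.minRole]) {
    return { status: 403, body: "forbidden" };
  }
  return { status: 200, body: page.body };
}

// Audit helper: every page a session can actually fetch through a handler.
function reachablePages(handler, token) {
  return [...PAGES.keys()].filter((path) => handler({ token, path }).status === 200);
}

console.log("client-side only:", reachablePages(handleClientSideOnly, "tok-user"));
console.log("server-side     :", reachablePages(handleServerSide, "tok-user"));
```

Running `reachablePages` for each role against the real handler is a cheap regression test: the customer's list should contain only the pages the customer is meant to have.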
It just gets better from here. The extra features that I now had access to included a little item called “Back Up Configuration File”. When I clicked it, a text dump of the router’s configurations was saved to my desktop. Upon examination of this file, I found the admin login & password in plaintext. Another issue which was alarming was the fact that by default, the web admin is accessible from ANYWHERE on the internet. By running a simple port scan of Time Warner IP addresses, I easily found dozens of these routers, open to attack. Of course I got in touch with Time Warner’s security department and warned them about the security issue but their response was simply “we are aware of it but we cannot do anything about it”.
Now you can put two and two together and realize that this has opened a gaping hole on every single Time Warner customer’s network that uses the SMC8014. By forcing the customers to use only WEP encryption on their wifi network, they are allowing anyone to penetrate the network with ease. Also, by using a fixed format for the SSID, it’s extremely easy to tell which wifi network is using the device. Once inside, anyone can access the router’s web interface and login with the admin account. What makes this even scarier is the fact that the web interface is accessible from anywhere. From within your own network, an intruder can eavesdrop on sensitive data being sent over the internet and even worse, they can manipulate the DNS address to point trusted sites to malicious servers to perform man-in-the-middle attacks. Someone skilled enough can possibly even modify and install a new firmware onto the router, which can then automatically scan and infect other routers.
I urge anyone using Time Warner for internet to call customer service and complain about this problem. But first get rid of the SMC8014 and replace it with a real cable modem and a solid router.
EDIT: Thanks to Joe for pointing out the picture is actually not the SMC8014, it should have 5 ethernet ports on the back. I got that picture from SMC’s web page for the SMC8014WG-SI. Just more evidence that SMC is incompetent.
Posted: October 20th, 2009