Gaping security hole in Time Warner cable routers

Gaping security hole in Time Warner cable routers

Summary: A gaping security hole in cable modems distributed to Time Warner/Road Runner customers could potentially be exploited remotely to access private networks and possibly capture and manipulate private data.

SHARE:
TOPICS: Networking, Security
98

A gaping security hole in cable modems distributed to Time Warner/Road Runner customers could potentially be exploited remotely to access private networks and possibly capture and manipulate private data.

That's the warning issued by David Chen, a blogger and start-up founder who discovered he could trivially access a customer's  of Time Warner’s SMC8014 series cable modem/Wi-Fi router combo by simply disabling JavaScript in the browser to access hidden features in the router's admin interface.

Chen explains:

After poking around using the customer account, I found that access to the admin features of the router has been disabled via Javascript. You heard me correct, the web admin for the router simply uses a script to hide certain menu options when the user does not have admin privileges. By simply disabling Javascript in the browser, I was able to access all the features of the router. With that access, I am now able to change the wifi settings, port-forwarding, etc.

One of the extra features found by Chen included an admin utility called "Back Up Configuration File" that was essentially a text dump of the router's configurations.

Upon examination of this file, I found the admin login & password in plaintext.  Another issue which was alarming was the fact that by default, the web admin is accessible from ANYWHERE on the internet.  By running a simple port scan of Time Warner IP addresses, I easily found dozens of these routers, open to attack.

This is a really serious issue for any Time Warner/Road Runner running the SMC8014 router:

Now you can now put two and two together and realize that this has opened a gaping hole on every single Time Warner customer’s network that uses the SMC8014.  By forcing the customers to use only WEP encryption on their wifi network, they are allowing anyone to penetrate the network with ease.  Also by using a fixed format for the SSID, it’s extremely easily tell which wifi network is using the device.  Once inside, anyone can access the router’s web interface and login with the admin account.  What makes this even scarier, is the fact that the web interface is accessible from anywhere.  From within your own network, an intruder can eavesdrop on sensitive data being sent over the internet and even worse, they can manipulate the DNS address to point trusted sites to malicious servers to perform man-in-the-middle attacks.  Someone skilled enough can possibly even modify and install a new firmware onto the router, which can then automatically scan and infect other routers automatically.

Chen said he reported the issue to Time Warner and was told that nothing could be done about the problem.  A spokesman for Time Warner told Wired's Kim Zetter the issue is being fixed.

* More at Threatpost and Threat Level.

Topics: Networking, Security

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.

Talkback

98 comments
Log in or register to join the discussion
  • how about telling us how to fix it?

    Can the customer log into their own router and
    change the vulnerable settings? Please advise.
    Geedavey
    • If the hacker has changed the username/password, then you're hosed.

      A simple reset with a paper clip will reset your
      router and you can now login to your TWC router.
      Grayson Peddie
      • "If the hacker has changed the username/password, then you're hosed."

        No u are not.you always can reset the router.Every router has a reset switch in the back.
        TheCableGuyNY
        • Not according to the article

          In the article, he suggests that the firmware can be flashed. If the flashed router default password changes; then your hosed.
          I THINK.
          jacksojm
          • Using any ISP equipment...

            exclusively is an invitation to be pwned. I always advise my clients to buy their own hardware gateway/firewall, to put behind the ISP source for protection.
            JCitizen
          • Behind? But then it won't do anything.

            If the firmware on your modem is hacked to send a
            copy of everything to hackers, or redirect
            software update requests to their own servers (to
            trojan your computer), or just to shut it off, or
            whatever else could be done with it.. nothing
            [i]behind[/i] it is going to help any!
            AzuMao
          • Some allow them to purchase their own..

            modem, and these are the ones I bother with.

            Although I'm stuck with one that won't however, she is my sister, and I'm trying to shield her in anyway I can.

            It's basically me just praying she doesn't get cracked, and I told her that too. The only extra mitigation for her, if she's lucky, that is - is that it is a services gateway, and is blocking viruses and spam before they get to the LAN. However, as you point out, that won't stop today's parasites.
            JCitizen
          • "Allow"??? Wtf does that mean? They should give you a discount for using

            your own rather then renting one from them..
            AzuMao
          • Hey, Quest sucks! What can I say?...

            Maybe they will get a class action on Time Warner, then we can add that sloppy ISP to the list too!

            I plan on pushing them very hard on this issue, you can believe me!
            JCitizen
    • "how about telling us how to fix it?"

      It`s very easy to fix.Just get the model # of the router,do a search from google: SMC8014 user manual.
      then find the ip address from the router.log in,the disable the REMOTE MANAGEMENT.from the user manual u can change all Hidden features of the router.you can do the same with the verizon router.
      TheCableGuyNY
      • Google the info??

        This is the same Google & Internet combo I know that offers up malware infested sites and allows any nut to publish anything they want as gospel fact? "I made the router change. And I also installed AntiVirus 2010 because the site said I was infected!" Umm, not a well thought out plan...

        The better option would be to direct TWC customers to a TWC site so there would be some validation of the info provided. You know, a pro-active approach.
        ejhonda
      • All moot, anyway, I believe

        Since according to the story you can view the password in clear text when disabling javascript and no amount of complex passwords applied would currently address the underlying issue.
        ejhonda
      • Sorry to disappoint you, but that is all ran by the firmware, so no.

        Try again.
        AzuMao
      • Fix:

        turn off javascript in your browser

        (This will allow you full admin options when you login as the customer)

        type "192.168.0.1" in your address bar
        username: cusadmin
        password: password
        change the settings any way you like them to protect your network.

        Here's the manual: http://www.google.com/url?sa=t&source=web&ct=res&cd=2&ved=0CA0QFjAB&url=http%3A%2F%2Fwww.smc.com%2Ffiles%2FAA%2FMN_SMC8014-BIZ.pdf&ei=kgbpSpyIHMzd8QaWsaSJDw&usg=AFQjCNEzAVt2O3FYEar-FjNUluWLtMt32A&sig2=iMQEA01cKeU5xsSDfg1AaA
        blaacksheep
        • Nice password.

          Great American minds at work, as usual.
          AzuMao
    • It's Firmware! Time Warner is Scary!!!

      By using a default web accessible OS that uses scripts that make it vulnerable to web based attacks on both wired (though cable) and wireless, what evil lurks in the company. Close the door with the setting change for private network access on wired control connectivity and you still have wireless attacks coming in, if you just use WEP.

      Only real option is to change both the settings or not use wireless at all and change Web access default, so the device can't be administered from outside your own network at all.

      That's a crying shame, that it's setup this way by default. Makes you wonder what Time Warner had in mind, when they handed these modems out! Scary!!! 1984 anyone? ;)

      How many of you actually need to change router settings from the web side? 1 or 2 if not none! :D
      i2fun@...
      • change settings from web side

        Aka: Remote Administration by Time Warner... Comcast doesn't provide the customer with credentials to administer the WiFi routers they provide, they ONLY administer them remotely for you. Meaning that this kind of situation is great, as long as NO one knows about this kind of security hole.. oops, too late. Shame that Time Warner didn't see any need to disclose this in their Terms of Service, but that they disclaim all liability for unintended problems.
        zenofjazz@...
    • Re: how about telling us how to fix it

      Get another router and put it behind the T/W router. The $50 Linksys routers work fine for this. Be sure you set a REAL password on it, and ditto for the WiFi setup (you ARE using WPA-PSK2 with AES-256, right?) This won't prevent you from getting into something bad like Trojans and the like (no Layer-3 firewall will), but it WILL keep people from making a connection to your PC unless you inititate it first. If you feel adventurous you can ALSO turn on Windows firewall; don't use it as a replacement for a hardware firewall, however.
      cerving
      • yeah.. uh I want to put another firewall behind a known compromised one

        Yeah I'm with McFly here (sorry "cerving") I want to put another firewall/router behind a KNOWN exploited/exploitable one..

        hmmm.. lets see... man in the middle works HOW?

        Oh yeah.. by BEING IN THE MIDDLE OF THE NETWORK CONVERSATION!

        Whats to stop someone from putting in bogus routing information to have all traffic from the 2nd router, sent to a third party site first, and then out to the net?

        AND if they develope a firmware that would install on the device, and allow even more controls.. redirecting traffic in various ways, DNS one way, http another, and SMTP .. well you're dead there ... your behind your additional firewall and all your packets are still sent elsewhere .... yup.. that works..

        Think McFly ...
        TG2
        • It's better than nothing...

          and if you buy the right router/gateway/firewall hardware, and lock it down, at least you can mitigate it.

          As far as Time Warner, class action lawsuit anyone?
          JCitizen