Tuesday, September 20, 2011

Cable ISPs

Incited by the topic of my previous post, I did a little hunting. The cable ISP I use at home bought a big chunk of their network, including that in my town, from the "upstream" ISP I mentioned earlier. I did a wee ping scan and found that I've been quite naive with respect to cable ISP security.

I discovered that at this ISP (and there's a bit of assumption here) all of the cable modems get a private IP in the 10/8 range in addition to the public and routable "WAN" IP that gets assigned to them. The unhappy part of this is that my cable modem's status web interface is available to anyone on my "local" ISP's network. If I thought about it at all, previously, I guess I assumed that the CM's web interface was only local and not exposed to a fair chunk of the Net. Some cable modems only show their connection status, others provide a management login prompt... I imagine that many of them are still set to accept the manufacturer's default password. This is on a network with potentially thousands of "local" users. The potential problems compound for those modems that double as wireless routers, such as mine. Once authenticated on it, one can navigate to a page that reveals the pre-shared key that is necessary to get past the WPA encryption on the WiFi side.

In case you want something to take home from this topic... if you have a cable ISP, lock down your modem by changing its default password. It may sound silly and simple, but while totally unsecured wireless routers are vulnerable to anyone who's out wardriving, your cable modem may be open to any basement dweller on the same ISP (or anyone siphoning off a cable subscriber's WiFi).
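Changing the password is the fix; the point the post makes about the 10/8 address is that it is not your home LAN, so any admin-page hit arriving from that range (or from the public Internet) deserves the same suspicion as one from a stranger. The script below is an added example, not code from the original post or from any modem vendor: it takes a few constructed access-log lines in an assumed "timestamp client_ip method path status" format, treats 192.168.0.0/24 as the (assumed) trusted LAN, and flags management-page requests from anywhere else, separating the ISP-shared 10/8 from other outside sources. The log format, LAN subnet and admin path prefixes are all assumptions for illustration.

```python
"""Added example (not from the original post): flag management-interface
requests to a home cable modem/router that did not come from the LAN.

Assumptions (constructed for this example, not taken from any real device):
- Access log lines look like: "timestamp client_ip method path status".
- The trusted home LAN is 192.168.0.0/24.
- The ISP assigns modems a second address in 10.0.0.0/8; that range is shared
  with every other subscriber, so it is treated as untrusted here.
"""
import ipaddress

TRUSTED_LAN = ipaddress.ip_network("192.168.0.0/24")   # assumed home LAN
ISP_SHARED = ipaddress.ip_network("10.0.0.0/8")        # ISP-side "private" range
ADMIN_PATH_PREFIXES = ("/admin", "/login", "/wireless", "/status")  # assumed

# Constructed sample log: one LAN user, one 10/8 neighbour who reaches the
# wireless page after logging in, and one public-Internet attempt that is refused.
SAMPLE_LOG = """\
2011-09-20T08:01:12 192.168.0.23 GET /status 200
2011-09-20T08:03:44 10.42.17.9 GET /status 200
2011-09-20T08:04:01 10.42.17.9 POST /login 302
2011-09-20T08:04:03 10.42.17.9 GET /wireless 200
2011-09-20T08:10:55 192.168.0.5 GET /images/logo.png 200
2011-09-20T09:00:00 203.0.113.7 GET /admin 401
"""


def parse_line(line):
    """Split one access-log line into a dict; raises ValueError on malformed input."""
    ts, ip, method, path, status = line.split()
    return {
        "ts": ts,
        "ip": ipaddress.ip_address(ip),
        "method": method,
        "path": path,
        "status": int(status),
    }


def is_admin_request(entry):
    """True if the request path belongs to the management interface."""
    return entry["path"].startswith(ADMIN_PATH_PREFIXES)


def classify_source(ip):
    """Label where a non-LAN client address came from."""
    if ip in TRUSTED_LAN:
        return "lan"
    if ip in ISP_SHARED:
        return "isp-shared-10/8"
    return "other"


def find_untrusted_admin_access(log_text):
    """Return admin-interface requests whose client is outside the trusted LAN."""
    findings = []
    for raw in log_text.splitlines():
        raw = raw.strip()
        if not raw:
            continue
        entry = parse_line(raw)
        if not is_admin_request(entry):
            continue
        source = classify_source(entry["ip"])
        if source == "lan":
            continue
        findings.append({
            "ts": entry["ts"],
            "ip": str(entry["ip"]),
            "path": entry["path"],
            "status": entry["status"],
            "source": source,
            # 2xx/3xx means the device served the page: a login or a redirect
            # after login, not just a refused attempt.
            "served": entry["status"] < 400,
        })
    return findings


def summarize(findings):
    """Count served versus rejected outside-LAN admin requests."""
    served = sum(1 for f in findings if f["served"])
    return {"successful": served, "rejected": len(findings) - served}


if __name__ == "__main__":
    hits = find_untrusted_admin_access(SAMPLE_LOG)
    for h in hits:
        flag = "SERVED " if h["served"] else "refused"
        print(f"{h['ts']} {flag} {h['path']:<10} from {h['ip']} ({h['source']})")
    print(summarize(hits))
```

A served request from a 10/8 neighbour, as in the sample, is exactly the case the post warns about: the device answered an admin page to someone who is not on your LAN. If the device cannot restrict its interface to the LAN side, the only control left is the password, which is why changing the default is the practical fix.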

"So?" you say. "At least the cable ISPs are limited in geographic and IP routing scope, so how much damage could be done?" Consider that pretty much *every* ISP currently has multiple subscribers whose computers are already infected with malware and may be part of a botnet. How much more difficult would it be for the bad guys to leverage an existing malware presence on your local cable ISP to wreak more harm? Plenty of room for clever, evil mischief.