
Time Warner Cable's 65,000 Routers Open to Hack

Source: Tom's Hardware US

Time Warner Cable has acknowledged a 'major security hole' present in up to 65,000 routers in customers' homes.

Time Warner Cable today rolled out a temporary patch for a security hole discovered by blogger David Chen. While helping a friend change the Wi-Fi settings on their SMC8014 series cable modem/Wi-Fi router combo, Chen noticed that the web admin for the router simply uses a script to hide certain menu options when the user does not have admin privileges.

"By simply disabling Javascript in the browser, I was able to access all the features of the router. With that access, I am now able to change the wifi settings, port-forwarding, etc.," writes Chen.

Chen, a software engineer and founder of the social communications platform start-up Pip.io, goes on to say this opened up access to a "Back Up Configuration File." With just one click, Chen reports, a text dump of the router's configuration was saved to his desktop, and in it were the login and password in plaintext. So that's it, right? I mean, there's nothing else, is there? Wrong. Wired reports that Chen discovered the same login details could be used to access every router in the SMC8014 series on Time Warner's network.

"Another issue which was alarming was the fact that, by default, the web admin is accessible from ANYWHERE on the internet. By running a simple port scan of Time Warner IP addresses, I easily found dozens of these routers, open to attack."

David says he contacted TWC's security department to warn the company and was told, "We are aware of it but we cannot do anything about it."

According to CNet the company has rolled out a temporary patch and is testing a permanent fix for the problem. It's nice to see that Time Warner Cable changed its tune.
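
The flaw Chen describes, reduced to an added sketch (not SMC8014 firmware and not code from the article): a handler that only hides admin pages with a script, beside one that enforces the role on the server and redacts the password in the configuration backup. The routes, tokens and config values are constructed for the example.

```javascript
// Added illustration only: not SMC firmware. Routes, tokens and config values are constructed.
const CONFIG = { ssid: "HomeNet", adminUser: "admin-example", adminPassword: "constructed-secret" };
const SESSIONS = new Map([["tok-user", "user"], ["tok-admin", "admin"]]); // token -> role
const ROUTES = new Map([ // path -> whether the page is admin-only
  ["/status", false],
  ["/wifi", true],
  ["/port-forward", true],
  ["/backup-config", true],
]);

function dumpConfig(redact) {
  return Object.entries(CONFIG)
    .map(([k, v]) => `${k}=${redact && /password/i.test(k) ? "<redacted>" : v}`)
    .join("\n");
}

// Weak pattern: every page is served to any logged-in user; a script merely
// hides the admin menu, so a browser with scripting off sees everything.
function handleWeak(req) {
  const role = SESSIONS.get(req.token);
  if (!role) return { status: 401, body: "login required" };
  if (!ROUTES.has(req.path)) return { status: 404, body: "not found" };
  const hide = role === "admin" ? "" : "<script>hideAdminMenu()</script>\n";
  const page = req.path === "/backup-config" ? dumpConfig(false) : `page ${req.path}`;
  return { status: 200, body: hide + page };
}

// Corrected pattern: the server checks the role on every request, unknown
// paths are denied, and the backup never contains the password in clear.
function handleHardened(req) {
  const role = SESSIONS.get(req.token);
  if (!role) return { status: 401, body: "login required" };
  if (!ROUTES.has(req.path)) return { status: 404, body: "not found" };
  if (ROUTES.get(req.path) && role !== "admin") return { status: 403, body: "forbidden" };
  const page = req.path === "/backup-config" ? dumpConfig(true) : `page ${req.path}`;
  return { status: 200, body: page };
}
```
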

Top Comments
  • 12 Hide
    JasonAkkerman , October 21, 2009 3:45 PM
    There is an account that can be used to access any of their routers? Sounds like they left a backdoor open on purpose. Maybe for tech support reasons, but it's still a shady thing to do.
  • 12 Hide
    SAL-e , October 21, 2009 3:51 PM
    Security by obscurity + proprietary mind set = NO SECURITY
Other Comments
  • -3 Hide
    lenell86 , October 21, 2009 3:40 PM
    lulz fail
  • 8 Hide
    hellwig , October 21, 2009 4:07 PM
    JasonAkkerman wrote: There is an account that can be used to access any of their routers? Sounds like they left a backdoor open on purpose. Maybe for tech support reasons, but it's still a shady thing to do.


    Comcast was able to "remotely program" my Motorola cable modem to be compatible with their network. I'm not sure what this means, maybe they did nothing and just added my MAC address into their system, but I wouldn't be surprised if all these devices had some sort of backdoor for the ISPs to use.

    That said, it's ridiculous that simple javascript was used to "hide" the admin features. Your average user may not know how to bypass this, but obviously anyone savvy enough to even attempt to gain access to your router would know how to do this. And a universal account that can access each router? And that can be printed out in plain text? Unbelievable.
  • 0 Hide
    doomtomb , October 21, 2009 4:50 PM
    hellwig wrote: Comcast was able to "remotely program" my Motorola cable modem to be compatible with their network. I'm not sure what this means, maybe they did nothing and just added my MAC address into their system, but I wouldn't be surprised if all these devices had some sort of backdoor for the ISPs to use. That said, it's ridiculous that simple javascript was used to "hide" the admin features. Your average user may not know how to bypass this, but obviously anyone savvy enough to even attempt to gain access to your router would know how to do this. And a universal account that can access each router? And that can be printed out in plain text? Unbelievable.

    My ISP was also able to remotely program my modem and see it. My ISP is Suddenlink.
  • 0 Hide
    intelliclint , October 21, 2009 5:02 PM
    AT&T U-verse uses a similar "residential gateway" which is basically a DSL adapter and router combined. I wonder how secure it is. It even offers some remote file access. You have to use it if you're using the IP-TV or the VoIP as it handles all of that on dedicated pipes.

    First thing I did with mine is a full ip / port forward to a Linux server that functions as my router. I use a content filter / proxy for web traffic and intrusion detection. I do miss the lower latency I was getting with my old cable modem.
  • 0 Hide
    void5 , October 21, 2009 5:45 PM
    hellwig & doomtomb:

    Indeed you can upload new firmware to cable modem (CPE) remotely - but to do so you need admin access to CMTS your cable modem is physically connected to (and/or ISP servers if configuration details are stored outside of CMTS). CMTS hardware is quite costly. And any sane cable modem manufacturer would implement digital signing of firmware to thwart malicious "reflashing" attempts (so it is necessary to physically disassemble CPE and use special hardware to "flash" something non-official).

    Insanity described in this article is sad yet typical example of "security" in real world...
  • 0 Hide
    JonathanDeane , October 21, 2009 5:48 PM
    doomtomb wrote: My ISP was also able to remotely program my modem and see it. My ISP is Suddenlink.


    Cable modems download a software update to enable different modes. It's how people hack their own cable modems to "uncap" them. Basically you run a "server" on your PC and update that file to say 100mbps or whatever. Please note that this is totally illegal and will get you disconnected in a hurry (although I have heard small bumps in speed can be gotten away with). The cable company only updated a small file on your modem with your tier information and what version of DOCSIS they are using. This is unrelated to the story though. The story is only talking about the routers that the cable company can install for you, now with access like this I wonder if it would be possible to install a custom firmware something like tomato... With that kind of access one could have an almost instant 65,000 machine broadband botnet...
  • 0 Hide
    razor512 , October 21, 2009 6:02 PM
    while it is a stupid mistake that should have never happened, at least time warner is fixing it.

    PS currently many routers provided for verizon dsl and qwest dsl (not fios)

    have the actiontec gt704wg or other actiontec series with a crappy bloated firmware from verizon. and guess what, they have remote access over the internet enabled by default and even though the password can be changed, the telnet password can't on some firmware versions, it also offers no protection against brute force attacks. a simple port scan of a range of like 100 ip's from either company's net block will lead to probably 20-30 vulnerable dsl gateways which are easy to log into

    I have called verizon to tell them about this since I used to have an actiontec, the worker didn't understand what I was telling them.
  • -2 Hide
    jellico , October 21, 2009 6:18 PM
    This wouldn't really be a problem if you put decent router between their router/cable modem and your computer or network. And for Pete's sake, CHANGE THE DEFAULT PASSWORD!
  • 4 Hide
    SAL-e , October 21, 2009 6:31 PM
    jellico wrote: This wouldn't really be a problem if you put decent router between their router/cable modem and your computer or network. And for Pete's sake, CHANGE THE DEFAULT PASSWORD!

    It is a big problem. If I can get access to TW router I will own your network in no time.
    1. I will change your DNS settings and redirect all your traffic to proxy that I control.
    2. I will monitor your traffic and collect all your passwords quite easily.
    3. I can perform "man in the middle" attack. None of the security protocols will protect you if I can control your TW router.
  • 0 Hide
    wildwell , October 21, 2009 6:39 PM
    Oh man, I have Time Warner's cable internet and a Time Warner modem (says Comcast actually) but I don't use their router. I have lots of friends (at least three others) who have Time Warner and I think they all use the Time Warner wifi routers.
  • 0 Hide
    leafblower29 , October 21, 2009 6:42 PM
    My isp can send me messages in my browser.
  • 0 Hide
    void5 , October 21, 2009 6:48 PM
    leafblower29, your ISP can do quite a lot of things with your internet connection. And thanks to the stupidity of some ISPs malicious folks can do a lot of damage and remain anonymous...
  • 0 Hide
    JasonAkkerman , October 21, 2009 6:49 PM
    hellwig wrote: That said, it's ridiculous that simple javascript was used to "hide" the admin features. Your average user may not know how to bypass this, but obviously anyone savvy enough to even attempt to gain access to your router would know how to do this. And a universal account that can access each router? And that can be printed out in plain text? Unbelievable.


    It wouldn't take anyone that savvy. Using Firefox with the noscript plugin will disable javascript on all sites, including local addresses.

    I bet he was using the same setup and just stumbled on this security hole.
  • 0 Hide
    hemelskonijn , October 21, 2009 7:15 PM
    Nearly all ISPs have this kind of problem since they all want to be in control over their clients.
    Any Dutch ISP at the time of writing gives out a box they can remote update and reset, which in my humble opinion is insecure.
    Another downside to this would be all my carefully chosen settings are reset as soon as they update my modems/routers.
    In my case since i have a multi-wan setup (2x(a)DSl + cable) i simply have to reset an exposed host (my dedicated multi-wan router/firewall).
    But it should be in my control since no end user should be forced to reset port assignments every 14 days or so.

    ISP's should just let go of their need to control our routers or at least give the end user a choice between being controlled or taking control.
    At the moment you're allowed to use your own hardware so you can eliminate needless updates that way, however it won't stay this way forever and even though i bought my own stuff there should be an option to kill remote updates/resets.
  • 0 Hide
    huron , October 21, 2009 7:37 PM
    This is simply amazing. It's hard to believe that in such a major company that a hole this large would be allowed to happen.

    Isn't someone in charge of network security there? Something like this, even for the sake of remote access, should not happen. There are much more secure ways to make this happen.
  • 2 Hide
    wildwell , October 21, 2009 8:02 PM
    So Time Warner is working on a patch for their routers; are they going to use their backdoor to update the firmware with this patch? More importantly, will they close the door behind them when they leave?
  • 0 Hide
    jellico , October 21, 2009 8:09 PM
    SAL-e wrote: It is a big problem. If I can get access to TW router I will own your network in no time. 1. I will change your DNS settings and redirect all your traffic to proxy that I control. 2. I will monitor your traffic and collect all your passwords quite easily. 3. I can perform "man in the middle" attack. None of the security protocols will protect you if I can control your TW router.

    First of all, if you re-route DNS, the change will show up in the logs of the secondary router which you don't control. The secondary router will prevent you from directly infiltrating my network from the compromised TW router. So even if I wasn't aware of the gaping security hole in the TW router, I would know something is up. You would have control of my network traffic for maybe a few minutes, and the only thing you would be seeing with your packet sniffer is ping and network traffic tests as I try to figure out the sudden increase in latency of my Internet traffic. It wouldn't take long to figure out that there was a problem with the TW router, and then I would focus my attention there. Since I still have physical control of the hardware, I would perform a reset and then monitor incoming traffic to the TW router.

    Anyway, that's what I would do. Someone less sophisticated would still benefit by putting another router between the TW router and their network because the second router prevents a hacker from COMPLETELY infiltrating their home network. All banking and credit card transactions use SSL and TLS encryption protocols, so you won't gain anything from there. I don't know if online games take the same precautions, so you might be able to hijack someone's World of Warcraft account.

    Honestly, though, if your intention is to do any of this, your efforts would bear more fruit if you went war driving and attacked networks with unsecured wireless APs. If they don't secure their wireless routers, then chances are their computers are going to be under-protected as well. Or, another thing you could do is go to someplace like a university campus, or airport where there is free wi-fi and plenty of people using it. Set up your laptop to look like a local AP, and then begin your packet sniffing and MitM attacks.

    As I'm sure you well know, no amount of network security will prevent the intrusion of a determined and skilled adversary. It's more like putting bars on the windows and doors of your house. Sure, a burglar could still get in if he really wanted to; but why waste the time when the neighbor's house has no bars, and... look at that, the back sliding door is unlocked. That's the point I was trying to make with my original post.
  • 3 Hide
    ravewulf , October 21, 2009 8:39 PM
    I'd like to say that I'm surprised by this idiocy, but I'm not.