Best offers
Exclusive Interview: Nvidia's Ian Buck Talks GPGPU
With Snow Leopard and Windows 7 both offering GPGPU capabilities, we wanted to talk to Nvidia's Ian Buck. Not only is he one of the fathers of Brook, the programming language ultimately adopted by AMD/ATI, but the head of Nvidia's CUDA group as well. Read More
-
Beamforming: The Best WiFi You’ve Never Seen
Forget 802.11n Draft 2.0. The future of video-capable WiFi depends on a signal-boosting technique called beamforming. We put the pioneers in this frontier through some real-world testing to find out which technology is going to change the wireless world. Read More
-
Exclusive Interview: Going Three Levels Beyond Kernel Rootkits
Today we have the pleasure of chatting with Joanna Rutkowska, one of the top computing security innovators in the world. She is the founder and CEO of Invisible Things Lab (ITL), a boutique computer security consulting and research firm. Read More
Partners
The Games selection
violent :
Interactive Buddy
Unwind on your interactive buddy: Do anything you want to him, it will earn you money, and you can buy other stuff to torture him with.
|
crazy :
PC Breakdown
What is worst than a Fatal Error occuring during a game you did not save? Unleash your rage at your PC in this game. Blow it to pieces, it feels so...
|
Sponsored links
Time Warner Cable's 65,000 Routers Open to Hack
Next news- Email |
- Print |
- Comments (26) |
- Share
Time Warner Cable has acknowledged a 'major security hole' present in up to 65,000 routers in customers homes.
Time Warner Cable today rolled out a temporary patch for a security hole discovered by blogger David Chen. While helping a friend change the Wi-Fi settings on their SMC8014 series cable modem/Wi-Fi router combo, Chen noticed that the web admin for the router simply uses a script to hide certain menu options when the user does not have admin privileges.
"By simply disabling Javascript in the browser, I was able to access all the features of the router. With that access, I am now able to change the wifi settings, port-forwarding, etc.," writes Chen.
The software engineer and founder of social communications platform start-up, Pip.io, goes on to say this opened up access to a "Back Up Configuration File." With just one click, Chen reports that a text dump of the router's configurations was saved to his desktop and in there, was the login in and password in plaintext. So that's it, right? I mean, there's nothing else, is there? Wrong. Wired reports that Chen discovered the same login details could be used to access every router in the SMC8014 series on Time Warner’s network.
"Another issue which was alarming was the fact that, by default, the web admin is accessible from ANYWHERE on the internet. By running a simple port scan of Time Warner IP addresses, I easily found dozens of these routers, open to attack."
David says he contacted TWC's security department to warn the company and was told, “We are aware of it but we cannot do anything about it."
According to CNet the company has rolled out a temporary patch and is testing a permanent fix for the problem. It's nice to see that Time Warner Cable changed its tune.
Source : Tom's Hardware US
- Help! Why wont my Router Talk to my Switch?? [General Networking]
- $150 Wireless Router/access point suggestions please [General Networking]
- Need specific advice on connecting 2 pcs. [General Networking]
- General cable modem questions [General Networking]
- Wireless connexion very slow [Wireless Networking]
Questions? Ask Tom's community!
Sponsored links
Related articles
-
Another interesting idea we saw on the forums involved programming an iRobot to roam around the house and scan for intruders. Of course, this robot wouldn't have access to weapons like the Terminator, but it would be equipped with audio and visual sensors as well as wireless (802.11) capabilities to detect intruders and transmit its findings. Perhaps it could even be controlled remotely if the user wanted to direct the camera to a specific location. I think something like this would have a lot of practical uses and applications. A Robotic Surveyor I saw a couple proposals for an iRobot Create outfitted to map a location and wirelessly report its data to a PC for analysis. The most thought out of these proposals mentioned using IR rangefinders to detect the environment and create the map, and to constantly update the information to account for drift over time. Image copyright Warner Brothers Pictures A Robotic Stuffed Animal Toy Sounds cutesy, but I could see this being a commercial success. The idea is to have an iRobot suited as a stuffed animal, with tracking and following capabilities. Imagine a stuffed bear that follows your child's movements with its eyes, and follows your child from room to room. The robot would also have wireless capabilities and could be given commands from a PC. That beats a tickle-me-Elmo and reminds me of the movie "A.I." A Robot To Assist Those With Disabilities Among the ideas put forward is a really intriguing concept that would put a robot to use as an assistant for the disabled. A quadriplegic could control their living space with laser-activated household items, or the robot could even be used as a surrogate to play with their dog. It's this kind of project that really opens your eyes as to the potential benefits robotics could offer humanity.
-
At CES, outside of the folks that actually build DVD drives, the action was on movie downloads and the beginning of HD movie downloads. At the event, in the opening keynote, Bill Gates dwarfed a slight mention on HD-DVD and focused much more heavily on "Live," Microsoft's on-line service for entertainment. At the event that eclipsed CES, MacWorld, Steve Jobs, a Blu-ray supporter, didn't even mention Blu-ray and focused, with Disney, on content downloads to the iPhone and the Apple TV instead. In fact there was vastly more activity surrounding on-line movie and TV content delivery at both shows than there was combined discussion on HD-DVD or Blu-ray. Download content is gated by two things, content access (what the studios make available) and band width. For instance it takes me about twelve hours do download a HD move on my DSL service, around four hours for a standard definition movie. As the industry gets better and better with regard to compression the extra capacity surrounding HD-DVD and Blu-ray may become less important. More importantly, many of the people backing both standards are now switching to on-line delivery which could obsolete both offerings for much of the world by year end. Porn industry tries a different approach One of the interesting announcements at CES was that the porn industry was moving to HD-DVD because Blu-ray didn't want them. What many don't realize is that at the same time, CES runs the porn industry has their big show and, in many ways, that industry is actually more profitable. While the Porn industry has also had massive piracy problems, they have focused their technical advancements on enabling a complex channel of on-line delivery outlets in what looks like a muli-level marketing format. People can, with little background, set up an on-line store to sell, legally, content from these studios. These stores specialize in their customers unique needs and, as we understand, can be very profitable while also providing strong revenue streams back to the studios producing content. I often wonder what would happen if the MPAA, instead of treating every legitimate customer as if they were a criminal in waiting, focused on actually selling more stuff like the porn industry does. My sense is they probably would generate more profit and while piracy might also go up, their primary goal should be to increase profit not be another police force. Higher capacity may actually be a disadvantage In addition, last year, according to the studios, enhanced DVD packages (like collector's editions) actually sold better if they had more physical DVDs in them. In several cases, where a dual sided release was followed by a multiple disk single sided product with the same content, people actually returned the dual sided single disk packages for the multi-disk single sided (older technology) product. People felt that more was better and, even though there was no difference in the actual content, bought the older technology disks. The Blu-ray guys in particular really need to look at their own stats on this. If their big advantage is capacity and buyers don't care, that is going to be a problem. But, if we bypass disks entirely, capacity is the least of their worries. Time Warner and LG get impatient Time Warner announced a dual-format disk at CES. This disk, which has to be relatively expensive to make, has Blu-ray content on one side and HD-DVD content on the other. If every studio were to adopt this, it would be vastly better for retailers who currently have to split the content on two shelves and for consumers who will often find the movie they want doesn't run on the player they bought. However, this move would favor the lower cost player, so you would expect the HD-DVD camp will like it and the Blu-ray player buyers won't. If only the HD-DVD side moves to this format, it would actually favor Blu-ray, because it would make more content available for Blu-ray. The fact that the second alternative is the most likely makes this very interesting given Time Warner is generally thought to be in the HD-DVD camp even though they support both formats. LG, on the other hand, announced the first HD-DVD/Blu-Ray combination player with an estimated price of $1200. While clearly expensive, this is some the Blu-Ray players started out and this price should drop. If these players catch on, it would make the whole battle pointless and studios would simply move to the least expensive format, which is HD-DVD right now. Scalers: More convincing Before CES, I had a chance to use a DVD player with a surprisingly good scalar. The Oppo DV-981HD provided an impressive picture on a HD display and I ran it against both Blu-ray (PS3) and HD-DVD (Xbox) content. While the true HD content obviously was a little better (except for some of the poorly done Blu-ray movies, which were actually worse), if you didn't have the displays side by side you likely wouldn't notice the difference. In effect, the Oppo is an expensive DVD player at $230, but an inexpensive alternative to the HD players which will cost you at least twice as much. And don't forget, this DVD player makes all the DVDs you already have look better. At CES DVD players, TVs, and monitors with good scalers were all over the place. Gateway started selling monitors last year with a similar scaler to the one Oppo uses built in, Dell announced a 27" monitor with a very strong scaler built in as well, suggesting this trend is going well beyond just TVs and DVD players (scalers in monitors allow you to get better images from lower cost graphics cards and notebook computers). One interesting fact is that the Xbox 360 has a built-in scalar, while the PS3 does not. As a result, DVD movies played on an Xbox 360 are likely to look better than if they were played on a PS3. While not in the same class as the Faroudja scalar used by Oppo, the Xbox 360 version does improve how a DVD or older game looks on an HD set and is one of the advantages the Xbox has and we don't talk about much. With more and more content coming from services like YouTube scalers increasingly become important because, without scalers, these videos will look like crap on our HD TVs. In addition much of what we currently have is standard definition and no one really wants to re-buy all of their movies. Not if they have a choice and scalars give you that choice. So, my view of CES is - regardless of HD-DVDs market leadership, and Blu-ray's better marketing - standard DVD with an up-converting scaler is the technology that makes the most sense right now. Rob Enderle is principal analyst for the Enderle Group. He can be reached at renderle@enderlegroup.com.
-
Scalers beat HD DVD and Blu-ray at CES 2007 - analysis
San Jose (CA) - The high-def age is upon and if you are buying a TV this year anyway, why not buy a HD player as well? And, do you buy HD DVD or Blu-ray, if you are looking for the technology that makes most sense right now? We were looking for clues at CES and found a very convincing answer. Just not the one we expected. With unbelievable drama both the HD DVD and Blu-ray camp claimed victory at CES, but it quickly became clear that the market was moving on as even supporters started drifting to the next "big thing". HD DVD takes the lead, in numbers Much of this year's Consumer Electronics Show focused on the high-def battle between HD DVD and Blu-ray - and we saw some interesting developments that may not have been so obvious. Take, for example, the introduction of Toshiba's announcement of low cost HD-DVD players and recorders. Besides the fact that HD becomes a bit more affordable to the consumer, this move really upset the Blu-ray vendors: This aggressive pricing comes at a relatively early point and it was going to destroy the cushy margins that typically come with the entry of any new technology. When something is "new," vendors can charge high prices for the related hardware for some time and while they won't sell many products, they do make a tasty profit on each unit that changes hands. Toshiba is penetration pricing - you could think that they actually want to win this battle against Sony and they are foregoing the healthy margins to get there. Toshiba knows that Blu-ray has a significant cost disadvantage right now anyway; but I doubt the other HD-DVD manufacturers are particularly happy (though they weren't vocal about that at CES) about this rapid drop in prices either. If this wasn't enough, there was a lot of discussion on just how badly many of the first Blu-ray movies were done, mostly out of the Sony studios. This wasn't a Blu-ray technology problem, this was a studio problem. Blu-ray movies, for example, from Time/Warner, who releases in both formats, are well done. Folks were wondering whether Colombia Pictures, Sony's studio, was actually trying to torpedo Blu-ray by releasing bad conversions. Sony has a historical problem with divisional infighting and this may be another example of that infighting breaking out into the real world. It is interesting to note that Sony/BMG and Columbia have both been the most aggressive in the use of DRM. Columbia movies are known for having problems with some players and Sony/BMG got nailed for tying a rootkit based anti-piracy attack last year. From a standpoint of the facts, HD-DVD ended the year as the clear leader. And, with an apparently increasing cost advantage, this scenario is unlikely to change. Over on Amazon's Product Wars, which provides some clues how HD media sales are developing, HD DVD had the clear lead in most categories, though Blu-ray did close the gap for a short time towards the end of last month. Blu-ray declares victory We are used to rather strange and unexpected announcements in the HD industry. And here is another one: The numbers didn't keep the Blu-ray camp from declaring victory at CES. Using some questionable statistics sourced from one of the Blu-ray exclusive studios (Fox), they came out with a brilliant PR effort that reminded me a lot of textbook campaigns in politics. Twice recently wrote about a rather creative lead in titles and some really aggressive PS3 numbers. There was also talk about a controversial GFK report stating that Blu-ray had 96% of the Japanese market, which led to the conclusion that this technology would have the clear lead by 2010 Blu-ray. At CES, HD-DVD folks suddenly looked like a deer caught in the headlights as they moved from what they believed to be a clear victory to a defensive position battling the Blu-ray message. This battle is far from over and just because you have a clear victory doesn't mean you can kick back and let the other side own the message. Fox did a brilliant job of taking the fight back to the HD-DVD camp and also provided a reminder that marketing will probably play a huge role in whether either of these formats actually makes it. In 2008, the PS3 is expected to ramp to volume and even though the Xbox 360 has an HD-DVD attachment there will likely be more PS3 sold than HD-DVD accessories for the Xbox largely because Sony actually markets the PS3 while Microsoft continues to underfund demand-generating marketing (I should note that the HD-DVD player did sell out in some markets). While we know that most PS3s won't be used for movies, the market moves on perception. This could allow Sony to balance the ramp of low cost Toshiba HD DVD players and recorders hitting the market. Granted, the real metric will be on movies sold. HD-DVD should have the advantage here, but that will both depend on the number of actual players and the quality of content because it doesn't matter if the player is cheaper if the content you want is on the other kind of player. For example, this week's hottest movie, Crank, is on Blu-ray. One huge discord was that Disney, the only studio that people ask for by name and a big asset for Blu-ray, seemed to be more interested in Apple TV at MacWorld than Blu-ray at CES.
lulz fail
There is an account that can be used to access any of their routers? Sounds like they left a backdoor open on purpose. Maybe for tech support reasons, but it's still a shady thing to do.
Security by obscurity + proprietary mind set = NO SECURITY
Grass is green.
There is an account that can be used to access any of their routers? Sounds like they left a backdoor open on purpose. Maybe for tech support reasons, but it's still a shady thing to do.
Comcast was able to "remotely program" my Motorolla cable modem to be compatible with their network. I'm not sure what this means, maybe they did nothing and just added my MAC address into their system, but I wouldn't be surprised if all these devices had some sort of backdoor for the ISPs to use.
That said, it's ridiculous that simple javascript was used to "hide" the admin features. Your average user may not know how to bypass this, but obviously anyone savvy enough to even attempt to gain access to your router would know how to do this. And a universal account that can access each router? And that can be printed out in plain text? Unbelievable.
Comcast was able to "remotely program" my Motorolla cable modem to be compatible with their network. I'm not sure what this means, maybe they did nothing and just added my MAC address into their system, but I wouldn't be surprised if all these devices had some sort of backdoor for the ISPs to use.That said, it's ridiculous that simple javascript was used to "hide" the admin features. Your average user may not know how to bypass this, but obviously anyone savvy enough to even attempt to gain access to your router would know how to do this. And a universal account that can access each router? And that can be printed out in plain text? Unbelievable.
My ISP was also able to remotely program my modem and see it. My ISP is Suddenlink.
AT&T U-verse using a similar "residential gateway" which is basically a DSL adapter and router combined. I wonder how secure it is. It even offers some remote file access. You have to use it if you’re using the IP-TV or the VoIP as it handles all of that on dedicated pipes.
First thing I did with mine is a full ip / port forward to a Linux server that functions as my router. I use a content filter / proxy for web traffic and intrusion detection. I do miss the lower latency I was getting with my old cable modem.
hellwig & doomtomb:
Indeed you can upload new firmware to cable modem (CPE) remotely - but to do so you need admin access to CMTS your cable modem is physically connected too (and/or ISP servers if configuration details are stored outside of CMTS). CMTS hardware is quite costly. And any sane cable modem manufacturer would implement digital signing of firmware to thwart malicious "reflashing" attempts (so it is necessary to physically disassemble CPE and use special hardware to "flash" something non-official).
Insanity described is this article is sad yet typical example of "security" in real world...
My ISP was also able to remotely program my modem and see it. My ISP is Suddenlink.
Cable modems download a software update to enable different modes. Its how people hack there own cable modems to "uncap" them. Basically you run a "server" on your PC and update that file to say 100mpbs or what ever. Please note that this is totally illegal and will get you disconnected in a hurry (although I have heard small bumps in speed can be gotten away with) The cable company only updated a small file on your modem with your tier information and what version of DOCSIS they are using. This is unrelated to the story though. The story is only talking about the routers that the cable company can install for you, now with access like this I wonder if it would be possible to install a custom firmware something like tomato... With that kind of access one could have an almost instant 65,000 machine broadband botnet...
while it is a stupid mistake that should have never happened, at least time warner is fixing it.
PS currently many routers provided for verizon dsl and qwest dsl (not fios)
have the actiontec gt704wg or other actiontec series with a crappy bloated firmware from verizon. and guess what, they have remote access over the internet enabled by default and even though the password can be changed, the telnet password cant on some firmware versions, it also offers no protection against brute force attacks. a simply port scan of a range of like 100 ip's from either companies net block will lead to probably 20-30 vulnerable dsl gateways which are easy to log into
I have called verizon to tell them about this since I used to have a actiontec, the worker didn't understand what I was telling them.
This wouldn't really be a problem if you put decent router between their router/cable modem and your computer or network. And for Pete's sake, CHANGE THE DEFAULT PASSWORD!
This wouldn't really be a problem if you put decent router between their router/cable modem and your computer or network. And for Pete's sake, CHANGE THE DEFAULT PASSWORD!
It is a big problem. If I can get access to TW router I will own your network in no time.
1. I will change your DNS settings and redirect all your traffic to proxy that I control.
2. I will monitor your traffic and collect all your passwords quite easy.
3. I can perform "men in the middle" attack. None of the security protocols will protect you if I can control your TW router.
Oh man, I have Time Warner's cable internet and a Time Warner modem (says Comcast actually) but I don't use their router. I have lots of friends (at least three others) who have Time Warner and I think they all use the Time Warner wifi routers.
My isp can send me messages in my browser.
leafblower29, your ISP can do quite a lot of things with your internet connection. And thanks to the stupidity of some ISPs malicious folks can do a lot of damage and remain anonymous...
That said, it's ridiculous that simple javascript was used to "hide" the admin features. Your average user may not know how to bypass this, but obviously anyone savvy enough to even attempt to gain access to your router would know how to do this. And a universal account that can access each router? And that can be printed out in plain text? Unbelievable.
It wouldn't take anyone that savvy. Using Firefox with the noscript plugin will disable javascript on all site, including local addresses.
I bet he was using the same setup and just stumbled on this security hole.
Nearly all ISP's have this kind of problem since they all want to be in control over there clients.
Any dutch ISP at the time of writing gives out a box they can remote update and reset which in my humble opinion that it is insecure.
Another downside to this would be all my carefully chosen settings are reset as soon as they update my modems/routers.
In my case since i have a multi-wan setup (2x(a)DSl + cable) i simply have to reset an exposed host (my dedicated multi-wan router/firewall).
But it should be in my control since no end user should be forced to reset port assignments every 14 days or so.
ISP's should just let go of their need to control our routers or at least give the end user a choice between being controlled or taking control.
At the moment your allowed to use your own hardware so you can eliminate needless updates that way, however it wont stay this way forever and even though i bought my own stuff there should be an option to kill remote updates/resets.
This is simply amazing. It's hard to believe that in such a major company that a hole this large would be allowed to happen.
Isn't someone in charge of network security there? Something like this, even for the sake of remote access, should not happen. There are much more secure ways to make this happen.
So Time Warner is working on a patch for their routers; are they going to use their backdoor to update the firmware with this patch? More importantly, will they close the door behind them when the leave?
It is a big problem. If I can get access to TW router I will own your network in no time.1. I will change your DNS settings and redirect all your traffic to proxy that I control.2. I will monitor your traffic and collect all your passwords quite easy.3. I can perform "men in the middle" attack. None of the security protocols will protect you if I can control your TW router.
First of all, if you re-route DNS, the change will show up in the logs of the secondary router which you don't control. The secondary router will prevent you from directly infiltrating my network from the compromised TW router. So even if I wasn't aware of the gaping security hole in the TW router, I would know something is up. You would have control of my network traffic for maybe a few minutes, and the only thing you would be seeing with your packet sniffer is ping and network traffic tests as I try to figure out the sudden increase in latency of my Internet traffic. It wouldn't take long to figure out that there was a problem with the TW router, and then I would focus my attention there. Since I still have physical control of the hardware, I would perform a reset and then monitor incoming traffic to the TW router.
Anyway, that's what I would do. Someone less sophisticated would still benefit by putting another router between the TW router and their network because the second router prevents a hacker from COMPLETELY infiltrating their home network. All banking and credit card transactions use SSL and TLS encryption protocols, so you won't gain anything from there. I don't know if online games take the same precautions, so you might be able to hijack someone's World of Warcraft account.
Honestly, though, if your intention is to do any of this, your efforts would bear more fruit if you went war driving and attacked networks with unsecured wireless APs. If they don't secure their wireless routers, then chances are their computers are going to be under-protected as well. Or, another thing you could do is go to someplace like a university campus, or airport where there is free wi-fi and plenty of people using it. Setup your laptop to look like local AP, and then being your packet sniffing and MitM attacks.
As I'm sure you well know, no amount of network security will prevent the intrusion of a determined and skilled adversary. It's more like putting bars on the windows and doors of your house. Sure, a burglar could still get in if he really wanted to; but why waste the time when the neighbor's house has no bars, and... look at that, the back sliding door is unlocked. That's the point I was trying to make with my original post.
I'd like to say that I'm surprised by this idiocy, but I'm not.
Comcast was able to "remotely program" my Motorolla cable modem to be compatible with their network. I'm not sure what this means, maybe they did nothing and just added my MAC address into their system, but I wouldn't be surprised if all these devices had some sort of backdoor for the ISPs to use.That said, it's ridiculous that simple javascript was used to "hide" the admin features. Your average user may not know how to bypass this, but obviously anyone savvy enough to even attempt to gain access to your router would know how to do this. And a universal account that can access each router? And that can be printed out in plain text? Unbelievable.
Come to think of it, I used to use Comcast, and they were able to remotely access info off my Motorola Surfboard at the time. I think they were even able to force it to perform a power cycle (reboot).
I have to say though, with regards to this news article. It's pretty pathetic that a company like Time Warner is using Javascript to protect sensitive features. Lots of browsers these days disable Javascript by default, and sometimes business machines may have Javascript disabled as part of their own virus protection to keep employees from inadvertently downloading trojans and such.
I'd like to say that I'm surprised by this idiocy, but I'm not.
Same here. I used to use TW where I used to live because they had the fastest internet around. (plus a decent phone/cable/internet package deal) Unfortunately, I had all sorts of problems with them. I remember having to call tech support a few times to try and report a problem that was occuring on their end. The operator kept trying to insist that it had to be my problem. What took the cake was when she asked me what OS is used. When I responded with Linux, she said: "Linux? This is an operating system?" And then tried to tell me that was my problem. Needless to say, a few days later it got fixed, and sure enough it was their equipment and not mine. I hate ISPs.
Whateverrrr.
I believe TW secretly calls this their "remote management" (spy) option.
Noscript would do this anyway...
So go to the router page with noscript enabled, and bam, instant access.
what do you think you are doing oleave it ot me i am crash override