Time Warner Cable's 65,000 Routers Open to Hack

By Jane McEntegart
published

Time Warner Cable has acknowledged a 'major security hole' present in up to 65,000 routers in customers homes.

Time Warner Cable today rolled out a temporary patch for a security hole discovered by blogger David Chen. While helping a friend change the Wi-Fi settings on their SMC8014 series cable modem/Wi-Fi router combo, Chen noticed that the web admin for the router simply uses a script to hide certain menu options when the user does not have admin privileges.

"By simply disabling Javascript in the browser, I was able to access all the features of the router. With that access, I am now able to change the wifi settings, port-forwarding, etc.," writes Chen.

The software engineer and founder of social communications platform start-up, Pip.io, goes on to say this opened up access to a "Back Up Configuration File." With just one click, Chen reports that a text dump of the router's configurations was saved to his desktop and in there, was the login in and password in plaintext. So that's it, right? I mean, there's nothing else, is there? Wrong. Wired reports that Chen discovered the same login details could be used to access every router in the SMC8014 series on Time Warner’s network.

"Another issue which was alarming was the fact that, by default, the web admin is accessible from ANYWHERE on the internet. By running a simple port scan of Time Warner IP addresses, I easily found dozens of these routers, open to attack."

David says he contacted TWC's security department to warn the company and was told, “We are aware of it but we cannot do anything about it."

According to CNet the company has rolled out a temporary patch and is testing a permanent fix for the problem. It's nice to see that Time Warner Cable changed its tune.

Jane McEntegart
Topics
Security
25 Comments Comment from the forums
  • lenell86
    lulz fail
    Reply
  • JasonAkkerman
    There is an account that can be used to access any of their routers? Sounds like they left a backdoor open on purpose. Maybe for tech support reasons, but it's still a shady thing to do.
    Reply
  • SAL-e
    Security by obscurity + proprietary mind set = NO SECURITY
    Reply
  • hellwig
    JasonAkkermanThere is an account that can be used to access any of their routers? Sounds like they left a backdoor open on purpose. Maybe for tech support reasons, but it's still a shady thing to do.
    Comcast was able to "remotely program" my Motorolla cable modem to be compatible with their network. I'm not sure what this means, maybe they did nothing and just added my MAC address into their system, but I wouldn't be surprised if all these devices had some sort of backdoor for the ISPs to use.

    That said, it's ridiculous that simple javascript was used to "hide" the admin features. Your average user may not know how to bypass this, but obviously anyone savvy enough to even attempt to gain access to your router would know how to do this. And a universal account that can access each router? And that can be printed out in plain text? Unbelievable.
    Reply
  • doomtomb
    hellwigComcast was able to "remotely program" my Motorolla cable modem to be compatible with their network. I'm not sure what this means, maybe they did nothing and just added my MAC address into their system, but I wouldn't be surprised if all these devices had some sort of backdoor for the ISPs to use.That said, it's ridiculous that simple javascript was used to "hide" the admin features. Your average user may not know how to bypass this, but obviously anyone savvy enough to even attempt to gain access to your router would know how to do this. And a universal account that can access each router? And that can be printed out in plain text? Unbelievable.My ISP was also able to remotely program my modem and see it. My ISP is Suddenlink.
    Reply
  • intelliclint
    AT&T U-verse using a similar "residential gateway" which is basically a DSL adapter and router combined. I wonder how secure it is. It even offers some remote file access. You have to use it if you’re using the IP-TV or the VoIP as it handles all of that on dedicated pipes.

    First thing I did with mine is a full ip / port forward to a Linux server that functions as my router. I use a content filter / proxy for web traffic and intrusion detection. I do miss the lower latency I was getting with my old cable modem.
    Reply
  • void5
    hellwig & doomtomb:

    Indeed you can upload new firmware to cable modem (CPE) remotely - but to do so you need admin access to CMTS your cable modem is physically connected too (and/or ISP servers if configuration details are stored outside of CMTS). CMTS hardware is quite costly. And any sane cable modem manufacturer would implement digital signing of firmware to thwart malicious "reflashing" attempts (so it is necessary to physically disassemble CPE and use special hardware to "flash" something non-official).

    Insanity described is this article is sad yet typical example of "security" in real world...
    Reply
  • JonathanDeane
    doomtombMy ISP was also able to remotely program my modem and see it. My ISP is Suddenlink.
    Cable modems download a software update to enable different modes. Its how people hack there own cable modems to "uncap" them. Basically you run a "server" on your PC and update that file to say 100mpbs or what ever. Please note that this is totally illegal and will get you disconnected in a hurry (although I have heard small bumps in speed can be gotten away with) The cable company only updated a small file on your modem with your tier information and what version of DOCSIS they are using. This is unrelated to the story though. The story is only talking about the routers that the cable company can install for you, now with access like this I wonder if it would be possible to install a custom firmware something like tomato... With that kind of access one could have an almost instant 65,000 machine broadband botnet...
    Reply
  • razor512
    while it is a stupid mistake that should have never happened, at least time warner is fixing it.

    PS currently many routers provided for verizon dsl and qwest dsl (not fios)

    have the actiontec gt704wg or other actiontec series with a crappy bloated firmware from verizon. and guess what, they have remote access over the internet enabled by default and even though the password can be changed, the telnet password cant on some firmware versions, it also offers no protection against brute force attacks. a simply port scan of a range of like 100 ip's from either companies net block will lead to probably 20-30 vulnerable dsl gateways which are easy to log into

    I have called verizon to tell them about this since I used to have a actiontec, the worker didn't understand what I was telling them.
    Reply
  • jellico
    This wouldn't really be a problem if you put decent router between their router/cable modem and your computer or network. And for Pete's sake, CHANGE THE DEFAULT PASSWORD!
    Reply