January 2003 Issue
Bandwidth Burglary in Broad Daylight
How to Prevent a Simple Hack
By David Jacobs, Steve C. Lee, and Mark Millet, Cisco Systems
Unless you implement all of the available DOCSIS security features, hackers may plunder your high-speed data network for bandwidth that they're not paying for.
At this moment, hackers are busily attacking your high-speed data networks. Numerous articles and postings on the Internet describe how individuals have "bypassed" their cable operators' provisioning processes, and increased throughput on their cable modems. Web sites exist that show in extreme detail, often with pictures and step-by-step instructions, how to compromise the modem.
Cable modems installed in the past few years all adhere to the Data Over Cable Service Interface Specification (DOCSIS) standard, and DOCSIS was built by people who understood that the standard must protect against this type of hacking.
So, how can hacking happen anyway? The answer is that most cable operators have not enabled the DOCSIS security features.
Modifying config files
A recent article explained how a cable subscriber (we'll call him Fred, because that's not his real name) was able to exploit his cable provider's lack of interest in protecting its network. Fred increased his access to bandwidth by creating a new configuration file and downloading it into his modem.
Fred had observed that his download speed was only 75 kilobits per second, so he studied the publicly available DOCSIS specifications that describe how cable modems are configured. After determining how his provider had configured his modem, he reconfigured it to enable a much higher throughput.
DOCSIS modems are configured using a configuration file. When the modem boots up, it requests an Internet protocol (IP) address and configuration parameters by using the dynamic host configuration protocol (DHCP). The DHCP server supplies an IP address, the DOCSIS configuration file name to download, and the IP address of a trivial file transfer protocol (TFTP) server from which to transfer the file. DOCSIS configuration files specify the maximum download and upload bandwidth for a modem. The ability to configure modem bandwidth on individual modems enables the provider to sell and charge for various tiers of service.
Fred created his own configuration file and set up a TFTP server on his home network, giving it the IP address of the cable operator's TFTP server and serving his file under the filename the modem requested. He then rebooted his modem several times, as the hacking Web sites instruct. The modem's TFTP request reached his local server as well as the operator's, his local server answered first, and the modem downloaded Fred's file instead of the operator's. By creating and loading his own configuration file, Fred obtained more bandwidth than the cable provider intended, enough to consume a large fraction of the capacity of his cable segment.
Shared secrets add protection
Fred's approach to his network performance problems creates obvious problems for cable providers. Such attacks were anticipated when the DOCSIS standard was created, and a technique to prevent them was made part of the standard. Fred's cable provider simply did not take advantage of it. To use the DOCSIS standard's protection, the cable provider configures a shared secret on both the cable modem termination system (CMTS) and the software that creates the configuration file.
When the shared secret is enabled, a value called the message integrity check (MIC) is added to the configuration file. The MIC is a keyed hash (a message authentication code; the DOCSIS specifications use HMAC-MD5) computed over the configuration file's contents with the shared secret as the key. Unlike a plain checksum, it cannot be recomputed by someone who does not hold the secret, and the configuration file itself never contains the shared secret value. In addition to the bandwidth parameters, the configuration file may contain a time stamp indicating when the file was created and the IP address of the modem for which it is intended. Those two fields prevent Fred from borrowing the premium-service file from his friend George across town.
After the configuration file is downloaded to the modem but before data transfer can begin, the modem sends the contents of the configuration file to the CMTS in a step called registration. The CMTS applies the shared secret to compute the expected value of the MIC. If the MIC doesn't match, the time stamp has expired, or the IP address in the file does not match the IP address assigned to the modem, then the modem is not using the operator's specified file, and it is denied access.
Fred doesn't know the operator's shared secret, so he cannot include a valid MIC value, and he will be denied access. However, if the operator didn't use a secret value, Fred gains access.
If Fred were able to obtain a modem configuration file from someone who had paid for a higher level of service and loaded it into his modem, the CMTS would notice the expired time stamp or IP address not matching Fred's cable modem. If Fred paid for a higher-level service for a month, saved the configuration file and then downgraded his service and tried to reuse the saved configuration file, the time stamp would again be expired. Fred's network access would be shut off.
Dynamic configuration eases implementation
The obvious answer for cable providers is to use the techniques defined in the DOCSIS standard. However, this requires per-modem configuration files dynamically created with the current time stamp and the proper IP address. Many providers use static configuration files because they do not have the ability to generate a new file for each modem registration. This means that they cannot take advantage of these added protection techniques.
There are solutions to this problem -- so-called "registrars" that provide the ability to generate configuration files "on the fly." The registrar creates a configuration file template for each available level of service. When a cable modem connects to the network, a new configuration file is created for that specific modem. The registrar is configured with the same shared secret as the CMTS serving the same portion of the network. The registrar also adds the time stamp and the IP address of the modem to the file and computes the MIC using the shared secret. The file is then forwarded to the modem and subsequently uploaded to the CMTS.
When the CMTS computes the expected MIC, it can verify that the file was created by the registrar and not by an end user such as Fred. To reduce the possibility that the shared secret is revealed somehow, the registrar permits a different shared secret to be configured for each portion of the network. The CMTSs for that portion of the network are configured with the same shared secret, while the CMTSs for another part of the network are configured with a different shared secret.
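The MIC mechanism and the registrar's per-modem file generation described in the two passages above, as an added example in Python (not code from the article or from any Cisco product). The TLV layout follows the DOCSIS 1.0 configuration-file format; the CM MIC (type 6) is an unkeyed MD5 and the CMTS MIC (type 7) is HMAC-MD5 keyed with the shared secret, as in the specification. Carrying the time stamp and modem IP in a vendor-specific TLV (type 43) with the layout shown, adding that TLV to the set the CMTS MIC covers, and the 600-second file lifetime are this example's own assumptions; the page does not say how the registrar encodes those fields.

```python
"""DOCSIS-style config file with CM MIC and CMTS MIC, and the CMTS-side
checks at registration. Added example; layout of TLV 43 and MAX_FILE_AGE
are assumptions, not taken from the article or any product."""
import hashlib
import hmac
import ipaddress
import itertools
import struct

# TLV types the CMTS MIC covers, hashed in this order. Assumption: the
# DOCSIS 1.0 list (1, 2, 3, 4, 17, 6) plus vendor TLV 43 so the time
# stamp and modem IP are protected by the keyed hash as well.
CMTS_MIC_TYPES = (1, 2, 3, 4, 17, 43, 6)
MAX_FILE_AGE = 600  # seconds a registrar file stays valid (constructed value)


def tlv(t, value):
    """Encode one type-length-value element (1-byte type, 1-byte length)."""
    if len(value) > 255:
        raise ValueError("TLV value too long")
    return bytes([t, len(value)]) + value


def parse_tlvs(data):
    """Decode TLVs up to the end-of-data marker (255); type 0 is a 1-byte pad."""
    out, i = [], 0
    while i < len(data) and data[i] != 255:
        if data[i] == 0:
            i += 1
            continue
        t, length = data[i], data[i + 1]
        out.append((t, data[i + 2:i + 2 + length]))
        i += 2 + length
    return out


def class_of_service(class_id, down_bps, up_bps):
    """DOCSIS 1.0 Class of Service TLV (type 4): class id, max down/up rates."""
    inner = (tlv(1, bytes([class_id])) + tlv(2, struct.pack(">I", down_bps))
             + tlv(3, struct.pack(">I", up_bps)))
    return tlv(4, inner)


def cm_mic(tlvs):
    """CM MIC (type 6): unkeyed MD5 over every TLV before it; anyone can redo it."""
    before = itertools.takewhile(lambda tv: tv[0] != 6, tlvs)
    return hashlib.md5(b"".join(tlv(t, v) for t, v in before)).digest()


def cmts_mic(tlvs, shared_secret):
    """CMTS MIC (type 7): HMAC-MD5 keyed with the operator's shared secret over
    the covered TLVs in CMTS_MIC_TYPES order. Forging it requires the secret."""
    covered = b"".join(tlv(t, v) for want in CMTS_MIC_TYPES
                       for t, v in tlvs if t == want)
    return hmac.new(shared_secret, covered, hashlib.md5).digest()


def build_config(down_bps, up_bps, modem_ip, shared_secret, now):
    """What the registrar emits for one modem: tier, time stamp, IP, both MICs."""
    body = tlv(3, b"\x01")  # Network Access Control: enabled
    body += class_of_service(1, down_bps, up_bps)
    body += tlv(43, struct.pack(">I", now) + ipaddress.IPv4Address(modem_ip).packed)
    body += tlv(6, cm_mic(parse_tlvs(body)))
    body += tlv(7, cmts_mic(parse_tlvs(body), shared_secret))
    return body + b"\xff"


def max_downstream_bps(config):
    """Read the maximum downstream rate a file grants (sub-TLV 2 of type 4)."""
    for t, v in parse_tlvs(config):
        if t == 4:
            for st, sv in parse_tlvs(v):
                if st == 2:
                    return struct.unpack(">I", sv)[0]
    raise ValueError("no Class of Service TLV")


def fred_edits(config, new_down_bps):
    """What a subscriber can do without the secret: raise the rate, recompute
    the unkeyed CM MIC, and leave the old CMTS MIC in place."""
    out = b""
    for t, v in parse_tlvs(config):
        if t == 4:
            v = b"".join(tlv(st, struct.pack(">I", new_down_bps) if st == 2 else sv)
                         for st, sv in parse_tlvs(v))
        elif t == 6:
            v = cm_mic(parse_tlvs(out))
        out += tlv(t, v)
    return out + b"\xff"


def verify_registration(config, shared_secret, assigned_ip, now):
    """CMTS decision when the modem uploads the file at registration.
    Returns (accepted, reason). shared_secret=None models an operator
    that never enabled the feature: only the unkeyed CM MIC is checked."""
    tlvs = parse_tlvs(config)
    by_type = dict(tlvs)
    if not hmac.compare_digest(by_type.get(6, b""), cm_mic(tlvs)):
        return False, "CM MIC mismatch"
    if shared_secret is None:
        return True, "accepted without a shared secret"
    if not hmac.compare_digest(by_type.get(7, b""), cmts_mic(tlvs, shared_secret)):
        return False, "CMTS MIC mismatch"
    if len(by_type.get(43, b"")) < 8:
        return False, "no time stamp or IP"
    stamp = struct.unpack(">I", by_type[43][:4])[0]
    if now - stamp > MAX_FILE_AGE:
        return False, "time stamp expired"
    if ipaddress.IPv4Address(by_type[43][4:8]) != ipaddress.IPv4Address(assigned_ip):
        return False, "IP address mismatch"
    return True, "accepted"
```

Run `fred_edits` on a file built with one secret and `verify_registration` rejects it with a CMTS MIC mismatch even though the CM MIC is intact, while the same file passes when `shared_secret` is `None`. Verifying a file against a different segment's secret fails the same way, which is the per-segment isolation the registrar provides; a file presented from another modem's IP address or long after its time stamp is rejected on those checks instead.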
Using the features within the DOCSIS spec is essential for controlling theft of service, but additional precautions are still needed. Cable providers should change their shared secret regularly and should not use the same shared secret throughout their network.
They must also monitor their networks regularly for any signs of possible theft of service. To make frequent secret changes practical, some CMTS units can store several shared-secret strings at once, so a new secret can be phased in while files created under the old one are still accepted. Rotating the secret this way limits the time an attacker has to recover it by brute-force computation, and limits the damage if one secret leaks.
Keeping track of time
Another useful CMTS feature, called "TFTP-enforce," checks each time a cable modem registers that the modem actually downloaded its configuration file from the network's TFTP server. A modem that presents a valid configuration file at registration can still be denied access if it did not download that file from the network during that registration attempt.
Fred also took advantage of another area of vulnerability, his cable modem itself. Fred provided his own TFTP server and connected it to his cable modem through the local Ethernet port. The software in Fred's modem sent out the initial TFTP request on both the cable port and the local port. The server on his local network responded more quickly than the cable provider's TFTP server so the modem accepted the configuration file from his house. While not explicitly prohibited in earlier versions of the DOCSIS specification, this is now forbidden. Most modem vendors have provided updated software to prevent issuing the TFTP request via the local port. But, the operator is responsible for deploying that software before the hackers (Fred and friends) modify the cable modem to prevent the operator from upgrading it.
Protection against theft-of-service will become an issue of increasing importance as cable operators move beyond the residential market and into the small- and medium-sized business market and begin to provide voice over IP services to residences and businesses. The standards organizations understand the importance of the issue and are careful to provide protection techniques, but no protection mechanism helps if it isn't utilized.
BOTTOM LINE
DOCSIS Thwarts Theft
The bad news is that hackers are busily attacking your high-speed data networks. They are modifying their modem configuration files to exceed the bandwidth limitations placed upon them. The result: a loss of potential revenues you might earn from the sale of ultra high-speed service and a degradation of bandwidth available to legitimate customers. The good news is that you can prevent this by implementing all of the security provisions within the DOCSIS specification.
David Jacobs is an engineering manager in the Systems Deployment Methodology Group at Cisco Systems. Email him at .
Steve C. Lee is the manager of broadband network engineering in the Cable Business Unit at Cisco. He can be reached at .
Mark Millet is the senior system architect for the Cisco CMTS platforms. Email him at .