June 2001 Issue
From the Pipe: DSL Security Scare Could Alarm Cable Modem Subs
By Laura Hamilton, Editor, CT's Pipeline
Alcatel was clobbered with news recently that researchers at San Diego Supercomputer Center (SDSC) and Carnegie Mellon University were calling out security problems with its Speed Touch Home digital subscriber line (DSL) modems. And if you think this has nothing to do with cable modems, read on.
"These flaws can allow an intruder to take complete control of the device, including changing its configuration, uploading new (modem software) and disrupting the communications between the telephone central office providing asynchronous DSL (ADSL) service and the device," SDSC's Tsutomu Shimomura reports. Known for tracking down infamous hacker Kevin Mitnick, Shimomura discovered the problem while testing his own Alcatel modem.
Just a DSL thing?
While Shimomura's talking about a DSL product, this still could make your high-speed data customers goosey about security.
Why? The alert ran in newspapers across the country, and Alcatel defended itself by saying Internet connections are vulnerable "regardless of the type of software upgradeable access equipment being used (cable or DSL modems)."
Another researcher who discovered the flaws, SDSC's Tom Perrine, insists that the warning was not to "beat up Alcatel." Instead, the team felt there were enough weaknesses to require an alert, he says.
"Without a firewall, any PC in any configuration (home PC or in a local area network) is open to attacks by hackers. Therefore, Alcatel highly recommends the use of firewalls as a general practice, especially for those with always-on cable or DSL connections," the manufacturer explains. "Alcatel is not aware of a case where a Speed Touch modem user has been compromised due to the reported vulnerabilities."
A cable modem vendor response
"It looks like this is mostly an Alcatel problem, and maybe even a DSL industry problem," Com21 CTO John Pickens told CT's Pipeline after reviewing the supporting documentation from SDSC and Carnegie Mellon's Computer Emergency Response Team (CERT).
Pickens points out that in Com21's early proprietary cable system, the company dealt with any potential security issues by managing the modems out-of-band.
"As for Data Over Cable Service Interface Specification (DOCSIS) products, we as an industry have covered the potential security issues quite thoroughly," Pickens continues. "DOCSIS 1.1 has made the security even more robust."
"I suppose that ultimately, any device--PC or otherwise--can be compromised if the attacker works hard enough at it. But the vendors, and the industry if this is an industry problem, would be well-served to not leave unmarked doors open all over the place."
"CT's Pipeline" is a weekly HTML newsletter delivered exclusively to SCTE members via e-mail. For more information on this and other member benefits, contact the SCTE at , or visit www.scte.org.

Access Intelligence's CABLE GROUP