[122124] in North American Network Operators' Group
Re: Insecure Cable networks ?
daemon@ATHENA.MIT.EDU (Truman Boyes)
Sat Feb 6 01:59:10 2010
From: Truman Boyes <truman@suspicious.org>
In-Reply-To: <202705b1002051843l16af5ca2qff387812f1763549@mail.gmail.com>
Date: Sat, 6 Feb 2010 17:58:30 +1100
To: Jorge Amodio <jmamodio@gmail.com>
Cc: NANOG <nanog@nanog.org>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org
On 6/02/2010, at 1:43 PM, Jorge Amodio wrote:
<snip>
> fired nmap, tried several 10/24 networks and just playing by hand
> found hundreds of devices and every single one I tried default =
password
> it worked, not only modems, also modem/routers and some with
> integrated VoIP where if I wanted I would have been able to change
> provisioning configuration, channel scanning, browse through the call
> manager logs and see who's calling or being called, etc.
>=20
> Isn't this a huge security hole ?
>=20
> It wont take much for a kiddie to write a very simple script to drive
> crazy the noc guys taking down pieces of the network here and there =
...
>=20
> If a grownup from TWC/RR wants to get more specifics feel free to
> contact me.
>=20
> Regards
Yes this is a huge security hole. Management networks should always be =
restricted to some extent and the fact that default passwords allow you =
into VoIP gateways provides an avenue for call fraud. At a very minimum =
the devices should restrict which addresses can talk to them (ie. =
management servers in the MSO) and passwords should be non-default.
Maybe you can consult with the local MSO?
Kind regards,
Truman
