Lack of Security in Routers Distributed by Time Warner

Around 67,000 insecure devices deployed to customers

By on 21 Oct 2009, 08:31 GMT
Time Warner is working to develop and deploy a patch to plug gaping security holes in thousands of home routers previously distributed to its customers. The devices' default and locked configuration allow hackers to go rampaging on local home networks.

Customers of Road Runner, Time Warner's Internet service, who do not own a cable modem of their own, are supplied with a default one by the company. Around 67,000 of these are cable modem/wireless router combo devices from SMC Networks' SMC8014 series.

David Chen, one of the founders of Pip.io, a new social networking platform, reveals on his blog that these routers are highly insecure and not because they are not capable devices, but due to mainly poor deployment decisions on the ISP's part.

Chen's experience was with a SMC8014WG-SI device installed by Time Warner for one of his friends. Judging by the specs listed on the SMC website and in its manual (PDF), this gadget might not be state-of-the-art or up to speed with the latest of technologies, but it should make for a decent solution.

It supports the 802.11 b and g standards with WEP and WPA encryption, packet inspection, firewall port forwarding, custom LAN access rules, parental control and basically all the common features one would expect to find in a home router by default. However, the Time Warner devices come pre-configured and locked, with URL blocking being the only feature available to the customer through the web administration interface.

Chen does not mention whether the firmware is a custom one maintained by Time Warner or is provided by SMC Networks, but one thing's clear – the user limitation is poorly implemented and the default settings are highly insecure. First of all, the customer's account on the web interface is prevented from accessing administration features by hiding menu items via JavaScript.

"You heard me correct, the web admin for the router simply uses a script to hide certain menu options when the user does not have admin privileges. By simply disabling Javascript in the browser, I was able to access all the features of the router," Chen writes.

But let's step away from this seriously inadequate method of enforcing access control for a moment and take a look at the larger picture. Why would Time Warner enforce this limitation in the first place? We can speculate that it probably doesn't want clueless customers messing around with the configuration and then calling its support lines to report service problems. Or maybe it doesn't want its customers exposing their networks to outside threats by setting something incorrectly.

We could live with that, if only Time Warner had bothered to provide a secure setup in the first place, which is clearly not the case here. These routers are configured to use WEP encryption for WLAN access by default, even though they also support WPA-PSK. The Wired Equivalent Privacy (WEP) is an outdated and insecure algorithm that can be cracked within minutes with freely available tools.

In addition, the WLAN Service Set Identifier (SSID) is fixed and publicly broadcasted, when even the most basic wireless security guides recommend hiding it. Ironically, this router supports SSID hiding and while this doesn't make attacks impossible, it certainly limits exposure to them.

Furthermore, the web administration interface is accessible from anywhere on the Internet. Why this is configured as such is anyone's guess, but it means that an attacker can run a port scan on Time Warner's IP address space and identify these vulnerable routers.

And as if this wasn't bad enough, Chen also notes that opening the file generated by the "Back Up Configuration File" option will reveal the password for the administrative account in plain text. The aforementioned serious security holes combined make penetrating home networks protected by these devices extremely easy.

Once inside the network, a hacker can perform all kinds of malicious actions from intercepting sensitive data, to launching man-in-the-middle attacks, poisoning the DNS requests and infecting LAN computers with malware. In the context of 14,000,000 devices, which the company claims to have "in the field," 67,000 might not mean much, but it’s still enough to raise a decent botnet or affect a lot of people.

"From what I understand, our QA [Quality Assurance Department] got a list of fixes for the identified issues on Friday, and are currently testing (if not finished with testing) and preparing to hand this off to our Ops team at this very moment," Jeff Simmermon, the director of digital communications for Time Warner Cable, said yesterday. "Our customer’s security is of the utmost importance to us, and we are constantly working to identify and repair holes and flaws as we discover them," he stressed.

Comments

67,000 home routers deployed by Time Warner with insecure configurations
   67,000 home routers deployed by Time Warner with insecure configurations