ISP Gateways Flaws Let Hackers Remotely Tap Web Traffic


This year’s DEF CON taught us about many things, like how to hack voting machines, airborne drones or Internet-connected car wash systems. But it would seem that one particularly important story from DEF CON has been overlooked.

The story started as a short discussion on how to track what is happening on your home network, but took a sudden turn and proved to be of much greater importance. David Holmes of SecurityWeek was the one who noticed the significance of the talk, named “Cable Tap: Wireless Tapping Your Home Network”.

26 flaws and weaknesses in ISP network devices have been identified by Marc Newlin, Logan Lamb, and Christopher Grayson of Bastille Networks and Web Sight. These weaknesses could easily give a remote attacker administrative access to the majority of home networks used in the US.

The research showed a high number of weaknesses in ISP-provided, RDK-based wireless gateways and set-top boxes, found in devices made by Arris, Cisco, Motorola, and Technicolor.

The team of researchers at DEF CON showed how it was possible to remotely and wirelessly tap voice and Internet traffic passing through an active gateway. What’s worrying is that the findings apply to tens of millions of ISP customers. The attacks range from reverse-engineering the MAC address generation process of Comcast Xfinity routers to exploiting flaws in the FastCGI subsystem.

Until DEF CON, it was believed that an Xfinity access point provides your private network and the Xfinity WiFi network, a public wireless network that offers an access point to roaming Comcast customers. But DEF CON showed that there is, in fact, a third network, named XHS-XXXXXXXX. The Xs are the lower four bytes of the cable modem (CM) MAC address, and this hidden WiFi network is generated deterministically from the interface’s MAC address.

Four different methods of obtaining the MAC address were identified, one of which uses the Xfinity WiFi public network connectivity, since the DHCP ACK contains the CM MAC address. Using this method, the researchers were able to determine the passphrase and gain access to the Xfinity WiFi network without using personal Comcast credentials.
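As an added example (not code from the talk or from this article), the following audit takes the CM MAC of your own modem and checks a scan listing for the hidden XHS network tied to it, using only the SSID naming rule described above; the passphrase derivation is not reproduced, and the MAC and scan results are constructed.

```python
import re
from typing import Dict, List

# Naming rule from the talk: "XHS-" followed by the lower four bytes of the
# cable modem (CM) MAC address written as eight hex digits.
XHS_SSID_RE = re.compile(r"^XHS-([0-9A-F]{8})$", re.IGNORECASE)


def normalize_mac(mac: str) -> str:
    """Accept 'AA:BB:CC:DD:EE:FF', 'aa-bb-cc-dd-ee-ff' or 'aabb.ccdd.eeff'
    and return twelve upper-case hex digits; raise ValueError otherwise."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", mac)
    if len(digits) != 12:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return digits.upper()


def expected_hidden_ssid(cm_mac: str) -> str:
    """Name the gateway would give its hidden network for this CM MAC."""
    return "XHS-" + normalize_mac(cm_mac)[4:]


def audit_ssids(cm_mac: str, observed: List[Dict[str, str]]) -> Dict[str, object]:
    """Report whether the XHS network derived from your own CM MAC appears in
    a scan listing (dicts with at least an 'ssid' key, e.g. from a wireless
    scanning tool that reports hidden SSIDs), plus any other XHS-* names."""
    mine = expected_hidden_ssid(cm_mac)
    own_present = False
    other_xhs: List[str] = []
    for net in observed:
        ssid = net.get("ssid", "")
        if not XHS_SSID_RE.match(ssid):
            continue
        if ssid.upper() == mine:
            own_present = True
        else:
            other_xhs.append(ssid)
    return {"expected": mine, "own_present": own_present, "other_xhs": other_xhs}


# Constructed sample input: a made-up CM MAC and scan listing.
SAMPLE_CM_MAC = "00:1A:2B:3C:4D:5E"
SAMPLE_SCAN = [
    {"ssid": "HomeNet", "bssid": "00:11:22:33:44:55"},
    {"ssid": "xfinitywifi", "bssid": "00:11:22:33:44:56"},
    {"ssid": "XHS-2B3C4D5E", "bssid": "00:11:22:33:44:57"},  # tied to our MAC
    {"ssid": "XHS-AABBCCDD", "bssid": "66:77:88:99:AA:BB"},  # someone else's
]

if __name__ == "__main__":
    print(audit_ssids(SAMPLE_CM_MAC, SAMPLE_SCAN))
```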

This all means that if malicious activity is seen on the network, it will be attributed to the cable modem owner. One more flaw in the attack chain is brute-forcing the radio-frequency pairing of Comcast’s voice remote control, which could be used to attack or infect Xfinity set-top boxes.

Comcast has stated that it appreciates Bastille notifying it of the issues found and that it is working on fixing them, since the security of its customers is its top priority.