HN Gopher Feed (2017-09-03) - page 1 of 10
SharknAT&To: Vulnerabilities in AT&T U-verse modems
223 points by dankohn1
https://www.nomotion.net/blog/sharknatto/
kogepathic - 4 hours ago
I think at a certain point someone needs to be held criminally liable for situations such as this one. A VW engineer is likely going to jail over dieselgate. We have already seen that such insecure internet connected devices can be easily and quickly assembled into a botnet. The operators of such a network can direct the attacks at healthcare institutions, national infrastructure, and other safety critical systems. At some point, there have to be stricter consequences for companies than simply a fine. C-levels won't start paying attention to security until there's the real possibility that their ass will end up in jail for this kind of insecurity.
[deleted]
feelin_googley - 9 minutes ago
"... someone needs to be held criminally liable for situations such as this one." What is the crime that "someone" should be charged with? In the VW case the media reports it was fraud against the government and violation of the Clean Air Act. To do what you suggest, one first needs an applicable criminal statute. What is it? (Not implying this is impossible. Only trying to focus the discussion beyond the usual rants.)
Nomentatus - 6 minutes ago
Great question, I agree. Criminal negligence might be one possibility; fraud in selling something not suitable for purpose might be another. Obviously it's going to be very difficult to draw such lines in the (continuous) sand; but we might as well start now. How many corners can you cut? Maybe something like certification for electronics is needed or possible here? Where manufacturers pay for a fairly decent inspection of their work in return for a mark of inspection? (I don't mean to take a side re this particular crap-storm.)
QUFB - 3 hours ago
What laws would you propose to eliminate insecure software?
_rpd - 2 hours ago
A few professional negligence lawsuits wouldn't hurt.
marcoperaza - 3 hours ago
Bruce Schneier has speculated about creating mandatory legal liability for software vendors and service providers. Liability regimes are a major reason why physical products are so safe. https://www.schneier.com/essays/archives/2003/11/liability_c...
trapperkeeper74 - 2 hours ago
Another, less chilling effects way would be to have an
Underwriters' Laboratories (UL) or CE for software. Any
government, company or customer could then have that as a
requirement.
marcoperaza - 2 hours ago
That's what would effectively emerge from the liability
system. Companies would buy insurance from liability, and
the insurance companies would demand some kind of
certification process.
kabdib - 2 hours ago
Certification programs, when they exist, tend to become political creatures and tools of destruction. You wind up with byzantine and arbitrary rules, often put in place for horse-trading reasons, often to exclude competition and drive up prices. Want a seat at the standards table? Pony up tons of time, plenty of money for travel to cities where meetings are held, and be prepared for the big software consulting firms to crush you anyway with requirements like ISO- before you can make a project on github public. Want to contribute to Python? Sure hope you have that degree, plus an engineering certificate from your local/state/national government. Your dues are paid up and you've passed the most recent set of exams, right? Oh, and let's talk about your toolchain. You can license a certified compiler for $15,000 a seat. Per year. I can't imagine anything more chilling, other than an outright ban on people writing software.
ryandrake - 3 hours ago
Say goodbye to open source, then, unless he proposes a
special carve-out for it.
marcoperaza - 3 hours ago
He has some commentary on this as well: https://www.schneier.com/blog/archives/2008/07/software_liab... In summary, there wouldn't be liability for open source developers because there is no business contract. But if you run a website with open source software, you of course would still be liable for anything that happens to your customers' data. So you would probably want to buy that same open source software from someone (e.g. Red Hat), who would also be liable.
icelancer - 28 minutes ago
> But if you run a website with open source software, you of course would still be liable for anything that happens to your customers' data. So you would probably want to buy that same open source software from someone (e.g. Red Hat), who would also be liable.
As others have said, this idea is really bad. Red Hat will start charging obscene amounts to support the legal side of the license, especially if it is used in eCommerce platforms. What about the wife and husband who want to sell hand-knitted socks online, or small businesses who do less than $250k/year online? Will they be able to afford an alternative to the LAMP stack and fully shield themselves from legal liability and the horde of lawyers who will gladly step into any loophole?
Like many, my servers were affected by Heartbleed. So if I ran OpenSSL and someone found out before I patched it (took me 24h to do so), I could be sued in that window if I hadn't bought the license to Red Hat - oh, and how about all the licenses to all the open source software that depends on it underneath, OpenSSL being one of about a hundred of those projects? Do we license the GNU toolchain? What if there are buffer overflow exploits found in various tools?
smsm42 - 2 hours ago
Which means, hosting/supporting open source would quickly become not worth it for any major company representing a large target for opportunistic lawyers. When you make millions from a product, you can afford a team of lawyers setting up contracts just right and fighting liability trolls. When you make zero profit, you cut the losses. Such a law would spell a very quick end to any corporate support of free and open source software, for liability reasons. There's a reason why all such software is accompanied with "NO WARRANTY" texts, and enforcing liability will make the corporate world run from it. Nobody wants to be sued because they use OpenSSL and there was a vulnerability there, and that's exactly what would happen with any commercial vendor using OpenSSL if liability laws were introduced. It doesn't matter that the company didn't write OpenSSL - as soon as they use it, they are on the hook. IBM was sued not because they made Linux, but because they used it and had tons of money. And I do not see any business model that could allow companies to charge enough to cover such liabilities. Maybe for established powerhouses like Linux or for corporate foundational projects like Chrome and Darwin, but not for any lesser projects and surely not for any starting up open source with unclear revenue potential. It won't kill all open source, but it would severely hurt the ecosystem and turn it into two worlds - pure hobbyist geekery which nobody with money would touch, and formally open-source projects with strict corporate governance that have no ecosystem beyond the founding corporation.
One of the worst ideas I've heard lately, and I am genuinely baffled how a person as smart and experienced as Schneier could support it.
marcoperaza - 2 hours ago
I'm not sure you're envisioning the same thing I am. You would only be liable for something that you sell or otherwise make money from. You would be free to publish software, open source or not, without incurring liability as long as you don't make money from it. Whoever then uses that software for a commercial product would be incurring the full liability, and would not be able to turn around and sue up the chain.
The currently widespread practice of trusting sensitive user data to open source code without an audit (either internally or via a third-party, e.g. Red Hat) is horrifying and incredibly negligent.
smsm42 - 1 hours ago
> You would only be liable for something that you sell or otherwise make money from
If your business includes software in any meaningful function, you are making money from it. Any competent lawyer would be able to successfully argue that. Charging money for a license is not the only way, otherwise everybody would just switch to charging for "consultancy service", which coincidentally provides a free software license, and avoid any liability.
> You would be free to publish software, open source or not, without incurring liability as long as you don't make money from it.
You as a private person would be. That's my point - that would be the only way to do open source; any corporate support of open source projects would imply full liability, which would be impossible for a product the company gets to revenue from. It would be much harder for a business to justify supporting an open source project when liability costs are added to the equation.
> The currently widespread practice of trusting sensitive user data to open source code without an audit (either internally or via a third-party, e.g. Red Hat) is horrifying
Audits cost money. Tons of money. And they don't guarantee anything - bugs in OpenSSL have not been discovered for years despite thousands of people using the code, poring over it and billions depending on it. There's no magic in "audit" that allows code to be bug-free after it - if there was such a magical procedure people would already be using it, but there's no indication anybody has invented an "audit" procedure that allows one to eliminate all bugs. Existing flawed procedures are already being used - every company that produces software that I ever heard about uses them - and they are not enough. So what would happen is drastically raising the costs (to the point where having a website would no longer be affordable to an average person) while not significantly improving security.
ktRolster - 42 minutes ago
> Audits cost money. Tons of money. And they don't guarantee anything - bugs in OpenSSL have not been discovered for years despite thousands of people using the code, poring over it and billions depending on it.
Any reasonable audit of OpenSSL would have said, "Don't use it."
smsm42 - 8 minutes ago
And instead use... what? Let's say you are creating a company that needs a website to sell stuff. On that website, you need a TLS implementation, to process user data & credit cards. After an expensive security audit that consumed most of what your angel investors can give you, you decide that anything based on OpenSSL can't be safely used. Now what?
JoshTriplett - 2 hours ago
I've actually had discussions with several people, separately and at a legal summit that specifically discussed the topic of software liability, that proposed a good solution to this: Make the liability proportional to the degree to which you've given them the degree to find and fix any issues that might arise. If you give someone FOSS software to solve some particular problem, even a potentially-high-liability problem, you've given them everything they need to both analyze the software for potential issues, and fix them themselves. (Auto manufacturers like FOSS because it means they can always support it themselves if the vendor won't, and they have far longer support lifetimes than many other products.) So disclaiming all liability there seems reasonable, for anything short of intentional malice (e.g. backdoors).
On the other hand, if you give someone a piece of opaque proprietary software, then you're selling them a solution to a problem, and it'd better work because they can't do anything but go to you if it doesn't. They also can't introspect it, and black-box testing only goes so far. So this should increase liability. Even more so if you supply it in an obfuscated form that's difficult to reverse-engineer or test, or if you lock it down to make it irreplaceable.
The same thing would go for changing software yourself, on a high-liability device. If you don't change it, it's not your fault; if you change it, it might be your fault.
sitharus - 1 hours ago
New Zealand consumer law has a requirement that goods must be 'fit for purpose'. This means that if a company sells you a clothes washer for example it must clean clothes, but if you try to wash your shoes and it breaks it's not the manufacturer's fault (unless they said it could of course).
I think something like this could apply very well to software. If someone uploads source code to github they haven't sold it to you with any purpose in mind, but commercial sales have functionality promises so they could be held to them.
DannyBee - 1 hours ago
Warranty of merchantability and fitness for a particular purpose exist in the US. Whether it can be disclaimed is per-state though. (Some states allow disclaiming implied warranties, some do not.)
stephengillie - 46 minutes ago
Ansible has disclaimed theirs[0]:
> #!/usr/bin/env python
> # (c) 2012, Michael DeHaan
> # This file is part of Ansible
> # Ansible is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version.
> # Ansible is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.
> # You should have received a copy of the GNU General Public License along with Ansible. If not, see u.org/licenses/>.
[0] https://github.com/ansible/ansible/blob/devel/bin/ansible
JoshTriplett - 36 minutes ago
That's a standard part of the disclaimer for the GPL and
other licenses.
travmatt - 2 hours ago
I believe Dan Geer also gave a keynote a year or so ago at
Blackhat (or Defcon) arguing for a similar framework.
kogepathic - 3 hours ago
CTO is criminally liable for technical breaches involving their company. They're supposed to be responsible for this anyway, but given that at worst they receive a slap on the wrist and their company gets fined, clearly more needs to be done.
You might counter: well no one will be willing to be CTO if it involves such personal risk.
I would counter: companies will find a way, through certification or lawyers, of ensuring that their products are secure enough, or they can show sufficient due diligence that they won't end up in jail.
I personally think making execs criminally liable for this kind of insecurity would really force companies to start spending money on ensuring they ship something secure and not a minimum viable product full of holes like this.
smsm42 - 2 hours ago
> CTO is criminally liable for technical breaches involving their company
Which means CTOs would have a huge incentive to conceal such breaches and persecute anybody who would report them. Also, CTOs would require huge money to cover the risks, and probably wide insurance coverage like medical malpractice insurance. Which is a five-figure number at least. I wonder which startup could afford that.
> I would counter: companies will find a way, through certification or lawyers, of ensuring that their products are secure enough
They surely can spend money on lawyers writing tricky contracts and acquiring various expensive certifications. As for whether it'd make their software any more secure - this is much more doubtful.
> I personally think making execs criminally liable for this kind of insecurity would really force companies to start spending money on ensuring they ship something secure
That implicitly assumes right now the problem in software being insecure is because not enough money is spent on it, and if software were more expensive, it would be more secure. This assumption does not seem to be true.
jacquesm - 3 hours ago
> well no one will be willing to be CTO if it involves such personal risk.
Of course they would. Compensation would go up and the good ones would be readily employed.
The hard part would be to make such liability stick.
Nursie - 3 hours ago
Depends, but there's insecurity by bad design, or bad implementation, and then there's stuff like this.
I would say that some sort of negligence laws would be appropriate here, with a defence being that good practice was followed.
Accidents will happen even with the best of intent; but there's a line somewhere.
jacquesm - 3 hours ago
Step 1 is mandatory reporting of breaches.
Step 2 would be the creation of an actual software engineering profession complete with the equivalent of the 'iron ring' and a pledge to go with it. Maybe the ring could be made of ferrite ;)
Step 3 is attaching a figure to compensating victims of breaches over and beyond some credit score bs.
Step 4 would be actual legal liability for service providers and shrink wrap software manufacturers which they could not get you to waive.
Step 5 would be criminal liability for producers of faulty software and especially the management layers above them.
Applied sequentially until it starts to hurt would improve software quality in a hurry and would most likely result in massive retraining of a large number of people now employed as programmers as well as their management.
kogepathic - 1 hours ago
> Step 2 would be the creation of an actual software engineering profession complete with the equivalent of the 'iron ring' and a pledge to go with it. Maybe the ring could be made of ferrite ;)
This is already possible. If you graduate with a B.Eng in Canada you can become a P.Eng with the appropriate training/certification. Many Computer/Software Engineering programs in Canada are B.Eng programs (the alternative is B.Sc though those are less common).
Software/Computer Engineers who graduate with a B.Eng are eligible to receive the iron ring, and many do decide to participate in the Ritual of the Calling of an Engineer.
I think it's much less common to find a P.Eng who is a software or hardware engineer, versus say a Civil or Mechanical Engineer, but the option exists.
I'd be very surprised if Pratt & Whitney Canada didn't have a P.Eng to sign off on their turbofan control software. But Aerospace is different, because it's a highly regulated industry and people's lives can be quickly and obviously at risk due to a mistake.
jacquesm - 1 hours ago
> But Aerospace is different, because it's a highly regulated industry and people's lives can be quickly and obviously at risk due to a mistake.
Self driving vehicles and 'the Internet of Things' are in the same league.
protomyth - 3 hours ago
In your scenario, does all software now require a certified software engineer?
Frondo - 2 hours ago
I would love for software engineering to have the same licensing requirements as civil and structural engineering.
For simple stuff, like building a deck, you don't need an engineer. For a lot of basic-enough construction projects, you can just buy supplies and hammer them together. It's only where structural or safety issues kick in that you need to have someone sign off and approve your plans, and that makes sense.
Likewise, putting up a brochure-ware Wordpress site, just do it yourself or have some kid do it. But once you start collecting customer/financial/personally-identifying information, you should need to have a professional either do it, or review your code and sign off on it. There's a risk involved, and for too long we just shrug our shoulders and push the risk off onto the consumer, onto Visa, onto whatever.
I am looking forward to when the software world leaves this wild-west phase.
Nullabillity - 1 hours ago
No, the underlying systems need serious rearchitecting to
avoid these issues to begin with. A third-party trying to
verify your identity should never have enough information
to impersonate you afterwards.
jacquesm - 3 hours ago
No, you're fine to do whatever you want. But companies will likely want to hire people that reduce their exposure to lawsuits that will stick.
So if your software is going to affect lives and you feel that you can handle the fall-out in case it does not and you are not certified then you're more than welcome to make that combination work.
protomyth - 3 hours ago
So, basically no non-certified programmers because Apple,
etc. will just not give you a developer certificate
because of a possible lawsuit.
jacquesm - 1 hours ago
Apple isn't in the business of providing critical software where such liability would make much sense beyond when:
(1) their phones given enough charge refuse to call 9/11 as mandated by law at the present anyway
(2) their authentication details are leaked
(3) their operating systems suffer security bugs
At most other levels the damage could easily be contained. Note that even at present they could be sued for any and all of the above, whether such a lawsuit is winnable is beyond my expertise to evaluate but it would certainly be interesting to see the arguments both sides put forth.
So plenty of opportunity to be employed for 'non certified programmers'. Note that almost every big software provider already has a certification program of sorts but at the moment these are just used as either a revenue stream or a way to get people to invest in the eco system.
[deleted]
tejtm - 2 hours ago
Laws that stripped resources from share holders. Blaming a programmer for a culture they are not responsible for creating or maintaining is far too late in the process.
If a venture has no reason to exist if it cannot produce secure products, a culture of building secure products will emerge. It may be that every MBA with a NDA will not be able to afford the competent programmers required, but as they are weeded out we will have fewer less than useless things.
exabrial - 3 hours ago
Ironic how the VW engineer is going to jail... yet the middle
management is escaping scot free
jacquesm - 3 hours ago
The 'VW engineer going to jail' is actually an exec.
kogepathic - 3 hours ago
That's only in America. Thus far it seems that no one from VW Europe will face criminal prosecution for the scandal.
Germany is too scared of hurting their economy in an election year to consider further actions against VW.
jacquesm - 3 hours ago
It goes a lot further than that, the VW saga in Germany is
intricately intertwined with the political situation and
since 20% of the shares are held by Lower Saxony they'd
essentially invite scrutiny of their own position in the
whole ordeal.
jl6 - 3 hours ago
Or follow the automotive model: put greater liability on the end
user. End user is then obliged to pay for insurance, incentivized
to pick safer suppliers, and feels the consequences of their own
bad behaviour (it's not the ISP's fault that you keep opening
.exe email attachments).
chiefalchemist - 2 hours ago
What's the incentive for the vendor? Trying to do the best and hoping the customer picks them? Or just maintaining the status quo because the customer has insurance and is protected?
I hear ya. The flaw is, there isn't enough competition in enough markets. Many rural areas only have one ISP.
wahern - 3 hours ago
The automotive model is split. The end user pays insurance because he's the least cost avoider for the most obvious types of accidents. And you want him to internalize the cost of such easily avoidable errors.
But the producer is also regulated and required to include certain safety features because individual consumers are poorly equipped to select cars based on complex safety features. And in any event most consumers are very price sensitive; many people (perhaps most, actually) don't have the luxury of choosing a car based on safety features. Seat belts, air bags, crumple zones, ABS, and rear-view cameras have all become mandatory thanks to regulation. (In some cases voluntarily with the understanding that they'd be involuntary if industry didn't cooperate). Collision avoidance systems are already scheduled to be mandatory, again by voluntary agreement.
When it comes to tech, consumers just aren't sophisticated enough to know how to choose products. And the insurance industry doesn't know how to solve that problem, either. It's really only the _commercial_ insurance industry where the insurers work with the policy purchasers to help them select the safest products and procedures. Anyone who has worked in tech support knows that it's a lost cause trying to educate individual consumers.
mysterydip - 3 hours ago
What about in this case? Some areas only have one internet
provider. Are the users liable because they chose "have
internet" over not?
mjevans - 3 hours ago
How's the customer going to pick when their market, if they're lucky, has only two fixed link ISPs? When most have only one (really crappy cable one) that if they're lucky provides more than 25Mbit down and who knows what up. (Yeah it's nearly 2018 and those speeds would have been 'OK' 15 years ago.)
A lot of the reason Americans are in this mess is the complete lack of competition in 99+% of the country. /That/ lack of competition comes from a broken investment model. Like roads, water/sewer, and other systems regulated as utilities the physical plant is a natural monopoly; it isn't effective for society or companies to build parallel infrastructures. If the base platform (last mile 'wires') were owned by the community and competition occurred on top of it (like with package delivery) then the context of your comment would make more sense.
crmd - 2 hours ago
> If the base platform (last mile 'wires') were owned by the community
It's not necessary for the wires to be owned by the people. They could be owned by a private, highly regulated, capital intensive, infrastructure utility company, that is a legally separate entity from the ISPs who compete to provide your data services.
Private is not necessarily better than community ownership, but may be more politically viable.
posguy - 2 hours ago
Even in areas with heavy fiber penetration like Seattle,
where Centurylink has 70+% of the city covered with Fiber,
Comcast is still capping users to 1TB and Centurylink feels
little competition. Hell, they're trying to kill off their TV
service right now, and pitching DirecTV (with a much slower
guide, missing multi-channel preview, and with a dish bolted
to your house) as the new thing they're pushing.
floatingatoll - 2 hours ago
I agree with all of your points except one, the severity of your listed "corollary" situation: Dieselgate is tentatively assessed to have resulted in thousands of human deaths due to air pollution. AT&T modem vulnerabilities have not been assessed similarly.
While I concur with everything else you've said, I encourage selecting a different example with a more evenly-matched fatality rate.
stanleydrew - 1 hours ago
Why is fatality rate the only legitimate metric on which to
judge prison sentences? People are put in prison for all sorts
of lesser offences all the time.
mrpippy - 3 hours ago
Agreed. I think that point was also reached with the tens of
thousands of Dodge/Chrysler/Jeep car radios/head units that were
wide open to the Internet over cellular.The staggering
incompetence responsible up and down the chain for that should
have been investigated fully and publicly, and certainly would
have been if anyone had been injured/killed.
posguy - 2 hours ago
It's the internet of vulnerable things! Most of which will never see an update to resolve the security vulns that crop up with time, let alone receive proper software stack maintenance for more than a brief period of time.
cmurf - 3 hours ago
We don't yet have cybersecurity expertise in government that approaches the environmental science expertise in the EPA (or California's equivalent). And thus far we have a Congress that doesn't recognize the importance, or see a role for the government to regulate these aspects, so they just let the industry write their own rules. And so we've got exactly the system everybody who isn't a consumer wants us to have.
Update: 4 of 535 members of Congress have computer science degrees.
ktRolster - 37 minutes ago
> Update: 4 of 535 members of Congress have computer science degrees.
That's higher than I expected.
mlosapio - 3 hours ago
This is terrifying
chrissnell - 58 minutes ago
I have AT&T U-verse (Gigabit fiber product) at home and I believe that I am not vulnerable to public Internet attacks because I've configured my modem in pass-through mode. The AT&T pass-through is pretty weak and is really only a 1:1 NAT, not a bridge, but as far as I can tell, the modem does not answer to the Internet when configured in this mode.
matt_wulfeck - 3 hours ago
Here[1] is an 802.1x proxy you can use to hide your incredibly vulnerable residential gateway behind a firewall of your choosing. It allows the eap packets to pass through.
I honestly knew this was going to be a problem when I first port-scanned my residential gateway and saw exposed who-knows-what ports, but for symmetrical 1Gb internet for $79.99 a month what can you do?
[1] https://github.com/ShadwDrgn/eap_proxy/blob/master/eap_proxy...
nmjohn - 1 hours ago
I had the exact same thought after port scanning my own uverse gigapower connection - so seeing real exploits actually be found on it is not surprising in the slightest to me.
Though instead of going with the 802.1x proxy approach, it's also possible to spoof the mac address of the RG with your router and swap it in place after 802.1x authentication has occurred. (You have to swap without the link to the ONT going down however, the easiest way to do so being a switch with VLAN support. You put the RG and ONT on one vlan, and then once the connection is up, you swap your router in place of the RG.)
Then you can unplug the RG and put it in your closet (until you have a power outage and have to do it again, which is the main drawback to this approach. However since AT&T provides a UPS for the ONT, if you have a UPS for your router you should be good there too.)
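The isolation both of the comments above rely on comes down to one forwarding rule: only 802.1X authentication frames may cross between the ONT-facing port and the quarantined residential gateway, and nothing else the gateway emits reaches the Internet-facing side. The Python below is an added example of that rule (not code from either commenter or from the eap_proxy project linked above): it parses Ethernet/802.1Q/EAPOL/EAP headers and decides where each frame goes; the MAC addresses, port names and sample frames are constructed.

```python
import struct
from typing import Optional

# Constructed example of the filter an 802.1X/EAP proxy applies when a vulnerable
# residential gateway (RG) is kept off the Internet and only used to answer the
# ISP's 802.1X authentication. Not the eap_proxy project's code.

ETHERTYPE_EAPOL = 0x888E   # IEEE 802.1X, EAP over LAN
ETHERTYPE_VLAN = 0x8100    # IEEE 802.1Q tag (the switch-based swap above uses VLANs)
PAE_GROUP_ADDR = bytes.fromhex("0180c2000003")  # 802.1X PAE group destination MAC

# Constructed, locally administered MACs standing in for the RG and the ISP side.
RG_MAC = bytes.fromhex("020000000001")
ISP_MAC = bytes.fromhex("020000000002")

EAPOL_TYPES = {0: "EAP-Packet", 1: "EAPOL-Start", 2: "EAPOL-Logoff", 3: "EAPOL-Key"}
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 4: "MD5-Challenge", 13: "EAP-TLS"}


def parse_eapol(frame: bytes) -> Optional[dict]:
    """Parse an Ethernet frame; return EAPOL/EAP header fields, or None if the
    frame is not 802.1X or is too short/truncated to be trusted."""
    if len(frame) < 14:
        return None
    dst, src = frame[0:6], frame[6:12]
    ethertype = struct.unpack("!H", frame[12:14])[0]
    offset, vlan = 14, None
    if ethertype == ETHERTYPE_VLAN:              # strip a single 802.1Q tag
        if len(frame) < 18:
            return None
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        vlan, offset = tci & 0x0FFF, 18
    if ethertype != ETHERTYPE_EAPOL or len(frame) < offset + 4:
        return None
    version, eapol_type, body_len = struct.unpack("!BBH", frame[offset:offset + 4])
    body = frame[offset + 4:offset + 4 + body_len]
    if len(body) != body_len:
        return None                              # truncated body: never forward
    info = {
        "dst": dst.hex(":"), "src": src.hex(":"), "vlan": vlan,
        "eapol_version": version,
        "eapol_type": EAPOL_TYPES.get(eapol_type, f"unknown({eapol_type})"),
    }
    if eapol_type == 0 and body_len >= 4:        # EAP-Packet carries an EAP header
        code, ident, eap_len = struct.unpack("!BBH", body[:4])
        info["eap_code"] = EAP_CODES.get(code, f"unknown({code})")
        info["eap_id"] = ident
        if code in (1, 2) and eap_len >= 5 and len(body) >= 5:
            info["eap_type"] = EAP_TYPES.get(body[4], f"unknown({body[4]})")
    return info


def proxy_decision(frame: bytes, ingress: str) -> str:
    """Where a frame arriving on port `ingress` ('ont' or 'rg') is sent.
    Only 802.1X frames cross between ONT and RG. Other ONT-side traffic belongs
    to the router; anything else the RG emits is dropped, so the gateway never
    exchanges data with the Internet-facing side."""
    if parse_eapol(frame) is not None:
        return "rg" if ingress == "ont" else "ont"
    return "router" if ingress == "ont" else "drop"


def build_eap_identity_request(dst: bytes, src: bytes, ident: int = 1) -> bytes:
    """Constructed EAP-Request/Identity as the authenticator side would send it."""
    eap = struct.pack("!BBHB", 1, ident, 5, 1)            # code=Request, type=Identity
    eapol = struct.pack("!BBH", 1, 0, len(eap)) + eap     # version 1, EAP-Packet
    return dst + src + struct.pack("!H", ETHERTYPE_EAPOL) + eapol


def build_eapol_start(src: bytes, vlan: Optional[int] = None) -> bytes:
    """Constructed EAPOL-Start from the RG, optionally 802.1Q-tagged."""
    tag = struct.pack("!HH", ETHERTYPE_VLAN, vlan) if vlan is not None else b""
    eapol = struct.pack("!BBH", 1, 1, 0)                  # version 1, EAPOL-Start
    return PAE_GROUP_ADDR + src + tag + struct.pack("!H", ETHERTYPE_EAPOL) + eapol


if __name__ == "__main__":
    samples = [
        ("EAP-Request/Identity from ISP side", build_eap_identity_request(RG_MAC, ISP_MAC), "ont"),
        ("EAPOL-Start from RG on VLAN 100", build_eapol_start(RG_MAC, vlan=100), "rg"),
        ("IPv4 data frame from ISP side", RG_MAC + ISP_MAC + b"\x08\x00" + bytes(20), "ont"),
        ("IPv4 data frame from RG", ISP_MAC + RG_MAC + b"\x08\x00" + bytes(20), "rg"),
    ]
    for name, frame, port in samples:
        print(f"{name}: -> {proxy_decision(frame, port)}  {parse_eapol(frame)}")
```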
hedora - 3 hours ago
What really ticks me off about this is that for FTTN access around here, you have to use their crappy routers. This is true even if you go through a third party like sonic.net.
Worse, their routers seem to do something to defeat attempts at two-level NAT setups.
I thought one of the network neutrality principles said you couldn't discriminate against compatible network hardware. Too bad Pai is in now.
mikeash - 3 hours ago
This is one reason why I really like FiOS. I get ethernet
straight into the house. Sometimes you get coax instead, but you
can use a MoCA adapter to convert it to ethernet. And their
provided modem is actually pretty decent! I had planned to bypass
it when I signed up for the service, but after using it for a bit
I decided to just keep it in place.
sp00ls - 3 hours ago
Not nearly as large as ATT U-Verse but I found a similar vulnerability in the modem I was provided from a rural DSL provider a few years ago.
It all started when I called to get the admin credentials so that I could open a port. They refused, stating that they use the same PW on all of them so they couldn't provide it to me.
After a day or 2 I found a vulnerability in the WebUI that dumped the password to my browser. Did a shodan scan and found hundreds of these modems connected to the internet. What they said was true, that password worked on the 2-3 I tried just out of curiosity.
I tried reporting my findings to them but they didn't seem to care. So I just changed the password on the one provided to me and let it be.
Now I live elsewhere and use my own purchased modem/firewall/wap. Can't trust ISPs to care about your security.
samstave - 3 hours ago
> Can't trust ISPs to care about your security.
This is the kicker here: You SHOULDN'T trust an ISP to care about your security - just like you shouldn't trust the water company to select which Faucet/Shower head you install in your bathrooms.
Raw pipes to info == raw pipes to water (interesting aside, the Mayans always equated thought as being symbolized by water)
I am paying the water company for pipes to my house, I choose which faucets/shower-heads and what use the water is consumed for.
Imagine if the water company charged me a different rate for Kohler Faucets used in the kitchen for washing my dishes, vs a Home Depot Hose used in the garden to water my plants? I pay the water company for the volume of water consumed. I pay the ISP for the bandwidth (volume of data) consumed.
Further, if the ISP is ostensibly providing my security to literally anything, then, by contract, they are assuming some of the risk? If "what we do is for your protection" -- then they assume full/some liability.
The water company provides zero such assurances. A broken pipe/leak/flooding/damage has no effect on the water company, my agreement/bill with them.
Further, the water company isn't injecting "paid supplements" (aside from fluoride, which we can equate to NSA backdoors in this example) into my water supply without my will (ads) -- they don't feed me a % of Gatorade in my water supply because Gatorade has a deal with the main faucet - or fertilizers into the garden hose because of a deal with Monsanto.
Source: My family owns an actual water company.
CrendKing - 2 hours ago
If the water company is the only water provider and they require
you to use the specific faucet or they don't give you water, good
luck arguing with them with the fancy words and ideals.

In reality, water is considered a utility but internet is not.
Therefore the water company can do much less than an ISP.
madez - 1 hours ago
How is internet not a utility?! Some day people will look
back at today and shake their head.
samstave - 39 minutes ago
If the INTERNET company is the only INTERNET provider and they
require you to use the specific MODEM or they don't give you
INTERNET, good luck arguing with them with the fancy words and
ideals.

--

WTF state do you live in?
astrodust - 3 hours ago
We're talking about the water equivalent of having the feed to
your house first go through an open rain barrel at the front of
your house, something anyone passing by could lob cigarette butts
or other garbage into.

You'd ask the water company "can't I provide my own connection to
the water" and they'd say "No". Then you'd want another water
company, but no such company exists because they're a monopoly.

At that point you'd be better off collecting water from your roof
and filtering it yourself. The water company is not helping.
samstave - 2 hours ago
uh... no we are not.

Please explain yourself further, if I am missing your point.

Thanks
jlgaddis - 3 hours ago
Unfortunately, on Uverse you are required to use the ATT-provided
CPE (due to 802.1X authentication).
Spivak - 2 hours ago
Nah, all you have to do is redirect 802.1X traffic to their
device and you can use whatever device you want.

I have my EdgeRouter performing this function currently.
wil421 - 1 hours ago
How much bandwidth do you lose? I have AT&T fiber and I want
as close to 1Gb as I can. Someone else I saw online did
something similar with an EdgeRouter and he lost a ton of
speed.
jlgaddis - 1 hours ago
Any tips or pointers on how to go about this?

EDIT: Nevermind, I have (bonded) VDSL running through a 5268AC so
I don't think I'll be able to do it. If it was "normal" Ethernet
it would be possible.
toast0 - 36 minutes ago
Theoretically, it should be possible for VDSL too. If you
can find something to do bonded VDSL in real bridge mode,
you could probably hook up the 5268AC to that with the
Ethernet WAN port, and if that works, you could proxy the
802.1X auth there too.
krallja - 3 hours ago
You can put a firewall behind it, which will at least protect
you from the inexplicable open proxy.
milankragujevic - 43 minutes ago
Can you explain what is Uverse and how does it work?
CodeWriter23 - 2 hours ago
I applaud Hutchins' choice to use Full disclosure instead. Let that
be a lesson to all Big Corps, there are White Hats out there who
won't be bullied by your "Responsible disclosure" propaganda. The
writing is on the walls, Big Corps, take responsibility and secure
your gear by design or be pilloried.
JL2010 - 2 hours ago
I can't seem to find any information on how or if this was
disclosed to AT&T. Does anyone know how the blogger proceeded here?
rwbhn - 1 hours ago
Comments at the bottom indicate it was not pre-disclosed.
matt_wulfeck - 3 hours ago
Can someone please use this to lift the EAP certificate so that any
individual can authenticate themselves with AT&T instead of having
to put the gateway in the very entrance to the home network?
userbinator - 3 hours ago
It's always annoyed me that ISPs seem to like giving customers
these horribly overcomplex modems as well as other "value-added
features" like "inject advertisements into the user's unencrypted
web traffic" --- especially since customers are already paying them
for the service.

My vision for an ideal modem is more like a dumb Ethernet to
coax/fiber/etc. adapter, and is otherwise as unobtrusive as
possible. Ditto for an ideal ISP: just sell access to the raw,
unfiltered Internet, and nothing else.
Fnoord - 1 hours ago
You'll love The Netherlands. Your ISP is forced, on your request,
to put your modem in bridge mode. I.e. the ISP isn't able to force
customers to use a certain modem as router.
milankragujevic - 44 minutes ago
TBH, in Serbia, Telekom does give you a modem that you have
full control over, it's just a shame that everyone else who
types in your IP gets the same control too... Basically they
can change any setting that you can, but you can request they
give you xDSL config params and buy your own modem which
doesn't have routing functionality...
trapperkeeper74 - 2 hours ago
Dumbish DOCSIS cable and dumb DSL modems exist, they're just not
default because most people aren't technically-literate enough to
deploy them. However, cable ISPs often can update the firmware of
DOCSIS modems, so who knows what potential is there for backdoors,
malware, NSA diodeing and weak security. DSL modem management may
vary.
chinathrow - 3 hours ago
That's what I have via my FTTH provider: plain DHCP enabled
ethernet - a media converter is all that is needed. After that:
the customer gets to decide what equipment to use/own.
josteink - 3 hours ago
> My vision for an ideal modem is more like a dumb Ethernet to
> coax/fiber/etc. adapter

You'd like Europe then. You know, where we have competing ISPs and
this is the standard.
[deleted]
hedora - 3 hours ago
In fairness, comcast (big US ISP) allows you to buy your own
cable modem. However, they are terrible for multiple other
reasons that would not fly in Europe (data caps, lobbying to
resell browsing history, opaque pricing schemes, etc)
insulanus - 2 hours ago
Deep packet inspection, network throttling based on traffic
type, ...

Sources:
https://arstechnica.com/tech-policy/2009/12/comcast-throws-1...
https://www.cnet.com/news/fcc-formally-rules-comcasts-thrott...
simonh - 3 hours ago
But at least they have the freedom to do so, unlike Europe
where their right to screw over their customers is unfairly
infringed.
skummetmaelk - 2 hours ago
Sarcasm?
simonh - 2 hours ago
Is it though? Freedom and regulatory overreach arguments
are being used right now, with a straight face, to
eliminate net neutrality rules that prohibit ISPs from
screwing over their customers. Is it really sarcasm if
it's actually happening?
skummetmaelk - 2 hours ago
That's why I ask. I legitimately cannot tell because
people actually think this.
mrbill - 2 hours ago
Not if you're on a Comcast Business plan with static IPs;
you're limited to what they'll give you, even though people
have shown that their static IP-setup works with customer
provided gear.
amluto - 2 hours ago
By which you mean that Comcast will let you buy an approved
device to which (I believe) they fully control by design.
posguy - 2 hours ago
Pretty much, Cable Modem Hacking is extremely uncommon and
even an owned modem is out of your control. Look at all the
Intel PUMA cable modems with bufferbloat issues where the
cable ISP refuses to update said modem to fix the software
bug causing bufferbloat.
trapperkeeper74 - 2 hours ago
DOCSIS modems are a standard, but cable companies often get
to manage them with their firmware and/or settings.
milankragujevic - 46 minutes ago
I don't know, my friends from Croatia would disagree, as would
I, but I'm not in the EU, only in Europe (Serbia), you get a
black box modem/router from the provider which they can access
in any way, and it has open Telnet and HTTP admin with
credentials like "admin/ztonpk; admin/tzlkisonpk;
admin/telekom; telekom/telekom; and let's not forget
admin/admin"... I think this is just in large EU countries that
you don't get shitty modems full of security holes... But I'm
not even sure of that anymore...
Mister_Snuggles - 3 hours ago
My ISP seems to do the best of both worlds.

The modems, by default, do WiFi, NAT, and have a 4-port switch on
the back. The default WLAN name and password is printed on a
sticker that's on the modem, they're unique per modem. Same for the
admin user. I don't know if they allow SSH and if the SSH password
is unique per modem however.

If you ask for the modem to be put into bridge mode, which they
will happily do, the WiFi and NAT get disabled and whatever you
plug in to the modem gets assigned a real IP address. When I
upgraded my service and required a new modem they actually asked if
I wanted it in bridge mode. All of this is configured on their side
and the modem seems to pull the configuration when you first boot
it.
dqv - 2 hours ago
I am not joking when I ask this question: will this open me up to
potential CFAA charges if I run the commands to check if I'm
vulnerable and run the self-mitigation commands?
feelin_googley - 2 hours ago
In a world where users should have control over their own
computers, it is the customer who should have SSH access, not AT&T.
But as you all know, most times the customer does not own the
modem. One well-known workaround is for the customer to use their
own modem or to use their own router as a gateway to the modem.
But does this really give the user more control over the
modem/router?

These user-owned modems/routers usually do not encourage SSH access
by the user, if they even provide it. Instead they promote a "web
interface". Indirect control of the settings. Better than SSH? That
is for you to decide.

The "market" seems to love the "web interface". But this is often
the easiest vector for successful attacks. Less control, and less
safety. Is the tradeoff still worth it? That is for you to decide.

https://threatpost.com/vulnerability-disclosed-in-ubquiti-ne...
https://www.sec-consult.com/fxdata/seccons/prod/temedia/advi...
http://www.securityweek.com/worm-infects-many-ubiquiti-devic...

Relying on "Keep up to date with patches" or "Enable updates" as a
strategy to improve the safety of a product that was unsafe to
begin with is a bit of cognitive dissonance given that its safety
was deemed "good enough" for the renter/purchaser at the time of
rental/purchase. To achieve a safer product requires not only
manufacturers to set new priorities but also consumers as well.

How important is that "web interface"? More important than safety?
And why not configure using SSH instead? Whatever the reasons,
tradeoffs have consequences re: safety.
FiveSquared - 2 hours ago
Well I have AT&T and the hack it worked for me! Words could not
express the feelings of terror that I have right now.
wu_tang_chris - 2 hours ago
> Words could not express the feelings of terror that I have
> right now.

have you tried the word "hyperbolic" ?
saagarjha - 1 hours ago
> a kernel module whose sole purpose seems to be to inject
> advertisements into the user's unencrypted web traffic

Ugh, why is this even a thing? Like who thought it would be okay to
add this "feature" to a modem, let alone at the kernel level where
it would be difficult to disable and easier to be compromised?
fluxsauce - 3 hours ago
This is a shocking and overly broad title.

I have Sonic Fusion, which includes a Pace 5268AC modem which is
provided by AT&T U-verse and I cannot replicate the issue.

The title should be "Some AT&T U-verse modems..."
sctb - 2 hours ago
Thanks, we've updated the title from "SharknAT&To: AT&T U-verse
modems all have Internet-facing hardcoded ssh password" which is
editorialized.
jsoo1 - 2 hours ago
i have the 5268AC modem and i just did a quick nmap -PU . open
ports from that are 80, 8443, and 49152
jlgaddis - 3 hours ago
I also have a 5268AC (on Uverse) and have been unable to
replicate these issues (but, TBH, I haven't tried very hard at
all), although I have mine in "almost-bridged-mode" ("real"
bridged mode can't be done, but I have it as close to bridged
mode as I can get it).
ronnier - 1 hours ago
1. SSH exposed to The Internet; superuser account with hardcoded
   username/password.
2. Default credentials "caserver" https server NVG599
3. Command Injection "caserver" https server NVG599
4. Information disclosure/hardcoded credentials
5. Firewall bypass no authentication
chx - 2 hours ago
This is why, if I can, I get bridge mode on the ISP provided device
and put in an OpenWRT router. I am still on 802.11n but who cares,
most of my devices are not 802.11ac either.

I want to know what runs on my router, damnit! It's my biggest
vulnerability if done wrong and one of the more important security
features of the home network if done right.