Good afternoon everybody. I'm Blake Self. This is DevDelay and Bitemytaco from Surfboard Hackers. I'm glad to see so many people decided to come out. I figured, you know, you put "free" and "anonymous" in the name of a speech at DEF CON, probably a lot of people are showing up. So, without further ado, let's go ahead and get started.

Normally, if I'm talking with corporations, I start out a little more serious; with you guys, I figure you probably like humor. So, you know what Ted Stevens said, the internet's a series of tubes. I figured maybe he has a bunch of these hacked modems at his house, has them all hooked up with a drop amp, and that's why he thought it's a series of tubes. So, there's just a little bit of humor for you guys.

A little bit about me. I was a server administrator and red team pen tester for the United States Marine Corps. I currently do research with the Software Engineering Research Center, whose main office is located at Ball State University. It's an NSF, National Science Foundation, Industry/University Cooperative Research Center. A much shorter version of this speech was given at the SERC Showcase. I'd actually planned to give you guys some of the responses of the companies. Unfortunately, a non-disclosure agreement is standing between me and getting that information to you guys.

With this speech, there have been some people like Durandal who have actually taken the methods in this speech and used them; he's put modems online, kept modems online. So far the party van hasn't shown up, so it seems to be going good.

What I'm going to go over, and actually what they're going over as well: we'll start out with some requirements for the examples, a network overview, which is the DOCSIS network, go over anonymous access, cloning, how anonymous you really are, basically how the ISPs are currently trying to catch people, a firmware overview, and then end with hardware and security.
So requirements, what do you need? Well, obviously we're talking about wanting to get internet access through a cable modem ISP, so you've got to have a coax connection to the company. You need a JTAG cable for our examples, as we're actually going to be changing the firmware on the modems. You can use either a USB or a parallel JTAG. Now I wouldn't recommend the parallel because it's really, really slow. You need, for these examples, a Surfboard 5100 or 5101 cable modem. Other modems can be modified, but just to keep it quick, we only use those two in these examples. You need some soldering skills and a 10-pin header. YouTube's a great reference if you don't know how to solder. There's a ton of videos on there you can look up and figure it out. You need applications to use for flashing the firmware onto the modem. For the parallel JTAG, which I already said is really slow, they have Schwarze Katze, which is by TCNISO, or the USB JTAG, which is a lot faster. I think it takes maybe 10 seconds to flash a modem. You can get one of those, and the software, from usbjtag.com.

So requirements in depth. I kind of already went over that. Here's some pictures. He's already actually shown the real deal. There's the schematics, if you want to do the parallel port. The USB one's a lot more complicated, so I wouldn't really recommend trying to make one of those yourself. I mean, if you can, then you probably don't need me to show you how to do it. Here's the 5100, it's on the left. The 5101 is on the right. Now you can either crack those open and just solder that 10-pin header right there, or you can buy a pre-mod. They're all over the place. One of the places is sbhacker.net, which is where these guys are from. You can pick one up fairly cheap. You program it; that's pretty much the software right there. I already mentioned those. And then the features of the firmware we're going over.
You can enable factory mode, change all your associated MAC addresses, change the serial number. You can disable the ISP firmware upgrade, which basically, if you don't do that, then they could actually send you a new firmware and overwrite your good hacked firmware with the factory one, which you don't want. And disable reboots, so they're not rebooting your modem. Force network access is basically, in some cases, you can get an unauthorized message saying, hey, you're not allowed on this network. Well, if that's all they're using for security, you can just ignore that. Yeah, it's working. Force network access just floods the DHCP server with packets repeatedly until you get an IP address, an HFC IP. That's all it does.

Disable and set ISP filters. Basically, in some cases, you can have ports that are blocked at the modem level. A lot of times they're actually blocked at the cable modem termination system level, but let's say port 139 is blocked at the modem level; well, you can remove that. You can specify a config file name. So let's say you don't like the config you're getting, config being your speed. Well, you can specify a TFTP server and an IP address and say, hey, use this one instead. Along the same lines, you can actually download a config file and then upload that to the modem's memory and say, hey, don't even bother grabbing one each time, just use this one. And it uses that. You can get and set SNMP OID values and factory mode OID values. You have full Broadcom CLI access through a serial connection or Telnet. And of course, full shell access to the VxWorks or eCos Unix-like operating system that's on the modem. And of course, upload flash and upgrade firmware. So if you need to get a newer version, you can do it fairly easily.

Just a little bit. This is a very, very simple diagram of the DOCSIS network. So you've got your cable modem termination systems.
You've got operations support, which is really the guy you don't want to see that you're online, if you're not supposed to be. You've got your customer database, which is like your MAC addresses, and then what speeds go with those MAC addresses; generally it's a config file, but to make it easy, you could say speeds. Your internet, then you've got all your nodes, which is basically going out to all the houses. Let's go back. Okay.

So for anonymous internet access, the one we're actually giving the full walkthrough for, complete, like you could go home and get online anonymously, is with Comcast. The reason I chose Comcast: I said, well, according to ISP-Planet.com, it's the second most used ISP in the U.S. It's actually the largest ISP that is DOCSIS. The number one was SBC, which is DSL. On Comcast, if you hook a non-provisioned modem up to the Comcast network, then basically a Comcast page comes up. I don't know if anybody's ever tried that, but you can try to go to a website and, hey, welcome to Comcast. You're either a technician or a member. And they want to know, basically, are you just trying to order service, or if you're a technician, you can sign up. An interesting thing on a side note, which I don't think is set up this way anymore, is if you clicked "technician," you could actually put a little bit of information in and start doing customer lookups without authentication, start looking up people's accounts. I think they fixed that, though, but that was about a year ago that it was like that. You can connect inbound. Let's say you have a regular modem, you want to connect to it; you can see the IP address that it pulled, and you can connect to it. You just seem to not be able to connect out.
So if you look, actually, you change the DNS server and you find out, oh, wow, the only security they really have keeping me offline is it gives me these bogus DNS servers that tell me every site is Comcast.net. So you change that to a DNS server other than that. Like, hey, well, I can get online. I mean, there was a modem, I know that Durandal had it, it was like the first DOCSIS 1.0 certified modem, and he hooked it up and was able to get it online just by changing the DNS server. So, bam. Okay, there you're online, not really even having to modify the firmware. But as we go on, I'll explain why you want to change the firmware. If you disable the SNMP filters, then you're able to do a lot of different things like polling other modems, getting useful information.

The big thing I know a lot of people are probably going to be after: say, okay, I can get online. I went ahead and modified my modem. So I want to be faster, of course, because, like Bitemytaco, that's from his little thing on the forum, says: don't forget kids, the faster you download, the bigger your penis is. So, hey, it seems everybody wants speed. Anonymous access, of course, is good, but the faster it is, the better it is. I know that's one of the biggest complaints I've heard with Tor: a lot of people saying, hey, this is really slow. How do I get it to go faster? So, in order to increase speeds, you can force a faster configuration file from the ISP. Essentially, you're always doing one from the ISP, but it can be from their TFTP server, or you can store it on a local TFTP server, or you can actually flash it to the modem. Comcast uses static instead of dynamic configs. And really what that means is everyone uses the same config. Like, okay, you get this speed, and then you get this config.
It's not like a special configuration file specifically for your individual modem. Let's say you have a 5100; well, everyone with a 5100 that's on the basic plan gets the basic 5100 config. So that just makes it a lot easier, especially since you don't have to mess with a lot of stuff. So, here's some example configuration files that Comcast uses. DOCSIS 1.0: they have the speed tier 2, which I think actually, maybe on TheoryShare, they might talk about that, there's a site where people always seem to refer to that config, 16 down, 2 up. And you have the showcase, which is actually generally the best one, 55 down and 5 up. And then you've got the NA, which is unrestricted, but an important thing to note is that generally it seems to only pull about 1.5 up, even though, if you look in the actual config file, you see there's no restriction; it only pulls that 1.5 generally. And then you've got the same on the DOCSIS 1.1. You see the D11 on the far left, or the D10; that's DOCSIS 1.0, DOCSIS 1.1. Then you have the model of modem, and the last part, the C0, whatever, dot CM, that little end part, that's actually your computer IP addresses. So if it says 5, that means you can hook that modem up to a switch and you've got 5 IP addresses, 5 statics, versus just the 1, like on the showcase, it has the 1.

So changing the configuration file: here's some example pictures. These slideshows also are meant to, basically, you can download them; it's on the CD and it has the URL. You can go and download this slideshow and then have a lot of nice pictures to walk you through it, make it pretty easy for you to work with this stuff. There's just some example pics from Sigma X2, so if that's the one you choose to use, then those should help you.
You have an example from Haxorware on the 5101. And then the better part, techniques for remaining anonymous, is really what, I guess, it comes down to: why, in my mind, you're really changing your firmware. And that's disabling SNMP after registration. That's really useful, because basically once your modem gets online, it disables SNMP. And if you've ever looked into the Motorola software, some of the software they have like Stormwatch, what some of the ISPs use saying, hey, let's see what modems are online and what they're doing, that software is like 100% dependent on SNMP. So if your modem doesn't reply on SNMP, then it's kind of like it's not there. That's one of the downfalls, I guess, sometimes, of the visualization software: a lot of times it gives them this pretty picture, and you can hire people for a lot less per hour, saying, hey, I know you don't know a whole lot, but there's pretty software you can look at and it'll tell you exactly what's going on. So if it's not there, in their mind, it's not there.

You can hide your HFC IP address. You can't hide the CPE IP address; CPE is the IP address on your computer that you're actually being assigned, and the reason is... The CPE is customer premises equipment, that's what it stands for. Yep, on your computer. And you have to think, though, how could you hide that? I mean, if you're wanting to actually send and receive data, that IP address needs to be out there. And you can hide the reported software version and system OID, and these and other settings can be hard-coded into or set by the firmware for the desired result. And those actually give the commands right under there, like I said, so you can download this and actually do it at home. Some field results: a lot of anonymous people have said they've had high success rates with zero signs of detection.
I know Durandal, who was originally going to be here, he has a machine on a business configuration, and he's had that thing online, I think maybe a year and like three months, and it's seeding torrents. And he wanted that information to be out, but he didn't really want to be here in person saying that. He just said, if they want to try to find me, they can, but I'm not going to get up there and make it any easier for them. So there's, of course, like the picture you just saw of all the modems hooked up to the Sunfire server; there's some people who have eight or more modems hooked up. I mean, I don't know why you need that many, but maybe Ted Stevens does, like, he wants a series of tubes. So now, one important thing in all these scenarios: the individuals are actually paying for service. They do have an account that they're paying for. They just, hey, splice the coax line and add some more modems.

So then let's go from there, let's go on and get on to cloning, which you don't have to do on Comcast, but on some ISPs you do have to use cloning. If you don't figure out the way to bypass how they're trying to restrict your internet, then cloning's a pretty easy way to actually look like you're a valid user. So basic cloning is just taking an HFC MAC address and basically going in the firmware and changing your MAC to match that MAC. Due to the broadcast nature of the network, you have to use an HFC MAC on a cable modem termination system other than yours. The reason is, you can't have two modems right there talking to the same CMTS, one saying, hey, I'm this guy, and the other guy saying, yeah, well, that MAC address is mine also. I mean, that doesn't work. That's kind of basic networking.
This method allows you to force any config file, but it does associate you with that other person's account. So that's kind of the downside versus total anonymity: you are tied to an account, it's just not yours. One of the cool things about Comcast and Charter versus the other American ISPs is you can clone a MAC address from pretty much any state in the USA that's on their network. Say you're in California; you can clone a MAC from New York and it'll work. Yeah, Comcast just seems to have it set up as one big network. So there's a nice little diagram in case anyone's like, hey, I don't know what he means by CMTS. Basically saying, okay, so there's a neighborhood over here on node three, you're taking their MAC address and you clone it on node one. You guys are on different CMTSs, so it works.

And obtaining information for cloning: people are like, okay, well, if they're not right there where I can just sniff the traffic, then how am I supposed to get this information? Well, if you didn't already know, of course, like everything, it's traded privately on forums, IRC, and whatever other mediums people use to communicate. HFC MAC addresses on your node can be found just by sniffing the DHCP packets that are sent from the CMTS to the modems. So you can hook a modem up, run Wireshark, and easily get a list of that, and you could go trade it with someone else on a different node, a different CMTS. There's also a program from TCNISO called Coax, and DHCP Force will do that. And the other method is SNMP scanning, but it only works on certain ISPs. Yeah, on certain ISPs you can actually get HFC MACs from farther away with that.
And then we have the exact clones, or some people call them perfect clones, which are actually taking all the identifying information from the modem: the HFC MAC, the Ethernet MAC, the USB MAC, the serial, and all the BPI+ certificates. And then you're actually basically taking everything from that modem and putting it on another modem, and you have a perfect clone that way. Exact clones are usually non-provisioned modems, basically just to be able to pass an initial check. DevDelay is going to get into it a little bit more, but with BPI+, there start to be some problems where if you just change your MAC and you don't have a certificate that matches it, then your modem fails the BPI+ check. But basically this is saying, in order to bypass that, you can make these perfect clones.

And then getting into it more, everyone always says, well, how anonymous are you? I mean, there has to be something you can find out. Well, sure, they can pinpoint a modem, but not to an exact location. They can get it to the node in question where the modem is, which is generally a neighborhood or a few neighborhoods. And really, in my mind, that's really not accurate enough. I mean, I don't know, I'm not a lawyer, but I would say I don't think it'd be accurate enough to get a conviction if somebody was doing something bad on that network. They can trace it as far as your upstream node, which is usually 100 to 200 modems. And the only way to really catch someone is to go and unplug every single wire on that HFC plant, and that takes a lot of time. Yeah, the ISPs, I know some of them will poll for poor signal levels. So, turning off SNMP, if you have that off, they're not actually going to be getting those signal levels because your modem is not going to be responding. But let's say you want to leave it on, let it respond.
Well, you can use a drop amp from Motorola. Let's say you want eight modems online and you want them all to have good signal levels. Well, then you can do that. We gave a little bit of information on what your downstream and upstream should be. So if you're doing this and you're like, well, are my signal levels good or are they bad? Well, there they are for you. A lot of ISPs do perform routine audits on lines, say if you're not paying for service. Let's say you don't pay for it at all. You just go out there, climb the pole and hook it up. Or if you're in an apartment complex, you pick the lock on the box and, okay. Or bribe the maintenance man. Sure, works pretty well. So, I know a lot of ISPs use colored tags to say what kind of service they have. So, hey, you cut those off, and there's not a whole lot of information for them. They're like, oh, man, we've got to trace this stuff and figure out what account it is, what it's supposed to have.

Also, some ISPs have adopted and implemented what's called a ROC, regional operational centers, which actually look like they're sitting in front of the CMTS and maintain a list of customer MAC addresses. And DevDelay, I don't know if you're going to touch on that a little bit more. Basically, the ROC just sits in front of the CMTS. They're all independently connected to each other. And it's just a way for them to do better clone detection. So they can basically say, hey, these are all the MACs that have registered with this CMTS. And another ROC will say, well, this one just registered over here. And now we can just go ahead and try to disconnect this guy, because it's obviously been identified as a clone. It's pretty straightforward. But not a lot of ISPs are using it, and really, honestly, American ISPs are really lax with any security measures. Most security measures we've seen being implemented in Canada.
So I don't know why that is exactly, but it's... There's a lot higher penetration rate of hacked modems in Canada than in America, for whatever reason. Until after this speech. We work with some of the suppliers who work with all the big American cable companies. And what the owners have told me is that the American cable companies aren't very concerned about it right now because there are so few hacked modems out there and it's not really costing them anything. So they just kind of ignore us. That's something I kind of touched on; I'm with SERC. And one of the things before this speech was to be given was, hey, we have to contact these guys. We contacted the ISPs; they literally just don't care. I mean, they're like, we're not losing that much money. It's a lot of cost to try to fix that stuff. I mean, I don't think they really wanted me to talk, but they're not willing to do anything to fix the problem. The cost to enforce the security measures is not worth what it would save them, as well as convenience. They lose a lot of convenience by changing their network to do this sort of thing, to stop it. So that's another factor to discuss.

And to just move on to throwing up a red flag. If you don't use the techniques that we've discussed on remaining anonymous, hey, that's going to help throw up a red flag. I've listed excessive torrenting because I would believe that they would notice that. Now, Durandal, like I said, using his server and doing torrenting, has said, hey, nothing's happened. Nobody showed up. So in my mind, I think that will throw up a flag. But apparently, he's using the techniques that are in this speech, and a year and three months, nobody's shown up. Now maybe someone will show up tomorrow, now that the speech has been given. But right now, it looks good. FTP, web servers, I said hosting warez, porn, things like that. I figure heavily used services would throw up a red flag.
Using cloned MAC addresses without discretion, committing fraud, crimes, et cetera, just seems like, if you're tied to an account with certain MAC addresses and the account's being looked into, then that seems like it would throw up a red flag. Like, hey, who's this guy? Oh, wait. Why is he on these two different CMTSs? Splitting the connection too many times, of course, will weaken the signal. And if you don't have SNMP turned off, then that will cause techs to come out and look, like, hey, why is this signal so low? Comcast doesn't actually poll for poor signal, but, one example, Charter Communications polls for poor signals. And if you have a signal that's out of spec, they'll send a tech out to your house to check on it. Same thing with Time Warner. Have you looked at the description of the speech? There's a Time Warner network guy that was willing to give out pretty much all the ways they use to try to detect theft of service, and that's where that's coming from.

So some precautions, of course. Don't transfer personal information unencrypted, ever. Keep an eye out for the party van or cable technicians. Had a pretty... I don't know if anybody looks at 4chan, I might have had a little picture of a van with Pedobear and all that stuff in it, but I decided not to put that in. Then, of course, pay for service on one of your modems. You have a bunch of other ones hooked up. If you're paying for service, the ISPs seem pretty content. They don't really seem to care. It's kind of a gray area with the law in America, some of this stuff. I mean, you're paying for service, and so it's something they don't really want to mess with you on. Of course, be careful, like we said already, with which HFC MAC addresses you clone. And if you are stealing service, completely stealing service, remove those line identifiers. So then it gives them a harder time to actually figure out where you're at.
Like if you're at an apartment complex and all these coax lines are running through concrete and everything else, well, you're gonna make their job a lot harder if you remove that little identifier and make them have to figure out where that actually goes to. And then, unfortunately, like I said, because of the non-disclosure, I can't get into too much detail about the response that was given at the showcase. There's Ron Buske, one of the chief security architects at Motorola, right there watching my speech. But the big thing they were concerned about that I'm able to say was the lack of privacy: that your connection is actually only encrypted with 56-bit DES, not triple DES, just single DES. So I know Guy Martin has a speech later tonight about sniffing DOCSIS traffic, and it's unencrypted DOCSIS traffic. But if you think about it, well, how secure is 56-bit DES? That's all that's protecting you, if they even have it turned on. In some cases, like with Charter, they don't have it turned on. Pretty much every ISP in America, most of the world, has BPI or BPI+ enabled. Charter is the only major ISP in America that doesn't use BPI, for whatever reason. They use it for their VoIP service, but on cable modems you can sniff your neighbor's traffic with Wireshark. And this technology's been around since 1998 or so, and they just have not implemented it, for whatever reason. Sure. And with that, I'd like Bitemytaco to come up here and go on with the speech.

Basically, this all started around 2002. A guy named DerEngel runs TCNISO. He figured out that when you get a modem from your cable company, they can upgrade the firmware as soon as you plug it in. He figured out that you can hook it up to your Ethernet and force a firmware update to whatever firmware you want. And that's how they started with the old SB4200 models, the old Motorola Surfboards. And they moved on to 5100s and whatnot.
But the way it all starts is this orange modem here is a Motorola factory diagnostic modem. They're not available to the public. They're only leased to ISPs. They have shell firmware on them, and some of them have Telnet. They have a little headphone port on the back that goes through a serial cable and you get full shell access to the modem. And all of these hacked firmwares are based on shell firmware that comes off of these orange modems here. And we take them and modify them and add our GUI with the features to make stuff easy to do, like change your MAC address, disable BPI, et cetera. It started out with the old original Sigma, which ran on the old SB4100 and 4200s. And the scene pretty much stayed underground until 2006, when DerEngel released a book called Hacking the Cable Modem. You can go buy it at Barnes & Noble. And after that, it kind of went a little more mainstream. But before that it was... They said they have the book for sale here, apparently. But yeah, the scene was underground for about four years and then he released his book, and all the ISPs have read it, and it just got a lot more people into the scene.

A couple of years ago they released Sigma X for the SB5100, one of the best firmwares ever. And then around October 2006, TCNISO had a forum where you discuss the information that you need to get on your ISP. It wasn't very good. So my partner, his name is SNMP Rape, he started surfboardhacker.net for people to come and discuss information freely. And we were basically reselling TCNISO's firmware for a while. They created Sigma X2; Sigma X was DOCSIS 1.0 only. Okay, the diagnostic factory firmware. Basically you can do everything you want to hack a modem with it if you know what you're doing, but everything's command line, either through Telnet or the serial interface, HyperTerminal or TeraTerm. But the shell firmware is not available to end users. You have to get it from Motorola.
DerEngel's got some special connection with them where he gets all this stuff and doesn't like to share it with the public. And there's no GUI for this where you can make changes, and that's what makes it easy. Sigma X2: very easy to use, got a lot of features. It was based on the SB5100 shell firmware, DOCSIS 2.0. DerEngel didn't actually... He has a team of coders who did this for him, and he charges $20 for a license to use Sigma firmware. And supposedly there's some backdoors in there that he created to basically sell to the ISPs if they wanted to shut down all the hacked modems. He was gonna sell out his own firmware; so far this hasn't been confirmed. Yeah, we disassembled it and can't find anything, but he claims there's backdoors in there for all kinds of stuff, or backdoors for destroying a firmware flash. Like I said, Sigma X is DOCSIS 1.0 only, so it doesn't work on every ISP, but it was very stable. Sigma X2 has a bug where these modems only have 8 megs of RAM, and when you start torrenting and you get too many connections open, too many peers, the modem will actually crash and reboot because it runs out of memory, has a buffer overflow. The new Sigma X2 kind of fixed that, and then Surfboard Hacker's new firmware for the SB5101 doesn't crash.

Also, a guy from Europe named Tom created something recently called SB5100 Mod. The interface looks kind of like DD-WRT. Very easy to use, same features, and it's free. Also based on the same Motorola diagnostic firmware, but there's a few bugs, and there are so many features it can be confusing. And a few months ago we came across a source for these little orange beauties right here, and we got the SB5101 shell firmware, which I've been looking for for a very long time, and found a developer, and he created the firmware called Haxorware. It was built for the SB5101, but it basically runs on any modem with a Broadcom BCM3349 chipset: an RCA DCM425, the Ambit 250. There's some other ones that it'll run on as well, the WebSTAR DPC2100R2.
It's got a TFTP Enforce bypass. It's got a built-in TFTP server where you can store your configuration file of choice in the flash, and instead of having to pull it off your ISP's TFTP or your computer, it boots the modem and pulls the config from the flash. It's a pretty cool feature. You can set a static HFC IP, subnet and gateway instead of using the one that the ISP assigns you. You can spoof the vendor, the model, the firmware version. You can change the SNMP port, so the ISP really can't... DOCSIS is completely managed by SNMP, and the standard ports are 161 and 162 for traps; if you change it, your modem won't respond to the ISP trying to contact it, and they really can't get any information from it. Of course, we add to the firmware a GUI that makes it easy to use, and we add a web shell that works kind of like Telnet. It's got very detailed diagnostic output. It's got username and password. You can upgrade the firmware from the web interface, back up your flash and your NVRAM with all the settings, store your tuner settings, your frequency, other stuff like that.

He also put a feature in to skip the modem config checks. In every config, there's an MD5 hash at the bottom that the CMTS verifies to make sure of the config. Back in the day, you could edit the config to have any speed you want, and that hasn't worked for a very long time. The skip modem config check basically ignores the MD5 hash so you can use and edit the config, but that only works if the CMTS is not properly configured. It doesn't work in America. There's some ISPs in Europe where it works. We're working on a way to basically ignore the CMTS controls over whether you have access. We're basically trying to make it so you can ignore the CMTS telling the modem, no, you can't have access, and just force it. Basically, this all started with TCNISO; many thanks to DerEngel for making this possible for everyone, and Surfboard Hackers for taking it to the next level.
We've got the 5101 firmware out that runs on all these different modems and we've got a 5102 we're working on, and the next step is DOCSIS 3.0, and DerEngel is actually working right now on porting Sigma X2 to the 5101, but that's not out yet. And then it's a devilish turn to talk about hardware. Sure. Hey guys, thanks for coming out. I just want to cover basically stuff listed here. I don't know if all of you guys can read that, but basically I'm going to cover some hardware, I'm going to cover some of the encryption and authentication measures that the modem uses. Why is this possible and who's at fault? I've got kind of perspectives and objectives here just to make the topic a little more honest, because it's a little illegal, some of the stuff we're talking about here. I also want to talk a little bit about the future and some problems and some solutions. Why should you guys listen to me? I'm cool. I do IT and IS consultant work. I'm actively pursuing CISSP, although I'm hearing that that's null and void soon with the PI requirement, kind of lame. I'm an active member of Surfboard Hackers and I've been there. I also assisted Rajko, the Serbian prodigy, on development, design, debugging and testing of the latest Haxorware firmware, which was financially backed by bitemytaco. This kid is 17 years old and he knows every programming language known to man. IQ's got to be above 200. DevDelay here did most of the testing and made all this possible. Spent a lot of hours and hard work on making it possible. So anyway, on to our objectives for honest discussions. Basically I just think it's important that we discuss that we should provide an open forum for users, hackers, professionals and law enforcement to discuss that hacked modems exist; warrantless wiretaps are illegal, I guess. And these modems are used for anonymous, free and fast internet. They're virtually undetectable, they can be used for evil. 
The other thing that's important, which basically is partly why this is possible, is understanding and evaluating the DOCSIS network as a viable telecommunications protocol. Essentially part of this is possible because of the nature of the network, security flaws in the network, and also best practices of the ISP. A lot of it is due really to the fact that ISPs do not care and they do not configure their CMTS properly. So that's really improper use and abuse by everyone. Most of the network admins are complete idiots, quite honestly. Truth be told, they're morons. And how can we make it better, both from the ISP side or from our side, and can we coexist? I don't even know if that's possible, but it seems to be working out so far for five years. Anybody in this room could configure a CMTS better than these cable company employees and stop it, put a stop to it. So what is the DOCSIS cable modem? Well, it's basically just a computer. We've got a Broadcom chipset, either BCM3348 or 3349. It's got a 200 megahertz processor, RAM 16 bit, 8 megabytes of RAM. It can be upgraded. I actually haven't heard of anyone upgrading past 16 megabytes, but I don't think it's necessary. You can upgrade it to 32, but the boot loader can only address 16 megs. Right. And before the Sigma X2 firmware was fixed to stop the torrent crashing, we actually offered a memory upgrade to 16 megs that eliminated that problem, but now it's kind of obsolete with the Haxorware and new X2 versions. So we've got a 2 megabyte flash ROM, and all of them operate pretty much on a real-time operating system, which is either VxWorks or eCos. I got you. All right. So trust, encryption, authentication. Basically, I'm just going to talk about BPI and BPI Plus. BPI is just a method for encrypting traffic between the CMTS and the modem. It uses 56-bit DES, which is pretty weak. It's not even a problem to crack that. A lot of ISPs don't even use it. Baseline Privacy Interface Plus is basically implemented in DOCSIS 1.1. 
It's backwards compatible, meaning it still uses encryption between the CMTS and the CM. But it adds X.509 digital certificates, which basically are used for authentication between the modem and the CMTS, basically proving your identity. That's really what it comes down to. Motorola calls this the trust ring. I've heard other companies call it the web of trust. These are stored in the non-vol settings of the modem. They contain a public/private root key, a CM certificate, and a CA certificate. The CA certificate is a manufacturer's certificate. An ISP can actually grab one from CableLabs. They can ask for a CA certificate for themselves and then issue their own certificates for all of their modems. The one important thing, too, is that CMTSs by default actually accept self-signed certificates. This is really important because we essentially can create our own certificates and then tell the CMTS, hey, I am who I say I am, even though the MAC is not provisioned at all. So why is hacking cable modems possible and who's to blame? I basically look at blame for three people: the manufacturers, the developers, and administrators. And really, for the manufacturers, there's no physical security at all. That's probably the most important thing there. Developers: the initial hacks involving cable modems were using factory modes. And really, you can use SNMP to enable a factory mode. One thing to add real quick: Motorola, one thing that can be said is Ron Buske actually did write a paper on secure JTAG. But when Motorola wanted to use that, the ISPs didn't really want to pay the extra money that it would cost to have that on the modems. So I do know it is the, yeah, the developers did. It isn't secure, but they did have a solution that the ISPs didn't want to use. Right. So, and then we can also blame the ISPs because they don't want to spend the money. It's too inconvenient for them. They improperly configure their CMTS. 
And there's also flaws that are in the IOS for the CMTS. Another one of the things with the ISPs is there's still millions of DOCSIS 1.0 modems out in the field, and the cost to replace them all with 1.1 or 2.0 modems is sometimes not worth the benefit to them. So they can't really enforce security when there's still that many 1.0 modems out there in the field they have to replace. And also, I think it's important to discuss the perspectives here. You know, coming from the customer: you're a customer, you hate your ISP, all right? Just by default, you probably do. You want them to, you know, protect and respect your privacy. You want quality service. And you want them to stop charging when it doesn't work right. Hackers say, hey, you might expect this to happen because we can do it. And we demand anonymous internet access. And if we can find a way to do it, we'll do it. It seems like they make it so easy just for the fact that they don't care or they don't do it right. That's another reason why it happens. And it's not our fault. And even when they do try to configure everything properly, they're still not going to stop it. ISPs, I think I've basically covered that. They don't want you to have unlimited bandwidth. They lie about being secure or being properly configured and cut corners. And unofficial bandwidth caps. Yeah, they want to stop your torrents, interfere with that sort of thing. And your information could be sold. So that's just one reason why we want to be anonymous. All right. Next, I'm going to talk about disassembling the firmware. Basically, there's three types of firmware: signed and compressed, compressed binary image, and RAM dump images. RAM dump images are basically stored in the RAM in the last four megabytes. A dump image can be loaded into IDA Pro for reversing or manipulation. And current firmwares use VxWorks or eCos. Both are coded in MIPS. That's really fun. 
Here's an anatomy of the flash contents, just so you guys can get an idea of what this two megabyte dump actually looks like. There's a bootloader here, 32K. There's also, in some modems, another 32K they use to store settings for that bootloader. Next, 960K is the first firmware image. The next 960K is another image. Basically, the reason there's two is so that the ISP can upgrade while the existing firmware is running. The next is dynamic volume. This basically stores logs and that sort of thing. So, reversing and simple tools. You've got an unsigned firmware image. That's basically what you need. If it's signed, you can actually remove the signed header from it. And then you can use LZMA to basically decompress that into a dump. There's other tools that people have made. Next, you're going to need your favorite hex editor. You're going to need IDA Pro Advanced, your favorite compiler. I know Rajko, he actually wrote his own, specifically to build Haxorware. You're also going to need a serial console cable just so you can get the debug output from the fat shell or the shelled factory firmware. And a lot of time and patience, because it takes a long time to do this stuff. All right, next I want to talk about the future. Future, basically, so far, we haven't really seen any interrupts with ISPs making changes. So what you can expect is better firmware, better firmware to stop, prevent checks that they might implement. The other thing that we have seen, basically in Canada, is ISP lockdowns. They are able to lock this stuff down to a certain point. And they give up the expense of that, and also they give up, basically, their convenience of being able to monitor the network. And it's pretty much due to Craigslist. It's full of people trying to sell super modems. $300. People were selling illegally pre-cloned modems on Craigslist in Canada. And Rogers and Shaw control about 90% of the Canadian market. 
And they both started forcing BPI Plus, so everybody with a hacked modem got knocked offline unless they really know what they're doing and when the clone starts and all that good stuff. And the next thing we're going to start seeing soon, maybe, is DOCSIS 3.0. Although I've heard Comcast say, you know, we're going to have DOCSIS 3.0. Really all they've been doing is testing DOCSIS 2.0, which just involves channel bonding, where they just take two or more downstream and upstream signals, bond them together in order to get faster speeds. Charter and Cablevision also announced recently that they're rolling out 3.0 this year and following Comcast. The other thing involved with DOCSIS 3.0 is advanced class of service mappings, which basically can stop, like, you know, hey, I want to grab this config, force the speed, and it tells you no. So really you're kind of stuck at a speed that is assigned specifically to that MAC. And then also maybe in the future we'll see purposely designed anonymous networks. That would be a perfect world, but who knows if we'll ever see it. Some problems we're seeing too is BPI Plus. And I'm actually running out of time, guys. So like I said, we can use self-signed certificates with BPI Plus. We can also reverse the BPI manager, which could be a possibility in the future. And you know, we talked about rock, which is advanced clone detection. And like I also said, the situation is really that the more that they try to lock it down, the less convenient it is for them. So with that said, we're going to have a question-and-answer session. If you guys want to attend, we're going to be giving out some swag and that sort of thing. And if you guys want to get more in depth, I can talk for hours. Yeah, we've got, if you're on a Motorola modem, or a modem with the JTAG port, you can mod it yourself with the JTAG cable. If you've got one of these, something like this, use a serial cable, or USB serial cable, to flash it. 
Pretty much any modem with a Broadcom chipset can be modified. And we'll talk about more in the Q&A. We've got some free Surfboard Hackers and SoldierX t-shirts to give out and answer your questions about how to mod your own modem. Hey guys, thanks for coming.