Okay. To get an idea of how fast I should go through some of the material that was gone over at DEF CON 16, how many of you actually attended the DEF CON 16 speech? Raise your hand. Okay. So a pretty good number. So we'll go through it pretty quick. So anyways, our old humor was the whole "series of tubes" of Ted Stevens. But this year, since I said, like, you know, "shacking DOCSIS," I'm like, okay, are you saying like we're, you know, shacking up with our modems or something? I don't know. But anyways, it's a... So you guys already know the backgrounds of most of you. I do research with CERC. It's actually what was CERC. Now it's S2ERC, the Security and Software Engineering Research Center, which is a National Science Foundation Industry/University Cooperative Research Center. And this is bitemytaco. He's a root admin over at SBHacker. And at DEF CON 16, we covered DOCSIS 2 and below. And our last speech actually led to a huge number of people coming over to the SBHacker forums and discussing the modem technology, to include ISPs and, you know, contractors and everybody else. So what we're going to cover, pretty similar format to our last talk, is our requirements for our examples. We're going to do a previous speech overview, which I'll try to get through rather quickly since most of you are already familiar with it. Then we'll get into DOCSIS 3. Going to touch a little bit on PacketCable. Then I'm going to go over the United States versus modem hackers. If you guys didn't know, after our DEF CON 16 speech, a number of people got arrested for, you know, making and selling modified modems. Then we'll go over some of the new tools and, of course, the new firmware, and then kind of basically leave it open for the future. So what do you need for our examples? A coax connection to the cable company.
Now, everyone that had seen the last speech wanted me to stress that I'm talking about a legitimate connection to your cable company, because I guess supposedly I was telling people to climb poles or something, but I'm actually not. I'm saying go ahead and pay for your connection to your cable company. An SPI/JTAG cable. Then there's a number of modems. Last time we were focused on the 5100 or the 5101. Now we're talking about the SURFboard SB6120, SBV6220, DPC3000, all DOCSIS 3 cable modems. Some soldering skills. Or if you don't have soldering skills, SBHacker actually sells, you know, pre-modified modems. So then you can get around that. Then, of course, tools for flashing, which there's a number of those: USB JTAG NT, Hax-O-Matic, which is a new thing from SBHacker. And you can always, you know, do-it-yourself cables. So as we covered last time, why is it possible? Well, manufacturers didn't really put any physical security into the modems. So it made it really easy to modify them. The software, you know, the software was very easy to modify as well. And, of course, the ISPs' CMTSs aren't configured properly. Their security falls in the CMTS and in the IOS. And my stance is really, is DOCSIS really even a good platform? I mean, in terms of security, I would say no. But, you know, it's still, they keep pushing out new versions of it, new specs, and in my opinion, it's not getting any better security-wise, but, you know, it's still in use. So you can still do this. A quick cable network overview. You've got, you know, your cable modem termination systems, which is where your internet connection is going through. Your customer database is where it's going to do a lookup, and that's based on your, you know, your MAC address. You know, the operation support system is basically you call in and you have a problem, then they can, you know, hook into that, look at the CMTS, see power levels, all that good stuff.
And then we have your nodes, or basically, you know, out there in your neighborhoods. So the big thing we pushed last time, we're talking about anonymous internet access, and we used Comcast. Comcast is still the largest ISP, so we're still using Comcast. The whole idea is if you take a modem that's not tied to an account and you hook it up online, it's going to ask you to sign up for service. But if you change the DNS service, and I don't know why this still works, I actually figured they would have done something to change this. But for some reason, this still works. You change the DNS service or servers and you're online with, you know, a modem that's not tied to an account or anything. You're completely online. So then you have some other things you can do, you know, with config files to get it faster, or then, you know, we have disabling SNMP and things like that just to be a little more anonymous so that they won't be able to detect you as easily. Then once you get your anonymous access, like I said, a lot of this is all review, but anonymous access is good, but faster anonymous access is better. And as Taco says, you know, don't forget kids, the faster you download, the bigger your penis is. Everybody knows that. It's my form of signature. Sure. Everybody's got a big e-penis. So one of the funny things to me is that even after our last talk, and we're pretty much showing them how this is all working, so you have DOCSIS 1 that's really not so much in use. You can still use it on most of the network. And you have DOCSIS 1.1, 2, 3. The config files from the last talk are still working on DOCSIS 3. To me, there's something wrong with that. But hey, whatever, you know, I guess they're still making money so they're happy. Haxorware, you know, basically you go to, it's got a web interface, you can configure all that stuff. When we spoke last time, it was pretty much like a beta type thing. As far as we know, all the bugs have been worked out. It's very stable.
It's very good. It has a huge following. I think it's, you know, personally it's, you know, leaps and bounds ahead of the Sigma firmware. Then we'll go over techniques for remaining anonymous. Like I said, still just going through review. Disable SNMP, hide the modem's HFC IP address. These are just commands you can do to do that stuff. Hide the reported software version. You know, because if you're using like some weird software version that isn't what they, because they'll actually push out updates to your modem, so you want to try to match that, because if you don't match that, they're like, hey, why, you know, we pushed out an update to this modem. Why is it on a different, you know, software version? So all these settings, you know, basically put them in and it will make your modem look more normal. That's the whole idea. You want to just kind of lay under the radar. Cloning. I know SBHacker is really against cloning. I still said I want to go over it real quick. Yeah, you can clone modems. That's pretty much, I think, viewed by everyone as just really illegal, because you're taking someone else's modem settings and, for like a true clone, taking their certificates and actually cloning that with your modem and getting on under their account. And so, you know, especially in the nature that we can get on anonymously, why would you really want to clone someone? But we'll just leave it at don't do it. So that's a quick overview of that. Because they're on different CMTSs, you can clone them. Like you couldn't clone someone from the same CMTS as you. That's really the only restriction that you have. And then, actually, I think I'm just going to skip through this just because it's on the CD if you want to do cloning. Like we're pretty much saying don't do it, but if you really want to, the information's there. And this is always interesting to me. People always ask me, well, how anonymous are you?
And from what I can tell, and from techs that I've talked to, people that work higher up at some of the ISPs, they can pinpoint down to a node, is what I call a node, like a CMTS, yeah, a neighborhood, but not a specific house. Or a tap. Or a tap. So if you're like, you know, your big convicted hacker and you have a record, this might not be so anonymous for you. Because maybe if you pull off some large hack and they actually say, okay, we go to this IP address, it's not tied to an account, you know, it's in this general neighborhood. Are there any convicted hackers that live around here? Well, you know, your name pops up. So it's, I think it's still fairly anonymous, but it's not perfect. There's also some ISPs that will poll for poor signal levels. So the solution we gave is to use a drop amp. Had a pretty good response from that from people that were trying this stuff out; they said they were able to maintain good signal levels. Nobody had any, you know, impacts or party vans or anything coming out and giving them a hard time. The ISPs sometimes do perform routine audits. I mean, sure you guys are familiar with, you know, your neighbor gets cable or something, the guy goes up there. If he's a contractor, he probably doesn't care. If it happens to be somebody that does care, they might look and say, hey, that tag's not supposed to be hooked in, and unhook it. And then, you know, some ISPs have adopted and implemented, at a cost, regional operating centers. I think he'll get into that later. But most of them haven't. So lists of precautions. If you're going to play around with this stuff, doing, you know, a diagnostic modem and actually putting modems online. Personal precautions, I'd say, don't transfer personal information over unencrypted connections, ever. Yeah. BPI enabled? Yeah. Okay. Keep an eye out for the party van. It's like to say cable technicians, FBI, whatever, you know, you see like a bunch of Comcast trucks and then you might, you know, start unhooking your modems.
Just a word of advice. Pay for service. I really, and I, you know, I'm not a lawyer, but I strongly feel that if you're paying for the service, then it is going to be a lot harder for them to say that you're actually breaking the law. I think at the point that you're paying for service and you're putting another modem online, it's technically a terms of service violation, but not a theft of paid-for service. If you're actually paying for service, they're definitely not going to go after you as hard as they would if you're just blatantly, you know, climbing the pole, hooking it in and ripping it off. Use the modified modems to test, confirm, diagnose your existing service. That's the legitimate reason for these modems. So if you're buying them, that's what you're buying them for, not for any bad stuff that you might happen to do. Be mindful of HFC MAC addresses you may choose to clone. I'm actually going to say we were giving people maybe potentially bad advice. Yeah, okay, the next one, don't do that. That's leftover. Don't cut line identifiers off of cable lines. So the previous firmware, like I said, we were a little riskier at DEF CON 16, and we're trying to, because all the people were arrested, we're really trying to get this to be more legitimate if we have everyone. There are plenty of legitimate uses that really are. Just saying if we have people running around cutting tags off and hooking up modems and, you know, get it somewhat legitimate. So the old firmware had all these different things it could do. I'm actually not really going to go over those. We already went over the anonymous internet and that stuff. Like I said, it's all, you can read it. And at this point I would like to hand over to Taco and let him start going over DOCSIS 3. So DOCSIS 3 has been certified by CableLabs since our last presentation.
Basically it's just DOCSIS 2 with channel bonding, native IPv6, like it says, and optional AES encryption. Before, they'd been using 56-bit DES for BPI and BPI+. As far as the RF stuff goes, DOCSIS systems, like in America, South America, use a 6 megahertz wide channel for the downstream. It can handle 43 megabits per downstream channel. EuroDOCSIS, if you're lucky, if you live in Europe they have 8 megahertz channels. It can handle about 55 megabits per channel. The DOCSIS 3 spec calls for a minimum of 4 downstream and 4 upstream bonded channels. So basically you're getting a lot more speed. Let's see here. I had a little too much to drink before I came up here. It's okay. In America, basically if you have 4 channels down you're going to get up to 160 megabits, depending on what your cable operator offers. Most upstream packages now get 10 to 15 megabits. The potential is for about 120. That'll come sometime in the future. The basic foundation being companies Broadcom and Texas Instruments. Before, with DOCSIS 2, Texas Instruments had a garbage chipset. Motorola had a big fiasco with them. The 5120, it was a piece of shit. Comcast started pulling them from the field. Blah, blah, blah, long story short, Broadcom was the leader. Well, now with DOCSIS 3, Texas Instruments released the Puma 5 chip long before Broadcom released theirs. It's an ARMv6 architecture. It runs MontaVista Linux, open source of course. Right now there are 4 channels down, 4 channels up bonded on that CPU. TI just recently released an 8x4 Puma 5 chip, meaning 8 channels down, 4 channels up, to compete with the Broadcom BCM3380, which is 8x4, which was really late to market, and the current firmwares for all those modems have a lot of bugs, and that runs on eCos and it's MIPS. How many people here have Haxorware modems? Good, good, you guys see a lot of hands. You all know Rajko then, the Serbian prodigy who wrote Haxorware when he was 16 years old.
He's now 18 and he plans on doing a Haxorware 3.0, probably around sometime from the end of this year, for the Broadcom modems. The TI modems, Linux, open source, anybody can develop for it, and we're trying to find more developers because the possibilities with that are quite endless. Let's see. Every modem manufacturer has a Puma 5 modem out: Motorola, Cisco, Arris, Netgear, SMC, you name it. And then the Broadcom modems. The Motorola SBG6580, it's a modem with Wi-Fi and a gateway. They released it about a month ago to Best Buy at retail and they've already stopped shipping it because of so many firmware bugs. They released it with a serial port and a JTAG port, which they should have known better, because this modem hack has been going on since about 2002, 2001. The next batch is supposed to have that stuff removed and hopefully some firmware bugs fixed. My favorite Broadcom one is the Cisco DPC3010; works pretty well. The Thomson, piece of shit, but it's an option. The DCM is DOCSIS, the TCM is EuroDOCSIS. Let's see. Oh, and you know, eCos/MIPS, you got to have somebody who's, Rajko codes everything in assembler. He plans on doing Haxorware. The Puma 5 I think is going to be the big popular thing, since anybody can develop for it who is a Linux developer. As far as American DOCSIS 3 offerings, Comcast has the most D3 offered in America. Competitor to FiOS and other fiber-to-whatever services. Comcast, for 100 bucks a month or 80 bucks a month, you get 15 megs down, 10 megs up. There's 100 meg down, 10 meg up business packages, it's about $300 a month. If you hack your 6120, you can pull 120 megs down and 15 megs up. You can. I was saying you should do that. Charter. Yeah, I know we're wearing Comcast shirts, I don't have Comcast, it's just more for the irony. Charter has a 60 meg package, 175 meg coming soon. Cablevision up in New England, they claim the fastest internet in America, 101 megs down for 99 bucks a month; it's pretty cool. Time Warner, Road Runner.
They are very slow in deploying DOCSIS 3 right now. They've hit New York City, I think Dallas, but they are dragging their heels. So if you've got Time Warner, I feel sorry for you. I actually, I have Charter, I just got DOCSIS 3 about a month ago and I love it. It's great. Oh, in Europe some of those companies are already offering eight-channel bonded downstreams. Not in the USA yet. One of my friends in Norway pulls about 170 megs down with a 6120. It's pretty sick. And the potential with eight channels bonded downstream is about 400 megabits. Yeah. PacketCable. They really want me to talk more about this than I should. Just as a proof of concept, PacketCable is, anyone have cable phone service, Comcast Digital Voice? That's run on PacketCable, which runs on top of DOCSIS. Basically, with the permission of the phone line owner, I was able to, in a couple of hours, hijack their phone line completely. No need to clone the MAC address; by simply cloning the FQDN, which is the fully qualified domain name, and a couple other pieces of information, you can hijack somebody's phone line, and that's cable phone service. And that's not something I recommend you do. I did it just to prove it could be done, and there's a lot of flaws in PacketCable. I think it's more so vulnerabilities in the call management servers. Not necessarily PacketCable, but PacketCable is like DOCSIS, there's inherent flaws in it. And basically somebody pisses you off and you know enough information, you can hijack their phone. Let's see. I'm going to pass this back to Blake to talk about some of the people who have been arrested since 2008. There you go. All these people getting arrested, actually at the end you'll see a very important lesson that is from one of my friends. He's actually in prison right now, unfortunately, but everybody's heard of the TJ Maxx hacks, Steven Watt, and so I got a picture from him to show you guys, just to push a message to everybody, you know, the hacker community in general.
You got Tom Swingler, a.k.a. Massadog. He was the first guy that was arrested. I think it was actually big enough it ended up being on G4's Attack of the Show or whatever. He's got a nose job. So anyways, that heavy media attention, the case ended up being dismissed after six months without any official reason, but what ended up happening is Massadog then snitched on MassMods. So you also had TCNiSO, last speech, heard about them; they kind of started a lot of the cable modem hacking in general. That's Ryan Harris, a.k.a. DerEngel. He was arrested in October of 2009, generally regarded the godfather of cable modem hacking. How did he get arrested? Snitched on by DShocker. He's currently out on bond awaiting trial. So we'll go on to the, DerEngel actually literally wrote the book. It's called Hacking the Cable Modem; No Starch Press publishes it. They probably have it in the vendor area. He wrote the book on it, and he was the big fish, and they busted him based on a snitch, and we believe that he's innocent, but that's my opinion. So then you have MassMods.com, Matthew Delorey, arrested February 2010. He advertised preconfigured modems to steal service from Comcast, which is obviously a no-no. You don't say hey, steal Comcast here. But still, again, he was raided after being snitched on by Massadog. He was arrested and is going to plead guilty, of course, the way the case is set up. What's that?
This guy, he's so freaking stupid. He was on YouTube with videos how to steal from Comcast, how to steal Dish Network with an FTA box. On his forums he had tutorials on how to get away with murder. He sold lockpicks. This guy, just a freaking moron, so he's getting what he deserved, but yeah, he got snitched on, so that's the bottom line. Where theft of service is, apparently in South Florida, it's a joke that trafficking illegal cable modems has taken over in popularity from trafficking cocaine, so the people in the retirement homes down there are sitting there with chrome rims on their wheelchairs soldering up modems and shit. So, so a couple key things is all the current arrests have involved theft of service, selling preconfigured devices set up to steal service, except for DerEngel, and using modems for legitimate diagnostic purposes is still, by our belief, completely legal. The key factor that I like to point out is that the majority of arrests have been by snitches. So it comes to my next slide, which he wants me to send a picture to him in prison, so if anyone takes pictures of this, you can actually email it to me. But that's a brief message from Steven Watt. He gave a speech at DEF CON 10 and he's the Unix Terrorist, basically saying hey, stop snitching; that's why half of you guys end up going to jail. If everybody would just not say things, half the time, sometimes they have evidence, but a lot of the times they wouldn't. Now we're going to go into the new tools and firmware, which Taco is going to cover. Ready?
Sorry, balancing backwards. Okay, we got the Motorola 6120 out about a year ago, started playing with it. We went over before, I had an orange modem with me, the Motorola factory diagnostic modem with the shelled firmware. We had that firmware before the modems even came out, and basically DerEngel, the government used in ISO for a while, was working on something called DreamOS, which is going to be a Linux-based operating system that could just do anything. It never came to fruition since he got busted. Lo and behold, Texas Instruments released their reference firmware for all the Puma 5 modems, MontaVista Linux, and so basically they gave us DreamOS, a fully capable diagnostic firmware, to consumers, and that's very cool. Let's see. We don't have a name for the firmware yet, nothing cool like Haxorware; we're just calling it SBH Alpha. We're on build 1.1 right now. It's kind of like DD-WRT, OpenWrt; anybody can develop for it. Motorola and all the manufacturers, they've released their source code, but I'm going to say this, and hopefully this is not slander, but they're all in violation of the GPL because they have not released compilable sources. They've not released the MontaVista toolchain. Whatever they're releasing can be compiled, but it won't run on the ARM architecture. So hopefully maybe someone in this room can compile it. In the GPL, anybody, lawyers? No, I'll talk to EFF. Last time we spoke here there were about 25,000 users on the SBHacker forum. As of today we have about 69,000, close to 70,000 people on our forum. And talked to Rajko, he plans on making Haxorware 3.0 for the Broadcom modems sometime around the end of this year. Those of you who have Haxorware know that's going to be freaking awesome. And then DOCSIS 2 modems mostly use parallel flash chips, and we use the JTAG to flash those. All of the new modems, DOCSIS 3.0 and whatnot, have SPI flash chips, so we've had to switch over to new programmers that support SPI in-system programming. There's the USB JTAG NT. It's a proven device. It's
very good. Haxorware has been working on for six months to a year the Hax-O-Matic, using an FTDI chip. It does JTAG, SPI, and it has a serial port, USB to TTL. It's all, and we'll actually have one, really small, oh, there's a picture over there, and then that works with Tom's JTAG utility, the software that Rajko's writing, blah blah blah. You can build your own parallel port SPI programmer, but that's for, all the new modems have SPI flash chips, basically. Let's see. The SBH Alpha firmware, we really didn't have to do a whole lot to it because Texas Instruments gave us basically everything we need. We just modified some of the scripting so you can force your own config file. Disabling firmware updates from your ISP is automatic; you can do so. Disabling SNMP so they can't poll your modem after it's online. Rajko's a MIPS guy, he doesn't know ARM, but he actually figured out how to disable BPI+ and BPI, so we're using that for people who choose to do so. Now if you disable BPI, all of your traffic goes over the network unencrypted, and the nature of HFC networks is that your neighbors can sniff your traffic, and if it's not encrypted, or isn't anything not secure, it's going to be vulnerable to your neighbors running Wireshark or whatever. DEF CON 16, there's a packet-o-matic speech. Guy Martin actually has a tool to sniff DOCSIS traffic. If anybody's interested you can look that up. He gave a speech at the same time we did at 16, and a lot of DOCSIS engineers were very concerned after they saw the video of it, and they've all started enabling BPI. BPI has been around since '99. Took Charter about 10 years to enable it, but they were bankrupt, so can't blame them. Oh, let me see. One of the checks they use now is checking your firmware version. We have the latest firmware; basically we're working with Motorola 6120 firmware. The latest version is spoofed, so it reports to the cable company we're running the latest firmware version. We're trying to add a feature where you can change it to whatever you want,
like in Haxorware, you can spoof any modem you want and it looks like you're running that modem. And right now there's no web GUI like with Haxorware where you can change all the settings; it'll all be done via serial port or SSH. There's two reasons for that. One is because Haxorware invited a lot of morons who don't even know how to run a computer into this community, who started stealing service and just trying to ruin the hobby for everybody. So one of the reasons is that. The other reason is toolchain issues; like I said, some of those companies are violating the GPL, not releasing the MontaVista toolchain. We only know one person with a working toolchain for the Puma 5, but I'm sure plenty of people in the audience here are gifted Linux developers and could write their own toolchains. Let's see. I'm going to set up a demo and show you guys the 6120 shell and the Hax-O-Matic. How many of you guys, show of hands, heard of DD-WRT? So this is kind of the same thing. What's going on with this, now that you have Linux on your modems, you have a whole world of potential that you could do. So you can port all this stuff to it, run all the different types of tools and whatnot. So what SBHacker is really looking for is to get more people that could build into DD-WRT to put this onto the modems and really give you a lot of power on your modems. And I mean, who knows what all, I mean I don't know if they could handle Snort or whatnot, but I remember people using DD-WRT with Snort and things like that. All the current modems have 8 or 16 meg flash chips and 32 or 64 megs of RAM, so there's plenty of power there to be used. So that's really looking for people to get more involved with this project. That's the new SBHacker firmware; since it does run on Linux, the idea is instead of having just one guy coding it, like Rajko, actually having a community of people contributing and helping to develop it. This is a Motorola SB6120. This is the most popular DOCSIS 3 cable modem. You can buy it at Fry's, Best Buy, whatever. It's
the most popular one. It's really hack-, blah blah blah. Let's see. I'm going to load it up; it has a breakout board. We've got a USB to serial port and we've got a little port here for flashing the SPI chip, and inside, the board is wired directly to the SPI chip, and when we power it on and cut the cable it cuts the power to the CPU, for those of you who are familiar with SPI programming, so you can program the chip directly, and it's quite a bit faster than using JTAG. Is this going to work? The boot loader is decompressing the firmware. The process is, it's maximized; you're not missing anything. And this has a BusyBox Linux shell and also a Texas Instruments shell. Here we go. So what TI has given us is basically, like I said, fully capable diagnostic firmware. You type on the shell and type in prod show, you've got the, you know, the hardware revision, serial number, file names for spoofing firmware versions, change the modem's IP, the MAC addresses, basically, and if you type prod set you can go in and change all those parameters and then save it, and it's very simple; you're done doing something. Let's see. And outside of that we have the standard BusyBox Linux console here. So basically, you know, it's very powerful, you know, Linux on the modem; you can do whatever you want with it. Next I'm going to show you guys Hax-O-Matic. After, Hax-O-Matic has been working on this programmer. Hax-O-Matic does SPI, JTAG, and has a serial port as well. Where is it? He was up apparently all night last night programming this for me just so he has a DEF CON demonstration, and there's a lot of people who are working with this FTDI chip making their own programmers. This one's just targeted for, it does cable modems, Xbox 360 NAND, anything with SPI. He programmed an Acer, one of those new 3D monitors, with it just because he felt like it. No, USB JTAG has a Cypress chip and some other chip in it; this is FTDI, just one chip. I have a USB JTAG NT with me. It's a good thing, but the software sucks, it really does. This software is GUI and more
user-friendly, and this is actually about twice as fast on SPI. It reads, and a little bit faster on writes. It generally reads about 2 megabytes per second and writes, the 6120 will write about 200k a second; the newer Spansion flash chips will write about 475k a second. I do not have one of those modems with me that has one of the newer chips. I plug it in, it cuts the power to the CPU, and let's see, on Hax-O-Matic it lets you choose your clock speed for programming, 30 megahertz right now, and detect, we got a Spansion flash chip, and then just reading the flash right now. Right now he's still finishing up the software; we're beta testing it. See, it's pretty fast. Read 8 megs right there. So we're going to put this into mass production once the software is finished, and it's a really cool device. So I just read the whole flash. I can write it back, I can program any of these areas, flash the firmware, whatever, what have you. There's another application that does, you can program PIC controllers as well, basically anything that this chip will handle. Let's see. Sorry, I'm trying to figure out where we left off. Probably went over that stuff. Oh, new tools. There's some various tools that some of our admins and members have written. This is called, this one, SNMP cert grabber, will scan the HFC network for modems that are in factory mode. If it finds one it'll grab the certs, the MACs and whatever you need if you're going to be cloning, of course, like we said, don't do that. Exactly. Yeah, the way I see this, if you pay for, you know, say Comcast, you pay like a bit of service, you're paying $100 a month; if you want to run a diagnostic modem for whatever reason it shouldn't matter. You're paying them, and you know, it's not illegal, it's just against the terms of service. If they catch you they will ban you for life, but it's not against the law. So there you go, that's the way I see it. But they probably don't agree with me because I called him a monkey last time I was here, and there's a Comcast executive who's like their head
of broadband, who's an active member of the SBHacker forum, and when noobs come on and say oh, my modem's not working anymore, why, blah blah blah, he comes on and talks shit to them and laughs at them. But they actually, Comcast and the rest of the big ISPs use our forum to find out what the holes in their system are and how to fix them, but they failed to fix them after two years. This is true. I thought after speaking, you know, in 2008 that they would immediately increase security. The major companies, you know, Comcast, Charter, Time Warner, Cox, really have not started increasing security until this year, enforcing BPI+, which verifies the MAC address based on a certificate which is issued by VeriSign. And the reason for all the security holes still is that they're still allowing DOCSIS 1.0 modems on their networks. DOCSIS 1.0 had no way to verify; all it has is BPI, which encrypts your traffic, but they did not have BPI+, which verifies the MAC and serial number to the certificate. And Comcast has tried to get rid of all the 1.0 modems on their networks, but there's still holes in Comcast because their walled garden is not configured correctly. And the rest of the ISPs, you know, there's just so many holes in DOCSIS 1 and they don't want to spend the money to go out in the field and replace all these modems with DOCSIS 2 modems, 3, whatever. What's that? Depends on where you are though. I've heard Cox Las Vegas is fairly secure, but it really depends. What's that?
I don't know. I don't have them, but I know people are hacking DOCSIS 3 on Cox, but some ISPs take more time than others to figure out how to do it. He's right. This is a program one of the other admins wrote. It allows you to back up; if you're going to hack your modem you want to back up the flash chip before you do that, because if you just fuck it up you want to have an original backup. If you don't have an SPI programmer you can use this utility to back it up via the virtual COM port. They're using the U-Boot bootloader for the Puma 5 modems; that's pretty cool. How do I back up my full flash without buying the $60 programmer? Well, we have an application for it now. Can I stay here? Basically, the future. I'm not really sure what they're going to do, the problems, whether they'll actually fix them or not, but one thing that we had thought: the faster the home users' internet connections get, the bigger threat botnets will be. If you think about it, botnets on like dial-up, you have to have a huge number of machines to cause a sufficient denial of service attack. If you have people on DOCSIS 3 with these really high speeds you don't need as many computers. I'm sure some of you have dedicated servers; average port speed is probably 100 megabits, some of you have a gigabit. Take 10 DOCSIS 3 modems on Comcast with 10 megs up, that's a 10 modem botnet to knock out your server. So they just have to be really mindful of that, because if people are getting exploited and being used for botnets it can get bad. Or on the other side, not just botnets, but if somebody were inclined to get a number of diagnostic modems and put them all online, like you said, put 10 diagnostic modems online, all of a sudden you can start taking down pretty heavy servers in terms of denial of service attack. Also with the features, I think there's a good possibility they're going to keep trying to crack down on the modem hacking, but it's kind of tough, and I haven't actually seen any real convictions. That's what I'm wondering, what's going to
happen with these cases Master Dog's case got thrown out Mass Mods he told me he's going to plead guilty and he is guilty so he should Deringle will not plead guilty he's going to go to trial if he has to he's lost my train of thought you can go on to the next slide if you want I'm sorry I had too much to drink I'm so sorry actually skip this just role playing it's not too fun all stuff we've already went over okay so problems and solutions one thing that we brought up last time and DOCSIS 3 does have the spec for AES but so far it doesn't look like many people are using it is that if you're using a 56-bit desk that's crackable that's kind of scary for your privacy when you already have the packet omatic it can watch your traffic your neighbors can see your traffic if it's unencrypted with the BPI plus if it's just a 56-bit desk probably only a matter of time if somebody is motivated to actually write a plugin for packet omatic and go ahead and start sniffing all the encrypted DOCSIS traffic which maybe people already are doing it I want to add something Haxerware has the ability to create and generate a self-signed BPI plus certificate so if you change your Mac it's actually something that Motorola added to the SB 4100 I believe it's a DOCSIS 1 modem they wanted it to be DOCSIS 1.1 compliant so Motorola wrote these code where you can sign your own certificates and we took that and Ryco put it into Haxerware however it doesn't really work because like a Cisco CMTS by default will not accept self-signed certificates but I like to say a third world country where they want to have 4100s keep working they want to enable self-signed certificates to work and there you go so there is code to generate the self-signed ones but if you want a real certificate you got to get it from VeriSign and nobody has yet to crack BPI plus sure we had clone detection last time really hasn't been anything that I've seen that's come out to try to really detect that with the actual perfect 
clones meaning you actually clone the certificates and get away with it so from my perspective situation for the ISPs is pretty bleak that's why I said I don't really think DOCSIS is a good protocol in terms of security on providing people with internet access I mean it's great for us as hackers if you want anonymous internet or you want to be able to put as much stuff online as you want or get whatever speed you want but from an ISP perspective I'd say it's pretty bleak with any solution in the at least immediate future the way I explained this to Blake DOCSIS 1.1 was certified about 10 years ago DOCSIS 3.0 was certified in 2008 basically all the US cable operators are running DOCSIS 1.1 networks with channel bonding so they're using 10 year old technology and just bonding the channels to give you more speed and they're not using the AES security or anything else and bad men's don't know what the hell they're doing they're getting better at it because they're going to SP hacker and seeing what they need to do to fix the holes but they just don't know what the hell they're doing I'll see there's a little bit of stuff for you guys to remember how to get anonymous fast internet on DOCSIS network the equipment used how to stay anonymous different firmwares we're at this point pretty much for using the older like 5101 the Haxware Alpha why it's possible hardware security what DOCSIS 3.0 really is bonding at faster speeds development and reversing is as easy as your sister was added by Dev Delay he couldn't make it here this year Dev spoke with us last time but he couldn't make it out and these new security adoptions so far they can be defeated it seems to be a recurring trend the same problems every time there's a new device or new technology it still has problems from the past it just keeps repeating itself people just keep breaking it enabling one security feature on a CMTS may mean disabling or sacrificing another it seems like every time Cisco releases a new code 
train for their CMTS IOS it creates new security and then opens up old bugs Cable Labs has a tiered qualification system for the CMTS is they have bronze silver and gold I believe like Olympic medals Cisco and Eris which is the majority of use in the world they're all bronze certified they can only do downstream bonding not upstream CASA Systems has gold certification for theirs but they're really a small company and nobody's using them I have a friend down in south Florida who has upstream bonding and he's the only person I know who's been 5 megs up but it's coming and potential for upstream speed is doxxus has become more symmetrical as opposed to the past where it's been really asymmetrical sorry about that we have our thanks and I have a couple minutes left all the anonymous network technicians that answered questions about OSS for me Deringl you know essentially started this whole thing so a big thanks to him for that got Ryco DevDelay for Detox, ScanMan1 BMHoff, Spender, Snaggle PureUp, Cisco Ninja the UT and the entire surfboard hacker community the anonymous cable modem hackers who shared their stories with us and actually gave us enough information to verify that that was the case of course to manufacturers for creating such insecure hardware and software sbhacker.net and soldrex.com thank you everybody