
SANS ISC InfoSec Handlers Diary Blog



When was the last time you checked your Comcast cable modem settings?

Published: 2014-06-01
Last Updated: 2014-06-01 15:54:37 UTC
by Johannes Ullrich (Version: 1)
9 comment(s)

Many ISPs manage users' modems, be it DSL or cable. Even if the ISP doesn't own the modem, it typically pushes configuration or firmware updates to the modem to keep it up to date and connected to the network. Overall, this isn't a bad idea: keeping the firmware and configuration up to date would be rather difficult for end users. However, as some users have experienced with Comcast, these changes are not always in the customer's best interest.

For example, if you do use a Comcast-provided modem with Comcast's "Business Class" access, your modem will be assigned a set of static IP addresses, but in addition, you will also receive a DHCP-assigned address. This address isn't really used for any of your traffic. But the address is reachable, and the modem's configuration screen is accessible via HTTP (port 80/tcp) to anyone who connects to it. The default (and widely known) password doesn't appear to work to log in in this case, but any bugs present in the configuration interface may be exposed. It wouldn't be the first time that a web-based admin interface includes an authentication bypass vulnerability.

Luckily, the "dynamic" IP address that exposes the admin screen does not appear to be derived from the static address assigned to you by Comcast. So an attacker would have to scan all of Comcast's address space and would have no simple way to figure out who owns which dynamic address.

If you want to be a bit more secure, you can try to change the password from the default. However, be aware: as soon as the firmware is updated again, your new password will no longer work, and neither will the default password. You will need to call Comcast support to have them reset the password.

Secondly, Comcast apparently started to enable public WiFi hotspots on cable modems that support the feature. In addition to charging users a rental fee for the modem, Comcast went ahead and turned the modems into public hotspots that can be used by other Comcast customers who happen to be in the area.

To turn off the public WiFi feature, you will need to connect to the Comcast customer portal (http://customer.comcast.com) and remove the option. After logging in, find the "Users & Preferences" option at the top of the screen.

Then, find the "Manage Wifi" link (very small font, just below your address).

It is also a good idea to not use the default LAN IP range (e.g. 192.168.100.0/24 or 192.168.1.0/24). Instead, pick your own "random" range within RFC1918 space.
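As an added example (not code from the diary or from Comcast), a small Python helper that follows the last tip: it picks a random /24 inside RFC 1918 space and refuses the default ranges the diary names. The list of defaults, the size-weighted block selection and the function names are my assumptions.

```python
import ipaddress
import random
from typing import Optional

# The three RFC 1918 private blocks a LAN range may be drawn from.
RFC1918 = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# Ranges to avoid: the widely used defaults named in the diary.
# (Assumption: only the two ranges the diary mentions are listed here.)
DEFAULT_RANGES = [
    ipaddress.ip_network("192.168.100.0/24"),
    ipaddress.ip_network("192.168.1.0/24"),
]


def is_private_non_default(cidr: str) -> bool:
    """True if cidr is an IPv4 subnet inside RFC 1918 space that does
    not overlap any of the default ranges above."""
    net = ipaddress.ip_network(cidr, strict=False)
    if net.version != 4:
        return False
    inside = any(net.subnet_of(block) for block in RFC1918)
    clashes = any(net.overlaps(default) for default in DEFAULT_RANGES)
    return inside and not clashes


def pick_lan_range(prefixlen: int = 24, seed: Optional[int] = None) -> str:
    """Return a random /prefixlen subnet in RFC 1918 space, avoiding defaults.

    Blocks are weighted by size so every candidate subnet is equally likely.
    A seed gives a reproducible pick (for tests); without one, the OS CSPRNG
    is used so the result is not guessable from a default PRNG state."""
    rng = random.SystemRandom() if seed is None else random.Random(seed)
    weights = [block.num_addresses for block in RFC1918]
    while True:
        block = rng.choices(RFC1918, weights=weights, k=1)[0]
        # Index of one /prefixlen subnet among all of them inside the block.
        count = 2 ** (prefixlen - block.prefixlen)
        base = int(block.network_address) + rng.randrange(count) * 2 ** (32 - prefixlen)
        candidate = ipaddress.ip_network((base, prefixlen))
        if is_private_non_default(str(candidate)):
            return str(candidate)


if __name__ == "__main__":
    print(f"Suggested LAN range: {pick_lan_range()}")
```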

---
Johannes B. Ullrich, Ph.D.

Keywords: cable modem comcast