The ARRIStocrats: Cable Modem Lulz

Presented at HOPE Number Nine (2012), July 14, 2012, 10 p.m. (60 minutes).

The ARRIS TG852G is a DOCSIS 3.0 cable modem/router that’s being deployed en masse by Time Warner and Comcast. If you’re a customer with this hardware, then you may be saddened to find that your service provider won’t give you a login to configure the box. This talk will walk you through two different methods to gain access to the device by exploiting weakly implemented authentication mechanisms on it. You’ll see how a three-year-old documented “feature” designed to keep customers out can quickly become a provider’s worst security nightmare. The talk will also go a step further and show you how aggregating some publicly available datasets would allow an attacker to use the vulnerability to quickly and effectively build an army of thousands of routers.


Presenters:

  • Chris Naegelin
  • Charlie Vedaa
    Charlie Vedaa is a fork and spoon operator for the federal government and runs the online CTF game pwn0.com. He’s living proof that they’ll let anyone present at hacker conferences.
