Gaping security hole in Time Warner cable routers

A gaping security hole in cable modems distributed to Time Warner/Road Runner customers could potentially be exploited remotely to access private networks and possibly capture and manipulate private data.

That’s the warning issued by David Chen, a blogger and start-up founder who discovered he could trivially access a customer’s  of Time Warner’s SMC8014 series cable modem/Wi-Fi router combo by simply disabling JavaScript in the browser to access hidden features in the router’s admin interface.


Chen explains:

After poking around using the customer account, I found that access to the admin features of the router has been disabled via Javascript. You heard me correct, the web admin for the router simply uses a script to hide certain menu options when the user does not have admin privileges. By simply disabling Javascript in the browser, I was able to access all the features of the router. With that access, I am now able to change the wifi settings, port-forwarding, etc.

One of the extra features found by Chen included an admin utility called “Back Up Configuration File” that was essentially a text dump of the router’s configurations.

Upon examination of this file, I found the admin login & password in plaintext.  Another issue which was alarming was the fact that by default, the web admin is accessible from ANYWHERE on the internet.  By running a simple port scan of Time Warner IP addresses, I easily found dozens of these routers, open to attack.

This is a really serious issue for any Time Warner/Road Runner customer running the SMC8014 router:

Now you can put two and two together and realize that this has opened a gaping hole on every single Time Warner customer’s network that uses the SMC8014.  By forcing the customers to use only WEP encryption on their wifi network, they are allowing anyone to penetrate the network with ease.  Also by using a fixed format for the SSID, it’s extremely easy to tell which wifi network is using the device.  Once inside, anyone can access the router’s web interface and login with the admin account.  What makes this even scarier, is the fact that the web interface is accessible from anywhere.  From within your own network, an intruder can eavesdrop on sensitive data being sent over the internet and even worse, they can manipulate the DNS address to point trusted sites to malicious servers to perform man-in-the-middle attacks.  Someone skilled enough can possibly even modify and install a new firmware onto the router, which can then automatically scan and infect other routers automatically.

Chen said he reported the issue to Time Warner and was told that nothing could be done about the problem.  A spokesman for Time Warner told Wired’s Kim Zetter the issue is being fixed.
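The design flaw Chen describes, shown as an added example that is not from the original post or the router's firmware: a handler that relies on a client-side script to hide admin pages, next to one that checks the role on the server, plus an audit that lists what a low-privilege session can still reach. The page paths, role names and function names are hypothetical.

```javascript
// Constructed model of a router web admin; paths and role names are
// hypothetical, not taken from the SMC8014 firmware.
const RANK = new Map([["user", 1], ["admin", 2]]);
const PAGES = new Map([
  ["/status", "user"],
  ["/wifi", "admin"],
  ["/port_forward", "admin"],
  ["/backup_config", "admin"],
]);

// Flawed pattern: any logged-in session gets every page; the response only
// carries a script that hides admin menu entries in the browser.
function handleHiddenMenu(session, path) {
  if (!session) return { status: 401 };
  if (!PAGES.has(path)) return { status: 404 };
  return { status: 200, clientScript: "hideAdminMenu()" };
}

// Hardened pattern: the server decides per request. Unknown roles rank 0,
// so a malformed session fails closed.
function handleEnforced(session, path) {
  if (!session) return { status: 401 };
  const required = PAGES.get(path);
  if (required === undefined) return { status: 404 };
  const have = RANK.get(session.role) ?? 0;
  if (have < RANK.get(required)) return { status: 403 };
  return { status: 200 };
}

// Audit: which pages does a handler serve to a role below the page's
// required role? This is what a browser with scripts disabled would reach.
function overExposed(handler, role) {
  const have = RANK.get(role) ?? 0;
  return [...PAGES]
    .filter(([path, required]) =>
      have < RANK.get(required) && handler({ role }, path).status === 200)
    .map(([path]) => path);
}

console.log("hidden menu:", overExposed(handleHiddenMenu, "user"));
console.log("enforced:   ", overExposed(handleEnforced, "user"));
```

The same audit idea applies to a real device: request each admin page with a customer-level session and confirm the server itself answers with a denial.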

* More at Threatpost and Threat Level.



This entry was posted on Monday, October 26th, 2009 and is filed under News.