|
The password can be just as easily based on a non-discoverable piece of information, like the device's serial number. I don't know why we're having this dumb argument over MAC addresses specifically.
|
# ? Dec 31, 2016 03:25 |
|
|
# ? Apr 19, 2024 06:12 |
|
Vulture Culture posted:The password can be just as easily based on a non-discoverable piece of information, like the device's serial number. I don't know why we're having this dumb argument over MAC addresses specifically. The device's serial number is not non-discoverable, it's reported both in the 192.168.100.1 modem page and in the router pages that a user can view without logging in (as you need it for setting up certain services without getting a tech sent out). All the other unique numbers associated with the devices are similarly discoverable without passwords, as they're used for various technical support and billing things. You'd need to introduce some new number, find somewhere to hide it where you can also be sure a customer can't destroy it and cause issues for a tech who does have to get called out, and then all that effort would be going to the purpose of preventing a theoretical attack by hackers interested in messing with people's wifi passwords and other things that frankly are not a problem for Comcast's network. So what they do instead of coming up with a complicated password system is to block off a lot of controls entirely to anyone but the Comcast network equipment, and when you try to login to the router when it has a default password, it asks you to change it yourself. This is really quite enough. fishmech fucked around with this message at 03:42 on Dec 31, 2016 |
# ? Dec 31, 2016 03:38 |
|
Docjowles posted:The guy posting "it me. The hacker reaching 192.168.100.1 over the internet" sure seemed to be saying that. I was referring to attacks with no user participation and being a smart rear end. And I fully admit I misunderstood what Fishmech was saying.
|
# ? Dec 31, 2016 03:39 |
|
Docjowles posted:The guy posting "it me. The hacker reaching 192.168.100.1 over the internet" sure seemed to be saying that. How the gently caress do you all know my routers ip?
|
# ? Dec 31, 2016 03:42 |
|
You guys spend a lot of time figuring out how to get on your neighbors wifi. Are you downloading illegal porn on it?
|
# ? Dec 31, 2016 03:46 |
|
jaegerx posted:You guys spend a lot of time figuring out how to get on your neighbors wifi. Are you downloading illegal porn on it? A kid who is internet famous for creating a 0day for the sole purpose of using his neighbor's wifi to watch porn unmonitored, then gets hired into a startup as their CSO on the back of that "accomplishment", sounds like a great Silicon Valley episode.
|
# ? Dec 31, 2016 04:28 |
|
flosofl posted:Yeah, I got that too on the web page (I got a Moto 6120 about 7 years ago). It's DOCSIS 3.0 and still works fantastically, but if I wanted support they won't give it. Time to get a 6190 I guess to future proof for a while. I wouldn't buy the 6190 right now if ever, if you google it you'll see it has some issues. Additionally it's a DOCSIS 3.0 device, you're unlikely to ever see gigabit speeds with 3.0. If you're trying to future proof wait a little bit for more 3.1 devices to release. PBS fucked around with this message at 05:27 on Dec 31, 2016 |
# ? Dec 31, 2016 05:23 |
|
PBS posted:I wouldn't buy the 6190 right now if ever, if you google it you'll see it has some issues. Thanks. Good advice.
|
# ? Dec 31, 2016 06:41 |
|
fishmech posted:So what they do instead of coming up with a complicated password system is to block off a lot of controls entirely to anyone but the Comcast network equipment, and when you try to login to the router when it has a default password, it asks you to change it yourself. This is really quite enough. There's plenty of ways to do it, they can set a serial number in the device at manufacture so it'd be trivial to also set some default password that is a hash of the LAN side MAC & the serial number or whatever else. or a captive portal that forces initial setup with a step requiring a password change etc, it'd be trivial. If you forget it then all you need to do is a factory reset. Plenty of routers Comcast or not get used for botnets, XSS or some other malware can use a users machine as a launchpad to attack home routers from the LAN side.
|
# ? Dec 31, 2016 06:55 |
|
PBS posted:I wouldn't buy the 6190 right now if ever, if you google it you'll see it has some issues. Comcast is doing 3 gigabit actual down and up with 3.1 modems now.
|
# ? Dec 31, 2016 08:51 |
|
lampey posted:Comcast is doing 3 gigabit actual down and up with 3.1 modems now. Nice, the 2 Gb/s is 300/mo where I am. It's weird to see cable with symmetrical connection speeds. I've got 1 Gb/s down, but my ISP limits upload to 20 Mb/s.
|
# ? Dec 31, 2016 09:11 |
|
The best I can get is 120Mbps down/3Mbps up. I would love to get Comcast. Apparently, despite them being like two streets over, I'm not in the service area. The cable providers just have agreed not to compete over each other's territory, it makes no sense to me
|
# ? Dec 31, 2016 10:13 |
|
1Gb down and 20Mb up is
|
# ? Dec 31, 2016 13:04 |
|
fishmech posted:The device's serial number is not non-discoverable, it's reported both in the 192.168.100.1 modem page and in the router pages that a user can view without logging in (as you need it for setting up certain services without getting a tech sent out). All the other unique numbers associated with the devices are similarly discoverable without passwords, as they're used for various technical support and billing things. The attack isn't for hackers "interested in messing with people's wifi passwords," it's for hackers interested in rooting people's devices and uploading tainted firmware, requiring no more privileged access than some random device on their network. This extremely plausible endpoint attack can create an extremely large, latent botnet capable of shutting down any residential ISP once activated, with no obvious means of remediation besides disabling and replacing every compromised endpoint. So let's deconstruct your issues a couple of ways. 1. If the identifying information has been destroyed, and there's for some unfathomable reason no way for the ISP to either force a password reset or a complete firmware update OTA, why couldn't the tech just replace the device? 2. If we have a hard requirement to put something inside the device, where it's not going to get scraped off, why not just put the default password on a sticker inside the casing of the device, the way MACs are normally labeled? I'm mostly having a hard time understanding why you think randomized passwords are a bad idea.
|
# ? Dec 31, 2016 14:58 |
|
Vulture Culture posted:It's really not enough -- at least, not by itself. (We could talk all day about other remediating measures like CAPTCHAs on login.) Clearly you aren't paying attention. This flat out isn't possible on the device. There is no way for the customer to upload their own firmware to the device in the interface they get. If you want to go around uploading custom firmware to the Comcast modem/router combinations, you can't go in through the customer-side interface that lets you configure things like the wifi password, parental controls, and private IP range. You need to instead compromise Comcast's control channel that they use to manage the devices and do firmware updates on their own schedule. And having the customer side password gets you nothing towards that. Faffing around with making new passwords for the customer side of the router provides 0 protection to the Comcast side where all the good stuff is, and that's already being secured with other methods. Vulture Culture posted:
Because it's security theater that accomplishes nothing? Comcast already elected to restrict access to sensitive functionality so that the customer can't touch it. You're too busy thinking that these systems are just your WRT54G from 2005 where logging in gives you the keys to the kingdom, including the ability to upload new software and all. That's not what the modem/router combos do. theperminator posted:Plenty of routers Comcast or not get used for botnets, XSS or some other malware can use a users machine as a launchpad to attack home routers from the LAN side. No, the Comcast routers don't. Specifically because they've been designed to have minimum consumer controlled functionality and no way for the customer to alter the firmware, and because they're managed by Comcast directly for sensitive aspects like the firmware.
|
# ? Dec 31, 2016 17:07 |
|
fishmech posted:Clearly you aren't paying attention. This flat out isn't possible on the device. There is no way for the customer to upload their own firmware to the device in the interface they get. So you're saying there will never be an exploit for these devices that will allow for privilege escalation? Or break out from the restrictions placed on the interface? Ever?
|
# ? Dec 31, 2016 17:17 |
|
fishmech posted:Clearly you aren't paying attention. This flat out isn't possible on the device. There is no way for the customer to upload their own firmware to the device in the interface they get. Because there definitely isn't a huge history of this kind of device having exploits involving unescaped inputs on the things that are exposed to the user, or hidden admin backdoors intended for use by vendor or ISP personnel being exposed to the internet as a whole. Oh wait...
|
# ? Dec 31, 2016 17:41 |
|
Comcast's combo units are loving awful and you should just buy your own modem and router anyway.
|
# ? Dec 31, 2016 17:47 |
|
psydude posted:Comcast's combo units are loving awful and you should just buy your own modem and router anyway. gently caress letting them put a wifi hot spot in your house.
|
# ? Dec 31, 2016 17:49 |
|
psydude posted:Comcast's combo units are loving awful and you should just buy your own modem and router anyway. If only I could. ISP provides the modem. Couldn't even put it into bridge mode myself.
|
# ? Dec 31, 2016 17:49 |
|
Jeoh posted:If only I could. ISP provides the modem. Couldn't even put it into bridge mode myself. Are you in Canada or something? In the US you can definitely buy your own stuff and use it.
|
# ? Dec 31, 2016 17:55 |
|
Jeoh posted:If only I could. ISP provides the modem. Couldn't even put it into bridge mode myself. From Comcast? You can purchase your own cable modem and your own router and use those. Just make sure the cable modem you purchase is on their "approved device list" http://www.approvedmodems.com/comcast-xfinity.html
|
# ? Dec 31, 2016 17:58 |
|
psydude posted:Are you in Canada or something? In the US you can definitely buy your own stuff and use it. Not always. AT&T UVerse prohibits byod and won't allow their unit to be placed in bridge mode.
|
# ? Dec 31, 2016 17:59 |
|
Comcast doesn't let you buy your own modem where you live? Weird.
|
# ? Dec 31, 2016 18:08 |
|
SeaborneClink posted:Not always. AT&T UVerse prohibits byod and won't allow their unit to be placed in bridge mode. That's a bummer. Cox, Comcast, Verizon DSL, and Verizon FiOS all let me use my own stuff when I had them.
|
# ? Dec 31, 2016 18:16 |
|
SeaborneClink posted:Not always. AT&T UVerse prohibits byod and won't allow their unit to be placed in bridge mode. We're talking about Comcast. Specifically because Fishmech thinks the combo devices they supply are invincible from exploitation from the LAN side.
|
# ? Dec 31, 2016 18:17 |
|
flosofl posted:We're talking about Comcast. Specifically because Fishmech thinks the combo devices they supply are invincible from exploitation from the LAN side. I didn't get the impression fishmech was trying to say they were invincible at all. Are you referring to a conversation outside this thread?
|
# ? Dec 31, 2016 18:18 |
|
Sickening posted:I didn't get the impression fishmech was trying to say they were invincible at all. Are you referring to a conversation outside this thread? quote:If you want to go around uploading custom firmware to the Comcast modem/router combinations, you can't go in through the customer-side interface that lets you configure things like the wifi password, parental controls, and private IP range. You need to instead compromise Comcast's control channel that they use to manage the devices and do firmware updates on their own schedule. And having the customer side password gets you nothing towards that. quote:No, the Comcast routers don't. Specifically because they've been designed to have minimum consumer controlled functionality and no way for the customer to alter the firmware, and because they're managed by Comcast directly for sensitive aspects like the firmware. Proteus Jones fucked around with this message at 18:25 on Dec 31, 2016 |
# ? Dec 31, 2016 18:23 |
|
I guess I find a difference between restricted firmware changes on certain ports and stating a router is totally unexploitable certain ports. Maybe I am being pedantic.
|
# ? Dec 31, 2016 18:28 |
|
Sickening posted:I guess I find a difference between restricted firmware changes on certain ports and stating a router is totally unexploitable from all ports. Maybe I am being pedantic. It's possible I'm over reacting as well. It's just phrases like "can't be done" and "no way" get my hackles up. Because usually that means the Gods of Poetic Justice are about to strike and release a 0-day that does precisely what is supposedly not possible.
|
# ? Dec 31, 2016 18:30 |
|
flosofl posted:It's possible I'm over reacting as well. Truth. Considering how much monetary value there is through these types of exploits I doubt anything is that far away at this point.
|
# ? Dec 31, 2016 18:31 |
|
flosofl posted:So you're saying there will never be an exploit for these devices that will allow for privilege escalation? Or break out from the restrictions placed on the interface? Ever? When you have an exploit like that, it probably also isn't going to be defeated by the username/password login you're so insistent about. I don't know why you think the exploit that gets past the total lack of access to firmware updates in the customer facing area would be stymied by the credentials. wolrah posted:Because there definitely isn't a huge history of this kind of device having exploits involving unescaped inputs on the things that are exposed to the user, or hidden admin backdoors intended for use by vendor or ISP personnel being exposed to the internet as a whole. There isn't for these Comcast modem/routers for a very good reason! The admin backdoor isn't on the customer facing side, it's on the Comcast facing side, and is what's actually used to handle sensitive things like firmware updates. Having a "secure" password on the customer side doesn't protect that. Sickening posted:I didn't get the impression fishmech was trying to say they were invincible at all. Are you referring to a conversation outside this thread? It is "invincible" - on the side that they're whining about, the customer facing side. The firmware update and other sensitive settings are on a separate interface, which isn't protected by the customer facing side's username/password login flosofl posted:It's possible I'm over reacting as well. You, as the user, literally and truthfully can't do firmware updates on the devices through the interface people are complaining about, the passworded web page interface that you also use for changing the wifi settings etc. It's all managed remotely by Comcast through their network. They did this specifically to ensure that they could keep the router firmware et al up to date, and to prevent people from doing something like install DDWRT or similar software on the modem/router combo. If you really wanted to, you could crack the thing open and get at the JTAG ports or other things onboard to force on new firmware, but that's hardly something that changing the default user/password can protect against!
|
# ? Dec 31, 2016 18:36 |
|
Since you apparently need this poo poo spelled out in crayon: http://sethsec.blogspot.com/2014/12/forging-my-way-into-xfinity-home.html There's a Comcast-provided modem/router where the combination of a CSRF vulnerability on the internal LAN-facing web interface combined with a default password to allow any malicious web site to enable remote management, forward ports, and change any settings the user has access to. If the device has any unescaped input vulnerabilities on that interface those can then be exploited by the same attack. fishmech posted:When you have an exploit like that, it probably also isn't going to be defeated by the username/password login you're so insistent about. I don't know why you think the exploit that gets past the total lack of access to firmware updates in the customer facing area would be stymied by the credentials. A common place to find an unescaped input vuln is a router's "ping" page. I've never seen that exposed without logging in. quote:There isn't for these Comcast modem/routers for a very good reason! quote:It is "invincible" - on the side that they're whining about, the customer facing side. The firmware update and other sensitive settings are on a separate interface, which isn't protected by the customer facing side's username/password login Again, if the device has any vulnerabilities on that interface those can then be exploited by the same attack. Just because the customer-facing interface isn't intended to allow the customer to change certain things doesn't mean that's actually the case. Setting pages not actually disabled but just not linked from the main interface are common. Unescaped inputs being passed through to unsafe places as I mentioned earlier. Sometimes a page that's had options removed on the frontend hasn't actually had the backend updated and a customized POST with the right parameters will still change those settings. These are not hypotheticals, these are all things that have been repeatedly documented and exploited in the past, both by people trying to get more out of their own routers and people trying to get control of someone else's. This literally goes back to day one of home router hacking, the initial entry point in to the WRT54G was through unescaped input in the "ping" page. wolrah fucked around with this message at 19:40 on Dec 31, 2016 |
# ? Dec 31, 2016 19:38 |
|
lampey posted:Comcast is doing 3 gigabit actual down and up with 3.1 modems now.
|
# ? Dec 31, 2016 19:52 |
|
anthonypants posted:DOCSIS 3.1 modems are out? Yeah for ISPs, I haven't seen any consumer purchasable devices yet.
|
# ? Dec 31, 2016 20:18 |
|
wolrah posted:Since you apparently need this poo poo spelled out in crayon: http://sethsec.blogspot.com/2014/12/forging-my-way-into-xfinity-home.html And those settings the user has access to do not include anything really important, because Comcast locked that poo poo off from it. So trying to put up a system of shipping different default passwords isn't going to do anything to help. As we've already established, all the ways they'd have to easily deploy unique but knowable passwords for the systems are going to be vulnerable to just such an attack as that. So once again, Comcast did the actually smart thing and restricted as much things from user control as they could get away with it, putting it on a separate interface entirely. And thus any attacks to get a that aren't affected by the kind of password that's on the customer facing interface. And that's why all you can point to is this guy saying "well maybe you could actually do something interesting with this, I can't". wolrah posted:This literally goes back to day one of home router hacking, the initial entry point in to the WRT54G was through unescaped input in the "ping" page. The "initial entry point" to the WRT54G was that you could straight up upload firmware to it and it barely checked it for signing or anything like that, actually.
|
# ? Dec 31, 2016 22:50 |
|
fishmech posted:And those settings the user has access to do not include anything really important, because Comcast locked that poo poo off from it. So trying to put up a system of shipping different default passwords isn't going to do anything to help. As we've already established, all the ways they'd have to easily deploy unique but knowable passwords for the systems are going to be vulnerable to just such an attack as that. Hence why the unit shouldn't work until at a minimum the user logs into it for the first time and changes the password.
|
# ? Dec 31, 2016 23:25 |
|
fishmech posted:And those settings the user has access to do not include anything really important, because Comcast locked that poo poo off from it. So trying to put up a system of shipping different default passwords isn't going to do anything to help. As we've already established, all the ways they'd have to easily deploy unique but knowable passwords for the systems are going to be vulnerable to just such an attack as that. I think if you can't see the danger presented in the article then you probably shouldn't be posting on this topic. There are plenty of knobs on the box you can turn that can cause harm. Changing the default password is a simple precaution that reduces the risk of you being outright attacked. Are you just arguing for arguments sake or are you really this dopey?
|
# ? Dec 31, 2016 23:30 |
|
1000101 posted:I think if you can't see the danger presented in the article then you probably shouldn't be posting on this topic. I see you're unfamiliar with forums poster "fishmech"
|
# ? Dec 31, 2016 23:35 |
|
|
# ? Apr 19, 2024 06:12 |
|
1000101 posted:I think if you can't see the danger presented in the article then you probably shouldn't be posting on this topic. The danger presented in the article is expressly mitigated by Comcast locking off options that can cause harm to their own network. That's the point. ratbert90 posted:Hence why the unit shouldn't work until at a minimum the user logs into it for the first time and changes the password. That is stupid, it works fine as it is, since Comcast manages the routers themselves. Why rely on the idiot user to do it?
|
# ? Dec 31, 2016 23:52 |