|
By Cara Garretson
Customers of Time Warner Cable's Internet service using the company-supplied cable modem/wireless router box could easily have their home networks infiltrated and taken over by hackers, a blogger reports.
The security hole was found by David Chen, co-founder of software company pip.io, who was helping a friend change the password protecting his wireless network to something easier to remember.
According to Chen's blog post on Tuesday, Chen was attempting to change the default WEP (wired equivalent privacy) encryption setting on his friend's SMC8014WG-SI cable modem/router, supplied by Time Warner, to the more secure WPA2 (Wi-fi Protected Access 2) setting. For customers who don't supply their own device, the SMC cable modem/router is installed by Time Warner Cable with a default configuration that only allows users to add URLs to block lists using a generic user account on a Web site.
When Chen logged on to the site with the user account, he discovered that access to the admin features of the cable modem/router were disabled by JavaScript. Once he disabled JavaScript in the browser , he was granted access to a variety of menu options, he writes. Among those options is one called "Back up configuration file," which when clicked on saves a copy of the router's configuration settings to the desktop, including the admin's login and password.
Not only did Chen find the login credentials written in plain text, but he also discovered that the Web admin page for the cable modem/router could be accessed from anywhere on the Internet, which means these devices could be controlled from anywhere on the Web. He then ran a port scan of Time Warner Cable IP addresses currently on the Internet and "easily found dozens of these routers, open to attack."
With this kind of access, an intruder could eavesdrop on sensitive data sent across the Internet, manipulate the DNS address that redirects traffic from trusted sites to malicious ones, and possibly even infect other routers automatically.
Chen says he informed Time Warner's security department of the hole; they responded that they were aware of the problem but couldn't do anything about it.
Since then, Time Warner Cable has pushed out a temporary patch and is working on a permanent fix, according to Jeff Simmermon, director of digital communications with the company.
"Our customer's (sic) security is of the utmost importance to us, and we are constantly working to identify and repair holes and flaws as we discover them. This is not the sort of thing where we'll roll the fix out, go 'okay, done, phew,' and go back to our comfy armchairs," Simmermon wrote in a comment to Chen's post.
Time Warner Cable is the second-largest cable operator in the U.S., serving 8.7 million high-speed data residential customers in 28 states.
Only registered users can write comments.
Please login or register. |
