A small and diverse band of hobbyists steeped in the obscure languages of embedded systems has released its own custom firmware for a popular brand of cable modem, along with a technique for loading it -- a development that's already made life easier for uncappers and service squatters, and threatens to topple long-held assumptions about the privacy of cable modem communications.

The program, called Sigma, was released in its final version last month, and has reportedly been downloaded 350 to 400 times a day ever since. It's designed to be flashed into the non-volatile memory of certain models of Motorola's Surfboard line, where it runs in parallel with the device's normal functionality. It gives users almost complete control of their cable modem -- a privilege previously reserved for the service provider.

The project is the work of a gang of coders called TCNiSO. With about ten active members worldwide, the group is supported by contributions from the uncapping community -- speed-hungry Internet users who rely on TCNiSO's research and free hackware to surmount the bandwidth caps imposed by service providers, usually in violation of their service agreement, if not the law. To them, Sigma is a delight, because it makes it simple to change the modem's configuration file -- the key to uncapping, and, on some systems, to getting free anonymous service using "unregistered" modems. "I've known TCNiSO for two years now and I've done a lot of things with their techniques," wrote a Canadian uncapper in an e-mail interview. "Sigma is the greatest one I've seen."

While it's a boon to uncappers, the security implications of firmware hacking go beyond mere bandwidth-boosting and theft-of-service. The topology of cable modem networks typically puts between 500 and 1,000 homes in a neighborhood on the same circuit, their Internet traffic all mingled on the same co-ax cable. Subscribers are prevented from eavesdropping on their neighbors' traffic by their own modem, which is programmed to only pass packets destined for them. By building on TCNiSO's hacking technique, a malefactor could write custom code to forward all the raw network traffic to their PC.

Outside security experts have generally dismissed any eavesdropping threat on modern cable systems based on a belief that cable companies are encrypting customer traffic, a capability built into all DOCSIS-certified modems since 1999. But while encryption would indeed thwart any eavesdropping attempt, in the most commonly-deployed version of the DOCSIS standard, version 1.0, the encryption option is just that -- an option, and one that's turned off by default. "The security has to be there" in the modem, says Oscar Marcia, chief security architect at CableLabs, the industry group responsible for DOCSIS. "But the [service provider] can decide when to turn it on."

And turning it on they are, Marcia says, but slowly, and in bits and pieces, even five years after the option became available. "It's kind of a gradual process... They want to make sure that they have all the kinks worked out of their system." He adds that he expects the process to accelerate as cable companies migrate to newer versions of the DOCSIS specifications, where encryption is "on" by default, instead of off.

SecurityFocus asked four U.S. cable modem service providers if they protected their customers with the encryption option. Comcast, Adelphia, and CableVision's Optimum Online declined comment; a spokesman for Time Warner's Road Runner service didn't return repeated phone calls on the question. Comcast's terms of service, however, acknowledge a risk of eavesdropping by "other subscribers," and Optimum Online's bluntly admits the company doesn't utilize encryption: "All Subscriber's ethernet traffic ... will be reflected by the cable Modem in an unencrypted form onto the cable network and be subject to eavesdropping."

The link for this article located at securityfocus.com is no longer available.