Full Version: Time Warner testing fix to hole in home router
Alan
QUOTE
October 20, 2009 2:45 PM PDT
Time Warner testing fix to hole in home router


This is the SMC8014WG-S cable modem/Wi-Fi router provided to Time Warner cable customers that has a security hole.


Time Warner has rolled out a temporary patch and is testing a permanent fix for a security hole in a combination cable modem/Wi-Fi router that could allow anyone to access the private network of its customers, snoop on sensitive data, and direct customers to malicious Web sites.

The vulnerability in the SMC8014 cable modem/Wi-Fi router provided to customers was detailed in a blog post written by David Chen, a software engineer and co-founder of the Pip.io social communications platform start-up.

"We are aware of the issue and we are hard at work on a solution and have been for quite some time," Alex Dudley, a Time Warner Cable spokesman, said on Tuesday.

"The manufacturer has developed a fix," he added. "We believe it will work and we are testing it now to make sure it won't affect our network in other ways."

In the meantime, customers should be protected by a temporary patch, he said. Time Warner will push the permanent fix out to the affected devices from its regional data centers, possibly as soon as a matter of days, Dudley said.

About 67,000 devices across Time Warner's network are affected out of 14 million devices total, according to Dudley.

Chen wrote that he discovered that the administration features of the router had been disabled via JavaScript and that he was able to access all the features of the router by disabling JavaScript in the browser.

In addition, the device relied only on WEP encryption, which can be cracked easily, and it used a fixed format for the SSID (service set identifier), which makes it easy to tell which Wi-Fi network the device is using, he wrote.

"It just gets better from here. The extra features that I now had access to included a little item called 'Back Up Configuration File,'" Chen wrote. "When I clicked it, a text dump of the router's configurations was saved to my desktop. Upon examination of this file, I found the admin login & password in plaintext. Another issue which was alarming was the fact that by default, the web admin is accessible from ANYWHERE on the internet. By running a simple port scan of Time Warner IP addresses, I easily found dozens of these routers, open to attack."

Chen said he contacted Time Warner's security department and warned them about the security issue and that they weren't helpful at all.

Asked to comment, Dudley said: "Security is a primary concern and also a constant effort. So while we are currently working hard on ensuring this particular vulnerability is addressed as soon as possible, we are generally always working to improve and ensure the security of the network."
n99nyrwg
Wow, that's a pretty big hole. So many things wrong with that, it's obvious nobody with a security background was involved in the development of that router.
BlueTDimly
Agreed!
GTFan
Incredible. The web admin port of any router should NEVER be enabled by default.
steltek
It isn't just a problem with the big companies like Time-Warner. Nobody talks about it, but the issue is even more prevalent with the smaller DSL providers (both local phone companies and ISPs).

As an example, I've gone through four different DSL modems from my current DSL provider over the years. Every single one had the default username/password set, and it took all of 5 minutes to locate manuals for the modems via Google and gain admin access to the modem (when that was even necessary). And I've done the same thing with internet connections for family members I've visited all over the country.

Trust your ISP at your own peril....
Alan
Just about all routers are shipped with default usernames & passwords. It is up to the end user to change these, but less tech savvy people will never access the router's interface to do so. Many who do will lose the username/password combination prompting a hard reset back to the defaults where they remain. I speak from experience.

What the story in the OP is referring to is accessing the router via the WAN, which is usually disabled by default. It seems it's disabled in the router mentioned, but someone found a way around it, not only giving access to the router from the WAN, but also to the LAN behind it. Additionally, the person who discovered the flaw was able to save the router's configuration to a text file which reveals the router's username & password.

People who read my posts know I despise AT&T, however they have been doing something for business customers lately that I support, partially. The business DSL routers they send out do not have easily guessed default usernames/passwords. The username is still admin, but the password is a 10 digit number located on a sticker on the bottom of the router. These 10 digits provide 9 billion possible passwords (from 0,000,000,000 to 9,999,999,999). The drawback is that the password is on a sticker on the bottom of the router. Just turn it over and there it is. It's a start to securing the router by not using a blank password or the word password which is usually the case.
dasnufus
Some more details. It gets better. Stupid TWC.


http://chenosaurus.com/2009/10/20/time-war...-security-hole/


QUOTE
I was asked by a friend to help change their wifi network name and password to something easier to remember. In addition to changing the network name, I wanted to change the default WEP encryption to WPA2. We all know WEP encrypted networks can be cracked within minutes. After poking around using the customer account, I found that access to the admin features of the router has been disabled via Javascript. You heard me correct, the web admin for the router simply uses a script to hide certain menu options when the user does not have admin privileges. By simply disabling Javascript in the browser, I was able to access all the features of the router. With that access, I am now able to change the wifi settings, port-forwarding, etc.

It just gets better from here. The extra features that I now had access to included a little item called “Back Up Configuration File”. When I clicked it, a text dump of the router’s configurations was saved to my desktop. Upon examination of this file, I found the admin login & password in plaintext. Another issue which was alarming was the fact that by default, the web admin is accessible from ANYWHERE on the internet. By running a simple port scan of Time Warner IP addresses, I easily found dozens of these routers, open to attack. Of course I got in touch with Time Warner’s security department and warned them about the security issue but their response was simply “we are aware of it but we cannot do anything about it”.
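
The flaw described in the quoted post is access control enforced only by a script running in the browser. As an added example (not code from the post, the article or the router's firmware; the page paths, roles and config keys are hypothetical), this contrasts that design with a handler that checks the role on the server, refuses WAN-side requests and redacts secrets from the configuration backup:

```javascript
// Constructed model of a router admin UI; paths, roles and config keys are hypothetical.
const ADMIN_PAGES = new Set(["/backup_config", "/port_forwarding", "/wifi_settings"]);
const CONFIG = {
  ssid: "EXAMPLE-SSID",
  wifi_security: "WPA2",
  admin_user: "admin",
  admin_password: "constructed-secret", // constructed sample value
};

// Serialize the configuration; with redact=true, secrets never leave the device.
function dumpConfig(cfg, redact) {
  return Object.entries(cfg)
    .map(([k, v]) => `${k}=${redact && /password|key|secret/i.test(k) ? "<redacted>" : v}`)
    .join("\n");
}

// Flawed design: any logged-in role can fetch any page; a client-side script
// is the only thing hiding the admin menu entries.
function handleClientSideOnly(req) {
  if (!req.session) return { status: 401, body: "login required" };
  if (req.path === "/backup_config") return { status: 200, body: dumpConfig(CONFIG, false) };
  return { status: 200, body: "<script>hideAdminMenuUnlessAdmin()</script>" };
}

// Hardened design: the server decides on every request from its own session state.
function handleServerSide(req) {
  if (req.iface === "wan") return { status: 403, body: "remote management disabled" };
  if (!req.session) return { status: 401, body: "login required" };
  if (ADMIN_PAGES.has(req.path) && req.session.role !== "admin") {
    return { status: 403, body: "forbidden" };
  }
  if (req.path === "/backup_config") return { status: 200, body: dumpConfig(CONFIG, true) };
  return { status: 200, body: "ok" };
}

// Constructed requests: a customer on the LAN, an admin on the LAN, an admin from the WAN.
const customerLan = { path: "/backup_config", iface: "lan", session: { role: "customer" } };
const adminLan = { path: "/backup_config", iface: "lan", session: { role: "admin" } };
const adminWan = { path: "/backup_config", iface: "wan", session: { role: "admin" } };

console.log(handleClientSideOnly(customerLan).status, handleServerSide(customerLan).status);
```
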
dboy
QUOTE (Alan @ 10-21-09, 9:30pm) *
they have been doing something for business customers lately that I support, partially. The business DSL routers they send out do not have easily guessed default usernames/passwords. The username is still admin, but the password is a 10 digit number located on a sticker on the bottom of the router. These 10 digits provide 9 billion possible passwords (from 0,000,000,000 to 9,999,999,999). The drawback is that the password is on a sticker on the bottom of the router. Just turn it over and there it is. It's a start to securing the router by not using a blank password or the word password which is usually the case.


I think this is a great compromise - if someone has access to the hardware, you can't keep them out anyway.
Alan
Still not fixed. Way to go Time Warner

Time Warner Routers Still Hackable Despite Company Assurance

Some excerpts:
....according to Chen, the routers have not been fixed. Writing Monday at his blog, chenosaurus.com, Chen said he ran a scan over the weekend and found 500 routers still vulnerable to attack and that he had not found “a single bit of evidence that supports their claims of a ‘temporary patch.’”

“I’m sure they have an automated system to deploy these things, and it shouldn’t take them more than a week to push out a critical fix,” he said.

“Of course the best idea would be to immediately recall those routers and issue your customers real cable modems and decent wifi routers with good security,” Chen wrote on his post.

Time Warner Cable told Threat Level last week that it planned to change the administrative user name and password that Chen exposed. But Chen says the credentials are still the same on every router he’s examined.
n99nyrwg
QUOTE (Alan @ 10-27-09, 8:52am) *
Still not fixed. Way to go Time Warner

Time Warner Routers Still Hackable Despite Company Assurance

Some excerpts:
....according to Chen, the routers have not been fixed. Writing Monday at his blog, chenosaurus.com, Chen said he ran a scan over the weekend and found 500 routers still vulnerable to attack and that he had not found “a single bit of evidence that supports their claims of a ‘temporary patch.’”

“I’m sure they have an automated system to deploy these things, and it shouldn’t take them more than a week to push out a critical fix,” he said.

“Of course the best idea would be to immediately recall those routers and issue your customers real cable modems and decent wifi routers with good security,” Chen wrote on his post.

Time Warner Cable told Threat Level last week that it planned to change the administrative user name and password that Chen exposed. But Chen says the credentials are still the same on every router he’s examined.


I don't know how many devices are out there, but a week for deployment is probably unreasonable given the devices aren't in a TW environment and who knows how often they are on.
dboy
Being cable modems, they are probably always on.
Alan
It's estimated there are more than 65,000 affected routers. These are routers that people typically rent from TW, so TW should have a record of which customers have them. Updates can be pushed to the routers.
n99nyrwg
I would agree that generally the modems are always on, but I know I've turned mine off when I knew I wasn't using it or to try and get a new IP.

With 65,000 devices that would be tough to get all deployments in a week. I would aim for 90% in one week, which would leave 6500 devices. 99% by two weeks, leaving the random modems that are turned off periodically or having problems.

It is hard enough just getting virus definitions deployed in a corporation where you completely control the environment. I view these routers as laptops for corporations, and it's hard to get those laptops updated since the user is in control of them.

What they have to do is notify the user. If they haven't done that, then they are failing their customers. Notifying their user and allowing them to also manually update their device would be expected.
