Virgin Media to battle modem hackers

More than a thousand hackers are using reconfigured cable modems to fraudulently access free high speed Virgin Media broadband, sources have revealed. The hack has been made possible by the recent launch of Virgin Media's 50Mbit/s "XXL" package. It relies on new equipment running the upgraded DOCSIS 3.0 data transmission …

COMMENTS

  1. Jacqui

    outages

    Ah, I *knew* there was a reason why my perfectly legal bog-standard 2Mb/s NTHell link is up and down like a yoyo - the engineers are probably trashing things as I write.

    Of course, getting them to give you access to your 6-year-old webspace or get them to replace the wrecked street cabs is pretty much impossible without using their 1UKP/min call centre.

    And yes, I did include pictures of the three street cabs without covers (in one case without the entire cab). Wiring looked very odd covered in snow over the Jan period :-)

  2. matt williams
    Unhappy

    Hmmm

    Maybe they ought to investigate why they fraudulently offer a service that they then never supply or fix.

  3. Joel Mansford
    Thumb Down

    Fibre?

    On a separate note can anyone explain how they market it as fibre when it's clearly just an aerial cable (coax) to the house??

  4. Anomalous Cowherd Silver badge

    Untraceable?

    er, it's a landline.

  5. lIsRT

    Out of interest...

    ...what would happen, legally, if you used this hack, but throttled your own connection so it was never higher than your legitimate "up to" speed?

    Or would it not make a difference in speed anyway?

  6. Anonymous Coward
    Anonymous Coward

    Have To Love PR

    'We have a range of tools that can detect fraudulent modems and service profiles on our network and a number of technological features which assist us in successfully addressing the challenge of fraudulent activity.'

    Right, so how exactly did this happen in the first place?!

    Only the 50M being ripped off is new; people have been getting extra 20Mbit services for ages, and tracking them down is extremely difficult: you can only guesstimate a radius from the terminating router based on timing.

    If Virgin could actually address the security on their cable modem network properly people wouldn't be able to do this in the first place. Cloning is bad but people changing configurations and VM allowing them to do it with the security measures in place in the cable modem standards is farcical.

    You can even do it in areas that don't have 50Mbit rolled out, that's how secure VM's network is.

  7. James Thompson
    Unhappy

    same here

    My 27mb connection has been off for two days now, and this is the second time in two weeks. I wonder if their routers are blocking legitimate users by mistake. The cable light is just flashing all the time.

  8. Thomas Kenyon

    Broken Cabs

    If you report broken cabs on their support newsgroups, they get forwarded to the relevant people (and even chased up if need be).

  9. Dave
    Pirate

    Nice to see

    "Virgin Media takes the issue of fraud on its network very seriously" - so does this mean that they will stop overselling their bandwidth, stop throttling (sorry, managing) and not send all my data to a turd-party (Phorm)?

    Thought not!

  10. Graham Jordan

    speeds

    Bizarrely my speeds plummeted the day they announced 50mb was available and I'm not even in an area supporting it. Yet.

  11. A J Stiles
    Paris Hilton

    Untraceable?

    Of course you're traceable on a wired network! They just need to follow the cable with all the packets going down it. All the way to your computer .....

    Paris, because you'd have to be dumber than her.

  12. Frank

    How difficult can it be?

    "..It added that recent network upgrades allowed it to detect modems cloned in this way .."

    If a destination is getting data at 30Mb/s, and the registered user is only paying for a 4Mb/s service, then surely that's all they need to indicate fraud? It's not rocket science. Or maybe the technical department doesn't talk to the user accounts department?

    Can someone from VM (posting as AC) advise on this?

  13. James Le Cuirot

    Upstream

    Surely this should be controlled upstream? Maybe there's some reason why this is not possible but I can't think of one.

  14. Danny

    just block

    I'm surprised they don't MAC lock down. Block all the MACs, let the genuine customers phone up. It's not like Virgin are the most reliable connections anyway.

  15. Anonymous Coward
    Thumb Down

    One thief to another.

    I'd like to see broadband providers thrown in jail for 12 months when they don't deliver the speeds promised too.

    Not that I advocate theft of service, I just think end users are not the only ones doing the stealing.

  16. AJ
    Alert

    Maybe...

    It's time for VirginMedia to invest heavily in their network to better secure it from hacked modems and set-top boxes - the fact it's easily done makes them a laughing stock...

    ... It all boils down to money, and the reluctance to spend in better security to avoid this issue!

  17. Anonymous Coward
    Anonymous Coward

    Chase the hackers, fair enough, whatever...

    ...but give us some decent upload bandwidth, please! It's only a matter of time before I move to BE Pro.

  18. Anonymous Coward
    Happy

    On the other hand...

    ...*my* perfectly legal bog standard 8MB/s NTL link works well, and I get a real actual honest-to-god throughput of 900-odd kB/s downloading from a sufficiently fast web server at the far end(*), so I'm quite happy.

    (*) actually quite a rare occurrence. 300-odd kB/s is more frequent.

  19. Anonymous Coward
    Thumb Down

    You can just imagine the meeting about that

    "What? They're not letting our existing customers access their total bandwidth? But that's OUR job!"

    Also, how could a cabled modem possibly be anonymous and untraceable? I mean, for about a thousand people they could just track it back up the cable. Or just look at whose modem has just logged in (they almost certainly have a logged unique ID tracked against a customer account).

    Alternatively, can't they modify the firmware on the modem remotely to disallow the hack?

  20. Anonymous Coward
    Anonymous Coward

    More than a 1000?

    I should cocoa; practically every shared-house-living student I've met pulls this trick.

    Abuse of the word "hacker", btw.

  21. Anonymous Coward
    Anonymous Coward

    Scare Tactics...

    So they can identify a router... but they can't tell which house on the cable run has the bad MAC.

    Even if they could identify at street cabinet level, that's still 50+ houses.

    All they can do is disable the duped MAC and inconvenience (read: cut off) a legit customer... There is no way they will be knocking on a door...

    I used to be a cable customer from 1999 when Diamond (as they were then) ran their first trials.. I had to buy my own modem from the States! A friend moved out of area, cancelled and gave me his modem; it worked for 9 months on his MAC before they realised it was elsewhere and canned it..

    But alas no more: when Virgin took over, the service went downhill very badly, and now I'm a happy ADSL2+ subscriber running at 20+ down and 2.5 up.. (yes, I'm 300m from the exchange)

  22. Anonymous Coward
    Flame

    yeah - one way effort as usual

    "Obtaining services dishonestly is an offence under section 11 of the Fraud Act 2006. A conviction carries up to 12 months in jail."

    Too bad that the consumer rights legislation here in the UK is such a joke. The above should also be matched with its opposite. How about it? Not obtaining appropriate services due to dishonesty should be an offence with better legislative support, and its application should be pursued actively by publicly funded consumer ombudsmen (false representation of unachievable speeds, anyone?).

    What would happen if I "hack" my modem to be able to get closer to the speeds that my existing contracted subscription supposedly already covers? At the moment I would probably not find any legislative support for my actions.

  23. Anonymous Coward
    Linux

    How it works!

    @Joel Mansford

    It's fiber in the main network, but it is converted into coax. You would need fiber light-sensing equipment in your house to have house-to-house fiber.

    The modems work by cloning the MAC address of a real modem, allowing it to be connected to the network. As the modem itself regulates the speed it works at, the "hackers" *hmm, coin of a wrong phrase* force the modem to download a config file that is of a higher speed than their own.

    This then allows the modem to be inside the network, with a copied MAC. Because the MAC is copied from a different SUBNET there are no conflicts.

    Also:

    I'd like to know how they are tracing. The only identifiers are local hardware MACs (routers/NICs etc.)

    And the modem MAC.

    The modem connects into a sea of wires with the other ones, which all join into one after it leaves the CAB.

    They can do some diagnostics but won't get very far.

    LINUX :D

  24. Anonymous Coward
    Alert

    @A J Stiles - Untraceable?

    Of course you're traceable on a wired network! They just need to follow the cable with all the packets going down it. All the way to your computer .....

    One cable to many houses... It's a shared network; the packets go to every house on that cable run... Are you proposing they dig it up and physically disconnect each house in turn to see which one they come from?? Yeah, that's gonna happen!

  25. Anonymous Coward
    Pirate

    @zerofool2005

    >"Id like to know how they are tracing. "

    The procedure is simple:

    NTL issues cable modem to legit customer, records MAC addr, registers it on activation, knows where it is connected at all times.

    Same MAC address appears elsewhere on network. Immediately it is possible to deduce which one is the fake. Here's where your reasoning falls down:

    >"The modem connects into a sea of wires with the other ones. That all join into one after it leaves to CAB."

    EPIC 1337 SKILLS FAIL. Boy, are you busted. Options for tracking individual modems that spring to my mind include TDR and manipulation of TDMA slots to cleanly isolate an individual modem's signal.

  26. Anonymous Coward
    Pirate

    afterthought @zerofool2005

    Oh, and another method to track down an individual modem when you're out in a field: selectively inject noise into individual consumer end lines for a few moments, and see which MAC address suddenly drops out at the CMTS.

    Seriously, do not get smug about how secure you are when there is a fucking physical piece of wire that leads directly from the scene of the crime right to your fucking front door. You are a dumb criminal and you are going to get caught.

  27. Anonymous Coward
    Unhappy

    to Frank:

    "Or maybe the technical department doesn't talk to the user accounts department"

    Duh! Of course they don't talk to each other. NO department in Virgin Media talks to any other department. Have you never had to phone them?

  28. Ian McNee
    Flame

    How about tackling fraud by...

    ...providing a service that is worth what we pay for it. I've been with VM (and Telewest before them) for a long time and apart from the *advertised* speed of their service things have by and large only got worse.

    Yes they finally listened to the torrent (no pun intended) of customer feedback about premium-rate phone support but you're still very lucky if you get to speak to someone who is capable of hearing that there is a problem with the service rather than just taking you through the Fisher-Price script telling you to make sure you're not wearing odd socks or metallic glasses that may interfere with the broadband signal.

    And their mail service has been selling itself with the line: "Fed up with puny mailboxes? With Virgin Media you get five 30MB mailboxes" ever since I signed-up with Telewest. Every now and then I get the urge to collect a few old 40GB drives and send them off to VM to upgrade the mail server capacity.

    /rant

  29. Anonymous Coward
    Pirate

    Don't need a flashy tool.

    Run a scan for every mac address on their subnets.

    Look for repeated entries - these will be the cloned devices.

    Block all repeated entries and see who screams.

    Hell, it even fits the VM customer service reputation. Still, they're all as bad - BT Broadband, I'm looking at you... And waving as I go elsewhere...
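The checks suggested in this thread (Frank's comparison of observed rate against the paid-for profile, and the scan for MAC addresses that appear more than once) can be run offline over CMTS registration records. The following is an added example, not code from the thread or from Virgin Media; the record layout, the CMTS interface names, the profile table and every MAC address and rate are constructed sample data.

```python
# Added example (not from the thread or from Virgin Media): offline detection of
# cloned or re-provisioned cable modems from constructed CMTS registration and
# billing records. Field names, interface names and all values are assumptions.
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Registration:
    mac: str           # cable-modem MAC as seen by the CMTS
    cmts_if: str       # CMTS card/port (upstream interface) the modem ranged on
    cfg_file: str      # provisioning (config) file the modem fetched
    peak_mbps: float   # peak downstream rate observed in the billing window


# Billing view: which service profile each issued modem is entitled to (constructed).
SUBSCRIBED = {
    "00:11:22:33:44:01": "4M",
    "00:11:22:33:44:02": "20M",
    "00:11:22:33:44:03": "50M",
}

PROFILE_RATE = {"4M": 4.0, "20M": 20.0, "50M": 50.0}
PROFILE_CFG = {"4M": "cm_4m.cfg", "20M": "cm_20m.cfg", "50M": "cm_50m.cfg"}

# Constructed CMTS log for one billing window.
CMTS_LOG = [
    Registration("00:11:22:33:44:01", "c1/0/u0", "cm_4m.cfg", 3.8),
    Registration("00:11:22:33:44:01", "c3/1/u2", "cm_50m.cfg", 48.0),   # same MAC, second port
    Registration("00:11:22:33:44:02", "c1/0/u1", "cm_50m.cfg", 47.5),   # pulled the wrong config
    Registration("00:11:22:33:44:03", "c2/0/u0", "cm_50m.cfg", 49.1),   # consistent with billing
    Registration("00:11:22:33:44:99", "c2/0/u3", "cm_50m.cfg", 46.0),   # MAC billing never issued
]


def find_suspect_modems(log, subscribed, tolerance=1.25):
    """Return {mac: [reasons]} for modems that look cloned or re-provisioned.

    Three independent checks, in the spirit of the thread:
      1. the same MAC ranging on more than one CMTS interface in the window;
      2. a MAC the CMTS sees that billing never issued;
      3. a config file or observed rate inconsistent with the paid profile
         (tolerance allows for marketing "up to" headroom and burst credit).
    """
    interfaces = defaultdict(set)
    for r in log:
        interfaces[r.mac].add(r.cmts_if)

    findings = defaultdict(list)
    for r in log:
        if len(interfaces[r.mac]) > 1:
            findings[r.mac].append(f"duplicate: seen on {sorted(interfaces[r.mac])}")
        profile = subscribed.get(r.mac)
        if profile is None:
            findings[r.mac].append("unknown MAC (never issued)")
            continue
        if r.cfg_file != PROFILE_CFG[profile]:
            findings[r.mac].append(f"cfg {r.cfg_file} != profile {profile}")
        if r.peak_mbps > PROFILE_RATE[profile] * tolerance:
            findings[r.mac].append(f"rate {r.peak_mbps} Mb/s exceeds {profile} allowance")
    # Drop repeated reasons (the duplicate check fires once per record) but keep order.
    return {m: list(dict.fromkeys(v)) for m, v in findings.items()}


if __name__ == "__main__":
    for mac, reasons in find_suspect_modems(CMTS_LOG, SUBSCRIBED).items():
        print(mac, "->", "; ".join(reasons))
```

The duplicate check alone cannot say which of the two registrations is the clone; joining it with the billing profile and the config file actually fetched is what separates the original from the copy, and the rate check catches a modem that is the only holder of its MAC but has been re-provisioned upward.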

  30. Mike
    Happy

    VM's only happy customer?

    Every time there's a VM story, you get loads of people complaining. Maybe it's different around the country, but up here in Edinburgh, I get my full 20Mb speed all the time, unless I've hit the limit which is VERY rare, even though I download pretty much all the TV I watch from Usenet, and in 6 years my connection has gone down a grand total of twice. Both times I called and it was back in an hour.

    But I still hate Beardy Branson. He's just so smug

  31. Anonymous Coward
    Anonymous Coward

    There is no end in sight for vm hacks

    The sad truth is that there is no end in sight for the hacks (TV and modem). They just don't have the resources to go and cut every modem off. For a start it takes (apparently) about 10 seconds to log on to the modem and set a new MAC address from the modem's web interface. As soon as that is done they would have to start all over again unless they knew exactly which wire you were on.

    If they changed every switch/router in the cabinets then maybe they could turn them off fast enough remotely to make it pointless changing the MAC again, but that would cost more money than they have.

    Maybe they need to introduce dynamic config files with names generated from a hash of the MAC address and the speed they should be getting, and only let that MAC download them once. At least if it wasn't so easy that Dave down the pub, who struggles to even connect the stuff up, can read a 3-line tutorial on MAC changing and do it himself

    I hope that now they have admitted the massive security holes in their network they will inform the BPI/RIAA etc. that all the information on customers' IP leases they gave them over the past 5 years is potentially inaccurate - that it could have actually been anybody in the whole cabled area downloading gangster rap and copious amounts of goat porn at 3am from torrent sites, rather than old Granny Jones from number 13 who only wants the internet to download knitting patterns and talk to her kids in Australia.

    The TV hack could only really be countered by changing to Nagra 2 and hoping that it's not completely hacked again by the time they finish rolling it out. Maybe if they made every channel VOD then you could stop it. I doubt they have the bandwidth for that though.
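The per-modem, download-once config file idea above can be sketched as a provisioning-server mitigation. This is an added example, not code from the thread or from Virgin Media's provisioning system; it assumes the server keeps a secret key, learns the requesting modem's MAC on each fetch, and it uses a keyed HMAC rather than the plain hash the post suggests so that a modem cannot derive the file name for a faster profile from public inputs. The MAC addresses and profile names are constructed.

```python
# Added example (not from the thread or Virgin Media): per-modem provisioning
# file names minted from an HMAC over MAC + service profile + nonce, each
# redeemable once and only by the MAC it was minted for. Assumptions: the
# provisioning server holds SECRET and sees the requester's MAC on every fetch.
import hashlib
import hmac
import secrets

SECRET = secrets.token_bytes(32)  # provisioning-server key; never sent to modems


class ProvisioningServer:
    def __init__(self, key, subscribed):
        self.key = key
        self.subscribed = subscribed   # {mac: profile}, fed from billing (constructed)
        self.issued = {}               # filename -> (mac, profile), removed on first fetch
        self.audit = []                # (mac, filename, outcome) for the fraud team

    def cfg_name(self, mac, profile, nonce):
        # Keyed hash: without SECRET nobody can compute another modem's file name,
        # and the nonce makes every registration produce a fresh name.
        msg = f"{mac.lower()}|{profile}|{nonce}".encode()
        digest = hmac.new(self.key, msg, hashlib.sha256).hexdigest()
        return f"cm_{digest[:24]}.cfg"

    def offer(self, mac):
        """Called when a modem registers: hand it a one-time file name for the
        profile billing says that MAC is entitled to, or nothing if unknown."""
        profile = self.subscribed.get(mac.lower())
        if profile is None:
            self.audit.append((mac, None, "reject: MAC not issued"))
            return None
        name = self.cfg_name(mac, profile, secrets.token_hex(8))
        self.issued[name] = (mac.lower(), profile)
        return name

    def fetch(self, mac, name):
        """Serve the file only to the MAC it was minted for, and only once."""
        entry = self.issued.pop(name, None)
        if entry is None:
            self.audit.append((mac, name, "reject: unknown or already used"))
            return None
        owner, profile = entry
        if owner != mac.lower():
            self.audit.append((mac, name, f"reject: minted for {owner}"))
            return None
        self.audit.append((mac, name, "ok"))
        return {"profile": profile}   # stands in for the real config body


def demo():
    """Walk one registration through the server and return what each fetch got."""
    srv = ProvisioningServer(SECRET, {"00:11:22:33:44:01": "4M"})
    name = srv.offer("00:11:22:33:44:01")
    first = srv.fetch("00:11:22:33:44:01", name)          # entitled modem: served
    replay = srv.fetch("00:11:22:33:44:01", name)         # same name again: refused
    static = srv.fetch("00:11:22:33:44:01", "cm_50m.cfg") # guessed static name: refused
    other = srv.fetch("00:11:22:33:44:02", srv.offer("00:11:22:33:44:01"))  # wrong MAC: refused
    return first, replay, static, other, srv.audit


if __name__ == "__main__":
    for item in demo():
        print(item)
```

A second device registering with a copied MAC still only ever receives the profile billing assigns to that MAC, so the "download the 50M file instead" step stops working; the duplicate registration itself remains something to catch separately, and the audit list is where the refused fetches surface for that.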

  32. Peter Gathercole Silver badge
    Stop

    @AC re TDMA

    I'm not a cable engineer, but am interested in the subject.

    I'm not sure that it is that simple. The cable network, even from the street boxes is a tree network, with many branches and bi-directional signal regenerators. The signal is not baseband, but true multi-frequency broadband (my, how that term is mis-used in the public space), with many customers appearing on the same branch of the tree. It is not a point-to-point network like the telephone network.

    The modulation is a mixture of TDMA and FDMA, with modems switching frequency during normal operation, and possibly using more than one frequency carrier for the higher data speeds.

    If you were to inject noise (that is, without disconnecting the individual tap from the network), you would take out ALL customers ON THAT BRANCH! If you wanted to try to make it more selective, you could try to identify the frequency currently in use, but you would still take out all the customers using that carrier on that branch, and that is assuming that the modems would not switch to another frequency. If you want to check each tap, you would have to physically visit each tap point. And you must remember that this is a shared infrastructure with their cable TV operation.

    You may also get false positives. What happens if, at the same time as you trying to identify an illegal modem, a customer turns off their cable modem?

    I'm not sure a TDR (if you mean Time-Domain Reflectometer) would help either. These are used to measure cable breaks by relying on reflected signals from the end of cables without load (un-terminated in the transmission line vernacular). In this case, the cable would not be un-terminated, but would still have a load on it.

    In theory, if you knew the propagation time of the signal on the wire, it may be possible to time a response to the modem, but I suspect that the quality of cable, number of taps, and even the moisture content of the soil around the cable may alter the inductance and capacitance of the cables to make this uncertain. We're not talking 10base5 Ethernet, or even telephone line twisted pairs here.

    All in all, I expect that the cable engineers at Virgin Media, who actually maintain a cable network, to know more about the design and running of these things than a majority of us amateurs commenting in this thread. Give them some credit, because if they knew nothing, their whole network would grind to a halt very quickly.

  33. Anonymous Coward
    Thumb Down

    the kiddy pron problem

    If it's that easy to clone someone else's modem then surely this is a more serious issue than VM losing out on some bandwidth and money.

    What happens if some perv gets a cloned modem and downloads a load of kiddy pron, then at some point the website he downloads it from gets busted, the police get a list of IP addresses that have been downloading it and trace it back to one of those cloned modems? If they don't know it's a clone they will look at their accounts and say "oh, that IP was issued to Joe Bloggs' 50mb modem, here is his name and address". And some innocent guy gets his front door kicked in and his computers taken away because VM couldn't secure their network. Sure, eventually they will check Joe Bloggs' PC and find no kiddy pron, but he will have to go through the stigma of being accused and may lose his job, get his kids taken away, wife leave him etc. How long before a good lawyer sues VM for damages if that happens?

  34. Anonymous Coward
    Anonymous Coward

    Yeah - like you're anonymous on the Internet - Right

    Hmmm...

    This might be stating the blindingly obvious but - heck - unless you want to run *everything* over encrypted / anonymous services you'll expose some identifiers in your IP traffic. I suspect that a week's worth of full-on data snooping (Phorm aren't the only ones) will result in everything apart from the average modem MAC cloner's shoe size. An ISP was recently (2008) found to be snooping *all* their customers' MSN stuff - stopped when a techie noticed it and complained......

    It's almost the same as the old mobile IMEI game .... a network operator too greedy to do things right....

  35. Anonymous Coward
    Anonymous Coward

    Virgin

    They shouldn't make their systems so easy to hack, heh

    They have only themselves to blame, I could secure their systems in a matter of days but while they're too stupid to do it themselves they're going to get owned.

    TBH, if they priced their services at the right level and didn't screw their customers with substandard tv boxes and firmware, people might be more willing to pay them but their boxes are a joke, their tech support is a joke, I know a few people running dreamboxes just to get a decent system that they can actually use the way they want, if it was possible to use your own equipment and pay them I suspect a large number of people would...

    Also, they're doing away with the cheapest broadband package and forcing people to take a more expensive one now so your granny who has a basic connection just to check her email and so on will have to pay for at least a 10mbit connection!

    Yes, way to keep your customers and discourage fraud there, heh.

  36. Anonymous Coward
    Boffin

    @Peter Gathercole

    > "I'm not sure that it is that simple. The cable network, even from the street boxes is a tree network, with many branches and bi-directional signal regenerators."

    Yep. The plan is to narrow it down to a small enough segment that it then becomes practical to go house by house. I am of course assuming here that the cableco engineers have a well-equipped toolbox full of parts such as taps, mixers, filters, injectors, splicers etc., that only require breaking the connection briefly to place them in circuit, and perhaps that they are willing to put a little development effort into building a few custom jerry-rigged gizmos out of these parts and some of the standard sort of parts they'll have around the lab - oscillators, filters, that kind of thing.

    > "The signal is not baseband, but true multi-frequency broadband (my, how that term is mis-used in the public space), with many customers appearing on the same branch of the tree. It is not a point-to-point network like the telephone network."

    Well yeh, that's why I didn't just say "Follow the wire from the port on the CMTS"!

    There's this little thing called a MAC layer. It manages many clients appearing on the same segment of a network. Remember it, because it'll come in handy later.

    > "The modulation is a mixture of TDMA and FDMA, with modems switching frequency during normal operation, and possibly using more than one frequency carrier for the higher data speeds.

    > If you were to inject noise (that is, without disconnecting the individual tap from the network), you would take out ALL customers ON THAT BRANCH! If you wanted to try to make it more selective, you could try to identify the frequency currently in use, but you would still take out all the customers using that carrier on that branch, and that is assuming that the modems would not switch to another frequency."

    Hang on a minute. We control the horizontal, we control the vertical, remember? We manipulate the allocation policy of all the cable modems on the same CMTS port as the 'phantom' to isolate it in a time slot and channel of its own. Then we can inject timed pulses of band-limited noise into the system and know we're only going to take out one specific modem. This could be done with a laptop with a hacked-up cable modem card in it and some special drivers.

    > "If you want to check each tap, you would have to physically visit each tap point."

    Yep. This is a fraud investigation and we have to assume they are motivated to put some effort into it. The point of tracing the signal down the tree to the final segment is to reduce the number of tap sites to a manageable quantity. Then you actually go round each house one at a time and visit each tap point and test it again there. Sooner or later you find your signal source.

    > "You may also get false positives. What happens if, at the same time as you trying to identify an illegal modem, a customer turns off their cable modem?"

    Errm, that's trivial. You just repeatedly run the test a few dozen times, turning the blocking noise injection on and off at random intervals a few superframes apart. The odds of someone switching their cable modem on and off, or of a loose wire or third-party noise source interfering in the exact pattern you choose? Infinitesimal.

    > "All in all, I expect that the cable engineers at Virgin Media, who actually maintain a cable network, to know more about the design and running of these things than a majority of us amateurs commenting in this thread"

    Err, did they say that they /weren't/ able to trace individual modems and I missed it? I'm sure they do know how to run their network. Some of the techniques I have just described may even be novel, but I'm pretty sure they're the same sorts of ideas they'd be kicking around if you got them round a meeting table and asked them how to solve this problem.

    TDR was probably a red herring, I guess. Except... you know that one particular modem's listening on a particular channel at a particular time. That means (because cable modem QAM demodulators tend to work on an IF) that there's a bandpass filter out there at the end of the line, tuned to the channel center frequency and effectively connecting and disconnecting according to the time-slot allocation. Now, a filter is neither a short-circuit nor an open-circuit, but it sure is electrically distinguishable from there not being a filter there, even at the end of a cable segment. So the idea might not be completely without its uses after all...

  37. Anonymous Coward
    Anonymous Coward

    Untraceable?

    Shirley all they have to do is check the download speed on a line? If it's more than is being paid for then they've traced it.

  38. Peter Gathercole Silver badge
    Happy

    @AC re TDMA again

    I follow all of your points, and I guess that I was simplifying things a bit, but it sounds like a lot of effort, and synchronisation between different parts of the organisation, including putting engineers on the street physically fiddling with the cables. Must be some form of cost/benefit analysis on the value of this.

    I'm not sure about the time-slot allocation technique for the bandpass filter. I'm fairly certain that they will not be "effectively connecting and disconnecting according to the time-slot allocation", but will have packet selection based on MAC, rather than an electronic time-based switch. And it also does rely on being able to isolate the modem being investigated to a fixed carrier, preferably not shared with other modems.

    I hate to think what the jitter of several dozen modems switching their bandpass filters on and off on a particular branch would be. Probably almost impossible to analyse.

    Anyway, interesting discussion, as always on El. Reg.

  39. Alex
    Joke

    @"Untracable" AC

    Exactly. And don't call me Shirley

  40. YumDogfood

    Wondering...

    So why can't the CMTS one-time reprogram the CM RSA keys (and encrypt IP transport from then on) so that any cloned modems from that time would get spanked as MAC addr & RSA public key would not match their records?

  41. Carl Thomas
    Flame

    TDMA...

    The modems have timeslots allocated to them based on when they request data; the CMTS notes which modems have requested data and provides them with a data grant at a certain time, which the CMTS then carries out via a downstream broadcast, the MAP.

    Introducing noise to a modem's timeslot will *not* knock the modem offline, it'll just retransmit, and as I said you cannot force a modem to request timeslots, nor can you arrange for when the modem will transmit without causing issues for other modems.

    Modems carry out periodic maintenance, however even introducing noise to this won't be effective, the modem will retry and a counter will increment, but what use is noting a counter incrementing and what does this tell you about the modem, it remains just a MAC address?

    TDR is pointless, cable modems have a timing offset anyway, however all this tells you best case is to within a small area how much fibre and coax there is between CMTS and modem.

    Sadly there is only one way to reliably find the evil people, via which CMTS card they are on, and from there disconnecting the HFC network at hardware level a leg at a time and observing if the modem goes offline or not can trace down to which tap the evil person is on, from there going through the taps one at a time.

  42. Carl Thomas
    Flame

    Re: Wondering

    If BPI+ were actually implemented and working properly on the VM network these modems wouldn't be getting online in the first place. MAC address and key pair would only match properly on the original modem unless the device were a 'perfect clone' with the RSA key pair stolen as well, however that requires physical access to a modem.

    Large swathes of the VM network do not have BPI+ implemented, and even where it is it does not appear to be mandatory so hackers just switch it off.

    From my own:

    AMBIT Euro DOCSIS 2.0 Cable Modem

    DOCSIS operating mode = DOCSIS 1.0

    BPI Baseline Privacy Enabled = False

    BPI2 Privacy enabled = False

    They still however have the cheek to switch off customers' SNMP access to their own modems for 'performance reasons'...

    The fire icon, as that's hopefully what this article has set under VM's security people to get them to stop messing around with datacentre stuff and sort the cable network out.

  43. Anonymous Coward
    Anonymous Coward

    @Carl

    >"The modems have timeslots allocated to them based on when they request data, the CMTS notes which modems have requested data and provides them with a data grant at a certain time which the CMTS then carries out via a downstream broadcast, the MAP.

    Introducing noise to a modem's timeslot will *not* knock the modem offline, it'll just retransmit, and as I said you cannot force a modem to request timeslots, nor can you arrange for when the modem will transmit without causing issues for other modems."

    Yes you can. It won't transmit outside its timeslot. You can't force it to request them but you can control the allocations. You're in charge of the CMTS, remember? You can program it to respond however you like.

  44. Anonymous Coward
    Anonymous Coward

    @Carl (pt 2)

    [gah, hit send too soon]

    >"Modems carry out periodic maintenance, however even introducing noise to this won't be effective, the modem will retry and a counter will increment, but what use is noting a counter incrementing and what does this tell you about the modem, it remains just a MAC address?"

    The idea is to introduce band- and time- limited noise *selectively* into downstream legs of any branchpoint so that you can figure out which one the evil modem is on.

    >"Sadly there is only one way to reliably find the evil people, via which CMTS card they are on, and from there disconnecting the HFC network at hardware level a leg at a time and observing if the modem goes offline or not can trace down to which tap the evil person is on, from there going through the taps one at a time."

    The whole point of CDMA and TDMA is that the modems, despite sharing a common physical medium, have unique individual "virtual" carriers within that can be processed separately without interfering with the others. If it's possible to avoid tx collisions this way, it's possible to *target* collisions (or other interference) by the same means.

  45. Anonymous Coward
    Anonymous Coward

    @Peter Gathercole again

    Re: Effort/organisation. Yes, definitely it would have costs. But I'm an engineer, not a beancounter, so I'm wondering what is practical and possible in engineering terms. It might be possible to justify the expense with an argument along the lines "each such operation persuades N other bandwidth hackers to stop before they got caught".

    Re: timeslots, filtering etc. I did a bit of research, and the QAM demod chipsets that I could find all required external filtering to an IF. Also, most RF equipment that I know of has a TX/RX switch in there. Because we control the CMTS, controlling the time and channel allocations to all the modems on the port is entirely within our power, so isolation shouldn't be a problem. Think about timing-correlated side-channel attacks: if there's any kind of measurable difference in the line's complex impedance properties caused by the modem switching from channel to channel, or turning its transmitter or receiver on or off, we can manipulate that from the far end and then just wrap an inductive tap round each of the legs past a branch point and see which one we can pick up the strongest correlated signal from.

    Look at the recent stuff about keyboard sniffing from RF traces on the domestic power supply to the building where the keyboard is being used if you want to see the power of these kinds of attacks to reveal information from a noisy signal. If you're the cable co and you have access to the detailed RF leakage reports that you had to prepare for FCC approval, you might even be able to work out a way to detect the RF signal from a particular modem from afar using a DF antenna.

  46. Mike Bronze badge

    easier

    It's a lot easier than you seem to think; re-read the article:

    "It added that recent network upgrades allowed it to detect modems cloned in this way and it intends to pursue those involved."

    Network upgrades, such as the blocks of flats I've seen being re-wired, which now have a separate coax from every flat back to a central box with a fibre uplink in? I'm not sure if it is related to Virgin or not, as the way they have fitted them seems to be sub-optimal for anything I can think of that would require running coax around the building; however, if that is indeed Virgin coax (it's not connected up yet here) then that would make it trivial to locate cloned modems.

    Or of course they could just head out and start unplugging things. While there might be thousands of sources to track down now, there wouldn't be many at all if they actually put effort into tracking them down and prosecuting; there are only so many people doing it because they can get away with it.

    Personally I think they should just block the MAC addresses that show up twice on the network. Sure, it'll cause temporary loss of service to legitimate customers initially (who won't even notice it as more than "the usual service level"), but it'd make the modem hacking stop working, so people would stop even trying it - no point leaving a hacked modem connected up and turned on if it doesn't even work - so the legitimate user wouldn't stay blocked for long.
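The duplicate-MAC rule the post above proposes, as an added example that is not part of the thread and not Virgin Media's tooling: it parses a constructed snapshot in the spirit of a CMTS "show cable modem" listing (MAC, cable interface, upstream channel, state are the assumed columns) and flags any MAC that is online on more than one cable interface at once, which is what a cloned modem registering from a second serving area looks like.

```python
"""Duplicate-MAC detection over a CMTS modem table (added example)."""
from collections import defaultdict

# Constructed sample rows, one per registered modem:
#   <mac> <cmts cable interface> <upstream channel> <state>
# The first MAC is online on two different interfaces: the cloned case.
SAMPLE_MODEM_TABLE = """\
0011.2233.4455 Cable5/0/0 U0 online
0011.2233.4455 Cable5/0/0 U1 online
0011.2233.4455 Cable7/1/0 U2 online
00aa.bbcc.dd01 Cable5/0/0 U0 online
00aa.bbcc.dd02 Cable7/1/0 U3 init(rc)
00aa.bbcc.dd02 Cable7/1/0 U3 online
"""


def parse_modem_table(text):
    """Turn the listing into (mac, interface, upstream, state) tuples."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # blank or malformed line: ignore rather than guess
        mac, iface, upstream, state = parts
        rows.append((mac.lower(), iface, upstream, state))
    return rows


def find_cloned_macs(rows):
    """Return {mac: sorted interfaces} for every MAC online on >1 interface.

    Only 'online' rows count: a modem re-ranging after a reboot while its
    stale entry ages out is not evidence of cloning. Several rows on the same
    interface (different upstream, or a re-registration) are not flagged.
    As the post notes, the legitimate subscriber with that MAC is caught too,
    so the result is a list to act on, not proof of which end is the clone.
    """
    seen = defaultdict(set)
    for mac, iface, _upstream, state in rows:
        if state == "online":
            seen[mac].add(iface)
    return {mac: sorted(ifaces) for mac, ifaces in seen.items() if len(ifaces) > 1}


if __name__ == "__main__":
    for mac, ifaces in find_cloned_macs(parse_modem_table(SAMPLE_MODEM_TABLE)).items():
        print(f"{mac}: online on {', '.join(ifaces)} - block pending investigation")
```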

  47. Carl Thomas
    Paris Hilton

    @Anonymous Coward

    So Virgin can either rewrite the IOS on their CMTS, or they can use an external device which rewrites the MPEG frames on the downstream, along with sending someone to a cabinet to selectively introduce noise... or they could just diss each leg and see when the modem in question goes offline, which is what they do.

    Introducing noise downstream will increment the T4 counter on the modem, so you'd need to be continuously polling the modem via SNMP - not doable if the hacker has removed your SNMP access, as often happens with hacked firmware; there is no OSS channel on DOCSIS, you have to read MIBs to get information from modems. You'd have to block and block, then the CMTS would queue up a load of station maintenance requests and fire those at the modem; you'd have to mess with those as well - this would require messing with IOS or using an EQAM and data diddling, both of which would introduce timing issues and make the whole lot no longer DOCSIS compliant, risking affecting legitimate subscribers on the entire downstream or EQAM, far more effect than simply dissing a node.

    Paris - as while it's of course in theory doable, as rightly said we control everything, it's seriously not practical, just like her!

  48. Anonymous Coward
    Alert

    and here we go again...

    It's much harder to trace a cable connection than a BT landline: a landline is basically hardwired from end to end, whereas the cable network is more like Sky, the cable split to more cables split to more cables, and the card in your box decides what you get to see (and in the case of the modems, everything your modem sends and receives is visible to everything else in your area, but the "DOCSIS encryption" keeps it private).

    Have a search on Google for the NTL engineers' manual; their training manual leaked out years ago. Those little green cabinets are little more than glorified aerial amplifiers: 1 main cable goes in, X number of feeds go out to people's houses, hence it will be VERY difficult to trace the fraudulent modem by following the cable as some suggest, even more so if you're in a block of flats etc. where the lazy sods tend to just further split off one incoming feed into as many flats as needed (optical cable (that seems to be made of solid copper) must be THAT expensive that they need to save as much cost as possible... now where's advertising standards when you need them...).

    One has to wonder why we're pretty much the only country in the western world where dodgy cable is available, if not the norm; pretty much everywhere else has their network securely set up so the clones and carded boxes aren't possible (maybe VM should have a talk with Sky's tech department to learn how to set things up right).

    The thing that's never been picked up on:

    Sky gets pissed off at the dodgy cable boxes, takes the Sky channels off VM.

    Virgin does a sweep and kills most of the boxes, gets Sky channels back.

    Dodgy boxes gradually reappear, so how long do you reckon the Sky channels are going to stay?

    Then we have the headlines about Sky wanting access to the Virgin cable modem network.

    A few days later Virgin are waging war on the modems; surely it's only got to be a matter of time before we see it all becoming Sky Media or something else? (Doubt it would be Sky Virgin cos that sounds like a star in one of the films wacky Jakie's hubby seems to like getting us to pay for...)

  49. Anonymous Coward
    Alert

    Another point about Virgin's crappy security...

    Apparently, from having a bit of a Google, it seems that the modem hackers use a bit of software that simply ASKS VIRGIN'S SERVERS for a list of all valid MAC addresses along with the subscribed speeds; now I'm no expert, but if any other company was found to be giving away that kind of information they'd be shut down pretty quickly...

    Now how a company with that kind of flaw in their basic setup can claim to be actively pursuing the hackers...
