 
wifi4milez
Big Russ, 1918 to 2008. Rest in Peace
join:2004-08-07
New York, NY | Who's next? I hope they dont discover this vulnerability for the Fios Actiontec devices. The FIOS device is required in most cases, so people would be at much hiher risk. | |
|  | iansltx
join:2007-02-19
Golden, CO | Re: Who's next? They aren't required, as long as you have Ethernet to somewhere useful where you can put a router. | |
| | | | | | | iansltx
join:2007-02-19
Golden, CO | Re: Who's next? Didn't know that. Thx for the clarification. | |
| | | | | | | patcat88
join:2002-04-05
Jamaica, NY
| said by iansltx  :They aren't required, as long as you have Ethernet to somewhere useful where you can put a router. They are basically required if you have TV. (someone will chip in you can put a firewall ahead of the actiontec so no worm infections are possible) | |
| | | | | | | | | 
jmn1207
Premium
join:2000-07-19
Reston, VA
 ·Verizon FIOS
| Re: Who's next? The main problem with security in this article is the fact that remote access is enabled by default and the wireless security is vulnerable at the default WEP setting.
There are no problems with FiOS and the ActionTec or Westell routers with regards to security. At least, no different from any other consumer level router. These aren't modems, just routers, and while the tiny NAT table may be an issue for some users with certain ActionTec models, they are full featured routers that are very capable and highly configurable.
Lots of people have setup FiOS to use their own routers in all kinds of configurations, and all of these setup are explained in the FiOS FAQs.
You can actually hook up your PC directly to the ONT without using any router at all. And only the Verizon STB require a MoCa router for VOD and guide data. TiVo and Moxi HD DVRs get their guide date from the internet, and the coaxial cable does not need to connect to the router at all for people with these devices. | |
| | | | | | | | | | | | |
jmn1207
Premium
join:2000-07-19
Reston, VA
·Verizon FIOS
| Re: Who's next? ActionTec or Westell are the current brands being used right now. Still, they are full featured routers, and not absolutely necessary. I don't really see this as any concern at all. Your options for any ISP are just as limited in reality. How many different DOCSIS 3.0 Comcast modems can I use.? Would most customers even purchase their own? How many variations does Comcast provide?
It's really nothing to worry about. | |
| | | 
G W Carver
@rr.com
| I live in New Jersey and I have a router and a Toshiba PCX 2600 cable modem and I have problems with Lag? (30 sec to load) and other Times the page comes up unreachable. The cycle is about 5 minutes on and 10 minutes off and it is not the router ether or the firewall or any file on the computer there is a thread about DNS server attacks on Wilders security forums »www.wilderssecurity.com/showthre···t=256231. I think Road Runners Servers are Vulnerable to attack. | |
| | | jjeffeory
join:2002-12-04
USA | They're required. VOD will not work without them. Also other channel information will not be present. I tried removing one and it wasn't pretty. | |
| | tmc8080
join:2004-04-24
Floral Park, NY
| said by wifi4milez :I hope they dont discover this vulnerability for the Fios Actiontec devices. The FIOS device is required in most cases, so people would be at much hiher risk. Broadband tiers are provisioned in the C/O computers (fios)... not by the routers, whereas a cablemodem provisioning has much to do with a file within cablemodems that provision speed/terms of service/features. | |
| | | | | | | | | | 
Jason Levine
Premium
join:2001-07-13
USA
| Re: Who's next? said by wifi4milez :it could even allow them to potentially re-route traffic to malicious websites. That, I think would be the worst outcome. Especially if the malicious website was benign looking. For example, a transparent proxy. So a hacker hits your cable modem and redirects all traffic through his proxy. You then go to your online bank's website, your web e-mail site, Paypal, etc.
All of them work fine and you take all usual precautions (typing in address bar, up to date security software, etc). Still, you're compromised because the hacker now has your account information the minute you hit Submit. He can now clean you out whenever he wants.
Later, if he wants to cover his trails, he can re-log back into your cable modem and revert his changes so it looks like the cable modem was never tampered with.
--
-Jason Levine
Support a children's charity. Buy a calendar and/or a photo book. Shooting For A Cause | |
| | | | |
Spiffy 2
@att.net | Re: Who's next? Already done | |
| | | | |
jmn1207
Premium
join:2000-07-19
Reston, VA
·Verizon FIOS
| If you are simply passing through a hacker's intercepting proxy, unless the bank site is fake and collecting your personal data, I would think that SSL or whatever the banks use nowadays, would prevent eavesdropping. I thought that was the purpose of secure sites? Only the end points have the key, the client and server.
I don't know too much about any of this stuff, so please don't clobber me for my ignorance, I'm just curious. I realize this is a real security threat, but I would hope that it's more challenging than just creating a simple proxy to steal webmail and bank access. | |
| | | | | | Necronomikro
join:2005-09-01
| Re: Who's next? quote:
The SSL vulnerability allowed Marlinspike to create what he called a universal wildcard certificate that caused Firefox to authenticate every domain name on the internet. He did so by applying for a normal certificate for his website thoughtcrime.org. In the commonName field he listed the site as *\0.thoughtcrime.org, causing the browser to believe the certificate was universally valid.
»www.theregister.co.uk/2009/08/04···_update/
There's a few vulnerabilities out there... | |
| | | | | | |
jmn1207
Premium
join:2000-07-19
Reston, VA
·Verizon FIOS
| Re: Who's next? It looks as if that has already been patched. The browser I normally use does not currently show any unpatched Secunia advisories, and the developers have been very quick to respond when potential problems do appear.
A fake site might be able to mimic Wells Fargo's site, but if someone attempts to log in and check their account, I would think it would be immediately obvious that something was not quite right. Recent transactions would not be able to be forged on a fake site unless the bank's site, itself, was completely compromised. Even if a browser is fooled into thinking the site is legit, I would be EXTREMELY concerned if the site popped a message claiming to be temporarily down after entering my login credentials. I'd be on the phone immediately.
There is only so much I can do, within reason, to protect myself. As long as more valuable data is out there that is much easier to get to, I won't panic. FiOS is so fast and reliable, any phantom proxy being used had better be damn fast with very low latency, otherwise I'd be doing all kinds of tests to see what the problem might be, which could possibly expose the security problem, or at least put me on notice to stay away from more security sensitive sites until the issue can be resolved. | |
| | | | | | | | rahvin112
join:2002-05-24
Sandy, UT
| Re: Who's next? It's a man in the middle attack, the attacker intercepts the data, and passes it through after recording it. Think of it as a guy standing in line in front of you that relays all your information to the teller, not only do you and the teller complete the transaction in the normal manner but the guy in the middle has all the data too. The problem as already noted is that it won't work on an encrypted connection.
You shouldn't be passing ANY login information in clear text. If the connection isn't encrypted you shouldn't be logging in. | |
|
anon51
@att.net
| Hack We are Time Warner... If WE say it is fixed, its is fixed, as far as we are concerned.
How DARE you challenge us on this.
I will F*** up your TV signal so fast it will make your head spin.
It will take weeks to get a tech to you....
Oh wait... That already happens.
Never mind. | |
| | Heated Man
join:2009-06-18
Cleveland, OH | Re: Hack What a loser post this is. Thanks for the great information. Troll | |
| watice
join:2008-11-01
East Elmhurst, NY
| SMC/TWC sux what other modem that twc offers has channel bonding? none as far as i'm aware, so you're shit out of luck unless you go buy your own docsis3 modem and then hook up your router to it. As far as I'm concerned, this "hack" should remain open, and ppl should be able to change their own login credentials on their SMC gateways. Last time I spoke to tier 3 they told me if I wanted to change anything on it, get my own modem. | |
| | | | | |
|
|
Hackable Time Warner Cable Modems Still Hackable?
·
·
·
and let it pass through the firewall. Or get them to set the device into bridge mode and let it pass along to the next device in line.
·