Developer Finds Security Hole In SMC Router Provided By Time Warner Cable

If you didn’t provide your own wireless router when you signed up for Internet access from Time Warner, you may have been given an SMC-branded modem/router combo that turns out to be ridiculously easy to break into.

Dave at Chenosaurus was helping out his friend and discovered that all you have to do is disable JavaScript on your browser—the device’s interface is accessible anywhere on the web by default—and you’ll be able to access pretty much everything on the router. TWC knows about the problem, thanks to Dave’s post, and they say they’ve pushed out a patch while they work on a long-term solution.

Here’s what Dave discovered:

The web admin for the router [model number SMC8014WG-SI] simply uses [JavaScript] to hide certain menu options when the user does not have admin privileges. By simply disabling JavaScript in the browser, I was able to access all the features of the router. With that access, I am now able to change the wifi settings, port-forwarding, etc.
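As an added illustration (not code from Dave’s post, SMC or TWC), the toy Python model below contrasts the pattern Dave describes, hiding admin menu items with client-side JavaScript, with a server that checks the session role and the arriving interface on every request; the paths and roles are made up.

```python
# Added example, not SMC or Time Warner code: a toy model of a router web admin.
# It contrasts hiding admin menu items with client-side JavaScript (the flaw in
# the article) against enforcing authorization on the server for every request.
from dataclasses import dataclass
from typing import Callable, Dict, Tuple

# Hypothetical paths standing in for the SMC8014WG-SI pages Dave mentions.
ADMIN_PATHS = {"/admin/wifi", "/admin/portforward", "/admin/password"}
PUBLIC_PATHS = {"/status"}


@dataclass
class Request:
    path: str
    role: str         # "guest" or "admin", taken from the authenticated session
    from_wan: bool    # True if the request arrived on the Internet-facing side


def render_menu(role: str) -> str:
    """Vulnerable pattern: every link is emitted; a script hides the admin ones."""
    items = "".join(f'<li class="admin"><a href="{p}">{p}</a></li>'
                    for p in sorted(ADMIN_PATHS))
    hide = "" if role == "admin" else (
        "<script>for (const li of document.querySelectorAll('li.admin'))"
        " li.style.display='none';</script>")
    return f"<ul>{items}</ul>{hide}"   # links survive with JavaScript disabled


def vulnerable_handle(req: Request) -> Tuple[int, str]:
    """No per-request check: security rests entirely on the menu being hidden."""
    if req.path in ADMIN_PATHS or req.path in PUBLIC_PATHS:
        return 200, f"page {req.path}"
    return 404, "not found"


def hardened_handle(req: Request) -> Tuple[int, str]:
    """Server-side enforcement, independent of what the client rendered."""
    if req.from_wan:
        return 403, "management interface is LAN-only"   # no default WAN exposure
    if req.path in ADMIN_PATHS:
        if req.role != "admin":
            return 403, "forbidden"
        return 200, f"page {req.path}"
    if req.path in PUBLIC_PATHS:
        return 200, f"page {req.path}"
    return 404, "not found"


def authz_matrix(handler: Callable[[Request], Tuple[int, str]],
                 role: str = "guest", from_wan: bool = False) -> Dict[str, int]:
    """The check a tester runs: request every admin path directly, ignoring the
    menu (as a browser with JavaScript disabled would), and record the status."""
    return {p: handler(Request(p, role, from_wan))[0] for p in sorted(ADMIN_PATHS)}


if __name__ == "__main__":
    print("vulnerable:", authz_matrix(vulnerable_handle))   # every admin path: 200
    print("hardened:  ", authz_matrix(hardened_handle))     # every admin path: 403
```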

Jeff Simmermon, the Director of Digital Communications at Time Warner Cable, left a comment on Dave’s blog addressing the situation:

From what I understand, our QA got a list of fixes for the identified issues on Friday, and are currently testing (if not finished with testing) and preparing to hand this off to our Ops team at this very moment.

Our customers’ security is of the utmost importance to us, and we are constantly working to identify and repair holes and flaws as we discover them. This is not the sort of thing where we’ll roll the fix out, go “okay, done, phew,” and go back to our comfy armchairs. With more than 14,000,000 devices in the field, we’ve always got bugs to fix and holes to secure.

We contacted Jeff to find out where TWC stands on the current status of the SMC8014WG-SI. He wrote back:

The updates [that we have applied to the router] are done remotely, without the customer getting involved.

This security issue affects roughly 67,000 out of over 14,000,000 customers. To imply that all of our customers’ data is at risk would be false. We deployed a patch remotely on Tuesday [October 20th] specifically to protect affected customers’ data while we QA and roll out a long-term solution. Customers with the affected routers should not have to do anything to upgrade their hardware or worry about their data.

So TWC is on the issue and planning a “long-term solution.”

But here’s what’s puzzling: SMC deliberately made a router that only uses WEP encryption, and that “protects” admin features by using JavaScript, and that stores passwords in plain text? Unless SMC is backed by some cybercrime-loving mafia, it makes no sense. I’ve never heard of SMC before, but from now on I’ll always remember it as the router company that is banned from my house.

“Time Warner cable modem/router major security hole” [My California Adventures via mocoNews]
(Photo elements: James Cridland, Mykl Roventine, mugley, and ThisParticularGreg)

Comments

  1. moore850 says:

    Here’s what you’re not thinking about SMC. Time Warner said “Make us a router that costs $1.” SMC said, “but the only way to do that is to forego all security” and Time Warner said, “one more time… Make us a router that costs $1.” Problem solved!

  2. chris_l says:

    I work in IT security, and this is pitiful. The government should step in and require ISPs to only provide hardware that can be reasonably secured. That means at WPA2 encryption, password encryption, requiring default admin passwords to be changed before a product can be used, etc.

    But I guess if that means that the “free market” can’t sell equipment that can be broken into by a 17 year old contracted by the Russian mafia to create botnets for use in mass attacks or ID theft, then it’ll never happen.

    I hope Ayn Rand comes back as a zombie so I can bash her fucking skull in.

    • bloggerX says:

      @chris_l: Excuse the ignorance, who’s Ayn Rand???

      • Chris Walters says:

        @bloggerX:

        Here’s a comic biography of her that I found on Flickr. It seems fairly biased against her, but then I’m no Rand scholar/fanboi/hater.

      • Stephmo says:

        @bloggerX: Oh my…

        The right trots her out every single time that the left is in power. They love her and hold up her objectivism as proof that the free market is the end-all-be-all of WIN.

        It’s further bolstered because in books like Anthem, the power of the Individual, not the Collective are the only way for society to truly triumph – proof that trying to squelch via any type of regulation is teh ebil.

        This became very very popular because Alan Greenspan used to be besties with the Ayn Rand. He drank much of her koolaid. And, likely, her milkshake.

        Of course, this worship gets very odd on many levels for Ayn was also:

        - A devout atheist.
        - A massive intellectual.
        - Probably somewhat insane.
        - Convinced that man could ultimately rise above petty things like emotion.

        In all honesty, she was kind of going for this thing where everyone would work for the ideal as individuals without being told to do so because they’d be self-actualized through philosophy and intellectualism. People forget she escaped the Russian Revolution when she wrote a lot of what she wrote – so it was as if she liked a lot of the ideals, but wanted to find a way to implement it without the whole oppression of the people and the bloodshed and treating everyone the same part.

        Somehow, all the right took away from this was, “don’t regulate the markets and everyone will do the right thing. Oh, and we still believe in Jesus – a lot.”

        • Pink Puppet says:

          @Stephmo: I love Ayn Rand in a scholarly way, and have had a huge girlcrush on her since I was old enough to read her books.

          But I want to bash my own skull in every time the right props her corpse up on a stick and waves it and her unrealistic philosophies around. REPUBLICANS, UR DOIN IT WRONG.

          • Stephmo says:

            @Pink Puppet: Mostly I get really confused when they start bashing intellectuals and then embracing free-market ideals.

            It’s very confusing. I want to say, “um, you’re actually supposed to be incredibly smart to make the free-market work in an unregulated environment. And I mean really smart, not just, I’m so smart I know to hire people smarter than me to make me look smart. NO – you’ve got to be smart. You DON’T want to be the dude I want to have a beer with! That’s pandering to my emotional side…WTF!”

            Yeah, they confuse me on that whole thing. Frankly, I’m pretty convinced the new Ayn Rand-devotees in the party are really there because Greenspan was a fan and they never understood him beyond, “he’s really smart, so trust everything he says” which included “I believed in Ayn.” Oh, and the 50s were awesome, which was when Ayn got her first big rise to popularity – when everyone was trying to bust out of being part of the homogeneous collective and wanted to do something to rebel other than just be a beat or a greaser.

            Geez, I loved Lord of the Flies, but it’s not like I’m going to develop a Juvenile Reform system called Golding-Security Measures and claim it’s awesome. Even though it totally would be if we televised it…

        • CheritaChen says:

          @Stephmo: I’m with you on almost all of the above, but

          - A devout atheist.

          does not exist. Devout has a powerful religious connotation, and in this context, it reads as if the writer does not understand the nature of atheism. I know you were probably trying to be ironic, but there are too many people with the misconception of atheism as a religion or a belief.

          On the other hand, to say Rand was a devout capitalist would work just swell.

        • catastrophegirl chooses not to fly says:

          @Stephmo: so… you’re saying ayn rand was a wanna-be vulcan?
          [yes, i’ve read some of her books. and after choking my way through john galt’s speech i have to say that was one of the most convoluted pieces of literature i have ever encountered]

    • wvFrugan says:

      @chris_l:
      “I hope Ayn Rand comes back as a zombie so I can bash her fucking skull in.”

      That just gave me an exceptionally warm happy feeling! Thank you for my only brief glimpse of joy thus far today.

    • cerbie says:

      @chris_l: but, but…then they might have to make them run real OSes to do it well. And everybody knows consumer routers aren’t powerful enough to run real server operating systems (to those of you who don’t get it: Google “Tomato” and “dd-wrt”).

  3. angryneo says:

    I use TWC. But thank gawd for my Linksys w/DD-WRT. I sleep better at night.

  4. theSuperman says:

    Ever since I have successfully broken into my own router using WEP, I have been making sure I tell everyone I know to use WPA2 with a long, complex passphrase. WEP is pretty much useless. 5 minutes or less to get into a WEP protected AP.

  5. Felux says:

    Currently most ISP agreements state that the end user is responsible for the use of their connection. Especially with the RIAA, MPAA, and the ISPs themselves tracking illegal downloads via IP addresses.

    This poses a huge question. Is the customer liable for illegal content downloaded via a router provided by the ISP that has had its security breached?

  6. FLConsumer says:

    Does anyone know if this affects Comcast’s SMC modem/routers as well? I absolutely hate that you can’t disable the router and NAT on the ones they’ve shipped me.

    • Beef Supreme says:

      @FLConsumer:

      The Comcast SMC routers are for business class customers and are a different make and model, I do believe.

      • MeCatLikesMeHamSanwich says:

        @dfens42: They is…I have one.

      • FLConsumer says:

        @dfens42: That’s what I found most objectionable — Comcast thinking business-class customers would actually want to use their built-in router/firewall and have no provision to disable it! The only solution they gave us was to get static IPs and just route everything directly to the gateway. Still leaves their crappy router in place, but it generally doesn’t overload too often.

    • Zegridathes says:

      @FLConsumer: When we had Comcast I noticed that their provided cable modem/routers have a number of features (like port-forwarding) ‘soft-disabled’ by removing the javascript from the buttons. I had to re-add the functions back to the buttons with firebug (the IE8 developer tools would work now too) to use it.

  7. PsiCop says:

    SMC is a company that has been making things like network cards for a very long time, a couple decades at least, and maybe more. I can recall having put SMC NICs into computers back in the early 90s. Their decision to use JavaScript as a security measure (cough, cough) is both laughable and inexcusable. There is just no justification for it … none whatever. For this alone, SMC owes its customers an apology. And it should not have been Time Warner’s people who implemented the fix, but SMC’s … because this inexcusable design decision had been theirs, not TWC’s.

    As for WEP security … SMC is not alone in having decided to stand with it even long after it was proven deficient. Although I’m an IT veteran, and have long tried to make sense of this collective decision, the reasoning behind it still baffles me. It seems to have been due to backward compatibility with client devices which had been built long ago when WEP was (erroneously) thought to have been sufficient (as recently as c. 2003). Even so, until a couple years ago, many companies, not just SMC, were still making WEP-only routers, when they should have been making routers with other security enabled as default with WEP being a selectable option only where it was needed for compatibility.

    A great many security challenges remain in the field of wireless technology. It’s not just SMC that is hesitating … to the point of harming their own customers. Again, this is one of those collective decisions on the part of many companies, whose wisdom (if I may use that term!) eludes me. There are security technologies which are available now, which are either underused or completely unused. My own “pet theory” is that a lot of these companies have stockpiles of older chips capable only of older, deficient, security; they’re trying to save money by continuing to assemble products that use them. I can’t prove this but it does seem the only reason that makes any sense.

    • MeCatLikesMeHamSanwich says:

      @PsiCop: Brilliant. Ben, pay this man.

    • shepd says:

      @PsiCop:

      I think you’re pretty much right on, although WPA2 can be done through software on all routers I’ve seen.

      The smart money is that people who know what they’re doing buy any crap router that supports DD-WRT/Tomato/OpenWRT and have it their way. :)

      • PsiCop says:

        @shepd: You’re correct. It’s true that some of the deficiencies can be made up for or obviated by software/firmware changes. But those changes would cost money to develop — and if my “pet theory” is correct this is all about saving money — then the last thing these companies are going to do, is spend money overcoming a problem that they created, by trying to save money.

        Personally I’m hoping one day there’s some kind of class-action suit filed on behalf of customers and businesses, perhaps in the wake of a security breach like this one or this bigger one in which hackers raided unsecured or poorly-secured wireless networks in stores, which forces these tech companies to implement upgrades of this sort.

        (Don’t anyone have a heart attack. This doesn’t mean I’ve changed my views about trial lawyers. They’re still mercenary-like bottom-feeders suckling at the teat of American commerce, costing everyone a whole lot of money while providing few discernible benefits in return. But as the saying goes, even a broken clock is right twice a day; so too, even trial lawyers can have their uses. Sometimes. Maybe. Then again, given the trial lawyers have already had many opportunities to joust at this target but have — for whatever reason — chosen not to, maybe I’m overestimating what they could do about this. Oh well. Nice thought, though.)

  8. Scatter says:

    It bugs me when a company says that “blah blah blah is of utmost importance to them”. It really loses its meaning when they say that about everything.

    Cleanliness, safety, privacy, customer satisfaction, quality, can’t ALL be of the utmost importance. And that’s not even getting into the business side of a company with issues such as profits.

  9. Cant_stop_the_rock says:

    “the device’s interface is accessible anywhere on the web by default”

    Wait, are you saying the admin interface is available via the Internet, not just the intranet?

  10. uber_mensch says:

    Dead link cache for ‘How it’s done’ here:
    [74.125.47.132]

  11. shadydentist says:

    Wow… not just one, but two incredibly stupid errors. What kind of idiots store password information in cleartext?

  12. nfs says:

    Hmm. More reasons not to take the cable company router.

    Use some WPA2, hidden SSID, and MAC Address filtering.

    • PsiCop says:

      @nfs: Agreed. Those measures taken together — along with frequently changing router passwords and WPA keys — should suffice for most people and most situations. They still aren’t impervious to determined and skilled hackers or wardrivers, but they would prevent casual breaches.

  13. Razor512 says:

    Verizon and Qwest also have this problem, and I have called Verizon about the problem because it is being actively exploited, and they didn’t understand what I was talking about.

    When Verizon DSL and Qwest DSL moved to using routers like the Actiontec GT701-GT704WG, the bloated ISP firmware left the router accessible through the internet, and it could not be disabled in the ISP release of the firmware; you had to download and install the generic firmware provided by Actiontec (while it didn’t fix the remote access problem fully, it did fix the problem of the default username and password working in the telnet interface regardless of whether the user changed it, and then with a simple command, generally commands like “nvram get http_passwd”, you get the webui password unencrypted).

    If you scan a port range of like 50 IPs in either ISP’s netblock, you will generally find 30-40 vulnerable DSL gateways.

    At least Time Warner is trying to fix their screwup.

    I do lots of IT work and, on the side, I fix personal computers for many people. In many cases, I have found people using these routers to have had their DNS servers changed, to random people getting their routers bricked because they were in a game server and another player got angry at them and was able to get their IP and then flash a random .dat file to their DSL gateway.
    (Very common among people who play Star Wars Jedi Academy, since it is no longer updated and a server bug allows clients to get a list of the IPs of connected users.)

    Many ISPs have very little care for security and will in some cases intentionally create security holes in their hardware so the ISP can remotely log in and make changes.

  14. webweazel says:

    Actually, I think it’s pretty good that somebody found a security hole, told the company, and the company said “Thanks! We didn’t know about this. We’re working on a patch to fix it.” Rather than repeatedly ignoring said person, leaving the hole open for months on end, and not really giving a crap about it, which some companies are wont to do.

  15. XTC46 says:

    Please note that most people who do buy their own routers have the same security holes in place. The last time I went for a wardrive I found over 200 accessible routers (in 1 neighborhood..maybe 5-10 square miles) with no encryption on the wireless and using the default credentials.

    I work with businesses every single day and when we do their evaluations before bringing them on as a client, this is the kind of stuff we see. It is not rare at all.

    • CheritaChen says:

      @xtc46 – thinksmarter on twitter: But that’s not the same. You’re talking about a router that’s bought and basically administrated by the user. Yes, the manufacturers are more concerned with quick and easy plug-and-play installation because that way the clueless buy more of their units, so they leave the lame insecure settings as defaults. But it’s up to your dumb neighbor who purchased that router to make sure the router’s settings are secure.

      The Time Warner customers, on the other hand, are receiving (and paying rental fees on, maybe) these units as part of their service. TW is responsible for making sure that routers which they provide for their customers are, at least initially, secure. What the user does after getting plugged in and online will be out of their hands.

      My mother keeps joking about how she will ever survive when I move out of the state, because while she’s a smart person, she has no tech savvy, and this is not the type of stuff that just “comes naturally” to most users.

  16. Quatre707 says:

    There are numerous routers with web browser management flaws such as this (i’m looking at you Nortel and dlink), but the release of patches and/or firmware updates to fix the issues are generally pretty fast. This is why most Cisco hardware is still configured using command line, or GUI tools that do nothing more than type the commands in for you externally over telnet or SSH.

    The real problem here is that this gateway router has its http management interface accessible from outside the network by default. THAT is unheard of.

  17. KMan13 still wants a Pontiac G8 says:

    i used to love smc routers =[

  18. Tasunke says:

    The combination of default-on external access and this … this … incompetent can’t even begin to describe it … use of Javascript to hide administrative features from non-admin users is completely unconscionable. Glad Time Warner’s doing something about it, but gah, how did something like this happen in the first place?

  19. AdamWoodSMC says:

    SMC Networks was recently made aware of a potential vulnerability in the firmware deployed in certain versions of its cable modems deployed on the Time Warner Cable network in North America. In specific and limited instances, the firmware could potentially be exploited by hackers intending to compromise the security of a user’s Internet connection and network.

    SMC Networks has moved quickly to develop new firmware that fixes the potential vulnerability and eliminates the possibility of a customer illegally accessing other users’ computers or Time Warner Cable’s network. The new firmware has already been delivered to Time Warner Cable, who are pushing the update to their end users’ equipment. This update is being deployed by Time Warner Cable and will require that no action be taken by the end users.

    SMC Networks and Time Warner Cable take their customers’ network security concerns very seriously and apologize for any inconvenience that has been caused by this vulnerability. It is of the utmost importance to SMC to deliver to markets products that are secure, safe and reliable.

  20. Tasunke says:

    I blogged about it, and some guy named “Adam Wood”, ostensibly from SMC, commented on my blog post about it.
    [tasunke.otakugeeksquad.org]
    He says, in essence, that they’ve developed new firmware to address the issue and delivered it to TWC.