Developer Finds Security Hole In SMC Router Provided By Time Warner Cable

If you didn’t provide your own wireless router when you signed up for Internet access from Time Warner, you may have been given an SMC-branded modem/router combo that turns out is ridiculously easy to break into.

Dave at Chenosaurus was helping out his friend and discovered that all you have to do is disable JavaScript on your browser—the device’s interface is accessible anywhere on the web by default—and you’ll be able to access pretty much everything on the router. TWC knows about the problem, thanks to Dave’s post, and they say they’ve pushed out a patch while they work on a long-term solution.

Here’s what Dave discovered:

The web admin for the router [model number SMC8014WG-SI] simply uses [JavaScript] to hide certain menu options when the user does not have admin privileges. By simply disabling JavaScript in the browser, I was able to access all the features of the router. With that access, I am now able to change the wifi settings, port-forwarding, etc.

Jeff Simmermon, the Director of Digital Communications at Time Warner Cable, left a comment on Dave’s blog addressing the situation:

From what I understand, our QA got a list of fixes for the identified issues on Friday, and are currently testing (if not finished with testing) and preparing to hand this off to our Ops team at this very moment.

Our customer’s security is of the utmost importance to us, and we are constantly working to identify and repair holes and flaws as we discover them. This is not the sort of thing where we’ll roll the fix out, go “okay, done, phew,” and go back to our comfy armchairs. With more than 14,000,000 devices in the field, we’ve always got bugs to fix and holes to secure.

We contacted Jeff to find out where TWC stands on the current status of the SMC8014WG-SI. He wrote back:

The updates [that we have applied to the router] are done remotely, without the customer getting involved.

This security issue affects roughly 67,000 out of over 14,000,000 customers. To imply that all of our customers’ data is at risk would be false. We deployed a patch remotely on Tuesday [October 20th] specifically to protect affected customers’ data while we QA and roll out a long-term solution. Customers with the affected routers should not have to do anything to upgrade their hardware or worry about their data.

So TWC is on the issue and planning a “long-term solution.”

But here’s what’s puzzling: SMC deliberately made a router that only uses WEP encryption, and that “protects” admin features by using JavaScript, and that stores passwords in plain text? Unless SMC is backed by some cybercrime-loving mafia, it makes no sense. I’ve never heard of SMC before, but from now on I’ll always remember it as the router company that is banned from my house.

“Time Warner cable modem/router major security hole” [My California Adventures via mocoNews
(Photo elements: James Cridland, Mykl Roventine, mugley, and ThisParticularGreg)