
Avoiding Piracy in DOCSIS Networks

April 29th, 2010

Patricio S. Latini Director, Sales Engineering Caribbean and Latin America

Agenda
- DOCSIS Provisioning
- Piracy Attacks and Solutions
- CPE Related Security

DOCSIS Provisioning

DOCSIS Provisioning
Standards Based
- DHCP, ToD, TFTP

Distributed Architecture
- DHCP Server has all the customer data
- CMTS and CMs are just policy enforcers
- CMs are untrusted elements

DOCSIS Piracy
Mostly based on hacked cable modem firmware. Needs to be mitigated by a battery of countermeasures:
- Network based
- CMTS based
- Provisioning system based

DOCSIS Piracy Speed Uncapping


Removing the speed caps (limits), either by replacing them with higher ones or by removing them completely. This is done by replacing the legitimate configuration file used by the cable modem with a different one, which can be served from a local PC or from one of the TFTP servers in the network.

DOCSIS Piracy Speed Uncapping


Case I: No Shared Secret implemented. Worst case: the hacker can create a config file with any speed limit (or no limit at all), put it on his PC and instruct the hacked modem to ignore the parameters received via DHCP and download the file from the local PC instead.

DOCSIS Provisioning DHCP Process

Diagram: CMTS is a DHCP Relay Agent. Provisioning System: DHCP Server 10.0.0.1, TFTP Server 10.0.0.2, ToD Server 10.0.0.3; CMTS 10.0.0.254 (provisioning side) / 172.16.0.1 (HFC side); Cablemodem MAC 00:00:DE:AD:BE:EF on the HFC Network. The DHCP Offer from the DHCP Server (Src: 10.0.0.1, Dst: 10.0.0.254) carries TFTP S: 10.0.0.2 and TFTP F: silver.bin; the CMTS relays it onto the HFC Network (Src: C4:C4:C4:C4:C4:C4, Dst: 00:00:DE:AD:BE:EF).

DOCSIS Provisioning Hacked TFTP Process

Diagram (Case I): Hacked Cablemodem, MAC 00:00:DE:AD:BE:EF, IP 172.16.0.10. Instead of requesting the file from the TFTP Server 10.0.0.2 through the CMTS, the modem exchanges the TFTP Request and TFTP Response with the local PC over the 192.168.100.x side (192.168.100.1 / 192.168.100.10), FILE: hacked.bin. The Provisioning System (DHCP 10.0.0.1, TFTP 10.0.0.2, ToD 10.0.0.3; CMTS 10.0.0.254 / 172.16.0.1) never sees the download.

DOCSIS Piracy Speed Uncapping


Case II: Shared Secret implemented, no network security. In this case the hacker cannot create a custom config file, because it would fail the Shared Secret verification. However, he can obtain valid files with higher speeds from the MSO TFTP Server and put them on his own PC.

DOCSIS Provisioning Hacked TFTP Process

Diagram (Case II): Cablemodem MAC 00:00:DE:AD:BE:EF, IP 172.16.0.10; CMTS 10.0.0.254 / 172.16.0.1 / 200.0.0.1 (CPE side). A TFTP Request from the CPE side (Src: 200.0.0.10, Dst: 10.0.0.2, FILE: gold.bin) reaches the MSO TFTP Server 10.0.0.2, which answers with the TFTP Response (Src: 10.0.0.2, Dst: 200.0.0.10, FILE: gold.bin): a valid higher-speed file is fetched from the CPE network. Other servers: DHCP 10.0.0.1, ToD 10.0.0.3.


DOCSIS Provisioning Hacked TFTP Process

Diagram (Case II, second step): Cablemodem MAC 00:00:DE:AD:BE:EF, IP 172.16.0.10. As in Case I, the modem exchanges the TFTP Request and TFTP Response with the local PC over the 192.168.100.x side (192.168.100.1 / 192.168.100.10), but this time the file is the valid gold.bin previously obtained from the MSO TFTP Server. The Provisioning System (DHCP 10.0.0.1, TFTP 10.0.0.2, ToD 10.0.0.3; CMTS 10.0.0.254 / 172.16.0.1) is not involved in the download.

DOCSIS Piracy DHCP Broadcast and Unicast


If a modem sends a DHCP Discover with the Broadcast flag set, the Offer is sent to the broadcast address (ff:ff:ff:ff:ff:ff) in the downstream. All broadcast traffic received by a modem is copied to its Ethernet port, so anybody with a packet sniffer can collect modem MAC addresses and config file names from the local downstream!!! When the modem sends a Discover with the Broadcast flag set to 0, the Offer is sent only to the modem's MAC address and is not copied to the Ethernet ports of other modems.

DOCSIS Piracy Speed Uncapping - Protection


DOCSIS Provided
- Implement Shared Secret MIC! Use a strong secret: 30+ characters including special characters.
- Allow TFTP file downloads only from the cable modem IP networks (172.16.0.0) and block them from the CPE network and others. Use filters in the CMTS and routers, not in the CMs: they are untrusted.
- Request CM vendor firmware that supports DHCP requests with the Broadcast flag disabled.

CMTS Provided
- Implement TFTP Enforce (TFTP Proxy).
- Use Dynamic Shared Secret.
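The following Python example is added here and is not part of the presentation. It models what the Shared Secret MIC buys against Case I and why it is not enough against Case II: the CM MIC is modelled as an MD5 over the settings and the CMTS MIC as an HMAC-MD5 keyed with the operator's secret. The TLV type codes 0x10/0x11 and the "everything before the MIC" coverage rule are constructed for the illustration; the DOCSIS specification's list and ordering of covered TLVs are not reproduced.

```python
"""Shared Secret MIC verification at the CMTS, as a simplified model.

Added example. TLV type codes 0x10/0x11 and the coverage rule are constructed;
the real DOCSIS configuration-file rules are not reproduced. CM MIC = MD5 over
the settings, CMTS MIC = HMAC-MD5 over settings plus CM MIC under the secret.
"""
import hashlib
import hmac

TLV_MAX_DOWN = 0x10   # constructed type code: max downstream rate, kbit/s
TLV_MAX_UP = 0x11     # constructed type code: max upstream rate, kbit/s
TLV_CM_MIC = 6        # CM MIC
TLV_CMTS_MIC = 7      # CMTS MIC


def tlv(t, value):
    """Encode one type-length-value element (single-byte length)."""
    return bytes([t, len(value)]) + value


def parse_tlvs(data):
    """Decode a TLV byte string into a list of (type, value) pairs."""
    out, i = [], 0
    while i < len(data):
        t, length = data[i], data[i + 1]
        out.append((t, data[i + 2:i + 2 + length]))
        i += 2 + length
    return out


def build_config(down_kbps, up_kbps, secret=None):
    """Produce a config file. With secret=None the file carries no CMTS MIC,
    which is all a hacker without the shared secret (Case I) can produce."""
    body = tlv(TLV_MAX_DOWN, down_kbps.to_bytes(4, "big"))
    body += tlv(TLV_MAX_UP, up_kbps.to_bytes(4, "big"))
    body += tlv(TLV_CM_MIC, hashlib.md5(body).digest())
    if secret is not None:
        body += tlv(TLV_CMTS_MIC, hmac.new(secret, body, "md5").digest())
    return body


def cmts_verify(config, secret):
    """CMTS-side check at registration: the CMTS MIC must be the HMAC of
    everything before it under the operator's shared secret."""
    tlvs = parse_tlvs(config)
    if not tlvs or tlvs[-1][0] != TLV_CMTS_MIC:
        return False                       # no CMTS MIC at all: reject
    presented = tlvs[-1][1]
    covered = config[:len(config) - 2 - len(presented)]
    expected = hmac.new(secret, covered, "md5").digest()
    return hmac.compare_digest(expected, presented)


def rate_limits(config):
    """Read the rate limits back out of a file (what the CMTS would enforce)."""
    fields = dict(parse_tlvs(config))
    return (int.from_bytes(fields[TLV_MAX_DOWN], "big"),
            int.from_bytes(fields[TLV_MAX_UP], "big"))


# Constructed operator secret: 30+ characters with special characters.
MSO_SECRET = b"constructed-secret:9f#Kz!7$Qw@pL3^mN&vB*8"

# Legitimate files as the provisioning system would produce them.
SILVER = build_config(2000, 512, MSO_SECRET)
GOLD = build_config(20000, 2000, MSO_SECRET)

# Case I: a forged file without the secret, or with a guessed one, fails.
FORGED_NO_SECRET = build_config(100000, 100000)
FORGED_GUESSED = build_config(100000, 100000, b"guessed")


def demo():
    """Case II is visible in the last entry: a replayed legitimate gold.bin
    passes, because the MIC proves the operator produced the file, not that
    this modem was entitled to it. TFTP Enforce / Dynamic Shared Secret close that gap."""
    return {
        "silver_ok": cmts_verify(SILVER, MSO_SECRET),
        "forged_no_secret": cmts_verify(FORGED_NO_SECRET, MSO_SECRET),
        "forged_guessed": cmts_verify(FORGED_GUESSED, MSO_SECRET),
        "replayed_gold": cmts_verify(GOLD, MSO_SECRET),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:18s} -> {'ACCEPT' if ok else 'REJECT'}")
```

Running it shows silver.bin accepted, both forged files rejected and the replayed gold.bin accepted, which is exactly the Case I / Case II split described above.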

DOCSIS Piracy Speed Uncapping TFTP Enforce


During the DHCP exchange the CMTS replaces the TFTP server address and name in the Offer with its own address and stores the original information in a table. When the modem sends the TFTP file request, the CMTS proxies it and fetches the file from the real TFTP server. This ensures that the legitimate file is downloaded from the proper server.

DOCSIS Provisioning TFTP Enforce - DHCP Process

Diagram: the DHCP Offer from the DHCP Server (Src: 10.0.0.1, Dst: 10.0.0.254) carries Yiaddr: 172.16.0.10, TFTP S: 10.0.0.2, TFTP F: silver.bin. The CMTS (10.0.0.254 / 172.16.0.1) forwards the Offer to the Cablemodem (MAC 00:00:DE:AD:BE:EF) with Yiaddr: 172.16.0.10, TFTP S: 172.16.0.1, TFTP F: silver.bin and records the original values in its table. Other servers: TFTP 10.0.0.2, ToD 10.0.0.3.

CMTS TFTP Client Table
CM            TFTP S     TFTP File
172.16.0.11   10.0.0.2   gold.bin
172.16.0.10   10.0.0.2   silver.bin

DOCSIS Provisioning TFTP Enforce - TFTP Process

Diagram: TFTP Request from the Cablemodem (Src: 172.16.0.10, Dst: 172.16.0.1, FILE: silver.bin). The CMTS looks up its table and sends its own TFTP Request (Src: 172.16.0.1, Dst: 10.0.0.2, FILE: silver.bin) to the TFTP Server. The TFTP Response (Src: 10.0.0.2, Dst: 172.16.0.1, FILE: silver.bin) is relayed to the modem (Src: 172.16.0.1, Dst: 172.16.0.10, FILE: silver.bin). Servers: DHCP 10.0.0.1, TFTP 10.0.0.2, ToD 10.0.0.3; CMTS 10.0.0.254 / 172.16.0.1; Cablemodem MAC 00:00:DE:AD:BE:EF, IP 172.16.0.10.

CMTS TFTP Client Table
CM            TFTP S     TFTP File
172.16.0.11   10.0.0.2   gold.bin
172.16.0.10   10.0.0.2   silver.bin

DOCSIS Piracy Speed Uncapping Dynamic Secret


This feature goes one step further than TFTP Enforce: instead of just proxying the file, the CMTS disassembles it, recalculates the MIC with a per-session shared secret and reassembles the file. When the modem has downloaded the file and sends its Registration Request, the MICs must match. This is much more secure, because an individual secret is used for each file download.
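The next block is an added Python simulation, not vendor code, of the two CMTS-side features just described: TFTP Enforce (the table built during the DHCP exchange and the proxied download) and Dynamic Shared Secret (the per-session MIC checked at registration). The TFTP server is modelled as a dictionary, the config file as TLVs with the CMTS MIC (type 7) last, the static secret, file contents and IP addresses are constructed, and the DOCSIS rules for which TLVs the MIC covers are not reproduced.

```python
"""TFTP Enforce and Dynamic Shared Secret on the CMTS, as a simulation.

Added example, not vendor code. Files are TLV strings with the CMTS MIC
(type 7) last; the MIC here covers everything before it (constructed rule).
"""
import hmac
import os

CMTS_HFC_IP = "172.16.0.1"
TLV_CMTS_MIC = 7


def tlv(t, value):
    return bytes([t, len(value)]) + value


def split_cmts_mic(data):
    """Return (bytes before the CMTS MIC TLV, MIC value) for a config file."""
    i, start, mic = 0, None, None
    while i < len(data):
        t, length = data[i], data[i + 1]
        if t == TLV_CMTS_MIC:
            start, mic = i, data[i + 2:i + 2 + length]
        i += 2 + length
    return (data, None) if start is None else (data[:start], mic)


class Cmts:
    def __init__(self, tftp_server):
        self.tftp_server = tftp_server   # {(server_ip, filename): bytes}, constructed
        self.table = {}                  # CM IP -> TFTP Enforce / dynamic secret entry

    def relay_offer(self, offer):
        """TFTP Enforce, DHCP side: remember the real server and file for this
        modem and hand the modem the CMTS's own address instead."""
        self.table[offer["yiaddr"]] = {"server": offer["tftp_server"],
                                       "file": offer["tftp_file"],
                                       "secret": None, "mic": None}
        return dict(offer, tftp_server=CMTS_HFC_IP)

    def tftp_request(self, src_ip, filename):
        """TFTP Enforce, TFTP side: proxy only the file recorded for this modem.
        Dynamic Shared Secret: re-sign the file with a fresh per-session secret."""
        entry = self.table.get(src_ip)
        if entry is None or entry["file"] != filename:
            return None                  # unknown modem or wrong file: refused
        original = self.tftp_server[(entry["server"], filename)]
        settings, _static_mic = split_cmts_mic(original)
        secret = os.urandom(16)          # per-session secret, never leaves the CMTS
        mic = hmac.new(secret, settings, "md5").digest()
        entry["secret"], entry["mic"] = secret, mic
        return settings + tlv(TLV_CMTS_MIC, mic)

    def registration_request(self, src_ip, presented_mic):
        """REG-REQ check: the MIC the modem presents must be the dynamic one."""
        entry = self.table.get(src_ip)
        if entry is None or entry["mic"] is None or presented_mic is None:
            return False
        return hmac.compare_digest(entry["mic"], presented_mic)


# Constructed provisioning data: two files on the MSO TFTP server 10.0.0.2,
# each carrying a static CMTS MIC under the operator's static shared secret.
STATIC_SECRET = b"constructed-static-shared-secret-#1!"


def make_file(down_kbps):
    settings = tlv(0x10, down_kbps.to_bytes(4, "big"))   # 0x10: constructed type code
    return settings + tlv(TLV_CMTS_MIC, hmac.new(STATIC_SECRET, settings, "md5").digest())


TFTP_FILES = {("10.0.0.2", "silver.bin"): make_file(2000),
              ("10.0.0.2", "gold.bin"): make_file(20000)}


def demo():
    cmts = Cmts(TFTP_FILES)
    offer = {"yiaddr": "172.16.0.10", "tftp_server": "10.0.0.2", "tftp_file": "silver.bin"}
    seen_by_modem = cmts.relay_offer(offer)
    delivered = cmts.tftp_request("172.16.0.10", "silver.bin")
    _, dyn_mic = split_cmts_mic(delivered)
    _, static_mic = split_cmts_mic(TFTP_FILES[("10.0.0.2", "silver.bin")])
    return {
        "modem_sees_cmts_as_server": seen_by_modem["tftp_server"] == CMTS_HFC_IP,
        "gold_from_silver_modem": cmts.tftp_request("172.16.0.10", "gold.bin"),
        "request_from_cpe_side": cmts.tftp_request("200.0.0.10", "gold.bin"),
        "register_with_dynamic_mic": cmts.registration_request("172.16.0.10", dyn_mic),
        "register_with_static_file": cmts.registration_request("172.16.0.10", static_mic),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k:28s} -> {v}")
```

The last two entries are the point of the feature: the modem that really downloaded through the CMTS registers fine, while a modem presenting the MIC of a file obtained elsewhere (the Case II replay) is rejected even though that file carries a valid static MIC.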

DOCSIS Provisioning Dynamic Shared Secret

Diagram: the same proxied TFTP exchange as in TFTP Enforce (Cablemodem 172.16.0.10 <-> CMTS 172.16.0.1 <-> TFTP Server 10.0.0.2, FILE: silver.bin, request and response in each direction), but the CMTS recalculates the MIC of the file it hands to the modem and stores the per-session value. Servers: DHCP 10.0.0.1, TFTP 10.0.0.2, ToD 10.0.0.3; CMTS 10.0.0.254 / 172.16.0.1; Cablemodem MAC 00:00:DE:AD:BE:EF, IP 172.16.0.10.

CMTS TFTP Client Table
CM            TFTP S     TFTP File    Dynamic MIC
172.16.0.11   10.0.0.2   gold.bin     0x12dce5f5430
172.16.0.10   10.0.0.2   silver.bin   0x524c45f5879

DOCSIS Provisioning Dynamic Shared Secret

Diagram: the Cablemodem (MAC 00:00:DE:AD:BE:EF, IP 172.16.0.10) sends a REG-Request to the CMTS carrying Service Flows, Classifiers, MAC CPE, MD5 and CMTS MIC = 0x524c45f5879. The CMTS compares it with the Dynamic MIC stored for that modem and answers with the REG-Response / Registration ACK. Servers: DHCP 10.0.0.1, TFTP 10.0.0.2, ToD 10.0.0.3; CMTS 10.0.0.254 / 172.16.0.1.

CMTS TFTP Client Table
CM                   TFTP S     TFTP File    Dynamic MIC
00:00:DE:AD:00:00    10.0.0.2   gold.bin     0x12dce5f5430
00:00:DE:AD:BE:EF    10.0.0.2   silver.bin   0x524c45f5879

DOCSIS Piracy Cablemodem MAC Cloning


A cable modem identifies itself to the network by its MAC address. Cloning the MAC address of a modem allows an un-provisioned modem to get the service of a provisioned one. This is much more dangerous, because a hacker behind a cloned modem can carry out illegal activities and remain untraceable. Hacked firmware allows the MAC address of a compromised modem to be changed to any value.

DOCSIS Piracy Cablemodem MAC Cloning


DOCSIS 1.1 specified BPI+ as a method to authenticate a cable modem. All modems DOCSIS 1.1 and later have an embedded certificate signed by the manufacturer and by CableLabs. When BPI+ is enabled, the modem must send its certificate to the CMTS, which validates the signature against its own database. If validation fails, the CMTS can deny service.

DOCSIS Piracy MAC Cloning - Recommendations


BPI+ is enabled in the configuration file, so all the previous protection measures should be implemented to ensure that the file is not modified and BPI+ disabled. It is recommended to remove all DOCSIS 1.0 modems from the network and keep only DOCSIS 1.1 modems; all DOCSIS 1.0 config files can then be deleted from the TFTP server. Ensure all modems send the DHCP Broadcast flag set to 0, so that their Offers are not sent on the broadcast.

DOCSIS Piracy MAC Cloning BPI+ Mandatory


Hacked firmware also supports changing the advertised DOCSIS version in order to cheat the provisioning. Some CMTSs support mandatory BPI+, meaning that a modem that tries to register without BPI+ is rejected. All modems and config files then need to be DOCSIS 1.1 enabled.

DOCSIS Piracy MAC Cloning Other Cases


Some modem vendors are vulnerable to a full Flash copy (MAC and certificates), which creates a full clone. High-tech equipment and physical access are required for that, and BPI+ cannot do much about it. Some CMTSs support manual deny lists to block such modems from passing the Ranging stage. Your provisioning system could have detection algorithms to detect the same MAC coming from different CMTSs or upstream ports.

CPE Related Security

Customer Security
- CMTS Packet Filters
- Source Verify (Source Address Verification)
- DHCP Option 82.1 and 82.2 relaying
- Protocol Throttling (DHCP and ARP)
- DHCP Server CPE Lease Logging

Customer Security Source Verify


The CMTS snoops all CPE DHCP Offers and builds a table of CPE MAC/IP and CM. When a CPE sends an ARP Request, the CMTS looks for a matching entry in the table; if there is none, the ARP is discarded. This prevents ARP poisoning. It also allows tight control, making sure that all IP addresses used by CPEs were assigned and logged by the DHCP server.
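An added Python simulation of Source Verify (not vendor code): the CMTS snoops DHCP Offers into a MACDB-style table and then admits ARP Requests, and CPE IP traffic, only from MAC/IP pairs the DHCP server actually assigned. The addresses and the traffic events are constructed; the table layout mirrors the CM MAC / CPE MAC / CPE IP columns used in this presentation.

```python
"""Source Verify (Source Address Verification) on the CMTS, as a simulation.

Added example, not vendor code. The CMTS snoops DHCP Offers destined to CPEs
and later forwards ARP (and IP) traffic only from CPE MAC/IP pairs it has
seen the DHCP server assign; everything else is dropped.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Binding:
    cm_mac: str     # cable modem the CPE sits behind
    cpe_mac: str    # DHCP chaddr
    cpe_ip: str     # DHCP yiaddr


class SourceVerify:
    def __init__(self):
        self.table = {}   # CPE MAC -> Binding (the CMTS MACDB client table)
        self.log = []     # what an operator would see

    def snoop_offer(self, cm_mac, chaddr, yiaddr):
        """Called for every DHCP Offer the CMTS forwards to a CPE."""
        self.table[chaddr.lower()] = Binding(cm_mac.lower(), chaddr.lower(), yiaddr)

    def check_arp(self, src_mac, sender_ip, target_ip):
        """ARP Request from the HFC side: forward only if the sender MAC/IP
        pair matches a DHCP-assigned binding; otherwise drop (anti-poisoning)."""
        binding = self.table.get(src_mac.lower())
        ok = binding is not None and binding.cpe_ip == sender_ip
        self.log.append(f"ARP who-has {target_ip} tell {sender_ip} from {src_mac}: "
                        + ("forward" if ok else "drop"))
        return ok

    def check_ip(self, src_mac, src_ip):
        """Same rule for CPE IP traffic: the source address must be the leased one."""
        binding = self.table.get(src_mac.lower())
        return binding is not None and binding.cpe_ip == src_ip


def demo():
    sv = SourceVerify()
    # Constructed: the DHCP server leases 200.0.0.10 to CPE 00:11:22:33:44:55
    # behind cable modem 00:00:DE:AD:BE:EF (the CMTS saw the Offer go by).
    sv.snoop_offer("00:00:DE:AD:BE:EF", "00:11:22:33:44:55", "200.0.0.10")
    return {
        # legitimate CPE resolving its default gateway
        "legit_arp": sv.check_arp("00:11:22:33:44:55", "200.0.0.10", "200.0.0.1"),
        # same CPE claiming to be the gateway (ARP poisoning attempt)
        "gateway_spoof": sv.check_arp("00:11:22:33:44:55", "200.0.0.1", "200.0.0.20"),
        # device with a static IP that never went through DHCP
        "static_ip_cpe": sv.check_arp("00:11:22:33:44:66", "200.0.0.50", "200.0.0.1"),
        # IP packet with a spoofed source from a known CPE
        "spoofed_ip_packet": sv.check_ip("00:11:22:33:44:55", "200.0.0.99"),
        "legit_ip_packet": sv.check_ip("00:11:22:33:44:55", "200.0.0.10"),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k:18s} -> {'forward' if v else 'drop'}")
```

Only the two legitimate events are forwarded; the gateway spoof, the never-leased static address and the spoofed IP source are all dropped at the CMTS, which is the "all CPE addresses were assigned and logged by the DHCP server" guarantee in practice.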

DOCSIS Provisioning Source Verify

Diagram: a CPE (MAC 00:11:22:33:44:55) behind the Cablemodem (MAC 00:00:DE:AD:BE:EF, IP 172.16.0.10) sends a DHCP Discover (Src: 00:11:22:33:44:55, Dst: FF:FF:FF:FF:FF:FF). The CMTS relays it to the DHCP Server (Src: 10.0.0.254, Dst: 10.0.0.1, Giaddr: 200.0.0.1, chaddr: 00:11:22:33:44:55). The DHCP Offer (Src: 10.0.0.1, Dst: 10.0.0.254, yiaddr: 200.0.0.10) is forwarded to the CPE (Src: C4:C4:C4:C4:C4:C4, Dst: 00:11:22:33:44:55, yiaddr: 200.0.0.10) and snooped by the CMTS into its table. Servers: DHCP 10.0.0.1, TFTP 10.0.0.2, ToD 10.0.0.3; CMTS 10.0.0.254 / 172.16.0.1 / 200.0.0.1.

CMTS MACDB Client Table
CM MAC               CPE MAC              CPE IP
00:00:DE:AD:BE:EF    00:11:22:33:44:55    200.0.0.10

DOCSIS Provisioning Source Verify

Diagram: ARP Request from the CPE (Src: 00:11:22:33:44:55, Dst: 00:00:00:00:00:00, Who has: 200.0.0.1). The CMTS looks the sender up in its MACDB table; since the CPE MAC/IP entry matches, the request is accepted and answered with an ARP Reply (Src: C4:C4:C4:C4:C4:C4, Dst: 00:11:22:33:44:55, tell: 200.0.0.1). Servers: DHCP 10.0.0.1, TFTP 10.0.0.2, ToD 10.0.0.3; CMTS 10.0.0.254 / 172.16.0.1 / 200.0.0.1; Cablemodem MAC 00:00:DE:AD:BE:EF, IP 172.16.0.10.

CMTS MACDB Client Table
CM MAC               CPE MAC              CPE IP
00:00:DE:AD:BE:EF    00:11:22:33:44:55    200.0.0.10

Customer Security CMTS Option 82.1 and 82.2 Relay


The CMTS can add Option 82 to CM or CPE DHCP Discover packets. Option 82.1 specifies the name of the upstream port the request came from. Option 82.2 specifies the MAC address of the cable modem the Discover came from. For CPEs it is very useful to know which cable modem (MAC) the device is connected to, in order to take provisioning actions or just to keep a log.
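The following Python example is added here and is not from the presentation. It serves two passages of this deck at once: the Broadcast flag discussion (DOCSIS Piracy DHCP Broadcast and Unicast) and the Option 82 relay just described. It builds a constructed DHCP Discover, reports whether the Offer answering it will be broadcast on the downstream, and performs the relay-agent step of setting giaddr and appending Option 82 with sub-option 1 (82.1, upstream port name) and sub-option 2 (82.2, cable modem MAC). Only the fixed BOOTP header, the magic cookie and a few options are modelled; the MAC and IP addresses are the constructed ones used throughout this presentation.

```python
"""DHCP Discover as seen by a CMTS relay agent: Broadcast flag check and
Option 82 insertion (82.1 = upstream port name, 82.2 = cable modem MAC).

Added example, not vendor code. Packets are constructed inline.
"""
import socket
import struct

HDR_FMT = "!BBBBIHH4s4s4s4s16s64s128s"   # fixed 236-byte BOOTP header
HDR_LEN = struct.calcsize(HDR_FMT)
MAGIC = b"\x63\x82\x53\x63"
BROADCAST_FLAG = 0x8000
OPT_MSG_TYPE, OPT_RELAY_AGENT, OPT_END = 53, 82, 255
SUB_CIRCUIT_ID, SUB_REMOTE_ID = 1, 2       # Option 82.1 and 82.2


def mac_bytes(mac):
    return bytes.fromhex(mac.replace(":", ""))


def mac_str(b):
    return ":".join(f"{x:02x}" for x in b)


def build_discover(chaddr, broadcast, xid=0x1234ABCD):
    """Constructed DHCP Discover from a CPE or cable modem."""
    flags = BROADCAST_FLAG if broadcast else 0
    zero4 = b"\0" * 4
    hdr = struct.pack(HDR_FMT, 1, 1, 6, 0, xid, 0, flags, zero4, zero4, zero4, zero4,
                      mac_bytes(chaddr).ljust(16, b"\0"), b"\0" * 64, b"\0" * 128)
    return hdr + MAGIC + bytes([OPT_MSG_TYPE, 1, 1, OPT_END])


def parse(pkt):
    """Decode the header and options, expanding Option 82 sub-options."""
    f = struct.unpack(HDR_FMT, pkt[:HDR_LEN])
    out = {"hops": f[3], "flags": f[6], "giaddr": socket.inet_ntoa(f[10]),
           "chaddr": mac_str(f[11][:f[2]]), "options": {}}
    i = HDR_LEN + len(MAGIC)
    while i < len(pkt) and pkt[i] != OPT_END:
        if pkt[i] == 0:                     # pad option
            i += 1
            continue
        t, length = pkt[i], pkt[i + 1]
        out["options"][t] = pkt[i + 2:i + 2 + length]
        i += 2 + length
    if OPT_RELAY_AGENT in out["options"]:
        sub, j, decoded = out["options"][OPT_RELAY_AGENT], 0, {}
        while j < len(sub):
            st, sl = sub[j], sub[j + 1]
            decoded[st] = sub[j + 2:j + 2 + sl]
            j += 2 + sl
        out["option82"] = {"circuit_id": decoded.get(SUB_CIRCUIT_ID, b"").decode(),
                           "remote_id": mac_str(decoded.get(SUB_REMOTE_ID, b""))}
    return out


def offer_will_be_broadcast(discover):
    """True when the Offer answering this Discover goes to ff:ff:ff:ff:ff:ff,
    i.e. is copied to the Ethernet port of every modem on the downstream."""
    return bool(parse(discover)["flags"] & BROADCAST_FLAG)


def relay(discover, giaddr, upstream_port, cm_mac):
    """Relay-agent step: set giaddr, bump hops and append Option 82 with
    82.1 = upstream port name and 82.2 = cable modem MAC."""
    hdr = bytearray(discover[:HDR_LEN])
    hdr[3] += 1                               # hops
    hdr[24:28] = socket.inet_aton(giaddr)     # giaddr
    opts = discover[HDR_LEN + len(MAGIC):]
    if opts.endswith(bytes([OPT_END])):
        opts = opts[:-1]
    sub = bytes([SUB_CIRCUIT_ID, len(upstream_port)]) + upstream_port.encode()
    sub += bytes([SUB_REMOTE_ID, 6]) + mac_bytes(cm_mac)
    return (bytes(hdr) + MAGIC + opts
            + bytes([OPT_RELAY_AGENT, len(sub)]) + sub + bytes([OPT_END]))


CPE_MAC, CM_MAC = "00:11:22:33:44:55", "00:00:DE:AD:BE:EF"   # constructed

if __name__ == "__main__":
    d = build_discover(CPE_MAC, broadcast=True)
    print("offer will be broadcast:", offer_will_be_broadcast(d))
    print(parse(relay(d, "200.0.0.1", "Upstream 1", CM_MAC)))
```

The `offer_will_be_broadcast` check is the test an operator can run on captured Discovers to find modem firmware that still sets the flag; the relayed packet carries giaddr 200.0.0.1, Opt 82.1 "Upstream 1" and Opt 82.2 00:00:DE:AD:BE:EF, matching the Option 82 Relay slide.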

DOCSIS Provisioning Option 82 Relay

Diagram: CPE DHCP Discover (Src: 00:11:22:33:44:55, Dst: FF:FF:FF:FF:FF:FF) from behind the Cablemodem (MAC 00:00:DE:AD:BE:EF, IP 172.16.0.10). The CMTS relays it to the DHCP Server as Src: 10.0.0.254, Dst: 10.0.0.1, Giaddr: 200.0.0.1, hwaddr: 00:11:22:33:44:55, Opt 82.1: Upstream 1, Opt 82.2: 00:00:DE:AD:BE:EF. Servers: DHCP 10.0.0.1, TFTP 10.0.0.2, ToD 10.0.0.3; CMTS 10.0.0.254 / 172.16.0.1 / 200.0.0.1.

Customer Security Protocol Throttling


ARP and DHCP are protocols that are necessary for system operation and cannot be completely filtered. Hackers can take advantage of that to generate denial-of-service attacks: a DHCP DoS can overload the DHCP server, and an ARP DoS can saturate the local segment with ARP traffic. CMTSs support Protocol Throttling, which means they allow a certain acceptable amount of traffic for those protocols and drop the rest.
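An added Python example, not vendor code, of the throttling idea: a token bucket per (modem, protocol) pair that lets an acceptable rate of ARP and DHCP through and drops the excess. The rate and burst limits, the modem MACs and the traffic timeline are constructed; integer millisecond and millitoken arithmetic keeps the outcome exact.

```python
"""Per-modem protocol throttling for ARP and DHCP with a token bucket.

Added example, not vendor code. Each (modem, protocol) pair gets its own
bucket, so a flood from one modem starves neither its own other protocol
nor any other modem on the segment.
"""


class TokenBucket:
    def __init__(self, rate_per_sec, burst):
        self.rate = rate_per_sec          # millitokens added per millisecond
        self.capacity = burst * 1000      # burst packets, in millitokens
        self.tokens = self.capacity
        self.last_ms = 0

    def allow(self, now_ms):
        """Refill for the elapsed time, then spend one token if available."""
        elapsed = now_ms - self.last_ms
        self.last_ms = now_ms
        self.tokens = min(self.capacity, self.tokens + self.rate * elapsed)
        if self.tokens >= 1000:
            self.tokens -= 1000
            return True
        return False


class ProtocolThrottle:
    # Constructed policy: (acceptable packets per second, burst) per modem.
    LIMITS = {"arp": (5, 10), "dhcp": (2, 4)}

    def __init__(self):
        self.buckets = {}
        self.stats = {}   # (cm_mac, proto) -> [accepted, dropped]

    def accept(self, cm_mac, proto, now_ms):
        """Return True if the packet is forwarded, False if throttled."""
        key = (cm_mac, proto)
        if key not in self.buckets:
            rate, burst = self.LIMITS[proto]
            self.buckets[key] = TokenBucket(rate, burst)
            self.stats[key] = [0, 0]
        ok = self.buckets[key].allow(now_ms)
        self.stats[key][0 if ok else 1] += 1
        return ok


def demo():
    """Constructed traffic: one modem floods 50 ARP frames in one second
    (one every 20 ms) while a well-behaved modem sends 3; the flooder's own
    DHCP bucket is untouched by its ARP flood."""
    th = ProtocolThrottle()
    flooder, normal = "00:00:DE:AD:00:00", "00:00:DE:AD:BE:EF"
    for i in range(50):
        th.accept(flooder, "arp", i * 20)
    for t in (100, 400, 900):
        th.accept(normal, "arp", t)
    th.accept(flooder, "dhcp", 500)
    return {k: tuple(v) for k, v in th.stats.items()}


if __name__ == "__main__":
    for (mac, proto), (acc, drop) in demo().items():
        print(f"{mac} {proto:4s} accepted={acc} dropped={drop}")
```

With these limits the flooder gets its burst of 10 plus the refill (14 of 50 ARP frames forwarded, 36 dropped), the well-behaved modem loses nothing, and the flooder's single DHCP packet still passes because it is accounted in a separate bucket.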

Questions?

Thanks!
