Not enough ghosts and goblins running around for you? Just wait: News that Time Warner Cable has deployed a dual Wi-Fi router/cable modem with a gaping security hole should send chills up even the most hardened IT professional’s spine.
David Chen exposed the hole, which allows an attacker to remotely log in to a router’s administrative interface and possibly intercept traffic. Since being exposed by Chen, the story has been picked up by Wired’s Threat Level, CNET’s InSecurity Complex, and ITKnowledgeExchange’s own Sister CISA CISSP. The latter noted another particularly spooky aspect of the tale in a follow-up post on the Time Warner security hole:
Lo and behold, I am visited and left a comment by “Adam Wood” defending SMC, and telling me/us what a wonderful job SMC is doing about this issue.
(That’s got to be a really crappy job for a lowly PR flack; surfing the Internet for comments on the SMC modem, and uploading a canned positive comment wherever he can.)
Despite “Mr. Wood’s” comments about how SMC is fixing the problem in an absolutely wonderful way, I admit to some slight cynicism. Especially after reading more from David Chen, the guy who found it in the first place.
It seems that a fix from Time-Warner or SMC seems to consist almost entirely of PR.
Boo! And while it would be easy to respond that users have a responsibility to change their default passwords (they do!), the story goes a little deeper: This is putting sensitive corporate data at risk.
With more and more companies pushing for remote working both as a Swine Flu precaution and a way to cut office costs, an insecure router being pushed out could easily expose data that isn’t properly secured to all sorts of attackers, even those just trolling for random open vulnerabilities, like Chen did.
Fortunately, Chen also provided some quick fixes to use while Time Warner Cable works on a fix to push out (or not). Modify them slightly and pass them on to your users if your employees are working in a Time Warner Cable subscription area:
- Change the default configuration of the routers to use WPA2 instead of WEP for wifi encryption. It’s ok if you don’t want the customers to change their wifi settings, but at least use a key that’s not derived from the router’s MAC address (which is broadcasted over wifi).
- Disable access to the router’s web admin page from outside IPs. The options are in the router (see below); a simple config change would block access to the router from the internet.
- Block traffic to port 8080, 8181, 23 (those are the ports that are open on the SMC8014 routers) at the ISP level. This of course should be a temporary fix until the hardware can be replaced with something more secure.
- Of course the best idea would be to immediately recall those routers and issue your [users] real cable modems and decent wifi routers with good security.
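To confirm that the second and third fixes actually took effect on a remote worker's connection, the added example below (not from Chen's post or from Time Warner Cable) checks the three ports the list names from a machine outside the home network. The function names and the command-line usage are assumptions made for this sketch; run it only against the WAN address of a router you administer.

```python
import socket
import sys

# Ports the list above names as open on the SMC8014.
SMC8014_PORTS = (8080, 8181, 23)


def probe(host, port, timeout=3.0):
    """Classify one TCP port as 'open', 'closed' or 'filtered'.

    open     - handshake completed: the service is reachable from here
    closed   - connection refused: the host answered, nothing is listening
    filtered - no answer in time: traffic is dropped somewhere on the path
    """
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        sock.connect((host, port))
        return "open"
    except ConnectionRefusedError:
        return "closed"
    except OSError:  # includes timeouts and unreachable-network errors
        return "filtered"
    finally:
        sock.close()


def audit(wan_ip, ports=SMC8014_PORTS, timeout=3.0):
    """Probe every port; return (per-port results, sorted list of open ports)."""
    results = {port: probe(wan_ip, port, timeout) for port in ports}
    exposed = sorted(p for p, state in results.items() if state == "open")
    return results, exposed


if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit("usage: check_router.py <router WAN address>")
    results, exposed = audit(sys.argv[1])
    for port, state in sorted(results.items()):
        print(f"{sys.argv[1]}:{port} {state}")
    if exposed:
        print("Still reachable from outside:", exposed)
        sys.exit(1)
    print("None of the listed ports answered from this vantage point.")
```

A result of "open" on any port means the admin or telnet service is still reachable from the internet. "closed" or "filtered" on all three is what a correctly reconfigured router or an upstream block should produce.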
Have a happy Halloween!