Cable Modem Jailbreaks
Marc Newlin: And so this talk is about a Netgear modem called the CM400, which I got to know for a few weeks over the summer. And I think it's a really good candidate for this type of device repurposing because it's, more or less, a software-defined radio under the hood. And so we're going to start by doing a brief introduction on DOCSIS and MoCA. These are two radio frequency protocols that are spoken by cable modems. We're then going to look at a trio of some really goofy, bizarre bugs that I found over the last handful of years, which resulted in me looking at this Netgear modem. Then we'll take a look at the modem itself and its architecture and RF capabilities. And then I'll walk through the steps required to run custom code on the modem. I've gotten as far as figuring out some basic control over the transmit chain.
Cable Modem Jailbreaks
Marc Newlin: And so my hope is that people would be able to take what I've learned from this and then have some cool side hackery. And another fun note about this modem - it's around 8 years old, DOCSIS 3.0. And so it's being deprecated by a lot of U.S. ISPs. And so you can buy these for 10 or 15 bucks on Amazon or eBay. And so what really excited me is that it's at the sweet spot of capabilities and price point where hobbyists can potentially get access to these SDR capabilities in a more complete way than with something like the RTL-SDR. And then we'll conclude with a bunch of ideas I have for future research with this device that I haven't had time for and that I hope someone else will be able to pick up.
Marc Newlin: So DOCSIS and MoCA are both radiofrequency protocols that are spoken by these cable modems. And you can think of this type of protocol as something called RF over coax. And so, conceivably, if you were the only person on Earth and no one else was occupying the RF spectrum, you could actually put an antenna on the back of your cable modem, put an antenna on the ISP's headend unit and then communicate wirelessly. But, of course, we don't do that because we have many other users trying to occupy the same spectrum.
Marc Newlin: And both the DOCSIS and MoCA protocol occupy the same physical medium. So that medium in the wireless space is going to be the, you know, free space in the air. For the modem, that physical medium is the coaxial wire that you plug your modem into in the wall. So in order to have both DOCSIS and MoCA share the same physical medium, they use something called frequency-division multiplexing, which just means you have one protocol operating in one band and one protocol operating in another.
Marc Newlin: And so this is a - kind of a approximate table of the frequency division used by DOCSIS and MoCA. The actual frequencies vary a bit depending on North America or Europe, as well as your version of DOCSIS, version of MoCA and the specific configuration. But, roughly, you have DOCSIS uplink, that is, going from your modem to your ISP, occupying the lowest part of the band. So in North America, with DOCSIS 3.0, it's approximately 0 to 50 megahertz. Then you have DOCSIS downlink above that at approximately 50 to 850 megahertz. And then you have MoCA further above that at approximately 850 to 1,500 megahertz. And the reason we have DOCSIS uplink at the lowest frequencies is that when you have a radio frequency transmission, the lower the frequency, the higher the transmit distance at a given power. So by having the DOCSIS uplink at the lowest frequency, you can have the lowest requirements for transmit amplifiers and cheaper hardware on the end user. MoCA, on the other hand - this is used for communication between devices within your home or office or apartment. Because MoCA doesn't have to travel as far, it uses the upper band. So I'm a really big fan of bugs that are - you know, you don't expect to find them, maybe not looking for a bug and bugs that make you ask, you know, WTF is going on? And so I've taken kind of a weird path to find an interest in this modem. And along that path has been some of these type of bugs. And my favorite thing about bugs that you don't expect is that it causes you to challenge assumptions you've held or to challenge some truth that you've held as fact. And it's humbling to discover that you were assuming something that was wrong but also valuable because it allows you to have new perspective for future research efforts.
Marc Newlin: So the kind of spiritual origin of this project is what I call the Comcast project, which was some research I was doing back in 2017. And slightly before this in 2016, I attended a talk at Hack In The Box Amsterdam by this guy who goes by the handle Blaspheme. And he was reverse engineering his ISP's modem from the vendor UPC. And he discovered this sort of technician's access Wi-Fi credential the modem would use. And the way this worked - there was an algorithm here reverse engineered on this modem, which will consume the current day as well as the serial number of the modem. And then that would go into this proprietary algorithm. It would generate a credential. That credential could be used by a technician to access his Wi-Fi network when they came to visit his home. And this makes sense because you want to, you know, have somebody be able to come and work on your modem. Maybe you don't want to share your password or so forth.
Marc Newlin: This talk was really fascinating. And I decided it would be fun to try and reproduce this on Comcast equipment, which was my ISP at the time. And so at the end of the day, I ended up with 24 CVEs in that equipment, but I was primarily looking for wirelessly exploitable bugs - so Wi-Fi and then some Zigbee RF4CE on set-top boxes. But I also purchased a bunch of just plain, vanilla DOCSIS modems which had, you know, no wireless interfaces, no MoCA - just plain DOCSIS modems. And so, you know, halfway through this project, I had a shell on the modem - well, on both Linuxes on the modem. There's one ARM and one x86 on the Comcast modem I had at the time. And I wanted to get a shell on my set-top box. And my only way to access a set-top box over the network was over the MoCA link from my modem. So from the shell on the modem, I could ping the set-top box.
Marc Newlin: And so my thinking was I could turn off the firewall on the MoCA interface. So I crafted an IP tables rule - or command, rather - that would allow all on this MoCA interface. And my hope was that I would then be able to, you know, see these network services on the set-top box over MoCA from the modem. So I go through this process. I pull out the hard drive, do the command injection, bring it back up, turn off the firewall. And pretty soon all of the devices that are connected to my LAN lose connectivity for a minute or two and then come back online. And so I'm hoping that, you know, something weird has happened. But, you know, maybe my set-top box has a DHCP lease from the modem.
Marc Newlin: So I, you know, do an Nmap connect scan across the subnet for my LAN. And I see some devices that I don't recognize - you know, a couple of iPhones that I don't have, a couple of Apple devices that I don't have. And it turns out that I'm actually on my neighbor's LAN. So I try to log in to the modem. My password is not accepted, of course. It's my neighbor's modem. I try the default credential. I get in. And this is, you know, not my modem. And so what's happened is that my devices are still connected to the Wi-Fi radio on my modem, but they they're getting a DHCP lease from my neighbor's modem.
Marc Newlin: And this kind of blew my mind. And I still don't know exactly what happened here. And I hope somebody can figure this out. And so as best I can tell, MoCA, which I thought was constrained to my physical premises, my apartment, is actually maybe not constrained to just that one housing unit. And so I wanted to see if I could understand, you know, how MoCA was actually functioning and, you know, what was actually happening here. But I did not want to experiment by bridging my neighbor's network or otherwise breaking the law. And so I thought it'd be fun to, you know, see if you could implement a software-defined radio receiver for MoCA. The first thing I tried was this MoCA-to-Ethernet adapter, which is a device about this big. It has a coaxial port on one end, Ethernet on the other. You plug it into your wall - into a coax port on your wall, and then it gets a DHCP piece from your modem and basically allows you to have a remote Ethernet port for your modem. Unfortunately, the MoCA-to-Ethernet adapter that I had did not have any kind of a promiscuous mode, and it did not look super-hackable. So I tabled that and tried to go the SDR route. Now, MoCA has a variety of physical layer configurations. You can have channels as narrow as approximately 25 megahertz and then up to hundreds of megahertz. So I took an SDR and attached some attenuators, plugged it into the wall and started taking some IQ captures. And I quickly discovered that the MoCA configuration that I was seeing was a 100-megahertz-wide OFDM waveform, which was considerably more complex than I would be able to do with any of the SDR hardware I had.
Marc Newlin: And so I ended up, you know, shelving this MoCA investigation in favor of other research efforts, but I still don't know what was actually happening there. And so after this Comcast project concluded, not long after that, I moved out to Los Angeles, got a different ISP. Now, different ISP is kind of a misnomer because the, you know, ISP oligopoly in the U.S. means you have the same devices, same service, same price no matter where you are. But I opted to stop subscribing to cable TV service and getting just - I agree.
Marc Newlin: And I got just a plain DOCSIS modem, one, so I could switch to streaming services. But also, I did not want to, you know, risk somehow my neighbor accidentally getting on my LAN because, you know, MoCA now terrifies me. So around this point, this is when Matt Knight and I were starting our work on the DARPA Spectrum Collaboration Challenge in - let's see - early 2018. And for the next year and a half, 100% of my free time went to SC2. So we had a day job and then another day job doing the DARPA challenge. And so I didn't have any opportunities for this type of research for quite a while until that challenge concluded at the end of 2019.