Security Holes at Time Warner Cable

by Xyzzy

Like most people I don't go looking for trouble.

I've never made a hobby of trying to steal passwords or violate people's privacy.  But when an opportunity slaps you right in the face, I'm as curious as the next person.

This is the story of one of those opportunities.  I'm not here to demonstrate any elite hack, just to share information with you about a vulnerability at Time Warner Cable in the hopes that this large company will do something to fix their lax security.

It all started when a Time Warner Cable technician arrived at my house to fix intermittent downtime on my cable Internet connection.  After poking around and diagnosing very little (my connection happened to be up at the time), the technician sat down at my laptop, opened a browser, and started typing.

Now I was interested.  The technician opened the URL tech.nyc.rr.com and logged into the page using an htaccess window.

Now if you were me, wouldn't you wish you had a keylogger running right about now?  Well, I keep a keylogger running 24/7 on my laptop, so good thing you're not me.  Hello username and password, nice to meet you.

But just for kicks, let's pretend I didn't have a keylogger running.

The technician diligently closed the browser window when he finished, but he neglected to quit the browser entirely.

This means that his authorization session was still cached.  Launch your favorite packet sniffer, reload tech.nyc.rr.com in the browser, and voilà!

You have captured the HTTP header containing the technician's authorization login.  It's hashed of course, but we don't care.  Now switch over to Telnet and connect to tech.nyc.rr.com on port 80.  Simulate a web request with the following HTTP commands, followed by two new lines (hit Enter twice):

$ telnet tech.nyc.rr.com 80
Trying 24.29.102.215...
Connected to 24.29.102.215.
Escape character is '^]'.
GET / HTTP/1.1
Authorization: Basic <technician's login hash goes here>
Host: tech.nyc.rr.com

Congratulations, you're a spoof.
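
As an added illustration (not part of the original article), the following Python audit routine parses a captured request of the shape shown above and reports what a defender should notice: the Basic credential is base64-encoded, which is reversible rather than a one-way hash, and when it travels without TLS it can be replayed by anyone on the path. The request text and the tech:s3cret credential are constructed placeholders, not anything captured from Time Warner.

```python
import base64
from typing import Dict, List, Tuple

# Constructed sample: the request shape from the article, with a made-up
# credential. The header value is built here rather than hand-typed.
SAMPLE_CREDENTIAL = "tech:s3cret"  # placeholder, not a real login
SAMPLE_REQUEST = (
    "GET / HTTP/1.1\r\n"
    "Authorization: Basic "
    + base64.b64encode(SAMPLE_CREDENTIAL.encode()).decode()
    + "\r\n"
    "Host: tech.nyc.rr.com\r\n"
    "\r\n"
)


def parse_request(raw: str) -> Tuple[str, Dict[str, str]]:
    """Split a raw HTTP/1.x request into its request line and a header dict.

    Header names are lower-cased; parsing stops at the blank line that ends
    the header block, so any body is ignored.
    """
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    request_line = lines[0]
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        if ":" not in line:
            continue  # malformed header line: skip rather than crash
        name, value = line.split(":", 1)
        headers[name.strip().lower()] = value.strip()
    return request_line, headers


def audit_request(raw: str, over_tls: bool) -> List[str]:
    """Return audit findings for one captured request.

    Flags Basic credentials carried without TLS, and shows that the
    Authorization value is base64 (reversible) by recovering the username.
    The password is decoded but deliberately not returned or logged.
    """
    findings: List[str] = []
    _, headers = parse_request(raw)
    auth = headers.get("authorization")
    if auth is None:
        return findings
    scheme, _, param = auth.partition(" ")
    if scheme.lower() != "basic":
        findings.append(f"non-Basic auth scheme seen: {scheme}")
        return findings
    try:
        decoded = base64.b64decode(param, validate=True).decode()
    except (ValueError, UnicodeDecodeError):
        findings.append("Basic header present but not valid base64")
        return findings
    user, _, _password = decoded.partition(":")
    findings.append(
        f"Basic credentials for user '{user}' are base64-encoded, not hashed"
    )
    if not over_tls:
        findings.append(
            "Basic credentials sent over plaintext HTTP: replayable by anyone on the path"
        )
    return findings


if __name__ == "__main__":
    for finding in audit_request(SAMPLE_REQUEST, over_tls=False):
        print(finding)
```

Run against a request captured on port 80, the routine reports both findings; the same header over HTTPS still reveals that Basic is an encoding rather than a hash, which is why the fix is TLS plus a credential the server never needs to see in the clear, not a stronger-looking header.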

Now you may wonder what treasures await us on this mysterious web page?  Not much, but enough.

The tech.nyc.rr.com page is a diagnostic page that shows basic information about a Time Warner customer's account and cable modem.

The page is titled "ServiceCertificate version 4.0.0" which is not a commercial product as far as I can tell (someone please correct me if you know more).

The page displays the customer's account number, name, address, and phone number.  This is interesting, because only the customer name, address, and phone number are used to authenticate incoming callers on Time Warner telephone support.

Let the social engineering begin.

The page also includes the IP and MAC addresses of the two network interfaces on the modem: the downstream Ethernet link and the upstream DOCSIS link.

It also lists the Universal Broadband Router (UBR) hostname that the modem connects to, plus stats on upload and download bandwidth, the modem uptime, and the modem firmware version and firmware filename.

At the bottom is an HTML text box labeled "Comments."  I didn't play with this, but I'm sure you can think of something fun.

The web server is running Apache version 1.3.29 and PHP version 5.0.2.  Directory indexing is turned on.

I also noted that the technician hadn't entered any information about my account before loading this page, meaning that the server must use a referrer address local to my location as the variable used to determine what customer account to display.

Hmmm... this could be fun.  Anyone interested in a little war walking?  What's to stop me from grabbing my laptop, walking down the street and trying this technique on any open Wi-Fi node, thereby gleaning the account number, customer name, address, and phone number for that connection?

My indefatigable moral compass?  Oh yes, I forgot about that.

Now comes the open letter to Time Warner Cable:

Dear Newbs,

Here are some tips on how to improve your security.

First, don't send passwords to servers as clear text even if it's hashed. That's what SSL is for.

Second, does the expression "honey pot" mean anything to you? Prohibit your technicians from using customer computers to log into anything. Physical access is inherently insecure.

Write that on the board a hundred times until you memorize it.

Next, don't include an entire customer account dossier on any web page, password-protected or not. If you don't understand why this is bad practice, well then I can't explain it to you.

Finally, don't use network addresses as authentication variables of any kind. This is trivial to spoof and exploit, particularly in the age of open Wi-Fi nodes.

Oh, and please fix the intermittent downtime on my cable connection because it's still busted.

- M'kay thanks.