What’s Fraud in DOCSIS Networks?
A fraudulent user manipulates a cable modem to get unpaid services. But how do they do it? Is your operation being attacked by some kind of ninja-hacking group? Probably not.
There are lots of step-by-step tutorials that explain how to take advantage of ISPs' vulnerabilities. An advanced user could follow them, and some people have even built a large and profitable business with a complex structure on top of this fraudulent practice.
Different Types of Frauds in DOCSIS Networks
These are the main types of frauds found in a common ISP network:
- Uncapping: This refers to subscribers who push more traffic than the configuration file assigned to them allows. It is done by changing the cable modem's configuration to one with better service flows. Some firmware is vulnerable to DHCP/TFTP spoofing, and all the fraudster needs is the original file in order to modify it.
- MAC Address Cloning: Some cable modem firmware allows the user to change the modem's MAC address. By configuring the MAC of a subscribed customer, the fraudster gets that customer's service, and the best part (for them) is that the victim won't even notice. This fraudulent activity can be detected by looking for a single MAC address registered on several CMTSs.
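The detection described above, a MAC address that is registered on more than one CMTS, is easy to automate once you export each CMTS's registered-modem table. The following script is an added example and not part of the original post; the record layout (CMTS name, modem MAC, status, upstream channel) and the sample rows are constructed for illustration, and a real deployment would pull these rows from the CMTSs (for instance over SNMP) instead of a hard-coded list.

```python
# Added example (not from the original post): flag every MAC address that is
# registered on more than one CMTS, the MAC-cloning indicator described above.
# Record layout and sample rows are constructed for this example.
from collections import defaultdict

# Constructed sample: (cmts_name, cm_mac, cm_status, upstream_channel)
SAMPLE_CM_TABLE = [
    ("cmts-north", "00:11:22:33:44:55", "online", "US1"),
    ("cmts-north", "00:11:22:33:44:66", "online", "US2"),
    ("cmts-south", "00:11:22:33:44:55", "online", "US3"),   # same MAC on a second CMTS
    ("cmts-south", "aa:bb:cc:dd:ee:01", "online", "US1"),
    ("cmts-east",  "00:11:22:33:44:55", "offline", "US4"),  # stale entry, skipped by default
    ("cmts-east",  "AA:BB:CC:DD:EE:01", "online", "US2"),   # same MAC as above, different case
]


def normalize_mac(mac: str) -> str:
    """Canonical lower-case colon form so 'AA-BB-..', 'aabb.ccdd..' and 'aa:bb:..' compare equal."""
    hexdigits = "".join(ch for ch in mac.lower() if ch in "0123456789abcdef")
    if len(hexdigits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))


def find_cloned_macs(records, online_only=True):
    """Return {mac: sorted list of CMTS names} for every MAC seen on more than one CMTS.

    With online_only=True (the default) offline/stale entries are ignored, so a modem
    that legitimately moved to another CMTS and left an old record behind is not flagged.
    """
    seen = defaultdict(set)
    for cmts, mac, status, _channel in records:
        if online_only and status != "online":
            continue
        seen[normalize_mac(mac)].add(cmts)
    return {mac: sorted(cmts_names) for mac, cmts_names in seen.items() if len(cmts_names) > 1}


if __name__ == "__main__":
    for mac, cmts_list in find_cloned_macs(SAMPLE_CM_TABLE).items():
        print(f"possible clone: {mac} registered on {', '.join(cmts_list)}")
```

Run it periodically against a fresh export and review each hit by hand: a modem that was moved between CMTSs during a node split can appear twice for a short time, so the online-only filter and the registration timestamps (not modelled here) matter before you act on a result.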
Dos and Don'ts of DOCSIS Security
There are no silver bullets to avoid fraud, and the best piece of advice is being always up-to-date with the latest technologies and their uses. However, these five tips will help you keep your network safe:
- Keep your operation modem firmware updated: Several security issues are related to vulnerabilities in firmware. Furthermore, fraudulent users commonly use modified firmware to take control of their devices. Being aware of vendor updates is crucial.
- Restrict access to TFTP servers: Since TFTP servers hold the subscribers' service information, they must be secured so that nobody who is not part of the provisioning process can read it. In order to do this, we recommend:
  - Block CPEs' access to the TFTP server: No CPE should be able to reach the service parameters. Leaving this open is a big security hole that makes it easy to obtain a valid config file.
  - Use BPI+ encryption: This should be considered a MUST on every DOCSIS network.
- Use the CMTS MIC and change the shared secret frequently: DOCSIS lets you use a shared secret to calculate the CMTS Message Integrity Check (MIC) field that is attached to every DOCSIS configuration file. The modem must include this MIC in its registration request. If a user modifies the configuration file, or the file was generated with a different shared secret, the CMTS will not let the modem register and will mark it with a reject status. We recommend using a different shared secret on each CMTS and changing them periodically.
- Restrict access to unsubscribed modems: A common way to avoid constant DHCP & TFTP traffic on your network is to provision unsubscribed devices with specific scopes and config-files. Although it’s a good practice, you should restrict access in order to prevent hackers from using it as a backdoor. We recommend using different scopes to separate devices and private networks for CPEs. Likewise, we suggest using restrictive DOCSIS configuration files to limit flows and access. A useful method here could be redirecting them to a captive portal with a warning message.
- Move up to DOCSIS 3.x: Apart from all the network and performance improvements, DOCSIS 3.x brings several security upgrades, such as Enhanced Traffic Encryption and Enhanced Provisioning Security.
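To make the CMTS MIC recommendation concrete, the following script is an added example (not code from the original post, and not the CableLabs reference implementation) of the two integrity checks a configuration file carries: the CM MIC, an MD5 over the TLVs that precede it, and the CMTS MIC, an HMAC-MD5 keyed with the shared secret. The real DOCSIS specification computes the CMTS MIC over a particular subset and ordering of TLVs; as a labelled simplification, this model covers every TLV that precedes the CM MIC plus the CM MIC TLV itself. The TLV types used (3 = Network Access Control, 4 = Class of Service with sub-TLVs 1, 2 and 3, 6 = CM MIC, 7 = CMTS MIC, 0xFF = end of data) are the DOCSIS ones; the service values and the shared secrets are constructed.

```python
# Added example (not from the original post or the DOCSIS spec): a simplified
# model of the CM MIC / CMTS MIC check that a CMTS applies to a configuration
# file. The CMTS MIC coverage here (all TLVs before the CM MIC, then the CM MIC
# TLV) is a simplification of the spec's TLV ordering. Secrets and service
# values are constructed.
import hashlib
import hmac

TLV_NET_ACCESS, TLV_CLASS_OF_SERVICE = 3, 4
TLV_CM_MIC, TLV_CMTS_MIC, TLV_END = 6, 7, 0xFF


def tlv(t: int, value: bytes) -> bytes:
    """Encode one DOCSIS-style TLV: 1-byte type, 1-byte length, value."""
    if len(value) > 255:
        raise ValueError("TLV value too long")
    return bytes([t, len(value)]) + value


def parse_tlvs(blob: bytes):
    """Yield (type, value) pairs until the end-of-data marker or the end of the blob."""
    i = 0
    while i < len(blob):
        t = blob[i]
        if t == TLV_END:
            return
        n = blob[i + 1]
        yield t, blob[i + 2:i + 2 + n]
        i += 2 + n


def class_of_service(class_id: int, down_bps: int, up_bps: int) -> bytes:
    """Type 4 Class of Service: sub-TLV 1 class id, 2 max downstream bps, 3 max upstream bps."""
    sub = (tlv(1, bytes([class_id]))
           + tlv(2, down_bps.to_bytes(4, "big"))
           + tlv(3, up_bps.to_bytes(4, "big")))
    return tlv(TLV_CLASS_OF_SERVICE, sub)


def sample_service_tlvs(down_bps: int = 10_000_000, up_bps: int = 1_000_000) -> bytes:
    """Constructed service definition: network access enabled plus one class of service."""
    return tlv(TLV_NET_ACCESS, b"\x01") + class_of_service(1, down_bps, up_bps)


def build_config(service_tlvs: bytes, shared_secret: bytes) -> bytes:
    """Provisioning side: append CM MIC, CMTS MIC (keyed with the shared secret) and end marker."""
    cm_mic = hashlib.md5(service_tlvs).digest()
    body = service_tlvs + tlv(TLV_CM_MIC, cm_mic)
    cmts_mic = hmac.new(shared_secret, body, hashlib.md5).digest()
    return body + tlv(TLV_CMTS_MIC, cmts_mic) + bytes([TLV_END])


def verify_config(blob: bytes, shared_secret: bytes) -> bool:
    """CMTS side: recompute both MICs with this CMTS's secret and compare in constant time."""
    covered = b""                 # TLVs that precede the CM MIC
    cm_mic = cmts_mic = None
    for t, v in parse_tlvs(blob):
        if t == TLV_CM_MIC:
            cm_mic = v
        elif t == TLV_CMTS_MIC:
            cmts_mic = v
        elif cm_mic is None:
            covered += tlv(t, v)
    if cm_mic is None or cmts_mic is None:
        return False              # a file without both MICs is rejected outright
    if not hmac.compare_digest(hashlib.md5(covered).digest(), cm_mic):
        return False              # contents edited after the file was generated
    expected = hmac.new(shared_secret, covered + tlv(TLV_CM_MIC, cm_mic), hashlib.md5).digest()
    return hmac.compare_digest(expected, cmts_mic)


if __name__ == "__main__":
    secret = b"constructed-shared-secret"
    good = build_config(sample_service_tlvs(), secret)
    print("valid file accepted:", verify_config(good, secret))
    print("file generated with another secret rejected:",
          not verify_config(build_config(sample_service_tlvs(), b"guess"), secret))
```

The point the example makes is the one in the tip above: a file whose contents were edited fails at the CM MIC step, and a file generated with any secret other than the one configured on this CMTS fails at the CMTS MIC step, so rotating the secret per CMTS limits how long a leaked secret stays useful.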
Under BPI+, the CMTS protects against unauthorized access to these data transport services by enforcing encryption of the associated traffic flows across the cable network. BPI+ employs an authenticated client/server key management protocol in which the CMTS, the server, controls distribution of keying material to client CMs.
CABLELABS Baseline Privacy Plus Interface Specification – CM-SP-BPI+-C01-081104
Use Specialized Tools!
Fighting these fraudulent users requires effort and constant monitoring of your network.
It's necessary to have tools that support your actions automatically and let you easily check suspicious users.
“Data-Over-Cable Service Interface Specifications – Baseline Privacy Plus Interface Specification,” last modified November 4, 2008, accessed July 17, 2015, http://www.cablelabs.com/wp-content/uploads/specdocs/CM-SP-BPI+-C01-081104.pdf.