
Security attacks and countermeasures in DOCSIS networks

Master Thesis to obtain the academic degree of Diplom-Ingenieur in the Master's Program Computer Science

Submitted by: Christian Voglhuber
Submitted at: Institute of Networks and Security
Supervisor: Assoc. Prof. Mag. Dipl.-Ing. Dr. Michael Sonntag
February 2019

JOHANNES KEPLER UNIVERSITY LINZ
Altenbergerstraße 69, 4040 Linz, Österreich
www.jku.at
DVR 0093696

Abstract

This thesis focuses on the security aspects of cable networks. DOCSIS is a specification which is used by many cable operators to offer data services, like internet access, over existing TV cables and architectures. The functionality and features of DOCSIS are described and security properties are evaluated. Moreover, a test system is deployed to simulate passive and active attacks. Those results are used to eliminate the vulnerabilities and problems of the DOCSIS network by securing the involved parts. Issues of the data encryption, authentication of modems, and provider headend equipment are presented. A case study reveals the state of security of two Austrian cable operators. Many issues and vulnerabilities are detected merely by passively sniffing the signals of a typical television port.

Summary

This thesis deals with the security of cable networks. DOCSIS is a specification which is used by many cable operators to offer data services, such as internet access, over existing TV cables and structures. The function and architecture of DOCSIS are described and security-relevant properties are pointed out. Furthermore, a test system is set up to simulate attacks in DOCSIS networks and to identify how possible problems can be fixed. Attacks on the data encryption, the authentication of the modems and the provider headend are investigated. A case study examines the security of two Austrian cable operators. In doing so, many problems were uncovered merely by passively receiving the signals on a standard TV outlet.

Contents

1. Introduction
  1.1. Motivation
  1.2. Task description
    1.2.1. Practical
      1.2.1.1. Lab scenarios
    1.2.2. Case study
2. The Data Over Cable Service Interface Specification (DOCSIS)
  2.1. Topology of a CATV-system
    2.1.1. Variations
    2.1.2. Security risks
  2.2. DOCSIS Stack
  2.3. The cable modem registration process
  2.4. DOCSIS 1.0
    2.4.1. Baseline-Privacy-Interface
  2.5. DOCSIS 1.1
    2.5.1. Baseline-Privacy-Interface-Plus
  2.6. DOCSIS 2.0
  2.7. DOCSIS 3.0
    2.7.1. SEC
  2.8. DOCSIS 3.1
  2.9. DOCSIS over PON
  2.10. Alternatives and comparison to other protocols
3. Practical DOCSIS networks
  3.1. Lab environment
    3.1.1. Cable plant
    3.1.2. CMTS
    3.1.3. Cable modems
    3.1.4. Provisioning system
    3.1.5. Core router
  3.2. Attack scenarios
    3.2.1. Passive attacks
      3.2.1.1. Sniffing downstream
      3.2.1.2. Decoding DOCSIS downstream traffic
    3.2.2. Active attacks
      3.2.2.1. Cloning modems
      3.2.2.2. Bypassing settings
      3.2.2.3. Unallowed service usage
      3.2.2.4. Downgrade attacks
    3.2.3. Other issues and improvements
      3.2.3.1. Network enhancements
      3.2.3.2. Network attacks
4. Additional security concerns in DOCSIS networks
  4.1. Physical attacks
    4.1.1. Cable modem swap
    4.1.2. Manageable HFC devices
    4.1.3. Pre-equalization
  4.2. Passive attacks
    4.2.1. Deciphering the downstream traffic
    4.2.2. Upstream sniffing
  4.3. Active attacks
    4.3.1. Denial-of-service attacks
    4.3.2. Man-in-the-middle attacks
    4.3.3. Network attacks
    4.3.4. Insider attacks
  4.4. Implementation issues
    4.4.1. Headend network
    4.4.2. Cable Modems
  4.5. Legal aspects
    4.5.1. Technical limitations
    4.5.2. Patents
    4.5.3. Issues and denouncements
5. Analysis and evaluation of existing cable networks
  5.1. Information Intercept
  5.2. Sniffing System Method and Considerations
    5.2.1. Signal Filters
    5.2.2. Sniffing Detection
    5.2.3. Hardware
    5.2.4. Software
  5.3. Analysis
    5.3.1. Provider I
      5.3.1.1. Results
    5.3.2. Provider II
      5.3.2.1. Results
      5.3.2.2. Analysis on different Media
    5.3.3. International Providers
    5.3.4. Provisioning Systems
  5.4. Conclusion
6. Future work and outlook
  6.1. Theoretical study
  6.2. Practical ideas
7. Conclusions
A. Appendix
  A.1. Practical DOCSIS networks
    A.1.1. Components
    A.1.2. Configuration files
      A.1.2.1. Provisioning system
      A.1.2.2. CMTS
  A.2. Case Study
    A.2.1. Components
      A.2.1.1. Software
    A.2.2. Analysis
      A.2.2.1. Provider II

Chapter 1. Introduction

Cable television networks were developed to give many people the ability to watch TV cheaply. Since the first development and construction of a Community-Antenna-Television (CATV) system in 1948, the industry connected to this technology has grown rapidly. Providers of such systems supply customers not only with pure TV reception, but also offer Triple-Play solutions (Voice, Video, and Data) to end and business customers to compete with other companies and their technologies (like DSL).

Traditional cable TV systems use a common medium, also known as a shared medium. Therefore, each subscriber receives the same information. At the beginning of the Internet's success, it was clear that private subscribers also wanted the technology to surf the web. The cable companies decided to investigate this in order to be competitive and offer internet access via their CATV systems.
To enable this, research began on a technology to transmit data in both directions via the common medium, which resulted in many proprietary product solutions. The main problem at first was to enable bi-directional communication with the customers, which means that they can also transmit data and send it back to the provider. The first systems used a (dial-up) telephone line for transmission from the subscriber, while reception took place via the normal CATV system. This solution was not practical and the prices were too high because of the extra telephone costs. At the time DSL technology was being developed, it was clear that there had to be a practical solution to deliver high-speed internet access to the regular cable TV subscriber. Therefore, an open market for CATV data equipment had to be established to reduce hardware prices and to make different vendors work together [54]. The industry developed the Data Over Cable Service Interface Specification (DOCSIS) to enable high-speed data communication over cable TV networks, with the goal of delivering internet access to cable TV subscribers [10].

One of the biggest problems of CATV systems is the use of a common medium. Each subscriber receives all information. Such an architecture is very problematic regarding security. The requirements for securing this system are comparable with WiFi networks (IEEE 802.11), but the attack range is much bigger because whole cities can be harmed. Therefore, a security concept has to be implemented which makes sure information can only be sent and received at the corresponding device.

1.1. Motivation

The