Ed's an EE, PE, and author in Poughkeepsie, NY. Contact him at ed.nisleyieee.org with "Dr Dobbs" in the subject to avoid spam filters.
Embedded systems designers make mistakes, just like everyone else, and we generally learn from our mistakes. Unfortunately, learning from your own mistakes means that you must stumble through the same stupid errors before reaching a state of true enlightenment and, alas, sometimes you just don't live that long. It's far better to learn from the mistakes of others, so that you can start off making truly weird errors.
By their very nature, embedded systems projects don't get much public exposure. Most projects are born, live, and die without anyone noticing anything at all. For example, when was the last time you thought about the firmware in your microwave oven, wire-line telephone, keyboard, or cable modem?
Let's take a look at a design misfeature that might not be quite a mistake, but is definitely a bit more than an oversight. We'll see how a reasonable design decision enables some do-it-yourself hacking that completely compromises the security of an embedded device.
What It Does
A cable modem (modulator-demodulator) translates information between radio-frequency signals and TCP/IP packets. On the modulation side (the "customer" side), the modem accepts network data from your PC or network, converts the bits into sequences of voltages, and applies those voltages to a small transmitter that sends the signals out on the cable. To demodulate incoming signals from the TV cable, the modem uses a receiver to select a narrow band of frequencies, amplifies and filters the signal, then converts the resulting voltages into bits.
Figure 1 shows the main circuit board inside my Motorola SB4100 SURFboard cable modem. The other side of the board has a handful of components, but the heavy lifting happens here. The metal enclosures don't serve aesthetic or security functions—they reduce the amount of radio-frequency energy radiated or absorbed by the circuitry inside.
The transceiver circuitry is inside the lower-left shield, attached to the TV cable through the threaded F-connector on the left. The enclosure to the right of the transceiver holds what look to be RF filters and amplifiers. A Broadcom BCM3350 modem chip (which includes a MIPS R3000 CPU) and a RAM chip are in the top enclosure. Just above that is the 256-KB Flash ROM chip that holds the system software. To the left are Ethernet and USB connectors.
The grisly bit-level details of how all this works aren't relevant here, except that the process has sufficient complexity as to require a 32-bit microcontroller. Figure 2 shows that my cable modem is running VxWorks Version 5.3, Wind River's well-regarded, real-time, embedded operating system.
Imagine that—a modem with an RTOS. Welcome to the wonderful world of embedded systems!
The microcontroller handles several network-level protocols, in addition to shuffling data back and forth, which require the features of a serious operating system. Note that the customer-side network functions are completely different than those used on the cable side.
On the customer side, it implements a DHCP server to assign IP addresses (for anyone foolish enough to not run their LAN through a firewall router) and a simple web server that displays the modem's status and configuration information.
On the cable side, it configures the hardware to match the ISP's settings and can download new firmware. It also acts as a DCHP client to receive an IP address within the ISP's block for the modem itself.
The Broadcom modem chip implements the Data Over Cable Service Interface Specification (DOCSIS) protocol that, among other functions, provides encryption of data between a customer modem and the cable's head end where traffic is routed to the Internet at large. DOCSIS also provides limited firewall and privacy protection by discarding cable-side packets destined for other modems.
I don't see network traffic destined for other cable modems on my side of my modem, so at least that part of the security system is enabled. Whether my ISP has actually enabled all of the DOCSIS security provisions, including encryption, is another question.
What It Doesn't
The network linking your collection of PCs, whether at home or work, probably doesn't have any bandwidth restrictions other than the ability of a server to shovel data out and a PC's ability to accept it. The actual data rate may be a fraction of the theoretical maximum data rate, but it's not deliberately limited at any point.
Cable ISPs, on the other hand, must limit your data rate to a known fraction of the total system bandwidth, rather than allow unrestricted access, to ensure fairness among customers. When you download ISO images of your favorite Linux distribution, you should not choke off everyone else's browsing pleasure.
Perhaps more importantly, ISPs can also introduce tiered service with charges tied to bandwidth. If you want more bandwidth, they'll be happy to charge you for it. They can also introduce premium features, although at this point many cable companies seem to be having enough difficulty just providing basic ISP services.
The bandwidth limitation arises from the design of the cable TV network, which originally distributed plain old TV from a central location to all customers at once—everyone saw the same signal at the same time. This has been somewhat modified for data transmission, with what amount to routers that divide the system into subnetworks, each of which places all of its users in parallel.
From what I've read, that's on the order of 200-500 customers, although I suspect a segment might be a /24 subnet with a maximum of about 250 customers. Within that subnet, the cable system resembles the old coaxial-cable Ethernet: Each node can see all of the traffic for all of the other nodes.
Suppose you could turn off the DOCSIS firewall and pass all the network traffic from the cable to your PC. If the network traffic isn't encrypted, you'd be able to snoop the contents of every packet on your local segment of the cable network.
Hmmm...
How It's Done
When a crime occurs, the police look for someone with a motive to commit it, a method to carry it out, and an opportunity to do so without detection. Everyone using the cable system has the motivation (bandwidth for nothing and your neighbor's bits for free!) and the opportunity (an attachment to the cable, in the form of a cable modem). Only the method is lacking, as a cable modem simply doesn't let customers tamper with the DOCSIS settings.
As far as customers are concerned, the modem simply does whatever is needed to get them to the Internet. You can observe the current status and configuration, look at the logs, and view the help screen, but that's about it.
Although the SB4100 runs an RTOS inside, there's no external evidence of that complexity other than the VxWorks version in Figure 2. In particular, you don't "log on" to the modem and you don't have a "user account" of any sort. Even if VxWorks has accounts, you don't see them through the Ethernet port.
But the Ethernet port isn't the only way to get into the system. Refer back to Figure 1 and look at all those holes and solder lands sporting tidy white outlines and labels: J14, E2, U8. Here's why a board has "unused" locations.
A company generally offers several closely related products based on a common design. The products may differ in external connections, indicator LEDs, and so forth, but they're similar enough that a single circuit board can hold all of the possible components. They simply leave off the parts that aren't required for a particular product, while taking advantage of the ability to stock a single bare circuit board.
A circuit board generally includes solder pads that give access to signals used for production tests and adjustments. As the production process improves, later versions of the boards may have fewer test points, so it's not unusual to see different boards in what's outwardly the same product.
Sometimes the board includes connectors or IC locations for development instrumentation: in-circuit emulators, JTAG boundary-scan emulators, or additional RAM and Flash ROM for bulky debugging builds. The second or third board revision probably won't have those pads, but they can be a lifesaver when you're trying to debug a bizarre problem with cryptic symptoms.
In the case of the SB4100 cable modem, some of those unused pads provide a serial link to a root-level account for the embedded VxWorks RTOS. With the addition of some trivial circuitry, you can use a terminal emulator on a stock PC to take control of the modem's boot sequence.
Well, you wouldn't, but someone else could. Work with me, okay?
In particular, you could elect to boot from either the normal Flash ROM or via TFTP from a server on the network. The modem should download new firmware only from the cable side (from the ISP's servers), but it seems that, after a bit of setup, SB4100 modems will happily fetch a new boot image from the customer's network. It was probably convenient during development and, of course, no users would ever figure it out.
Ooops!
So you can replace the official firmware in your modem with completely unauthorized, thoroughly hacked, code that does whatever you like. The only remaining catch is that you probably don't have any such firmware lying around.
While the ability to write firmware for a MIPS R3000 CPU embedded on a Broadcom BCM3350 modem chip is spread fairly thinly throughout the general population, in this Internet Age, it takes only one. You can fetch modified binary images for various cable modems from the Web, load them into your modem, and enjoy all the benefits of the Dark Side.
What Happens
Many people seem to regard what they do on their PC as a private matter, even when they're typing credit-card numbers into a web page or sending unencrypted e-mail. They remain blissfully ignorant that their data passes through many, many, many systems between their PC and the far end of the transaction.
Although cracked modem firmware can remove the bandwidth limitations imposed by the cable ISP, this is not a private activity. In particular, if you suddenly start passing gigabytes of data through your modem at abnormal rates, It Will Be Noticed. Perhaps not right away, but eventually, you'll have your service chopped off and may wind up being liable for other penalties, not the least of which is being banished to dial-up land for the rest of your online life.
On the other hand, disabling your modem's DOCSIS firewall might not be noticed. If encryption hasn't been enabled on your cable subnetwork, you can eavesdrop on your neighbors and collect all manner of data. Credit-card transactions are generally encrypted, but you could find out all manner of other things. Simply knowing when and what your neighbors are doing and viewing might be interesting.
As soon as you act on that knowledge, however, you've gone public. There are penalties associated with most of those actions and only the very inexperienced among us expect to "get away with it" forever.
Next Steps
The overall risk of modem tinkering in your neighborhood is fairly small, as the first step requires a Torx driver and some dexterity with a soldering iron. Given the many other, more obvious, security problems on the Internet, this one is tame, even if it's a fascinating look at how to pervert a fairly secure embedded system.
You must modify a cable modem's hardware to force an illicit firmware upgrade. Now, imagine what you could do to a device that allowed firmware updates. Say, for example, a firewall router.
Roughly half of the households with broadband Internet access, whether cable or DSL, protect their home networks with a firewall router (the other half now own zombie machines), each of which has a password-protected administration account. A user signed on to that account can update the router's firmware from a file on the PC's hard drive. Figure 3 shows the interface for a typical router.
Perforce routers ship with a default password for the administrator account. That password should be changed during installation, but, as nearly as I can tell from what I read, many, if not most, consumer-grade routers run with the default password.
Given ubiquitous hardware, default passwords, and firmware updates from disk files, how tough can it be to write a program to pervert a firewall router? Remember, anything you can do from the keyboard, a program can do behind the scenes.
Actually, you don't even need new firmware—just use the admin account to disable the existing firewall or open a few handy ports. What percentage of the population that doesn't change the password would notice a few open ports, let alone a disabled firewall?
Reentry Checklist
This is the leading edge of something we have yet to fully appreciate in the embedded world: Physical possession of an object means complete control of that object, inside and out. Briefly: To own is to be root. Clever encryption and suchlike can delay the crack, but the knowledge is out there.
SecurityFocus described cable-modem hacking at http://www.securityfocus.com/news/7977. For (what should be) obvious reasons, I will not provide any further links. If you really want to get involved with that stuff, you should do your own legwork. Okay?
Remember that cable modem hacking is on the shady edge of the law and any binary you download may carry an unexpected payload. Standard virus checkers won't find payloads written by folks who know the chip-level details of your modem or your PC, so treat executables with the casual nonchalance reserved for any other biohazard. Word!
The flaw I described has nothing to do with the underlying security of VxWorks because it happens in the application. More on VxWorks at http://www.windriver.com/, which features one of those annoying Shockwave Flash minimovies. I couldn't get any of the top-bar menu items to work with any of my browsers, but perhaps that's because I have too much protection enabled.
Broadcom (http://www.broadcom.com/) doesn't provide complete datasheets for its chips on the web site, but you can get a general overview of how things work.
An overview of DOCSIS is at http://www.cablemodem.com/downloads/ Security_in_DOCSIS.pdf.
DDJ
