Is the cable system insecure?

I just stumbled across a blurb in a networking book that said that the infrastructure for cable internet access is slightly insecure. The allegation was that since all cable drops in an area trace back to a distribution node (which in turn makes its way to the head end), someone on the same distro node could, with some "technical prowess" (direct quote from the source), eavesdrop on your communications. Is this true? I couldn't get Google to cough up any further info on the subject, but then again I couldn't seem to piece together completely relevant search terms.

This is perturbing news for someone who tends to be paranoid. ::glances nervously at the cable modem:: Is it time to go back to tin cans and string?

Nonapeptide

Reply to
Nonapeptide

How old is the network book? Since you are a Cincinnati area RoadRunner customer, I assume your Motorola is set for encryption.

As I misunderstand it, the cable modem to head end is encrypted. Since you are a Cincinnati area RoadRunner customer, I assume your Motorola cable modem is set for encryption.

If you were to look in the cable modem web page and see something like Initialize Baseline Privacy Done, then it is encrypted.

Guessing http://192.168.100.1 would be the cable modem web page.

Reply to
Bit Twister

You are forgetting that there are 300 MILLION people in the US alone and almost 4 BILLION WorldWide! To try and track YOUR data thru the internet is not just hard, it is impossible. Now to put a trace from your home thru your network to the head end, etc. is not impossible. BUT it is jammed in that pipe along with everyone else in your area. And of course, as the article said, your data flows into bigger and bigger pipes as it flows towards that 'head end', mixing with all the other people that are all headed to that same 'head end'. You are being paranoid. To stop ID theft etc., shred your papers at home and only put the details of your account numbers, credit card stuff, etc., into sites that are https sites. The standard http is not a secure site, as indicated by the 's' at the end.

Reply to
f/fgeorge

The internet is a shared medium, regardless of how it is connected to your home. In those regards, the only difference between the technologies is the point at which the individual connections become a shared connection.

Cable is no less secure than a T-1 line or dial-up or DSL or whatever.

CIAO!

Ed N.


Reply to
Ed Nielsen

There is some truth to the claim; however, most cable companies today encrypt the last-mile data, which would make it difficult (perhaps to the point of impossibility, except maybe for national intelligence agencies) for somebody on the same cable node to decrypt your data.

That said, most Internet traffic is not encrypted, and there are lots and lots of places on the Internet that it can be intercepted. If you're just concerned about your nosy neighbor knowing that you've been reading all the latest Star Trek rumors, this isn't a big deal, since your nosy neighbor probably doesn't have ready access to all the routers between you and the Star Trek sites. OTOH, if you're concerned about Big Brother snooping on your activities, that's another matter. Likewise if you're concerned about shady characters acquiring a profile on you and using it against you (for identity theft, say). Data passed over the Internet is compromised every day. Often this is a matter of theft of credit card numbers, but these are typically stolen from retailers' computers, not while they're in transit. If criminals were to compromise a router, though, they could sift through the data it manages and grab some of yours -- passwords or other personal information, say. There have been allegations that the US government is doing this for data to and from foreign countries, the difference being that the feds are alleged to have the cooperation of the data carriers, or at least some of them, and of course they claim to be doing it in the interests of national security -- or they would if they admitted they were doing it.

The bottom line is this: Whether you're using a cable modem, DSL, a T1 line, a dial-up telephone modem connection, or anything else, you shouldn't consider your Internet transactions secure. If you pass anything sensitive over the Internet, you should ensure that you're using an encrypting protocol to do it. Fortunately, most Web retailers employ encryption on their order pages, or at least on the ones that ask for credit card numbers -- but as noted, data thieves manage to steal CC numbers from the retailers' servers. (Local CC transactions are also at risk in the same way or by waiters or whatnot copying the information by hand, so don't swear off Internet purchases for this reason.) If you routinely log into remote systems (getting a command prompt or desktop to use it as if it were local), use an encrypting protocol such as SSH. For sensitive sites, such as a bank, use a unique password, and don't store it on your computer. (With all the Trojans and viruses out there, passwords stored by your browser might not be secure even on your own computer.) Particularly if you're using Windows, run anti-virus software, and keep it updated. Use a NAT router, if your cable modem doesn't incorporate that functionality, to help protect your home system. These basic steps will minimize the risks, but security isn't an all-or-none thing. The only way to be 100% sure that your Internet data won't be snooped is to not use the Internet, and the only way to be 100% sure that your computer's data won't be compromised is to not use a computer. In today's world, neither of these is a practical approach, so you'll have to accept some degree of risk.

Reply to
Rod Smith

Thank you all for the responses. Much to think about.

@Rod

I suppose my initial confusion centered on this alleged ability of a member of your shared last mile on the cable system to snoop on your communication. To my limited understanding of networking, a snooper would have to have some way of having direct access to that multiplexer (or whatever the cable system uses) and then have some way of replicating the traffic from the multiplexer back down the line to himself. If a multiplexer (or whatever) is vulnerable, it would seem to me that any medium, not just cable, is just as vulnerable. The book I was reading stated that cable was more insecure by comparison to other mediums but didn't offer any further explanation. Maybe I should just calm down and go back to reading my Windows Administration books... ;)

Nonapeptide

Reply to
Nonapeptide

By any chance, is the copyright on the book about 7-10 years old? IIRC, that's about how long it's been since a cable customer could browse his neighbor's open shares and print to neighboring printers.

Reply to
Bill M.

Okay, if you all /must/ know, here it is:

formatting link
Nonapeptide

Reply to
Nonapeptide

The problem with cable systems is that every customer in an area gets every other customer's data. Remember that cable systems were designed for TV distribution, where every household gets the same set of channels. To feed computer data over this existing infrastructure, cable operators simply send the data for several households down this one shared set of cables, so in theory one person can snoop on the data sent to a nearby location. (Upstream data also goes over the same shared set of cables and so is vulnerable, too.) In this sense a cable system's last-mile network is similar to a large Ethernet network that uses hubs rather than switches.

This description, though, is incomplete; as I wrote in my previous post, most cable operators today employ encryption and other techniques to secure their last-mile data. I certainly wouldn't want to bet my life -- or even my bank account access data -- that the last-mile data is really secure, but I'm not going to get too worried about the last-mile security compared to security on the rest of the Internet. When I deal with data that really should be securely transmitted (credit card numbers, passwords that provide shell access to remote systems, etc.), I use encryption to provide end-to-end security. For most data (Web page URLs, most e-mails, etc.), I don't worry about it, since this data isn't really sensitive, whether it's stolen by my next-door neighbor or by a spy in China.

Note also that another technology has become very common that's far less secure than cable modems: Wi-Fi. Wi-Fi is a radio technology, so somebody can sit in a car parked outside your home and snoop on your Wi-Fi traffic or even use your network to access the Internet. Your internal network may also be vulnerable to attack, since many LAN security products are designed to protect against access from the Internet rather than from systems on your local network. Most (all?) Wi-Fi hardware supports encryption, but the studies I've seen suggest that this encryption is often ineffective and is also often disabled by default. (I've not been following this closely, though, so my information may well be out of date.) If you use wireless networking at home or at work, you should definitely look into this issue to learn how secure your hardware's encryption is and, if it turns out to be inadequate, add encryption on top of it.

Reply to
Rod Smith

It's worth noting, however, that cable modems transmit in an entirely different range of frequencies than they receive. So, while it is theoretically possible to hack a cable modem to receive data being sent *to* other modems on the cable segment, it is physically impossible for it to receive data being sent *from* those other modems.

-Larry Jones

You can never really enjoy Sundays because in the back of your mind you know you have to go to school the next day. -- Calvin

Reply to
lawrence.jones

No one said one had to use the same tuner to capture data going both directions.

You can tune one device to (e.g.) 34.8 MHz to capture the upstream traffic and to (e.g.) 723 MHz to capture the downstream traffic.

Reply to
Tom Stiller

My point was that you *can't* tune an off-the-shelf cable modem to capture upstream traffic. To do that, you essentially have to build, buy, or otherwise obtain something resembling a head-end modem (but not an actual head-end modem, since the head-end expects to control all the end-user modems connected to it and you don't want to control them, you just want to snoop on them), which is well beyond the capabilities of your average neighborhood hacker.

-Larry Jones

Oh, now don't YOU start on me. -- Calvin

Reply to
lawrence.jones

So, if I'm understanding correctly, as I sit here and look at my modem, it's receiving downstream transmissions that are headed for me and every other cable modem subscriber in my area. The modem is selectively choosing to ignore all but the transmissions that are addressed to it (I'm supposing that it's filtering by IP address?). My mind's eye is picturing all downstream content that is intended for me being split to all nodes on my local last mile, but only being accepted by my modem. Is that correct?

Also, (again, if I understand correctly) each transmission that I send hits some kind of local aggregator (multiplexer?) which then, in hub-like fashion, repeats the transmission to every port, which includes every neighbor that has a cable modem as well as the upstream connection to the head end? Eek! Seems like a waste of bandwidth for the provider. Each last mile area of a cable provider's service is essentially a big MAN sized collision domain?

As for the wireless admonitions, I think WPA2 with a decent sized PSK is purported to be uncrackable.

Thanks for the continued discussion, Nonapeptide

Any word on what type of encryption cable providers use?

Reply to
Nonapeptide

Yes, although the RF network has its own addressing scheme, it doesn't use IP addresses. Most cable systems allow multiple IPs behind a single modem (although there may be an additional charge).

No. The transmissions that you send go to the local node over coax that is shared with your neighbors, so they receive those transmissions but the node itself only retransmits (over fiber) to the head-end so people attached to other nodes don't see the transmissions. And the upstream bandwidth is divided into specific time slots that are, for the most part, preassigned to specific cable modems, so there are no collisions except for the few slots that are left open for contention.

The packet data is encrypted using either 56- or 40-bit DES. The DES keys are managed using RSA public-key encryption.

-Larry Jones

Even though we're both talking english, we're not speaking the same language. -- Calvin

Reply to
lawrence.jones

WPA and WPA2 aren't crackable in the same way that WEP is so easily cracked, but both flavors of WPA are susceptible to dictionary attacks, and the nice thing is that you don't need to sit there and gather tons of packets like you would for WEP.

Reply to
Bill M.
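An added example, not part of any post in this thread, illustrating why WPA/WPA2-Personal is exposed to the dictionary guessing mentioned above: the 256-bit key is derived deterministically from only the passphrase and the SSID, so passphrase quality is the whole defence. The wordlist, the 16-character threshold and the function names are assumptions made for this sketch.

```python
import hashlib
import math

# Constructed sample wordlist; a real audit would load a large common-password list.
SAMPLE_WORDLIST = {"password", "letmein123", "starwars1977", "qwertyuiop"}

MIN_LENGTH = 16  # hypothetical local policy threshold, not a value from the standard


def wpa_pmk(passphrase: str, ssid: str) -> bytes:
    """WPA/WPA2-Personal key derivation (IEEE 802.11i):
    PBKDF2-HMAC-SHA1, SSID as salt, 4096 iterations, 256-bit output."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA passphrases are 8 to 63 ASCII characters")
    return hashlib.pbkdf2_hmac(
        "sha1", passphrase.encode("ascii"), ssid.encode("utf-8"), 4096, 32
    )


def random_passphrase_bits(length: int, alphabet_size: int) -> float:
    """Entropy in bits of a passphrase drawn uniformly at random."""
    return length * math.log2(alphabet_size)


def audit_passphrase(passphrase: str, wordlist=SAMPLE_WORDLIST) -> list:
    """Return the reasons a passphrase is weak against offline guessing."""
    findings = []
    if passphrase.lower() in wordlist:
        findings.append("appears in wordlist")
    if len(passphrase) < MIN_LENGTH:
        findings.append("shorter than %d characters" % MIN_LENGTH)
    if passphrase.isalpha() or passphrase.isdigit():
        findings.append("single character class")
    return findings


if __name__ == "__main__":
    # Same passphrase, different SSID: different key, because the SSID is the salt.
    # A factory-default SSID therefore shares its salt with every other such network.
    print(wpa_pmk("password", "IEEE").hex())
    print(wpa_pmk("password", "HomeNet-5G").hex())
    print(audit_passphrase("password"))
    print(round(random_passphrase_bits(20, 94), 1), "bits for 20 random printable chars")
```

Nothing in the derivation is secret except the passphrase, which is why a long random passphrase and a non-default SSID matter more than hiding the network.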

Not quite. The taps to which subscribers are connected are directional and have high port-to-port isolation. Not like a hub or switch or T-connection.

The downstream path is located somewhere in the bandwidth of 88-860MHz, while the upstream path is in the 5-42MHz bandwidth. Just where depends on the system.

CIAO!

Ed N.


Reply to
Ed Nielsen

Here in comp.dcom.modems.cable, Bill M. spake unto us, saying:

How much more secure are you when you turn SSID broadcasting off?

I would think that would at least deter casual drive-by Wifi cracking (folks can't crack what they don't know exists).

Or will some Wifi detectors show hidden wireless networks anyway?

Reply to
Richard Steiner

Not more secure at all, IMHO.

Yup, passive scanner programs like Kismet show those networks, too, just as quickly and clearly as if they were broadcasting their SSID. Active scanners, like NetStumbler, won't show them. Disabling SSID broadcast is a little like MAC filtering; it makes you feel good but adds little or nothing in the way of additional security.

Reply to
Bill M.
