Cable modem security issues

Discussion in 'Technical' started by stg58, Aug 31, 2016.

  1. stg58

    stg58 Monkey+++ Founding Member

    Two friends have Ubee cable modems which became unreliable for WIFI when they changed there SSID's and passwords which was restored when the cable company did factory resets back to default settings.
    They changed them out for Arris (Arris bought Motorola from Google) modems which allow password changes with no issues on WIFI so far.

    I own my Motorola modem without WIFI and all passwords changed with outboard Linksys and Asus WIFI routers covering my house and property flashed with DD-WRT.

    Keep in mind that the cable companies do monitor your forward and reverse RF no way around that and on modems they own they have other tools they admit and others they deny exist or deny that they use.
    And there is this..Just what I want some clowns in my leased WIFI modem.

    Less than a year ago, Comcast was sued over its WiFi hotspot program, which essentially turned residential customers into hotspots for other Comcast customers or hotspot subscribers. Comcast used this to make a great deal of money off of its own residential customers. The problem was that Comcast didn't see the need to have customers opt-in to this program and was perfectly happy using customers' electricity and, in some cases, bandwidth to power the service. That and the fact that the opt-out settings on the router controls were given to bouts of amnesia made the company look pretty crappy, but, hey, you know, Comcast.

    Cablevision Follows Comcast Down The Compulsory WiFi Hotspot Rabbit Hole | Techdirt
    Comcast Sued Over Router Update That Makes Your Wi-Fi Hotspot Public, Ignores Your Opt-Out Preferences | Techdirt

    Some like Tomato they are both great but I like DD-WRT.

    Main Page - DD-WRT Wiki

    Tomato Firmware |

    Then there is Open WRT which I have never used but many like it and another option.

    All three are like Linux distros, free open source and thought to be more secure.
    Marck, Bandit99, Mindgrinder and 2 others like this.
  2. 3M-TA3

    3M-TA3 Cold Wet Monkey Site Supporter++

    And that is exactly why I talked my Dad into keeping his ancient modem when ComCast tried to force him to upgrade. They backed off when I asked them how much they were going to pay us for electricity and bandwidth because I had already read about the hotspot program. It's also why I own my cable modem so ComCast stays out of my internal network.
    chelloveck likes this.
  3. BTPost

    BTPost Old Fart Snow Monkey Moderator

    Just ask them if THEIR Bandwidth Use, for THEIR HotSpot usage, is deducted from the Bandwidth YOU are Paying for, on YOUR Connection?
    chelloveck and Mindgrinder like this.
  4. stg58

    stg58 Monkey+++ Founding Member

    The cable WIFI hotspot is a nationwide deal with Comcast, Time Warner and other cable companies.

    See if you or folks you know are hosting a hotspot they don't know about, it will have a different SSID but it is still allowing anyone cablewifi login into WIFI modems home and commercial.

    XFINITY WiFi Hotspot Finder
    Marck, Mindgrinder and Cruisin Sloth like this.
  5. Mindgrinder

    Mindgrinder Karma Pirate Ninja|RIP 12-25-2017

    Interesting post....i can contribute.

    It's not practical to build a mesh network this way. Hotspot access on a commercial grade wifi router requires real time auth - in the case of the ISP i work for this is done by registering MAC address' of devices with a central database. Any device connects to our hotspots - the router "calls home" and checks for the MAC addy prior to handing it an IP and internet access. In most cases this is "Passpoint" tech and frankly - it works quite well - and is as secure as any wifi can actually get (not much).

    Even the best dual band home routers have very limited range so while this kind of idea might "seem" like a wifi hotspot "solution" - it's really not in any place other than super high density cities. If you're walking down a road loaded with hotspots broadcasting from ARRIS or CISCO home quality routers switching from spot 1 to spot 2 is NOT seemless like a cell tower that has multiple mile radius and plenty of time to ready the handshake as you approach the edge.The dual band Hitrons we use have 6 antennas (3 transmit and 3 receive) for a reason. 1pairx2.4g, 1pairx5g and 1xpair either/or. In major cities 2.4g is congestion toast on all 11 channels and 5g range sucks even at 40.

    Of coarse we monitor rx and tx rf....this is how your ISP spots outages, isolates SNR spikes and drops and hunts for correctable and uncorrectable packet transfer errors. I use these tools every single day and I assure you there is nothing nefarious going on with monitoring your RF levels. HOWEVER with that being said - sure the tool your cableco won't talk aboot is the DPI hardware used for "packet shaping" and QOS traffic management. In comcasts case - i'd bet highly that it's an ellacoya that sits on every fiber hub but not necessarily on every ATM. Most of the techs who work on these sites have no idea what it actually does - they just plug it in and make sure it boots up.

    Also of note - if you have landline service with your cableco and they use ARRIS digital phone terminals - tracking and privacy issues are huge. ANY front line tech on the phone can pull up your call records for at least a year and 1 click them into an excel sheet. These are paired with motorola end points and are black boxed all to hell by letter agencies in both USA and Canada FOR SURE. #echelon
    Last edited by a moderator: Sep 1, 2016
    stg58, Brokor, 3M-TA3 and 2 others like this.
  6. Mindgrinder

    Mindgrinder Karma Pirate Ninja|RIP 12-25-2017

    Whatever bro....i'm going opsec disabled *soon*.
    My dogs want bacon and a facebook page.
    +i've lost 40lbs in the last year and need to download a new girlfriend for keepers.
    Cruisin Sloth, 3M-TA3 and Ganado like this.
  7. Brokor

    Brokor Live Free or Cry Moderator Site Supporter+++ Founding Member

    I used Tomato firmware when I was in Iraq. We had our own, private sat connection. ;)

    Tomato Firmware |

    I don't know if it's still as good as it was then, but there are other firmware (see links at bottom of page in the link I provided)
    Not sure if this helps any, but there you go.
    stg58 likes this.
  8. ghrit

    ghrit Bad company Administrator Founding Member

    If I understand all I think I know, this discussion is more about public wifi hotspots than home wifi networks. Making allowances for the obvious ignorance chez moi, how is my home wifi system affected? Currently, it's open, but out here in the sticks, there is a near zero chance of a casual connection from a passing vehicle. Also the network is set up to notify me if another user gets on and uses the connection. My internet connection is via hard wired phone if it makes a difference; there's no cable available here.

    I can close the network to other users easily, but doing so slows the connection perceptibly. The phone line modem is motorola, the old type. The router is Lynksys. Telco tells me they are going to change the modems to the new type when they get done putting up the fiberoptic system.
  9. Brokor

    Brokor Live Free or Cry Moderator Site Supporter+++ Founding Member

    @ghrit I recommend always password protecting your wifi. Any wireless network, no matter how remote is a security risk. Yours may just be a lot lower being remote.

    Also, jot down the password (make it unique and excellent) and attach it to the underside of the router. Years can go by and you may not ever need it until the day you do.
    Marck, chelloveck, stg58 and 2 others like this.
  10. stg58

    stg58 Monkey+++ Founding Member

    It is a bit of a pain having to add a MAC when someone I know wants to use my WIFI but I use MAC filtering access control along with WPA and Str0Ng Pa$$Phr@$es
    Marck, Mindgrinder and 3M-TA3 like this.
  11. 3M-TA3

    3M-TA3 Cold Wet Monkey Site Supporter++

    I have guest access set up that only allows Internet access. The current SSID is "Clinton Email Server" and before I changed it the password was "VoteTrump2016". Internal network access is restricted by MAC.
    stg58 likes this.
  12. stg58

    stg58 Monkey+++ Founding Member

    Brokor and ghrit like this.
  13. Con123

    Con123 On Hiatus Banned

    It's always better to use wired system instead of wireless because there are a lot of issues regarding wireless. Even in the case of wireless cctv camera system there are a lot of limitations. While comparing with wireless, wired is always better.
    Last edited by a moderator: Nov 3, 2016
    Brokor likes this.
  14. Brokor

    Brokor Live Free or Cry Moderator Site Supporter+++ Founding Member

    And there's Echelon, can't forget that. Then, we shouldn't ignore Fusion Centers. Of course, there's also more...
    I am surprised Wikipedia allowed the brief overview already there, since most of the .GOV hacks tend to erase valid information over time. I traced some of their IP's since they always post anonymously, and their IP's are registered. Turns out, there's one group I kept running into from the Room 614A vicinity.
    Ganado likes this.
  15. stg58

    stg58 Monkey+++ Founding Member

    Then there is the NSA Utah data center.
    This looks like 2 + 1 , 3 + 1 redundancy or since it is taxpayers money who knows the redundancy standard they are using.
    Marck and Brokor like this.
  16. chelloveck

    chelloveck Captain Didactic!

    Nice tank farms to keep the emergency generators going.
    Marck likes this.
  17. Brokor

    Brokor Live Free or Cry Moderator Site Supporter+++ Founding Member

    Huh. I didn't know about that one.
  18. DarkLight

    DarkLight I self identify as a Blackhawk Attack Helicopter! Site Supporter

    Wait, seriously Brokor? Not poking, just surprised.
    Brokor likes this.
  19. Tempstar

    Tempstar Invented Politically Incorrect Site Supporter+

    Put something like a Mikrotik RB-750 router behind the cable modem and set up a network. The Mikrotik software on their stuff allows so many options that others don't.
    BTPost likes this.
survivalmonkey SSL seal warrant canary