Linksys, now a division of Cisco has recently been touting its deal with Comcast as a big win. Well, looks like there are some serious problems with this 802.11g/Modem gateway combo, according to some really smart folks. Now to others this might seem a little speculative, but well that’s that.
If you scroll through the press release, you come to a section which says that the gateway supports a CableHome 1.0 “for the ability to deliver secure, managed services from Comcast’s head-end network to the subscribers’ home network.” Now there is a big problem with this thing – for instance, the Cablehome 1.0 standard allows cable operators to snoop around their home networks and learn things such as how many computers are attached to the gateway and what kind of traffic they are generating/receiving. (Beware Vonage fans, this could be used to detect your Vonage ATA as well.)
In case you were wondering, where’s the juice. Go to the Cable Labs website and read this document. Scroll down to Section 6.3.1 and read:
bq. The goals for the CableHome Management Portal include:
* Enable viewing of LAN IP Device information obtained via the CableHome DHCP Portal (CDP)
* Enable viewing of the results of LAN IP Device performance monitoring done by the CableHome Test Portal (CTP)
* Provide the capability to disable LAN segments
What this means is that Comcast (and its peers) can use its immense clout and possibly shut down little companies like Vonage, and possibly prevent us from using our broadband connections in the way we want them to use. (Yeah we sign the contracts but sharing one connection in a household is not such a bad deal!) There was an article on Brian Roberts, which described him as the God Father – need I say more. I have emailed the folks at Comcast and LinkSys, and will post what they have to say.
Comcast has a phone service but is seriously looking into moving it into VoIP so you could be right about Vonnage though it is mostly geared towards people who turn on wifi/cable modem so the neighborhood can use the bandwidth (as some people do with their cable modem service) … that’s what they are most afraid of – “mini ISP’s” popping up. But of course, lawyers like to write the broadest language on their side and the narrowest language when on the other side.
These boxes are more or less the same as the WRT54G, so they run Linux, right? So is the snooping software open source? So where is the source?
Presumably they’ll use SNMP for this. Since the SNMP implementation in a standard WRT54G is fairly broken, I wouldn’t bank on it working. I have this feeling that turning off logging will probably disable their ability to view the data. And changing the admin password ought to also limit it.
Which brings up the next issue. If they hard code a password to access these “features” how long before it gets hacked? Aren’t we always told to properly secure the WiFi AP?
Which all leads me to think that the only way they could do this is to have a custom Linux distro with closed source elements installed and to disable any possibility of firmware upgrades. I can’t see this happening. Now if this was a story about Motorola cable modem/routers, that might be a different case.
hmmm. justin you bring up interesting points. can you expand on your comment about motorola cable/modem routers. is this a big problem there as well?
In a meeting about six months ago, the CEO of a rural LEC dismissed Vonage’s threat because of their (and other LECs and cable companies) could easily disrupt their service by turning off the SNMP protocol. I am skeptical that the FCC would allow that to happen, but you never know. This is the first I’ve seen any reference to it in the media (is that what you want to be part of?). The big threat to Vonage, in my opinion, is that they will have trouble competing against the cable companies that will be offering similar services. Even if you hate the cable company and doubt their service reliablity, will people trust them more than Vonage? I would say yes.
Re: Telecom Banker: SNMP isn’t used by Vonage or VOIP. What the telcos/cable companies could do is disable SIP protocol traffic from specific ports or filter it on all ports. This is an actual threat, but I have to believe that if they try to do it, Congress and the FCC will drop their weight on them because both bodies appear to be committed to allowing VOIP to flourish.
keep us posted. one question to which i hope my assumptive answer is correct… will they only be able to do this stuff on leased equipment, or would they have the same capability if i buy this product from a retailer and set it up myself?
Glenn,
Thanks for the clarification. For a banker, it’s all the same.
Hmm, that sucks. I hope they don’t try to force these “cablehome” compliant modems on everyone, or I guess I’ll have to look around for a new provider. I don’t need anyone snooping my network. Just not right…
fp?
I am just going to have to proxy my network before the gateway. bfd, comcast can go to great legnths to ensure you dont have multiple comps on YOUR line
Anyome remember when companys such as TCI used to complain about the use of splitters for tvs and attempted to charge people for every tv in the house
Fucking fascists.
I was considering moving to Comcast for internet access. I have definitively changed my mind.
I guess that I will stick with Sprint Broadband a bit longer.
Wow. What is next’ Cars with black boxes that record my driving… How about a refrigerator that Knows what brand milk I buy? C’mon who world allow that sort of security breach on their home network! Not I! Dare I say big brother Comcast is making it’s own bed as Far as tech-savvy users go.
This isn’t a conspiracy and shouldn’t be a big surprise. The CableHome specifications have been around for over two years, and those pecs were designed by the Cable operators to be what they were going to deploy.
They figure that they can sell it to people who don’t know any better (i.e. 80% of the public, who might actually benefit from the remote network troubleshooting it provides). The other 20% will just place their own gateway right after the Comcast one.
More obnoxious practices are already in place: port blocking, and termination for
an arbitrary “overuse”.
Very interesting. Is it the case that the user has no ability to administer the Linksys piece? If not, then there would of course be no way for the user to disable remote administration on the Linksys router.
Guess I’m going to have to buy a D-Link…
First the unchangeable admin l/p, now this.. wow. Cisco is really on a roll. Cisco just dropped to unber 2 on S*list.
While this is certainly some fun paranoia-propaganda, consider that the whole point of CableHome is for customers who WANT their ISP to help them manage their home networks. Those who don’t want this value-add obviously can still run the same routers, firewalls, i-toasters, and whatever else they enjoy without the supposed “snooping” and “prevention”. Mom & Pops who just want their two wireless computers and wired print server to work without RTFM can simply have their ISP use the CableHome APIs to configure this stuff for them.
(Incidentally, no ISP needs access to your home gateway in order to snipe Vonage or snoop traffic, regardless of connection type… They’ll do it somewhere along the metro or core if they really wanted to or had the time/bandwidth.)
-Ex-ISPEng, Bored with Consipiracy Theorists
“(Incidentally, no ISP needs access to your home gateway in order to snipe Vonage or snoop traffic, regardless of connection typeÖ Theyíll do it somewhere along the metro or core if they really wanted to or had the time/bandwidth.)”
Excellent point. Especially the part about time. For the most part, they really don’t have the time to snoop on billions of tcp/udp/icmp/whatever packets traversing their network. Maybe if you were trying to brute-force one of their routers they might get interested, otherwise I really doubt they care.
“The other 20% will just place their own gateway right after the Comcast one.”
Also an excellent point. I do, however, prefer my Cisco uBR924, which gives me some control back. Excellent modem with many IOS capabilities (such as NAT/PAT and ACLs) available for $20-$50 on eBay.