Highly insufficient patch distributed

Oct 27, 2009 10:31 GMT

Time Warner has failed to properly address critical security issues in tens of thousands of routers distributed to its customers. The distributed patch is not only insufficient, but also disables the only option users had to properly configure the device themselves.

Last week we reported that as many as 65,000 SMC8014 series routers distributed by Time Warner to its customers in the New York area had gaping security holes. The problems were discovered by Pip.io Founder and CTO David Chen, who disclosed them on his blog after contacting the telecom company and receiving an unsatisfactory response.

There were two distinct types of problems with these cable modem/router combo devices. The first was an improper access control implementation, where the only difference between the limited user and the admin user on the Web management interface was that some menus were hidden via JavaScript. This meant that by simply disabling JavaScript in the browser, one could access all the administrative features with what should have been limited user credentials.
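The access control flaw described above, shown next to a server-side check, as an added example that is not SMC firmware code or code from Chen's write-up. The page paths, role names and function names are hypothetical.

```javascript
// Added illustration: page paths, roles and function names are hypothetical,
// not taken from the SMC8014 firmware.
const RANK = new Map([['user', 1], ['admin', 2]]);
const PAGES = new Map([
  ['/status', { minRole: 'user', title: 'Connection status' }],
  ['/wireless', { minRole: 'admin', title: 'Wireless security' }],
  ['/remote-mgmt', { minRole: 'admin', title: 'Remote management' }],
]);

// Flawed pattern: any logged-in session receives any page. The role only
// decides whether a script is appended that hides admin menu entries, so the
// restriction exists in the browser alone.
function handleClientSideOnly(session, path) {
  if (!session || !RANK.has(session.role)) return { status: 401, body: '' };
  const page = PAGES.get(path);
  if (!page) return { status: 404, body: '' };
  const hider = session.role === 'admin' ? '' :
    '<script>for (const e of document.querySelectorAll(".admin")) e.hidden = true;</script>';
  return { status: 200, body: `<h1>${page.title}</h1>${hider}` };
}

// Corrected pattern: the server checks the session role against the page's
// required role on every request, before producing any content.
function handleServerSide(session, path) {
  if (!session || !RANK.has(session.role)) return { status: 401, body: '' };
  const page = PAGES.get(path);
  if (!page) return { status: 404, body: '' };
  if (RANK.get(session.role) < RANK.get(page.minRole)) return { status: 403, body: '' };
  return { status: 200, body: `<h1>${page.title}</h1>` };
}

// The menu is built from the same rule, so links a role cannot use are never sent.
function menuFor(session) {
  if (!session || !RANK.has(session.role)) return [];
  return [...PAGES].filter(([, p]) => RANK.get(session.role) >= RANK.get(p.minRole))
                   .map(([path]) => path);
}

// Constructed sessions for a limited user and an administrator.
const limited = { role: 'user' };
const admin = { role: 'admin' };
console.log('client-side only:', handleClientSideOnly(limited, '/wireless').status);
console.log('server-side check:', handleServerSide(limited, '/wireless').status);
console.log('limited menu:', menuFor(limited));
```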

The second type of issue resulted from improper default configuration of the devices. And while the device manufacturer, SMC Networks, was responsible for the access control problem, the configuration issues were Time Warner's to address. These included using the insecure WEP encryption algorithm for wireless networks by default instead of WPA, using the same administration credentials for all devices, making the administration interface accessible from anywhere on the Internet, using publicly broadcast MAC addresses as the WLAN SSID, and storing administrative passwords in plain text in the configuration file.

Time Warner gave assurances last Tuesday that the problems would be resolved and that a patch would be distributed to the affected customers. Now, a week later, the only security issue fixed is the one depending on SMC Networks. An SMC spokesperson confirmed to Wired that a patch addressing the access control issue had been released, separating the administration and limited user pages on the device's Web management interface.

The SMC spokesperson was not able to confirm if the patch was distributed to all devices, but Chen notes that he found it on some. However, without a change in default configuration on Time Warner's part, which doesn't seem to have occurred yet, this SMC fix actually does more harm than good.

This is because a potential attacker who has the default admin password, as Chen does, will still be able to access the interface remotely and log in as superuser. And while the more knowledgeable users could have used the SMC access control flaw to modify these insecure settings themselves, their hands will be tied now and they will be left with a completely insecure router.

"If you have an SMC8014 series modem/router combo, get rid of it. Call up Time Warner and ask them to replace it with a standard cable modem and get yourself a real router," Chen advises. But there's one more thing that attracted our attention. According to the SMC representative, the default admin password set by Time Warner on these routers is the same as for similar devices produced by Ambit, which they also distribute to customers.

Additionally, a user calling himself cableguy79 wrote on Wired that "As a former technician, all Time Warner combo wireless modems I’ve worked on (ambit and smc’s) have allowed access via the 10. IP addresses inside TW [Time Warner] network. […] And all the passwords are defaulted none are changed upon installation." We were not able to verify this ourselves, but if that is true, then these security problems might affect many more Time Warner customers than initially believed.