Network management vulnerability exposes home cable modems to hacking

Hundreds of thousands of internet gateway devices around the world, primarily residential cable modems, are vulnerable to hacking because of a serious weakness in their Simple Network Management Protocol implementation.

SNMP is used for automated network device identification, monitoring and remote configuration. It is supported and enabled by default in many devices, including servers, printers, networking hubs, switches and routers.

Independent researchers Ezequiel Fernandez and Bertin Bervis recently found a way to bypass SNMP authentication on 78 models of cable modems that ISPs from around the world have provided to their customers.

Their internet scans revealed hundreds of thousands of devices whose configurations could be changed remotely through the SNMP weakness that they found and dubbed StringBleed.

Versions 1 and 2 of the SNMP protocol don’t have strong authentication to begin with. They provide either read-only or write access to a device’s configuration through passwords called community strings. By default these passwords are “public” for read-only access and “private” for write access, but device manufacturers can change them in their implementations and it’s generally recommended to do so.

The leaking of sensitive configuration data through the default “public” SNMP community string is a known problem that has affected many devices over the years. In 2014, researchers from Rapid7 found SNMP leaks in almost half a million internet-connected devices made by Brocade, Ambit and Netopia.

However, what Fernandez and Bervis found is much worse: devices from multiple vendors that accept virtually any value for the SNMP community string and unlock both read and write access to their configuration data.

The two researchers first located a small number of vulnerable devices, including the Cisco DPC3928SL cable modem that’s now part of Technicolor’s product portfolio following the company’s acquisition of Cisco’s Connected Devices division in 2015.

The researchers claim that when they reported the issue to Technicolor, the company told them that it was the result of an access misconfiguration by a single ISP in Mexico rather than a problem with the device itself.

This prompted the researchers to perform a wider internet scan that resulted in the discovery of 78 vulnerable cable modem models from 19 manufacturers, including Cisco, Technicolor, Motorola, D-Link and Thomson.

The number of vulnerable devices that can be targeted directly over the internet ranges from fewer than 10 for some models to tens and hundreds of thousands for others. For example, there are almost 280,000 vulnerable Thomson DWG850-4 devices on the internet, most of them in Brazil, according to the researchers.

The researchers believe that the underlying problem is located in the SNMP implementation used by the modems, rather than being the result of misconfiguration by ISPs.

Regardless of the cause, the problem is serious, as attackers could exploit this flaw to extract administrative and Wi-Fi passwords or to hijack devices by modifying their configurations.

There’s not much that users can do if their ISP supplied them with a vulnerable device, other than ask for a different model or install their own modem. Unfortunately, not many ISPs allow their residential customers to use their own gateway devices, because they want uniformity and remote management capabilities on their networks.

Determining if a particular device is vulnerable to this issue is possible, but requires a bit of work. An online port scanner like ShieldsUp can be used to determine if the device responds to SNMP requests over its public IP address.

If SNMP is open, a different online tool can be used to check if the device’s SNMP server returns valid responses when the “public” or random community strings are used. At the very least this would indicate an information leak problem.
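
The same check can be made passively on a packet capture taken at your own gateway. The Python below is an added example, not code from the researchers or from this article: it decodes SNMPv1/v2c messages and flags any successful reply to a community string the device was never configured with. The function names and the sample packets are constructed for illustration.

```python
# Added example. Every packet here is constructed sample data, not a capture.
GET_REQUEST, GET_RESPONSE = 0xA0, 0xA2

def read_tlv(buf, pos=0):
    """Decode one BER TLV at buf[pos]; return (tag, value, next_pos)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                        # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated TLV value")
    return tag, buf[pos:pos + length], pos + length

def parse_snmp(msg):
    """Return (community, pdu_tag, error_status) of an SNMPv1/v2c message."""
    tag, body, _ = read_tlv(msg)
    if tag != 0x30:
        raise ValueError("not a BER SEQUENCE")
    _, _version, pos = read_tlv(body)
    _, community, pos = read_tlv(body, pos)
    pdu_tag, pdu, _ = read_tlv(body, pos)
    _, _request_id, pos = read_tlv(pdu)
    _, error_status, _ = read_tlv(pdu, pos)
    return community, pdu_tag, int.from_bytes(error_status, "big")

def audit(exchanges, configured):
    """Classify (request, response) pairs captured from one device."""
    findings = []
    for request, response in exchanges:
        community, _, _ = parse_snmp(request)
        if response is None:                 # dropped: the expected outcome
            continue
        _, pdu_tag, status = parse_snmp(response)
        answered = pdu_tag == GET_RESPONSE and status == 0
        if answered and community not in configured:
            findings.append((community, "unconfigured community accepted"))
        elif answered and community in (b"public", b"private"):
            findings.append((community, "default community in use"))
    return findings

def tlv(tag, value):                         # builder for the samples only
    return bytes([tag, len(value)]) + value
def sample(community, pdu_tag):              # constructed sysDescr.0 message
    oid = tlv(0x06, bytes.fromhex("2b06010201010100"))
    value = tlv(0x04, b"modem") if pdu_tag == GET_RESPONSE else tlv(0x05, b"")
    pdu = tlv(0x02, b"\x01") + tlv(0x02, b"\x00") * 2 + tlv(0x30, tlv(0x30, oid + value))
    return tlv(0x30, tlv(0x02, b"\x01") + tlv(0x04, community) + tlv(pdu_tag, pdu))
```

Pass `audit()` the request/response pairs seen on UDP port 161 and the set of community strings the device is supposed to accept; an empty result means every unexpected community went unanswered.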

To comment on this article and other PCWorld content, visit our Facebook page or our Twitter feed.

NSA ends surveillance tactic that pulled in citizens’ emails, texts

The U.S. National Security Agency will no longer sift through emails, texts and other internet communications that mention targets of surveillance.

The change, which the NSA announced on Friday, stops a controversial tactic that critics said violated U.S. citizens’ privacy rights.

The practice involved flagging communications where a foreign surveillance target was mentioned, even if that target wasn’t involved in the conversation. Friday’s announcement means the NSA will stop collecting this data.

“Instead, this surveillance will now be limited to only those communications that are directly ‘to’ or ‘from’ a foreign intelligence target,” the NSA said in a statement.

As part of that change, the NSA will delete most of the internet communications that were collected using this surveillance tactic.

The agency said it decided to stop some of the activities because of technological constraints, U.S. citizens’ privacy interests, and difficulties with implementation.

The NSA said it made the change after reporting several incidents in which it inadvertently collected citizens’ communications while using this tactic. The Foreign Intelligence Surveillance Court, which oversees the agency’s spying powers, has issued an order approving the agency’s narrower approach to data collection, the NSA said.

Privacy advocates applauded the move.

“This change ends a practice that could result in Americans’ communications being collected without a warrant merely for mentioning a foreign target,” said U.S. Senator Ron Wyden of Oregon in a statement.

He plans to introduce legislation banning this kind of data collection.

Former NSA contractor Edward Snowden tweeted: “This is likely the most substantive of the post-2013 NSA reforms, if the principle is applied to all other programs.”

The NSA change specifically involves its upstream surveillance collection, and not the agency’s PRISM program, which allegedly spies on U.S. citizens.

Meet Windows Defender Security Center, your PC’s safety belt in the Creators Update

Microsoft made some much-needed changes to Windows Defender with the Creators Update. The built-in anti-virus app is renamed the Windows Defender Security Center, and as that name suggests, it’s a more fleshed-out security suite.

It’s not that Windows Defender has any new features. What Microsoft has done for the most part is bring together a number of security settings in Windows 10 that were scattered throughout the system.

Windows Defender pre-Creators Update.

The old Defender was a very bare-bones utility. The Home tab showed a confirmation that it was active, whether virus and spyware definitions were up-to-date, and when the last scan was.

There were also tabs to manually retrieve updates to spyware definitions and to view your Defender history. Other than that there was a link to access Defender’s options in the Settings app, as well as a Help menu.

That was it.

The landing page of the new Windows Defender Security Center is clearly a different beast. Information about your latest scan and spyware definitions is still there, but that’s just the beginning.

Windows Defender Security Center shows all its categories on the main screen, as well as in a left-hand menu.

Instead of three tabs at the top, the new Defender has an icon-based menu on the left side. Similar to other built-in apps for Windows 10, the menu only shows icons, and clicking the three-line menu icon expands to display the title for each icon.

You don’t really need that menu, however, as each item is also displayed in the main window complete with icon, explanation, and current status.

Here’s a quick tour of the new Security Center.

Virus & threat protection

Clicking on the top menu item lets you manage the basic spyware and virus capabilities of Defender. Here you’ll see your scan history, the ability to run a quick or more advanced scan, change your threat and protection settings, and update your anti-virus definitions.

Device performance & health

The second section includes a Health Report that details your most recent scan, and (rather unbelievably) the option to reinstall Windows. Microsoft has once again moved and renamed its feature for reinstalling Windows. For the Anniversary Update, the option was called “Reset this PC” and was in the Update & Recovery section of the Settings app. (You can still get to this option from the old location, but it takes you to Windows Defender Security Center.)

Now it’s accessible from Windows Defender under the name Fresh start. Click Additional info in this section to open a second screen. From here, click Get started to rese—er…give your PC a fresh start.

Firewall & network protection

The Windows Defender Security Center is now the starting place for the Windows Firewall. At the moment, there aren’t many settings here. Instead, all you see is the current status of the firewall. Clicking the links at the bottom of this window leads to either the Control Panel or the Settings app, with the exception of Firewall notifications settings. We can only assume that in the future Microsoft will move more firewall settings into Defender.

App & browser control

Windows’ SmartScreen controls are a helpful feature for novice and intermediate users. SmartScreen scans incoming files and apps for suspicious behavior.

The generic Windows SmartScreen used to be in the Control Panel, while the Edge and Store SmartScreens were in the Settings app. All the SmartScreen incarnations are now in the Defender Security Center.

Family options

The last section includes a link to various parental controls including the ability to limit screen time for your children, Windows’ activity reports for children, and so on.

Below the parental controls there’s a link to manage all the various Windows 10 devices for your family members.

The family options are the least interesting part of Defender, because this screen doesn’t actually house any settings. Clicking any of the links here takes you to Microsoft’s site, where all family information is managed as part of your Microsoft account.

There’s a lot more to Windows Defender than in previous iterations of Windows 10, and no doubt this security suite will become even more capable in the future.