
    Which is more secure: cable or DSL?

17 Posts 7 Posters 5.0k Views
kejianshi

If you aren't paranoid you are not paying attention…
charliem

This document from CableLabs gives a hint at just how easily your traffic can be covertly monitored / captured on a cable modem: http://www.cablelabs.com/specification/cable-broadband-intercept-2-0-specification/

Granted, that's only when the cable operator is presented with 'proper authorization', but I'm afraid that bar is frighteningly low:

    Appropriate Legal Authorization: A Broadband Intercept Order or other authorization, pursuant to [18 U.S.C. 2518], or any other relevant federal or state statute

Not to pick on the cable modem guys; I'm sure there are equivalent standards for intercepting all other data & voice transmissions, but this is written right into the DOCSIS standard.
Derelict (LAYER 8, Netgate)

CALEA reaches all technologies. Encrypt and authenticate.

Chattanooga, Tennessee, USA
A comprehensive network diagram is worth 10,000 words and 15 conference calls.
DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
Do Not Chat For Help! NO_WAN_EGRESS(TM)
kejianshi

Correct…
Mr. Jingles

Thank you all for your replies, much appreciated :-*

I should have stressed that I am not thinking about whether my ISP can monitor what I am doing; I know it can, since all data goes through its machines.

My concern was/is more whether my neighbor, living next door, can easily sniff what I am doing, since we are on the same 'LAN' segment (node).

So what I understand right now is: I still don't know ;D

So, it appears that under DOCSIS 2.0 sniffing the neighbor would have been rather easy, according to this DefCon talk:

[YouTube video]

(Which, btw, is not what is said in this 14-year-old thread: http://arstechnica.com/civis/viewtopic.php?t=1047846. Back in 2000, apparently they already said/thought the traffic on the 'LAN' is encrypted such that only the intended recipient, in this case my modem, can take it in/out; all the others on the segment cannot decode the traffic that passes all modems in the segment, only the intended recipient can.)

Under DOCSIS 3.0 it should be more difficult, 'provided the ISP has set up everything correctly'. Sure, but how would I know that?

(Your average ISP, at least over here, is as un-customer-friendly as can be, and one indicator for that is the people they put on the support departments to answer calls from customers: "information will be provided on a need-to-know basis only", and asking about how they have set up anything appears to be 'not need to know'.)

Then again, in this DefCon talk, of which I understand very little, it seems to be suggested that DOCSIS 3.0 isn't secure either (and I've learned that using cable phone seems a bad idea too):

[YouTube video]

(DefCon presentation slides can be found here, btw: https://www.defcon.org/html/links/dc-archives/dc-18-archive.html.)

Now this is interesting too:

    First of all, it's true about cable internet: it all passes down the same cable/line. But mostly the ISP gives you the cable modem, which should be locked by them and should block sniffing by default. If you want to sniff it you would need to hack into the modem first and then alter it to allow all traffic to get to your sniffing box.

(https://forums.hak5.org/index.php?/topic/28465-how-to-stop-a-sniffer-wout-breaking-his-nose/)

It is interesting because it appears that only two months ago a customer of the largest cable ISP over here discovered some nasty details in the appliances this cable ISP hands out:

http://userbase.be/forum/viewtopic.php?f=50&t=42216

Unfortunately, this thread is in Dutch, which will make it difficult for you all to read. What I've understood from it is that this customer was able to 'break into his own box', and then sniff his own traffic, capture his own phone calls, install backdoors and rootkits; and he is worried about tcpdump being installed on it by default and about there being a telnet service listening on the WAN by default:

    Just to be clear, this only works on my own modem; I can't do anything with other modems ...

    This is secured via the config files in the modem: only if you come from the Telenet management IP range can you talk to other modems ...

    This hack is a problem for the following reasons:

    • you can eavesdrop on phone calls and internet traffic
    • you can put malware on the modem
    • you can sniff the Telenet hotspot, which is normally completely separated
    • you can read the WiFi keys out of the modem
    • you can change the firewall
    • you can download firmware from Telenet's servers
    • you have full root access

    I also unlocked the bootloader, so in theory I can flash custom firmware to the modem myself.

Now, three key points are:

• He says he can only do it for his own modem;
• He is talking about the 'all in one' appliance, i.e. router/modem/WiFi; I have a modem only, so, being the noob that I am, I'm not sure which part is relevant for me;
• He has worked with the ISP to fix these problems, and apparently a firmware patch has been rolled out around now.

(After which he discovered another problem: he is able to access any customer's modem based on the WiFi SSID ::) )

In the end, I wanted to know this because my VDSL ISP is making a mess of things, and, of course, 'customer support' is denying everything. So I pay for 30/2, yet get 17/1.5. For the same money I can get 160/10 on cable, so I was thinking of making cable my primary WAN and VDSL my backup WAN (which is the exact opposite of what it is right now).

And so I still don't know whether my neighbor next door, who also has cable, can sniff my traffic. 'It depends', it seems, on my ISP, which, it seems, was just caught handing out very buggy / insecure modems.

What would you all do if you were in my shoes?

(Yes, ask for a new brain, I know ;D But I can't be blamed for that: I simply was last in line when they handed out the brains ;D )

Thank you for your comments,

Bye,

6 and a half billion people know that they are stupid, aggressive, lower life forms.
Derelict (LAYER 8, Netgate)

I have a DOCSIS 3 cable modem connection from Cox and a DSL connection from CenturyLink, both going through an outside switch on blank VLANs to pfSense WAN ports. I would be happy to take some packet captures for comparison.

I am not equipped to take ATM samples on the provider segment of the DSL modem, nor DOCSIS samples from the coax going to the cable modem provider (the provider sides of the DSL/cable modems). Those would probably be far more interesting.
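The WAN-side captures offered above are the one vantage point a pfSense user actually has between the modem and the firewall. What follows is an added example (not code from this thread, from Netgate or from pfSense) of how a practitioner would triage such a capture for the neighbor question: on the Ethernet side of a cable modem you should only see frames that involve your own WAN MAC plus the usual broadcast/multicast noise, so unicast frames between two other MAC addresses mean the modem is handing you other subscribers' traffic. The script parses a classic libpcap file with only the standard library; the MAC addresses and the capture bytes it runs on are constructed sample data, not a real capture.

```python
"""Triage a WAN-side packet capture for frames that do not belong to you.

Added example (not from the thread). Assumes a classic libpcap file,
as written by `tcpdump -w` or pfSense Diagnostics > Packet Capture,
taken on the pfSense WAN interface behind a cable or DSL modem.
"""
import struct
from collections import Counter

PCAP_MAGIC_LE = 0xA1B2C3D4
PCAP_MAGIC_BE = 0xD4C3B2A1
LINKTYPE_ETHERNET = 1
BROADCAST = b"\xff" * 6


def mac_bytes(text):
    """'00:11:22:33:44:55' -> 6 raw bytes."""
    return bytes.fromhex(text.replace(":", "").replace("-", ""))


def ethernet_frame(dst, src, ethertype=0x0800, payload=b"\x45" + b"\x00" * 19):
    """Build a minimal Ethernet II frame (constructed test data only)."""
    return mac_bytes(dst) + mac_bytes(src) + struct.pack(">H", ethertype) + payload


def build_pcap(frames):
    """Serialise raw frames into an in-memory classic pcap (for the demo)."""
    header = struct.pack("<IHHiIII", PCAP_MAGIC_LE, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    body = b""
    for i, f in enumerate(frames):
        body += struct.pack("<IIII", 1_700_000_000 + i, 0, len(f), len(f)) + f
    return header + body


def iter_frames(pcap):
    """Yield each captured frame from classic pcap bytes (either byte order)."""
    (magic,) = struct.unpack("<I", pcap[:4])
    if magic == PCAP_MAGIC_LE:
        endian = "<"
    elif magic == PCAP_MAGIC_BE:
        endian = ">"
    else:
        raise ValueError("not a classic pcap file (pcapng is not handled here)")
    (linktype,) = struct.unpack(endian + "I", pcap[20:24])
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError("expected an Ethernet capture")
    offset = 24
    while offset + 16 <= len(pcap):
        _, _, incl_len, _ = struct.unpack(endian + "IIII", pcap[offset:offset + 16])
        offset += 16
        yield pcap[offset:offset + incl_len]
        offset += incl_len


def classify(pcap, my_mac):
    """Bucket frames: involves my WAN MAC, broadcast/multicast, or unicast between other hosts."""
    mine = mac_bytes(my_mac)
    counts = Counter()
    foreign_pairs = Counter()
    for f in iter_frames(pcap):
        if len(f) < 14:
            counts["runt"] += 1
            continue
        dst, src = f[:6], f[6:12]
        if mine in (dst, src):
            counts["mine"] += 1
        elif dst == BROADCAST or dst[0] & 1:   # group bit set = multicast
            counts["bcast_mcast"] += 1
        else:
            # Unicast between two hosts that are not us: the modem is
            # forwarding someone else's traffic to our port.
            counts["foreign_unicast"] += 1
            foreign_pairs[(src.hex(":"), dst.hex(":"))] += 1
    return counts, foreign_pairs


# Constructed sample capture (hypothetical MACs), not real traffic.
MY_MAC = "00:0d:b9:11:22:33"
GW_MAC = "00:1a:2b:3c:4d:5e"
SAMPLE_PCAP = build_pcap([
    ethernet_frame(MY_MAC, GW_MAC),                            # to us
    ethernet_frame(GW_MAC, MY_MAC),                            # from us
    ethernet_frame("ff:ff:ff:ff:ff:ff", GW_MAC, ethertype=0x0806),  # ARP broadcast
    ethernet_frame("01:00:5e:00:00:01", GW_MAC),               # IPv4 multicast
    ethernet_frame("00:50:56:aa:bb:cc", "00:50:56:dd:ee:ff"),  # someone else's unicast
])

if __name__ == "__main__":
    counts, pairs = classify(SAMPLE_PCAP, MY_MAC)
    print(dict(counts))
    for (src, dst), n in pairs.most_common():
        print(f"unicast not for us: {src} -> {dst} ({n} frames)")
```

To use it on a real capture, take one on the WAN interface (pfSense Diagnostics > Packet Capture, or `tcpdump -ni <wan_if> -w wan.pcap` from the shell; tcpdump captures in promiscuous mode by default, which is what makes frames not addressed to you visible at all) and pass the file's bytes to classify() together with your WAN MAC. Two caveats: a clean result only shows what the modem chose to forward to its Ethernet port, not that the coax segment itself is encrypted (whether DOCSIS Baseline Privacy is enabled is something the modem's own status page typically reports), and the thread's real answer stands regardless: assume the segment is shared, and encrypt and authenticate end to end.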
kejianshi

Anything is secure if pfSense is sitting on the other side and the installer is semi-competent.
Mr. Jingles

@kejianshi:

    Anything is secure if pfSense is sitting on the other side and the installer is semi-competent.

That was not the subject; the subject was before pfSense can do its thing ;D
Mr. Jingles

@Derelict:

    I have a DOCSIS 3 cable modem connection from Cox and a DSL connection from CenturyLink, both going through an outside switch on blank VLANs to pfSense WAN ports. I would be happy to take some packet captures for comparison.

    I am not equipped to take ATM samples on the provider segment of the DSL modem, nor DOCSIS samples from the coax going to the cable modem provider (the provider sides of the DSL/cable modems). Those would probably be far more interesting.

Thank you ;D

I only understand half of what you are writing, remaining the proud noob that I am :P

Do you want me to capture something which you can then analyze? How would I need to provide you with the information you need?

Btw, this I found intriguing:

    I have a DOCSIS 3 cable modem connection from Cox and a DSL connection from CenturyLink both going through an outside switch on blank VLANs to pfSense WAN ports

You don't have cable and VDSL on two NICs, but on VLANs? I am trying to understand how that would work in the first place, as I don't get any further with my knowledge than:

Cable/VDSL modem => pfSense NICs => WAN1/WAN2 => (V)LAN => Switch => machines

But you have(?):

Cable/VDSL => Switch => (V)LAN => ?
Derelict (LAYER 8, Netgate)

No, they're on physical ports. Could be VLANs though.
Mr. Jingles

Well, given I can't find any more info on this, I decided to 'take the dive'. I've ordered 160 cable, and will use this to make VDSL the backup and cable the primary. Total cost stays the same, so let's hope this helps fix my ISP crap.

Thank you all for commenting ;D
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.