Which is more secure: cable or DSL?
-
If you aren't paranoid you are not paying attention…
-
This document from CableLabs gives a hint at just how easily your traffic can be covertly monitored / captured on a cable modem: http://www.cablelabs.com/specification/cable-broadband-intercept-2-0-specification/
Granted, that's only when the cable operator is presented with 'proper authorization', but I'm afraid that bar is frighteningly low:
> Appropriate Legal Authorization: A Broadband Intercept Order or other authorization, pursuant to [18 U.S.C. 2518], or any other relevant federal or state statute
Not to pick on the cable modem guys, I'm sure there are equivalent standards for intercepting all other data & voice transmissions, but this is written right into the DOCSIS standard.
-
CALEA reaches all technologies. Encrypt and authenticate.
-
Correct…
-
Thank you all for your replies, much appreciated :-*
I should have stressed that I am not thinking about if my ISP can monitor what I am doing, I know he can since all data goes through his machines.
My concern was/is more if my neighbor, living next door, can easily sniff what I am doing since we are on the same 'LAN' segment (node).
So what I understand right now is: I still don't know ;D
So, it appears under DOCSIS 2.0 sniffing the neighbor would have been rather easy, according to this DefCon talk:
(Which, btw, is not what is said in this 14-year-old thread: http://arstechnica.com/civis/viewtopic.php?t=1047846. Back in 2000, apparently they already said/thought the traffic on the 'LAN' is encrypted such that only the intended recipient, casu quo my modem, can take it in/out; all the others on the segment cannot decode the traffic that passes all modems in the segment, only the intended recipient can).
Under DOCSIS 3.0 it should be more difficult, 'provided the ISP has set up everything correctly'. Sure, but how would I know that?
(Your average ISP, at least over here, is as un-customer-friendly as can be, and one indicator for that is the people they put on the support departments to answer calls from customers: 'information will be provided on a need to know basis only', and asking about how they have set up anything appears 'not need to know'.)
Then again, in this DefCon talk, of which I understand very little, it seems to be suggested that DOCSIS 3.0 isn't secure either (and I've learned using cable phone seems a bad idea too):
(DefCon presentation sheets can be found here, btw: https://www.defcon.org/html/links/dc-archives/dc-18-archive.html).
Now this is interesting too:
> First of all it's true about cable internet. It all passes down the same cable/line. But mostly the ISP gives you the cable modem. Which should be locked by them and should block the sniffing by default. If you want to sniff it you would need to hack inside the modems first and then alter them to allow all traffic to get to your sniffing box
(https://forums.hak5.org/index.php?/topic/28465-how-to-stop-a-sniffer-wout-breaking-his-nose/)
It is interesting because it appears that only two months ago a customer of the largest cable ISP over here discovered some nasty details in the appliances this cable ISP hands out:
http://userbase.be/forum/viewtopic.php?f=50&t=42216
Unfortunately, this thread is in Dutch, which will make it difficult for you all to read. What I've understood from it is that this customer was able to 'break into his own box', and then sniff his own traffic, capture his own phone calls, install backdoors and root kits, and he is worried about tcpdump being installed on it by default and that there is a telnet running on WAN by default:
even ter verduidelijking dit werkt enkel op men eigen modem ik kan niets doen met andere modems … ==> Just to be sure, I can only do this on my own modem
dit wordt via de config files in de modem beveiligt enkel als je van de telenet management ip range komt kan je met andere modems praten ... ==> This is being secured through config files; 'only if you arrive from the ISP's management ip-range are you allowed to other modems'
deze hack is een probleem om de volgende redenen ==> This hack is a problem for these reasons:
- je kan telefoon gesprekken en internetverkeer afluisteren ==> You can sniff phone and internet traffic
- je kan malware in de modem plaatsen ==> you can put malware on the modem
- je kan de telenethomspot sniffen die normaal volledig gesheiden is ==> You can sniff the hotspot, which normally is a fully separated network
- je kan wifi keys uit de modem leezen ==> you can read the WIFI-keys
- je kan de firewall aanpassen ==> You can change the firewall
- je kan firmware downloaden van telenet servers ==> You can install firmware
- je hebt full root acces ==> You've got full root access
Ik heb ook de bootloader unlocked dus in theory kan ik zelf custom firmware flashen naar de modem ==> I also unlocked the bootloader so theoretically I could flash custom firmware to the modem
Now, three key points are:
- He says he can only do it for his own modem;
- He is talking about the 'all in one appliance', e.g. router/modem/WIFI; I have modem only, so being the noob that I am I'm not sure which part is relevant for me;
- He has worked with the ISP to fix these problems, and apparently a firmware patch has been rolled out around now.
(After which he discovered another problem: he is able to access any customer's modem based on the WIFI SSID ::) ).
In the end, I wanted to know this as my VDSL-ISP is making a mess of things, and, of course, the 'customer support' is denying everything. So I pay for 30/2, yet get 17/1,5. For the same money, I can get 160/10 on cable, so I was thinking to make cable my primary WAN, and VDSL my backup WAN (which is the exact opposite of what it is right now).
And so I still don't know if my neighbor, next door, who also has cable, can sniff my traffic. 'It depends', it seems, on my ISP. Who was just caught having, so it seems, very buggy / insecure modems.
What would you all do if you would be in my shoes?
(Yes, ask for a new brain, I know ;D But I can't be blamed for that: I simply was last in line when they handed out the brains ;D ).
Thank you for your comments,
Bye,
-
I have a DOCSIS3 cable modem connection from Cox and a DSL connection from CenturyLink both going through an outside switch on blank VLANs to pfSense WAN ports. I would be happy to take some packet captures for comparison.
I am not equipped to take ATM samples on the provider segment of the DSL modem nor DOCSIS samples from the coax going to the cable modem provider (the provider sides of the DSL/Cable Modems). Those would probably be far more interesting.
-
Anything is secure if pfsense is sitting on the other side and the installer is semi-competent.
-
> Anything is secure if pfsense is sitting on the other side and the installer is semi-competent.
That was not the subject, the subject was before pfSense can do its thing ;D
-
> I have a DOCSIS3 cable modem connection from Cox and a DSL connection from CenturyLink both going through an outside switch on blank VLANs to pfSense WAN ports. I would be happy to take some packet captures for comparison.
> I am not equipped to take ATM samples on the provider segment of the DSL modem nor DOCSIS samples from the coax going to the cable modem provider (the provider sides of the DSL/Cable Modems). Those would probably be far more interesting.
Thank you ;D
I only understand half of what you are writing, remaining the proud noob that I am :P
( :-[ ).
Do you want me to capture something which you can then analyze? How would I need to provide you with the information you need?
Btw, this I found intriguing:
> I have a DOCSIS3 cable modem connection from Cox and a DSL connection from CenturyLink both going through an outside switch on blank VLANs to pfSense WAN ports
You don't have cable and VDSL in two NICs, but on VLANs? I am trying to understand how that would work in the first place, as I don't get any further with my knowledge than:
Cable/VDSL-modem => pfSense NICs => WAN1/WAN2 => (V)LAN => Switch => machines
But you have(?):
Cable/VDSL => Switch => (V)LAN => ?
-
No, they're on physical ports. Could be VLANs though.
-
Well, given I can't find any more info on this, I decided to 'take the dive'. I've ordered 160 Cable, and will use this to swap my VDSL to be the backup, and cable the primary one. Total cost stays the same, so let's hope this helps fix my ISP-crap.
Thank you all for commenting ;D