Free Republic

Comcast's WiFi router lets your ISP spy on you, shut you down
gigaom. | May 6, 2004 | Om Malik

Posted on 05/08/2004 5:45:49 AM PDT by pending

Linksys, now a division of Cisco, has recently been touting its deal with Comcast as a big win. Well, looks like there are some serious problems with this 802.11g/Modem gateway combo, according to informed sources.

If you scroll through the press release, you come to a section which says that the gateway supports a CableHome 1.0 “for the ability to deliver secure, managed services from Comcast’s head-end network to the subscribers’ home network.” Now there is a big problem with this thing - for instance, the CableHome 1.0 standard allows cable operators to snoop around their home networks and learn things such as how many computers are attached to the gateway and what kind of traffic they are generating/receiving. (Beware Vonage fans, this could be used to detect your Vonage ATA as well.)

In case you were wondering, where’s the juice. Go to the Cable Labs website and read this document. Scroll down to Section 6.3.1 and read:

The goals for the CableHome Management Portal include:
* Enable viewing of LAN IP Device information obtained via the CableHome DHCP Portal (CDP)
* Enable viewing of the results of LAN IP Device performance monitoring done by the CableHome Test Portal (CTP)
* Provide the capability to disable LAN segments

What this means is that Comcast can use its immense clout and shut down little companies like Vonage, prevent us from using our broadband connections in the way we want to use them. There was an article on Brian Roberts, which described him as the Godfather. Well he is one and if we don’t do something about it, well they are going to be snooping on your network. I have emailed the folks at Comcast and Linksys, and will post what they have to say.


TOPICS: Crime/Corruption; Culture/Society; Miscellaneous; Technical
KEYWORDS: comcast; internet; wifi
This is breaking, not in a major publication yet, that I have found. I came across this via the very good: http://boingboing.net/

Comcast's WiFi router lets your ISP spy on you, shut you down

Om Malik warns that the Linksys WiFi boxes that Comcast is supplying to its customers allow Comcast to remotely detect and disconnect devices on your home network, like your VoIP phone (which competes with Comcast's long-distance service).

If you scroll through the press release, you come to a section which says that the gateway supports a CableHome 1.0 "for the ability to deliver secure, managed services from Comcast’s head-end network to the subscribers’ home network." Now there is a big problem with this thing - for instance, the CableHome 1.0 standard allows cable operators to snoop around their home networks and learn things such as how many computers are attached to the gateway and what kind of traffic they are generating/receiving. (Beware Vonage fans, this could be used to detect your Vonage ATA as well.)

In case you were wondering, where’s the juice. Go to the Cable Labs website and read this document. Scroll down to Section 6.3.1 and read:

The goals for the CableHome Management Portal include:
* Enable viewing of LAN IP Device information obtained via the CableHome DHCP Portal (CDP)
* Enable viewing of the results of LAN IP Device performance monitoring done by the CableHome Test Portal (CTP)
* Provide the capability to disable LAN segments

1 posted on 05/08/2004 5:45:49 AM PDT by pending

To: Egon; Eb Wilson
Big Brother Ping
2 posted on 05/08/2004 6:00:59 AM PDT by RhoTheta

To: pending
So why not add a switch inside the network and run your home machines off the switch?
3 posted on 05/08/2004 6:04:18 AM PDT by neutrino (Everybody, soon or late, sits down to a banquet of consequences. Robert Louis Stevenson.)

To: pending
Looks like I "lucked out". I started putting together a wireless home network around a Linksys access port/router unit, and had nothing but problems. The Linksys router would drop connections for no known reason, and eventually died completely after about a month. I bought a D-link unit to replace it and have not had any problems whatsoever.

Your article gives me yet another good reason to never buy a Linksys product again (the crappy quality being the first).

4 posted on 05/08/2004 6:05:04 AM PDT by Wonder Warthog (The Hog of Steel)

To: Wonder Warthog
BTW...I am on Vonage VOIP now..It is flawless so far. Unlimited local is fifty bux here in Vermont, with my long distance, another ten...I have done well with the 25/month plan.
I can recommend it.

Interesting note, all routers work simply with Vonage, except the Linksys...Vonage includes an involved set of instructions on setting one up.

Vonage is gaining ground, they are in a lawsuit now with ATT, which has a "callvantage" voip. ATT bought up all the links around mis-spellings of "Vonage" to get the typo folks confused and steal the business.
5 posted on 05/08/2004 6:14:41 AM PDT by pending

To: Wonder Warthog
I had very bad luck with the early Linksys WAP11 wireless access points. They truly were crappy. The last year or so has seen a big improvement in their quality and I'm running a router/firewall/switch, a wireless access point, a media adapter and a couple of PCI wireless cards at home with no problems.

The snooping that this article suggests sounds like it can be defeated pretty easily by connecting their network device to a firewall and using private IP numbers "inside". They can't browse your network or shut down your devices in that case.

6 posted on 05/08/2004 6:15:05 AM PDT by Honcho Bongs

To: pending
Also, it is a good idea to disable CDP (Cisco Discovery Protocol) for security reasons anyway, wireless or not.
7 posted on 05/08/2004 6:22:59 AM PDT by Unassuaged (Respect the delicate ecology of your delusions.)

To: pending
Bump for later...
8 posted on 05/08/2004 6:24:25 AM PDT by demlosers

To: Unassuaged
Yes, a good idea in this case.
9 posted on 05/08/2004 6:28:27 AM PDT by demlosers

To: demlosers
RouterA(config)#no cdp run
10 posted on 05/08/2004 6:30:20 AM PDT by demlosers

To: pending
Why do propeller-heads assume that the rest of the world knows what "Vonage" is or stuff like "DHCP Portal (CDP)" and "CableHome Test Portal (CTP)"??

Mind you, this topic may be of immense interest to the average user, if they could just understand what is being discussed.

On the other hand, people who abuse the internet and use it in ways that it was not intended to be used get no sympathy from me. The problem is, there is no way for the average moderately-informed web user to tell from a jargon-filled post like this one.

11 posted on 05/08/2004 6:49:46 AM PDT by Publius6961 (I don't do diplomacy either.)

To: Publius6961
This is because the press release isn't intended for "moderately informed" web users. These press releases are meant to taunt the competition and entice the decision makers at companies who actually do the buying to purchase.

It is a very rare instance that a cable company or phone company will let you choose what kind of device you use to access their broadband network in the US. The most common occurrence is you tell them what service level you want and then they send you equipment. You don't get to choose from a list.
12 posted on 05/08/2004 7:03:01 AM PDT by nhoward14 (An average woman loses more blood in one monthly cycle than John Kerry ever lost in Vietnam.)

To: Honcho Bongs
I have very good luck with linky products at home and work.

One thing I noticed with Earthlink is that when they went to the new PPPoE modems, I had tons of drops. They were releasing idle connections with DHCP drops from what I could tell. Since the router install, three devices on full time no drops. HAH.

13 posted on 05/08/2004 7:07:41 AM PDT by doodad

To: Wonder Warthog
Looks like I "lucked out".

Looks like you had coincidence. This story is fresh, which means the news release is fresh. And you think your problems were related?

Hardware sometimes fails. Sometimes in just the way you describe. In fact my last Linksys wired 4-port router started failing this winter, locking up, dropping connections, etc. Guess what? It was OLD - purchased in 1999. Now I have another one, connected to my Linksys cable modem and they work just fine.

14 posted on 05/08/2004 7:11:28 AM PDT by RedWing9 (No tag here... Just want to stay vague...)

To: pending
Kindly explain specifically how you get from "Comcast's WiFi router lets your ISP spy on you, shut you down"

to this:

"The goals for the CableHome Management Portal include: * Enable viewing of LAN IP Device information obtained via the CableHome DHCP Portal (CDP) * Enable viewing of the results of LAN IP Device performance monitoring done by the CableHome Test Portal (CTP) * Provide the capability to disable LAN segments"

PS - The sky isn't falling, either.
15 posted on 05/08/2004 7:51:13 AM PDT by adam_az (Call your State Republican Party office and VOLUNTEER!!!!)

To: pending
Ummm, excuse me, hate to bust your bubble here but any time you have an ISP provided router that ISP can:

1) watch your traffic (actually they can do it even on dial up)

2) determine MAC addresses and thus the number of PCs at the end of that router

3) place all kinds of restrictions on what you can see and where you can go and what you can do.

Nature of the technology.
16 posted on 05/08/2004 8:14:13 AM PDT by taxcontrol (People are entitled to their opinion - no matter how wrong it is.)

To: neutrino
Won't work. The switch must forward the packet with the original MAC address intact to the router. Only true way to obscure the MAC address is to front with another router or proxy gateway.
17 posted on 05/08/2004 8:16:08 AM PDT by taxcontrol (People are entitled to their opinion - no matter how wrong it is.)
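Added example, not part of any post in this thread: a simplified Python model of the point made in posts 6 and 17, comparing what an upstream ISP-managed gateway can record on its LAN port when home devices sit behind a plain switch versus behind a customer-owned NAT router. The classes, function names and all addresses are constructed for illustration and do not represent CableHome's actual implementation.

```python
# Simplified model (added example): what an ISP-managed gateway can learn on
# its LAN port when home devices sit behind a plain switch versus behind a
# customer-owned NAT router. All addresses below are constructed samples.
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class Frame:
    src_mac: str
    src_ip: str
    src_port: int
    dst_ip: str

class Switch:
    """Layer-2 device: forwards frames unchanged, so source MACs pass through."""
    def forward(self, frame):
        return frame

class NatRouter:
    """Layer-3 device: re-originates traffic from its own WAN MAC and IP."""
    def __init__(self, wan_mac, wan_ip):
        self.wan_mac, self.wan_ip = wan_mac, wan_ip
        self.table = {}          # (inside ip, inside port) -> outside port
        self.next_port = 40000

    def forward(self, frame):
        key = (frame.src_ip, frame.src_port)
        if key not in self.table:
            self.table[key] = self.next_port
            self.next_port += 1
        return replace(frame, src_mac=self.wan_mac, src_ip=self.wan_ip,
                       src_port=self.table[key])

def gateway_view(device, frames):
    """Return the {MAC: set of IPs} table the upstream gateway could build."""
    seen = {}
    for f in map(device.forward, frames):
        seen.setdefault(f.src_mac, set()).add(f.src_ip)
    return seen

HOME_TRAFFIC = [  # constructed: two PCs and a VoIP adapter
    Frame("02:00:00:00:00:11", "192.168.1.10", 51000, "203.0.113.5"),
    Frame("02:00:00:00:00:12", "192.168.1.11", 51001, "203.0.113.5"),
    Frame("02:00:00:00:00:13", "192.168.1.12", 5060, "198.51.100.7"),
]

if __name__ == "__main__":
    print("switch:", gateway_view(Switch(), HOME_TRAFFIC))
    print("router:", gateway_view(NatRouter("02:00:00:00:00:fe", "10.0.0.2"), HOME_TRAFFIC))
```

In this model the router hides the number and MAC addresses of inside devices, but destination addresses pass through unchanged, so the upstream gateway still sees where traffic is going.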

To: Wonder Warthog
The REAL issue here is does your ISP have access to your router. If it is an ISP provided router - most likely they will have access. If you provide the router, they are prohibited by LAW from accessing your router.

Folks, the issue is who owns the equipment. If you buy the equipment - REGARDLESS of brand - and they hack into it, then they have violated LAW. If THEY provide the equipment, then they own it, and they can do whatever they want.

BTW, Linksys runs Linux code. If you don't like the idea of them being able to see your box AND YOU OWN IT, blow in different code.
18 posted on 05/08/2004 8:20:41 AM PDT by taxcontrol (People are entitled to their opinion - no matter how wrong it is.)

To: Wonder Warthog
Personally I'm sold on Netgear. I've used a bunch of their stuff and have not had any problems. It's so easy to install it's silly, and it never crashes. What more do you want?
19 posted on 05/08/2004 8:24:06 AM PDT by Jack Black

To: agitator
Ping.
20 posted on 05/08/2004 8:27:26 AM PDT by diotima (Juke Box Hero)

