Security questions

by czep415 » Wed Feb 10, 2016 4:44 pm
Hi Sonic community!

I have several security related questions that I haven't been able to find good answers for on the wiki and forums. Since security is a constant battle, I think it's critical that we remain vigilant and scrutinize our home network security configurations to stay safe. If anyone has thoughts or input on these questions, please share as they can benefit everyone!

1. The Pace modems (and probably others) supplied by Sonic support TR-069 as a management interface. Presumably this is the protocol that Sonic uses to remotely communicate with onsite modems. However, this protocol can be vulnerable to attack. See for example http://www.pcworld.com/article/2463480/ ... s-say.html. What protections does Sonic have in place to monitor for and mitigate intrusion attempts?

2. What other possible attacks can be leveraged against our modems? Apart from wireless (see next question), is there any way for attackers to probe or gain entry to our home networks? Are any services running on publicly accessible ports, like ssh or http? Is the modem's management interface accessible from outside the LAN?

3. What best practices should be followed to secure Sonic modems that also serve as wireless access points? Is there any information leakage to unauthenticated users? Are the default passwords secure enough or could they be cracked? When first turned on "out of the box", what are the risks that eavesdroppers could monitor traffic to the WAP and possibly intercept credentials?

I consider myself rather paranoid when it comes to security, but unfortunately I don't feel like I understand the risks since there is so much closed-source code and firmware involved in these modems. What can we do to protect our networks?

Thank you.
by pockyken007 » Thu Feb 11, 2016 9:47 am
Good questions, and I am pretty sure somebody from Sonic will answer them for you.

Here is what I do with my network, passwords and data security.

I change my passwords every 2 weeks for all my network devices and make it an alpha-numeric combination that usually uses words from 3 random languages (including fantasy languages) so it's harder for straight brute force or dictionary attacks to crack it.

As for eavesdroppers, I monitor my network traffic and have set up filters and rules that would notify me of anything out of the ordinary.

Aside from that there is not much one can do (encrypting your whole traffic I guess...) aside from being diligent, smart and cautious when being on the net.
by adame » Thu Feb 11, 2016 4:43 pm
czep415 wrote:1. The Pace modems (and probably others) supplied by Sonic support TR-069 as a management interface. Presumably this is the protocol that Sonic uses to remotely communicate with onsite modems. However, this protocol can be vulnerable to attack. See for example http://www.pcworld.com/article/2463480/ ... s-say.html. What protections does Sonic have in place to monitor for and mitigate intrusion attempts?
These are all good questions.

We do use TR069 to remotely communicate with modems. We use HTTPS instead of HTTP, our ACS is not directly exposed to the internet and we don't accept self-signed certificates. Our ACS provider performs routine security audits using the Qualys SSL Lab Suite to ensure compliance and that the platform is not susceptible to newly discovered vulnerabilities.
czep415 wrote:2. What other possible attacks can be leveraged against our modems?
We are, of course, not aware of any vulnerabilities to the Pace modems we distribute. Any reported vulnerabilities always receive the highest priority and a fix is pushed as close as we can to immediately.

If you're looking for an answer to what types of attacks modems are vulnerable to in a general sense, I think a really interesting resource for this is http://www.cvedetails.com. You can navigate to Vulnerability by Type, and look at the most common types of security exploits out there and the per year trends. You can search vendors whose equipment you might own, to see what potential vulnerabilities you might need to patch in that router you've been using for a few years.
czep415 wrote:Apart from wireless (see next question), is there any way for attackers to probe or gain entry to our home networks? Are any services running on publicly accessible ports, like ssh or http? Is the modem's management interface accessible from outside the LAN?
The way that comes to mind for attacks to gain access to a home network is when the user intentionally opens up access through the firewall via port forwarding, LAN Subports, or DMZ Plus. If the service running on an accessible port isn't secure, the home network is absolutely vulnerable.

No WAN side services (aside from TR069) are running on the modem. That's a requirement for us to consider a new firmware release acceptable, and part of our check list for any new firmware candidate is to run a port scan on it to check.

Support technicians can use TR069 to initiate a secured remote management session on the modem for a brief window in order to help a customer with their settings. The session uses https, an individualized and random set of credentials for each modem, and times out after 5 minutes of inactivity.

The positive side of having TR069 available on the modem is that we are constantly on the lookout for new potential threats, and in the future if we do become aware of a vulnerability, TR069 allows us to patch it quickly.
czep415 wrote:3. What best practices should be followed to secure Sonic modems that also serve as wireless access points? Is there any information leakage to unauthenticated users? Are the default passwords secure enough or could they be cracked? When first turned on "out of the box", what are the risks that eavesdroppers could monitor traffic to the WAP and possibly intercept credentials?
The out of the box wireless configuration is most likely to be the most secure. The modem is configured using a WPA2/AES security key, with a randomly generated alphanumeric security key. Customers who change their wireless password to something easier to remember are likely to be more vulnerable to potential dictionary attacks, and customers who switch to WEP to accommodate older hardware are more vulnerable. Keep pin-method WPS disabled, as this functionality does make cracking WPA2 easier. If you are going to change your wireless key, convention says to make sure it's at 12 characters, mixed-case, including numbers and special characters.

I think that covers it. If you have any other questions, please feel free to ask.
Adam Martinetti
Customer Experience Manager
Sonic.
by Guest » Thu Feb 11, 2016 4:57 pm
adame wrote:If you are going to change your wireless key, convention says to make sure it's at 12 characters, mixed-case, including numbers and special characters.
I've heard that 20 characters was the minimum to avoid certain weaknesses. I remember because I became irritated when I found my key was only 19 characters at the time.
by Guest » Thu Feb 11, 2016 5:10 pm
adame wrote:The out of the box wireless configuration is most likely to be the most secure. The modem is configured using a WPA2/AES security key, with a randomly generated alphanumeric security key.
I didn't pay attention to Sonic's Pace gateway when I helped a family member set it up several weeks ago. But AT&T's Pace gateways show the WiFi keys in the clear when you connect to the webserver and no authentication is required to display the Home page. That's just a bone-headed decision. The guest network isn't allowed to connect to the gateway.
by dane » Thu Feb 11, 2016 5:12 pm
My biggest premise security concern is "fire and forget" retail network equipment, which can be abandoned by their makers or not updated by the users. The three year old TP-Link might have new firmware available, but the buyer isn't ever notified about it. A compromise could mean you can no longer trust DNS, and the URL you type doesn't send you to the financial website you expected. This extends to network attached storage devices like the Synology NAS, or routers with NAS functions too. A compromise can mean critical documents such as tax records and other fodder for identity theft.

The concerns about ongoing security updates helped us choose to make the investment in a TR-069 ACS platform that allows us to deploy ongoing security updates with management of the modem/router equipment. (Part of our equipment fee goes toward the ACS annual licensing.)

We also moved from providing bridges to 100% routers with NAT and firewalling, because customers with simple bridges were more vulnerable, as their LAN and PCs were directly connected with a public IP. And providing a full residential gateway with WiFi means less random DLink/Linksys/TPLink etc. equipment, and thus lower risk for our members.

Thanks Adam for the other details.
Dane Jasper
Sonic
by Guest » Thu Feb 11, 2016 5:56 pm
Adam/Dane,
I couldn't have expressed it better. The article is around 18 months old and the author bases his results on regional ACS systems. There have been numerous alerts in the CVE system which have helped make internet browsing much more secure.

The OP asked about best practices for wireless configuration. Industry standard 10 years ago was a 40-bit numerical WEP key. Today, the standard is much more complex and secure with keys having letters of both cases, numbers and special characters being included. This increases the number of bits required to create the character and in turn increases the difficulty of being able to crack the key.
Most hackers will try to crack the easiest target. A system with no or weak encryption (WEP) will be targeted before trying to target stronger encrypted systems (WPA/WPA2 using TKIP or AES). I believe Adam was attempting to provide a minimum acceptable Best Practice when selecting a WAP password. One can certainly use a larger password but there needs to be a balance of strength and usability when trying to connect. Try remembering a 20+ character password when your kids bring a friend over and want Wifi access. Sure, you can use the guest SSID, but you will most likely have that protected with a similar password strength which makes it difficult to use.
Another best practice, which a previous poster had mentioned, was to change the password regularly. If you have concerns that you believe you have been targeted, change it! But remember how many different devices you will have to enter that 20+ character string into. In my house, the count is 18 and rising...

bulldog85043
by Guest » Thu Feb 11, 2016 5:58 pm
Guest wrote:
adame wrote:The out of the box wireless configuration is most likely to be the most secure. The modem is configured using a WPA2/AES security key, with a randomly generated alphanumeric security key.
I didn't pay attention to Sonic's Pace gateway when I helped a family member set it up several weeks ago. But AT&T's Pace gateways show the WiFi keys in the clear when you connect to the webserver and no authentication is required to display the Home page. That's just a bone-headed decision. The guest network isn't allowed to connect to the gateway.
AT&T has different requirements than Sonic.

bulldog85043
by Guest » Thu Feb 11, 2016 11:49 pm
Guest wrote:Try remembering a 20+ character password when your kids bring a friend over and want Wifi access. Sure, you can use the guest SSID, but you will most likely have that protected with a similar password strength which makes it difficult to use.
Use a passphrase and it's easy to average 30 characters and be easy to remember. Just stick to a system and it will work. Have different systems for primary, IoT, and guest networks so if you give out one key to people they won't be able to decipher your other networks' phrases.
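
An added example, not part of any post in this thread: the key-length advice above (12 mixed characters, 20 characters, a 30-character passphrase) compared by entropy, assuming every character or word is picked uniformly at random. The function names and the small word list are constructed for illustration.

```python
import math
import secrets
import string

# Printable ASCII without the space: mixed case, digits and specials (94 symbols).
FULL = string.ascii_letters + string.digits + string.punctuation
ALNUM = string.ascii_letters + string.digits  # 62 symbols

# Constructed demo word list (assumption). A real list should be large,
# e.g. a 7776-word diceware list; this one is far too small for real use.
DEMO_WORDS = ["amber", "birch", "cobalt", "dune", "ember", "fjord", "garnet", "heron"]

def entropy_bits(symbols: int, count: int) -> float:
    """Entropy of `count` independent uniform picks from `symbols` choices."""
    return count * math.log2(symbols)

def units_needed(target_bits: float, symbols: int) -> int:
    """Fewest uniform picks from `symbols` choices that reach `target_bits`."""
    return math.ceil(target_bits / math.log2(symbols))

def random_key(length: int, alphabet: str = FULL) -> str:
    """Key drawn with the OS CSPRNG (secrets), not the `random` module."""
    return "".join(secrets.choice(alphabet) for _ in range(length))

def random_passphrase(n_words: int, words=DEMO_WORDS, sep: str = "-") -> str:
    """Passphrase of independently chosen words joined by `sep`."""
    return sep.join(secrets.choice(words) for _ in range(n_words))

def valid_wpa2_passphrase(s: str) -> bool:
    """WPA2-PSK passphrases are 8 to 63 printable ASCII characters."""
    return 8 <= len(s) <= 63 and all(32 <= ord(c) <= 126 for c in s)

if __name__ == "__main__":
    target = entropy_bits(len(FULL), 12)
    print(f"12 random chars (94 symbols):   {target:.1f} bits")
    print(f"20 random alphanumerics:        {entropy_bits(len(ALNUM), 20):.1f} bits")
    print(f"6 words from a 7776-word list:  {entropy_bits(7776, 6):.1f} bits")
    print(f"words needed to match 12 chars: {units_needed(target, 7776)}")
    print("sample key:", random_key(12))
    print("sample passphrase (demo list):", random_passphrase(7))
```

The figures hold only for random selection; a phrase built from a personal pattern or a known quotation has far less entropy than its character count suggests.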
by czep415 » Fri Feb 12, 2016 6:28 am
Thanks everyone for the thoughtful and informative answers here.

Would it be worth considering a pfsense appliance? Would this be any better than the filtering that's already handled by the Pace modem? If we want to use a separate firewall appliance like pfsense, does that require setting the modem to bridge only mode, and if so, would that cause any other problems?

I have a lot more confidence in Sonic compared to other ISPs I've used, and it does seem like the out of the box security is very good here. I could possibly make things worse for myself by trying to introduce additional devices, but I am ultimately interested in learning how to get the most secure setup possible.