Fraud on a Network
The main problem with fraudulent devices is that they generate unexpected bandwidth consumption and degrade service for customers with legitimate devices.
Many MSOs don’t know the exact percentage of fraudulent devices on their networks. And, in my experience, that percentage can range from 7% to 20% when no secure networks are available.
Common Methods to Create a Fraudulent Device
- Cloning MAC addresses: Hackers replace their cable modem’s MAC address with a MAC address of a cable modem that has an activated service.
- Uncapping (by changing the configuration file name): Hackers intercept the configuration file and the address of the TFTP server where it is hosted, with two options in mind: to replace the file on that server with a modified copy, or to serve the modified file from their own TFTP server.
Tips and Tricks to Increase Security
- Activate BPI/BPI+: Every CMTS on your DOCSIS networks should have BPI/BPI+ activated, whether or not fraud is currently present on the network.
- Configure a shared secret in each CMTS: The shared secret is a validation mechanism applied to the configuration files sent to cable modems. The shared secret configured in the CMTS (cable shared-secret XXX) must be the same one used when generating the configuration files for the cable modems.
- Enable TFTP Enforce in the CMTSs: TFTP Enforce prevents a cable modem from registering and coming online if no matching TFTP transfer passed through the CMTS before the registration attempt. A modem that fetched its configuration file from a local TFTP server therefore cannot register, because the CMTS will not let it.
- Change the names of the configuration files: Periodic changes to the configuration file names make it harder for hackers to intercept and modify the files to obtain a better service than the one they purchased (uncapping).
Provisioning System: My Experience
I have worked with Intraway’s provisioning system, which offers:
- Generation of the configuration file on the fly. The file name and a timestamp sent to the cable modem in the DHCP options are encrypted; the TFTP server decrypts them and checks that the request was generated within a valid time window (for instance, 10 seconds). Otherwise, the request for the configuration file is discarded.
- Configuration and modification of BPI/BPI+ and the shared secret, allowing flexibility for each CMTS.
- Support for CMTS with the TFTP Enforce option activated.
- Detection of cloned cable modems. During the DHCP provisioning process, the MAC address – SERIALNUMBER tuple is validated: the cable modem sends its capabilities in option 43 of the DHCP packet, including the SERIALNUMBER information (sub-option 4). Intraway determines whether the cable modem is genuine or cloned; the genuine CM is told to download the configuration file for the service it subscribed to, and the cloned one is sent to a captive portal.
- Detection of a cable modem at a different physical location. To detect a CM that has changed location during the DHCP provisioning process, Intraway uses information from the DHCP packet (Relay Agent Information [giaddr] and the Agent Circuit ID [option 82, sub-option 1]) to identify whether the CM has moved. In that case, Intraway sends the cable modem to a captive portal. Intraway can also authorize a CM to be moved, skipping this validation for that device.
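The two DHCP-time checks above, as an added example in Python (not Intraway's code or the post's): it parses the TLV sub-options of option 43 to read the serial number from sub-option 4, compares the MAC–serial tuple and the relay-agent location (giaddr, option 82 circuit ID) against a constructed provisioning table, and hands mismatches the captive-portal file. The table layout, file names and the `move_allowed` flag are assumptions.

```python
# Added example: provisioning-time clone and location checks (assumed design).
SUBOPT_SERIAL = 4            # option 43 sub-option carrying the serial number
CAPTIVE_FILE = "captive.cm"  # assumed name of the captive-portal config file

# Constructed provisioning table: MAC -> expected serial, relay-agent
# location (giaddr, circuit id), subscribed config file, move authorization.
PROVISIONED = {
    "00:11:22:33:44:55": {"serial": "SN-0001", "location": ("10.0.0.1", "cmts1/0/1"),
                          "file": "gold.cm", "move_allowed": False},
    "00:11:22:33:44:66": {"serial": "SN-0002", "location": ("10.0.0.1", "cmts1/0/2"),
                          "file": "silver.cm", "move_allowed": True},
}

def parse_option43(data: bytes) -> dict:
    """Parse the TLV sub-options of DHCP option 43 into {code: value}."""
    subopts, i = {}, 0
    while i + 2 <= len(data):
        code, length = data[i], data[i + 1]
        value = data[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option 43 sub-option")
        subopts[code] = value
        i += 2 + length
    return subopts

def build_option43(subopts: dict) -> bytes:
    """Encode {code: value} as TLV bytes (used here to construct sample input)."""
    return b"".join(bytes([code, len(value)]) + value for code, value in subopts.items())

def decide(mac: str, option43: bytes, giaddr: str, circuit_id: str) -> tuple:
    """Return (verdict, config file) for one DHCP request from a cable modem."""
    rec = PROVISIONED.get(mac.lower())
    if rec is None:
        return ("unknown", CAPTIVE_FILE)
    serial = parse_option43(option43).get(SUBOPT_SERIAL, b"").decode("ascii", "replace")
    if serial != rec["serial"]:
        return ("clone", CAPTIVE_FILE)   # MAC matches a subscriber, serial does not
    if (giaddr, circuit_id) != rec["location"] and not rec["move_allowed"]:
        return ("moved", CAPTIVE_FILE)   # same CM, unexpected CMTS or port
    return ("ok", rec["file"])

if __name__ == "__main__":
    genuine = build_option43({SUBOPT_SERIAL: b"SN-0001"})
    clone = build_option43({SUBOPT_SERIAL: b"SN-9999"})
    print(decide("00:11:22:33:44:55", genuine, "10.0.0.1", "cmts1/0/1"))  # ('ok', 'gold.cm')
    print(decide("00:11:22:33:44:55", clone, "10.0.0.1", "cmts1/0/1"))    # ('clone', 'captive.cm')
    print(decide("00:11:22:33:44:55", genuine, "10.0.0.2", "cmts2/0/1"))  # ('moved', 'captive.cm')
```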
We have reviewed the fundamental security measures for DOCSIS networks. The procedures mentioned are the simplest to implement when a provisioning system allows fast reconfiguration of parameters and includes these security mechanisms.
If you care to read about the ROI of solving fraud on your network, check Francisco’s post: Does Just Keeping Clone CMs out Provide MSOs with a Positive ROI?