Bandwidth Pirates Ply Cable-Modem Waters

It is innocuously called OneStep, but the software download now circulating on the Internet promises to give cable-modem users the ability to make a giant — and illegal — leap in bandwidth with the click of a mouse.

This hacker software attempts to change a cable modem's configuration to increase the amount of bandwidth it can access, potentially sapping other customers' throughput and cheating cable operators out of service revenue.

While OneStep may open the door for a new product from network-management providers, cable operators and others in the industry have downplayed the problem. There are adequate network safeguards in place, they said, and such incidents are still relatively infrequent.

Andover, Mass.-based network-management provider Stargus Inc., however, sees the problem occurring more frequently, as cable operators move from a best-efforts broadband data service to one with tiered offerings at set throughput limits, said cofounder and chief technology officer Jason Schnitzer.

When a customer signs up for cable-modem service, the operator's central system typically sends a message to the local cable-modem termination system, ordering it to download the service-setting configuration file to the new modem. Hackers attempt to get around this by sending in phony configuration requests while pretending to be the central system.

Up to now, that required the expertise of a network engineer. OneStep is one of the first examples of software that automatically hacks into the configuration — and it won't be the last, Schnitzer said.

"The way the Internet and the hacker environment is, there is going to be something else the next week and the week after that," Schnitzer said. "So it is not just defeating that one application, because you know there is going to be another to work around it."

CABLEEDGE IN TRIALS

Stargus' CableEdge system — which is in trials with two unnamed large MSOs and will be available commercially later this month — monitors the Data Over Cable Service Interface Specification (DOCSIS) network for subscriber-consumption patterns and the configuration of each cable modem.

Though it doesn't record Web-surfing destinations, CableEdge does check how the modem is configured — and how much bandwidth it pulls.

In a typical large broadband cable-data network, on average, 10 percent of subscribers use 60 percent of the bandwidth, Stargus estimated.

Larger MSOs typically spend about $100 per modem per year on bandwidth, so controlling the few heavy users can mean significant savings, according to Stargus chief architect Dan Rice.

"We've actually had quite a few conversations with several of the large MSOs, trying to understand how they get a handle on this stuff," Rice said.

The problem may become harder to spot as operators roll out tiered data service.

While it's easy to spot the goofball who tries to provision for 1,000 megabits per second of throughput, more sophisticated hackers will better camouflage themselves by mirroring data rates for higher-service tiers.

"With our system today, you can go out and find the obvious ones, the ones that stick out like a sore thumb," Schnitzer said. "But to really do this right, to be able to look at the guys who are spoofing into one tier higher, you require integration with the cable operators."

Others in the industry don't think such bandwidth buccaneering is going to rule the broadband seas.

Modems from Toshiba America Information Systems aren't vulnerable to such hacking, because they're programmed to ignore any provisioning communication that comes from the subscriber's side of the network, said network products division marketing communications manager Chris Boring.

OPS SOFT-PEDAL THREAT

"The MSOs have definitely been concerned," Boring said. "We have gotten a request from them to verify the fact that we don't have any vulnerability to these things.

"But once they do that and the do their own tests and see that it is not vulnerable, it pretty much goes away for us. We've been engineering that in basically from day one."

Cable operators also downplay the threat, claiming it's not that widespread. The existing tools within their DOCSIS systems can adequately identify abusive users, operators added.

Right now, AT&T Broadband can tell if people are drawing too much bandwidth into their cable modems because service is uniformly capped at 1.5 mbps downstream and 256 kilobits per second upstream, said spokeswoman Sarah Eder.

AT&T Broadband has discovered "a low number" of offenders every month. When caught, the customer's service is terminated, she said.

Likewise, Cox Communications Inc. vice president of data engineering Jay Rolls is also confident the that DOCSIS control systems will ward off bandwidth thieves.

"DOCSIS has mechanisms built into its tool kit that, when properly implemented, can prevent possible bandwidth abuse," he said.

Jupiter Media Metrix broadband analyst Joe Laszlo said he doesn't see much of a problem right now, but that could change when tiered services roll out.

"I definitely think there is going to be a need — as we move from this laissez-faire, all-you-can-eat broadband model to one that is more tiered, and more regimented and more around products that have committed capacities — where you don't want someone tinkering with it so that they get more than what they are paying for," he said. "I think it does become more important to have systems that will let you audit and verify and determine who the heavy users are."