by ad_hominem 2349 days ago
If you have fiber you're probably plugging your SFP into an ONT which is already acting like a modem anyway.

> With cable this becomes a lot harder or even impossible due to all kinds of network specific systems such as DOCSIS.

You're probably on a PON which doesn't use DOCSIS exactly but it's still doing TDM and/or WDM multiplexing because you're sharing a laser diode with a bunch of your neighbors - the ONT transceives the multiplexed laser signal. You're still dealing with DOCSIS-like functionality.

2 comments

By my reckoning, as long as the modem has no public- or customer-facing IP address, it's probably not going to be a vector for easy attacks. It might be accessible from within the ISP network, but if someone has access there then they can probably just tap your line directly, no need for additional exploits.

ONTs typically terminate to Ethernet at the customer premises so it's effectively the exact same thing as a cable modem. So not any more secure than having cable and using the cable company's provided modem.

If you tapped someone's fiber line, all the traffic between the ISP headend and customer premises (OLT and ONT if we're talking fiber) will be encrypted. In fact on a PON network using TDM it has to be, because if you stared down your own fiber you would be seeing all your neighbors' traffic as you're all time-sharing the same laser diode at the ISP headend (because it's a passive network, you will be seeing your neighbor's traffic when the diode is transmitting outside of your designated time cycle).

Anyway my only point was to inform OP that contrary to their belief, they effectively are in the situation of having an ISP-owned modem.

When I was setting this up for an ISP a few years ago the TDM was just an SFP that has its own MAC address inside. It's doing the TDM part inside the SFP itself. When we configured a new customer it was just adding the MAC to the config of an interface on an Alcatel router at the hub side. You might not be able to transmit without interference but I bet you could spoof the MAC of a neighbor on the same fiber and listen in.

Wow that is very interesting! That would be a worthwhile experiment to test out for sure.

In the case of Openreach in the UK, the majority of subscriber lines carry PPPoE traffic over VLAN 101 which is bridged on the modem to the consumer equipment.

There's also an additional VLAN 301 for TR069 management traffic, which is used by the HG612 modems (and possibly others) that Openreach used to enjoy flinging at all VDSL subscribers. The modem itself claims an IP address in this VLAN.

Although usually hidden from the end-user, it's actually surprisingly easy to drop yourself onto VLAN 301 even with the HG612 and get an IP address on that management network. I imagine that this is the kind of way that modem exploits become dangerous if they are indeed routable on networks like this.
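
The VLAN layout described in the comment above (PPPoE on VLAN 101, TR-069 management on VLAN 301) can be checked from the defender's side by tallying 802.1Q tags in frames captured on the customer side of the modem. This is an added example, not part of the thread or any vendor's code; the function names, the role labels, the MAC addresses and the sample frames are constructed for illustration, and IPv4 on VLAN 301 is an assumption.

```python
import struct
from collections import Counter

# VLAN roles as described in the comment above; the label strings are ours.
VLAN_ROLES = {101: "subscriber PPPoE", 301: "TR-069 management"}
ETHERTYPES = {0x8863: "PPPoE discovery", 0x8864: "PPPoE session",
              0x0800: "IPv4", 0x0806: "ARP"}
TPID_8021Q = 0x8100

def classify(frame: bytes):
    """Return (vlan_id or None, ethertype name, role) for one Ethernet frame."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    (ethertype,) = struct.unpack_from("!H", frame, 12)
    vlan = None
    if ethertype == TPID_8021Q:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci, ethertype = struct.unpack_from("!HH", frame, 14)
        vlan = tci & 0x0FFF  # low 12 bits of the TCI are the VLAN ID
    name = ETHERTYPES.get(ethertype, f"0x{ethertype:04x}")
    role = VLAN_ROLES.get(vlan, "untagged" if vlan is None else "unexpected VLAN")
    return vlan, name, role

def audit(frames, allowed=(101,)):
    """Count frames per VLAN and list those tagged outside the allowed set."""
    seen, findings = Counter(), []
    for i, f in enumerate(frames):
        vlan, name, role = classify(f)
        seen[vlan] += 1
        if vlan is not None and vlan not in allowed:
            findings.append((i, vlan, name, role))
    return seen, findings

def _frame(vlan, ethertype, payload=b"\x00" * 46):
    """Build a constructed test frame with made-up MAC addresses."""
    hdr = bytes.fromhex("020000000001") + bytes.fromhex("020000000002")
    if vlan is not None:
        hdr += struct.pack("!HH", TPID_8021Q, vlan)
    return hdr + struct.pack("!H", ethertype) + payload

# Constructed sample capture: not real traffic.
SAMPLE = [_frame(101, 0x8863), _frame(101, 0x8864),
          _frame(301, 0x0800), _frame(None, 0x0806)]

if __name__ == "__main__":
    seen, findings = audit(SAMPLE)
    print(dict(seen))
    for idx, vlan, name, role in findings:
        print(f"frame {idx}: VLAN {vlan} ({role}) carrying {name}")
```

Any finding on a port that should only bridge the subscriber VLAN means management-plane frames are reachable from customer equipment, which is the exposure the comment describes.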

Can you recommend any resources to learn more about this kind of stuff?