There are a number of DOCSIS-specific specifications designed to address this problem:
- TFTP Server Timestamp (TLV 19): This puts a timestamp in the TLV, which the CMTS uses to prevent a modem from downloading old files and incorrectly provisioning the device.
- IP Address Verification (TLV 20): The IP address is included in the TLV to enable the CMTS to verify that the correct IP is being provisioned.
- DOCSIS 3.0 Message Integrity Check (MIC): This feature provides additional security for file generation by ensuring the file the CMTS gives to the cable modem is correct.
- Baseline Privacy Plus (BPI+): When enabled on the DOCSIS network, this causes the CMTS to authenticate the cable modem through an exchange of certificates that includes the MAC address of the modem. The certificate exchange is very difficult to hack. This means that if the cable modem attempts to authenticate with a different MAC address than what is listed in the certificate, the CMTS will detect MAC address spoofing and will not authorize the CM for data services. As a result, BPI+ prevents simple MAC spoofing, which is one of the most common forms of theft of service, although further measures are required to detect whether the actual certificate itself has been cloned.
Only provisioning solutions that dynamically generate DOCSIS and PacketCable configuration files on-demand can include features such as IP verification and TFTP server timestamp. Furthermore, in addition to the above specifications, further security measures should be considered for an extra level of protection against cable modem cloning.
Dynamic File Generation
It is more secure to generate dynamic files than static files as the unique file names can’t be used in file replay attacks. In addition to the unique file name, the IP address assigned to a device must be verified to download the file.
Why is this useful? Consider someone sniffing the network to see what is being downloaded (for example, a file called gold.bin). The person may assume this file is a gold-service package and they might attempt to download it. To prevent this from occurring, the file is stored in a short-term cache and the DHCP server assigns an IP to the device, along with the unique file. As a result, if a device with the wrong IP tries to download the file, it will not succeed.
Dynamic file generation also offers operators a simple and secure way to change the MIC setting (also known as a Shared Secret). This is because any given CMTS may generate hundreds or even thousands of unique configuration files for devices. Without dynamic file configuration, an operator would need to manually rebuild every unique configuration file to change the Shared Secret, whereas a device provisioning solution that supports dynamic file generation gives operators the ability to make one central change.
Limiting the number of IPs that the DHCP service can give to CPEs behind a modem can prevent more basic forms of service theft. For example, a DOCSIS provisioning service that includes IP limiting will restrict a legitimate subscriber from allowing a neighbor or friend who does not live in the household from accessing the service.
This feature prevents the cable modem to move around the network illegitimately. It is designed for use in one cluster, rather than multiple, and may be useful in regions where there are legal restrictions about moving service from one point to another.
Prevention of Denial of Service
This is a security feature that aims to increase the availability of the provisioning system by preventing DHCP Denial of Service (DoS) attacks. For instance, if someone attempts to attack an operator and tries to cause problems with the provisioning system, denial of service is in place to prevent this. The feature works by detecting the DoS attack and the related device, and then dropping all DHCP packets/traffic associated with the attack.
Lease Query and Bulk Lease Query
This feature authorizes hosts on the network in order to allow the transmission of IP packets. The CMTS checks with the provisioning system to ensure the IP is legitimate and if the DHCP service authorizes the IP, the packet can go through. If the IP is not authorized, the packet is not transmitted.
The CMTS snoops DHCP packets to build IP-to-cable modem mapping to ensure there is an entry for every IP given out. If this data is out-of-sync, for example due to a CMTS reboot, the CMTS can obtain this information from the provisioning service via lease query to built the table.
Central Lease Service
An additional measure for more comprehensive protection is to store, track, and manage leases in a central solution that integrates directly with the provisioning solution. This makes it much simpler to keep track of lease information in large networks where there may be multiple provisioning servers in use.
This gives operators the ability to catch any modem that attempts to be cloned and prevents that clone from appearing anywhere else in the network. Even in the case of a full cloning where the BPI+ specification misses the fraudulent modem, a central repository of lease data will detect fraudulent cloning even if the MAC certificate is cloned.
Overall, a comprehensive device provisioning solution with security features can protect your network from cloned devices trying to access service for free, or problem devices from launching denial of service attacks. You should be able to configure these features to suit your needs, whether it is to deny service to any suspicious device or take it to a walled garden.
The last thing you need is a barrage of fraudulent devices accessing your service for free, affecting not only your bottom line, but also potentially the quality of service of your legitimate customers. Want to learn more? Discover how a Tier 1 North American service provider eliminated 88% of CPE cloning with a comprehensive device provisioning solution that included security mechanisms.