Article Published on NW3C Informant Magazine

The Beauty of stealing Internet -

Broadband Theft


BY SREEKANTH.T.R, CYBER FORENSIC ANALYST, RESOURCE CENTRE FOR CYBER FORENSICS

The net piggy-back may be a new term for cyber forensic investigators, If we make it
simpler, it is Broadband theft alias Internet Time Theft. This sort of cyber crime varies from
stealing internet connection passwords to enormous theft of internet connections.

Its an era of global networkhood, either wired or wireless.The society becomes dependent
on networks and there has been exponential increase in theft of Internet hours. It is an
alarming scenario when somebody gets penalised for making use of normal broadband or
leased-line internet connections. For example, someone who owns a cyber caf may face a
huge bill for his internet connection even for the period during which the caf was closed.

Let us look in to a real scenario, A 15 year old boy resident of Kerala, The Gods Own
Country, India, was arrested for a well played techincal game.He had been a regular visitor
of the cyber cafeteria Rainbowin his locality. The boy was technically sound and was well
versed with the usage of internet. He was having a Broadband connection of a reputed ISP
owning its own TV Channels in Asia and all over the world. The boy one day explored the
internet when the modem with him gave some trouble. He started creatively
using the Broadband to correct his modem problems. He started exploring various
kinds of Modems, Modem Drivers, Modem Internals, Uncapping modems and so on.
One day he came to know about SIGMA Modem. It is a premier product for businesses
lines that require broadband communications as well as feature rich voice services and data
networking. Till that day the boy was not aware that a Modems MAC could be spoofed. It
is comparitively easier to spoof an IP address, but it is not that easy to spoof the hardcoded
address.

It was in the middle of 2007 this modem game came in to the notice of the Cyber Police
in Kerala, India.The Cyber Police registered a case on the complaint of the ISP that one of
its customers was getting huge bills, eventhough he was not using the internet connection.

Back to the story, the boy got more interested in modem hacking techniques than using
internet for general purpose.The SIGMA modem, is a certain kind of device that allows one
to use it for programming the modem and one can easily change the hardware address with
a little technical knowledge. The boy started using the modem as a hackers tool. Like all
hackers, before hacking a cable modem, he started learning about the security of the cable
modems and their vulnerabilities. He made use of the firmware modification facility in the
modem. This hackable attribute of the modem gives control of the cable modem to the
hacker.Let us look in to the layout of a Modem Hacking.

A cable modem is usually identified by the cable company by its MAC address which can
usually be found underneath the modem on a sticker with bar codes. This MAC is known as
the HFC (Hybrid Fiber Coax) Address. The ADSL modems works by using a method
known as handshaking.When you boot your modem (Switch it on), the modem will perform
some tasks. First the modem will send out a signal saying, Hey I have the MAC address
XX.xx.XX.xx.XX.xx. The service provider(Modem providers) then check the MAC
against their data base. If the MAC is not vaild the modem will not be able to communicate
with the cable company network. Once the MAC is recognized, then it will assign a
configuration file. This file defines the attributes of the connection such as the speed of the
modem. So basically the modem says hello Im this MAC address, the ISP then says Yes
we know who you are, and we want you to run at this speed. Once all this has been done,
you get assigned an IP address and away you go.

Before spoofing a MAC address, a Black hat guy will sniff the MAC addresss from any
PC that is connected to a cable modem with a valid IP address. But the MAC address alone
will be of no use. There is an important aspect that needs to be considered - no two
modems will have the same MAC.If such a situation occurs the modems will go into a
reboot loop, disallowing internet access.

Every Cable modem login to the cable network with its unique MAC address. Think of the
service area of an ISP in your city as a segmented orange. We all live in a certain segment
of the orange and no two MAC addresses of that segment will be the same. Whenever a
cloned modem comes online, as long as it is in a different segment of the network from the
original, it will simply work because the ISP primarily checks the cable modems MAC
address and does not allow 2 identical MACs to be online [registered on the network] in
the same segment. The segmented seperation of the internet cable network is done by
Broadband Hubs.

The challenge that our centre faced in this case was to identify whether any spoofing had
taken place. Our forensic experts assisted the cyber police in solving the issue.We analysed
the ISP connections and identified that even when the caf was not using the registerd
MAC, someone was using the same registration. Then how did he get the username and
password for login?. Here comes the role of social engineering. As we all know it is the art
of manipulating people into performing actions or divulging confidential information. In
some cases the attacker never comes face-to-face with the victim. Here the boy regularly
visited the caf and explored the systems used. He was able to install keyloggers to extract
internet passwords.

How did the boy carry out this operation?. At first he purchased a modem, online from
United States to access the broadband accounts. Then comes the role of technical
knowledge and creative usage of internet for committing the crime. During our
investigation we found that the ISP server was having vulnerability that enabled the boy to
get a list of MACs and its attributes from their database. As cyber forensic investigators
know there are several easily availble software in the internet which can be used even by a
7
th
Grader to do malicious activities. There are software like DHCP force, MAC reaper..etc
to perform sniffing of MACs. Much technical knowledge is not needed to use such
software. There are easy methods availble to spoof the hardcoded MAC using certain
hacking modems like Mototrola SB4200, SIGMA-X..and so on.With a Handful of tools for
firmware programming, and a little Knowledge of ALP, the raw addresses can be easily
modified.

It is always a challenge for the investigators to catch the criminal with proper evidence,
although it is clear that the crime has been committed. In the Court of Law for the
conviction, proper evidences linked to the crime scenario is a must. In the case we
discussed, our centre faced the same challenge. The High Tech Crime Enquiry cell, Kerala
and our Resource Centre for Cyber Forensics had lenghty discussions to formulate plans to
catch the criminal red handed. With the help of the ISP we let the accused to use the
internet account unauthorised and uninterrupted. The real owner of the Internet connection
was also present at the ISP centre and he was not using his registered connection. The
police prepared a list of suspects local to the caf who were also regular visitors. Our
investigations took us to a building near to rainbow. From the suspects list, police traced
a young boy of 15 yrs of Age, in that building who was proficient in computer usage and
who had been given a prestigious Techno Excellence award by his school. The police
raided the house when the boy was online. Police got the current MAC, current IP and
Login informations. It is found that he had a set of high-end tools installed in his system
and the Hero HACKING MODEM. He was also owning three storage media of size 800
GB and a set of Discs both CD, DVD and Blue-rays. The police confiscated all the
equipment and arrested him.

Cyber criminals have existed in the past and will continue to thrive in the future. A
remedial tip for malicious activity is practicing geuine usage of internet. A good internet
culture should grow from your house, schools and colleges and spread to surrounding
society. The cyber police, E-Security guys and Law Enforcement have to attempt to catch
up with the new technologies and crime techniques.

About the Organization
Resource Centre for Cyber Forensics (RCCF) at C-DAC-Centre for Development of
Advanced Computing, Thiruvananthapuram is a core competency centre in Cyber Forensics
established by the Dept. of Information Technology(DIT), Govt. of India. Our mission is to
attain self reliance in Information Security and Cyber forensics.The centre helps in creating
awareness about cyber crimes, investigation of cyber crimes, and provides cyber forensic
analysis service with a state-of-the-art cyber forensics lab.

We are striving to build responsive and preventive measures for tackling cyber crimes. We
are happy to be a part of the global community that puts efforts to combat high-tech crimes
across the world.

CONTACT DETAILS
RESOURCE CENTRE FOR CYBER FORENSICS (RCCF),
CENTRE FOR DEVELOPMENT OF ADVANCED COMPUTING (CDAC),
VELLAYAMBALM, THIRUVANANTHAPURAM,
KERALA, PINCODE: 695033,
INDIA.
TELEPHONE: + 91-471-2723333 EXT:218
FAX: + 91-471-2723456, 2722230
AGENCY REPRESENTATIVE EMAIL: bhadran@cdactvm.in
WEBSITE: www.cyberforensics.in

MEMBERSHIP ID : AIINO1 DATED: 9
TH
JAN 08