(This message was sent a couple of days ago to UPC Cablecom support; however, since I received no reply over e-mail, I am posting here.)
As a cablecom user I have a question regarding the compliance of Cablecom to the latest industry standards regarding security. In particular, I noticed that the latest firmware used in Technicolor TC7200 is STD6.02.11. However, it is vulnerable to the following attacks:
- KRACK (discovered a couple of weeks ago)
- EDB-ID: 40157 (you can read more about it at https://www.exploit-db.com/exploits/40157/)
Can you please tell if Cablecom considers to fix these serious vulnerabilities? If yes, is there any estimation when this will be done? Meanwhile it is not fixed, is Cablecom accountable for any potential security related accidents happened to customers and related to the exploitation of these vulnerabilities?
Thanks in advance,
Yeah, there's KRACK Attack that affects all WPA2 routers and that can easily be fixed but UPC Cablecom doesn't look like they're caring.
You can consider switching to an open source firmware if that's possible.
Thank you for the reply. Unfortunately, I don't think that as a user of UPC Cablecom products I should switch to open source firmwares.
As a user of UPC Cablecom products I should expect to have a decent service and regular updates to their products that resolve any stability or security related problems.
Have you received a reply from UPC?
I'm annoyed as well that there are no updates anymore for this device.
However, regarding KRACK: According to the FAQ of the official KRACK website, it is probably not necessary to update the Technicolor TC7200 modem:
What if there are no security updates for my router or access point? Or if it does not support 802.11r?
Routers or access points (APs) are only vulnerable to our attack if they support the Fast BSS Transition (FT) handshake, or if they support client (repeater) functionality. First, the FT handshake is part of 802.11r, and is mainly supported by enterprise networks, and not by home routers or APs. Additionally, most home routers or APs do not support (or will not use) client functionality. In other words, your home router or AP likely does not require security updates. Instead, it are mainly enterprise networks that will have to update their network infrastructure (i.e. their routers and access points).
That said, some vendors discovered implementation-specific security issues while investigating our attack. For example, it was discovered that hostapd reuses the ANonce value in the 4-way handshake during rekeys. Concretely this means that, even if your router or AP does not support 802.11r, and even if it does not support client functionality, it might still have to be updated. Contact your vendor for more details.
Finally, we remark that you can try to mitigate attacks against routers and APs by disabling client functionality (which is for example used in repeater modes) and disabling 802.11r (fast roaming). Additionally, update all your other client devices such as laptops and smartphones. If one or more of your client devices is not receiving updates, you can also try to contact your router's vendor and ask if they have an update that prevents attacks against connected devices.
edited on 20-11-2018 20:03 by Daniele_UPC