Saturday, January 28, 2012

Firmware Update to Motorola Surfboard Cable Modems adds 'Open Source' tab

Today I happened to look at the Logs of my customer owned Motorola Surfboard 6120 cable modem. This affordable DOCSIS 3.0 cable modem is probably the most common retail cable modem in the world (well, it an its siblings are pretty darn common anyway ;p).

My ISP is Charter Communications. Individual ISPs will be the ones pushing out firmware updates. So, what's new? One thing is obvious, a new 'Open Source' tab. A strange tab to have it seems. This tab displays a listing of open source software used in the firmware of the modem. I guess someone complained, requested the source, or a lawyer realized they weren't in compliance with the licensing of these common network device applications.

It includes a list of what they've used, the license it was released under, and their address in case you want to get the source code (as required by license in all cases).

As for other changes - well, I'm not sure. I haven't looked much further into it, and they really don't intend for customers to even be aware of firmwares, much less what changed in an update. I doubt there were many, if any, functional changes. This update seems aimed at properly crediting utilized open source software.

One thing that is made clear is that the firmware is based on embedded linux. This surprises me, as I know older versions of the router were based on VxWorks, a commercial embedded OS. In the end, what that means is that a big portion of firmware source code may be something consumers are legally entitled to. This is how most third-party WiFI router firmwares get created. Of course, in the case of cable modems, and there is an additional concern of security. That said, I believe they sufficiently use public key cryptography in DOCSIS 3.x to alleviate many security concerns. If not, offenders could easily be tracked down on the network anyway. Of course, I wouldn't risk jail time just to steal service from some cable company, but others might. You can bet they'd be caught, so let me say - don't do it! ;p Anyway, my point is that it *would* be nice to have additional access to the router's linux based firmware. The applications are many, just as they are with WiFi routers. Sadly, you probably need a private key to be able to sign ANY firmware, unless you were to manually replace the boot loader.

Even without being able to replace the firmware though, this has consequences. Individuals could discover exploits, and if on your cable node, potentially exploit your cable modem and/or sniff the network. Now, that's not something we know has been done, and there are protections in DOCSIS 3.0. Still, if an exploit did exist at the right point, it could be problematic.

No comments:

Post a Comment