[CLUE-Talk] Security Issue with @Home

Warren warren at guano.org
Sun Aug 26 14:47:35 MDT 2001


If you are considering broadband service with @Home, be aware of the
following security issue of "IP address hijacking" being discussed on
Bugtraq.

Aside from the inconvenience, it is possible that someone could use your
IP address for subversive activities, trading mp3s or sending
instructions on how to rip CDs, for example, and point the finger at
you.  Refer to http://www.salon.com/tech/feature/2001/08/23/pirate/index.html



Forwarded message:

From:    Roadkill Randu <randy at viopac.com>
To:      bugtraq at securityfocus.com <bugtraq at securityfocus.com>
Date:    Saturday, 25 August, 2001, 4:20:25 PM
Subject: @Home network subject to DHCP hijacking



======================Original message text=================

Greetings:

Problem:

The @Home network assigns IP addresses on a fairly permanent basis to its
subscribers, but it does use DHCP for IP address assignment.  It is
a trivial matter, however, to take over another @Home account's IP address
by simply providing another customer's ID for the hostname parameter in
DHCP.  It is also trivial to acquire this hostname parameter, since all it
requires is 'host @HomeIPaddress' to determine what the customer ID is.

Notification:

I have notified @Home of this problem twice in the last two months.  Not
being an expert in DHCP, I do not know what could be done to fix this.  I
figure that using something different than my actual hostname for my
hostname parameter would at least raise the bar to sniffing for DHCP
packets, instead of the trivial hack it currently is.

Reason for this message:

I have had my @Home connection hijacked from me repeatedly in the last six
months. Given @Home's apparent lack of concern for this problem, and the
current mood of ISPs shutting down users without warning whenever the MPAA
rattles its saber, I felt that the larger community needed to be aware of
this potential problem.  It should not be this trivially easy for someone
to break the law in your name.

Randy



=================End of original message text===============

-- 

 </W>

 http://guano.org/~warren/pgp.txt
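The assignment policy Randy describes, modelled as an added example (this is not code from either poster, nor anything @Home ran): a DHCP server that hands out a subscriber's fixed IP based on the client-supplied Host Name option (RFC 2132 option 12) is shown beside one that keys the lease on the hardware address from the BOOTP header and only logs the hostname. The lease table, subscriber IDs, MACs and packets are all constructed for the demo; the option parser follows the RFC 2132 TLV layout.

```python
"""Two DHCP lease-assignment policies: the weak one described in the post
(trust option 12 to identify the subscriber) and a hardened one (key the
lease on chaddr, flag hostname collisions). Added example; all data is
constructed."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

HOST_NAME = 12          # RFC 2132 option codes
CLIENT_ID = 61
END, PAD = 255, 0


def parse_dhcp_options(blob: bytes) -> Dict[int, bytes]:
    """Parse the RFC 2132 TLV option area (the bytes after the magic cookie)."""
    opts: Dict[int, bytes] = {}
    i = 0
    while i < len(blob):
        code = blob[i]
        if code == END:
            break
        if code == PAD:
            i += 1
            continue
        if i + 1 >= len(blob):
            raise ValueError("truncated option header")
        length = blob[i + 1]
        value = blob[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError(f"option {code} truncated")
        opts[code] = value
        i += 2 + length
    return opts


def build_options(hostname: str, client_id: bytes) -> bytes:
    """Encode a Host Name (12) and Client Identifier (61) option, then END."""
    name = hostname.encode()
    return (bytes([HOST_NAME, len(name)]) + name
            + bytes([CLIENT_ID, len(client_id)]) + client_id
            + bytes([END]))


@dataclass(frozen=True)
class DhcpRequest:
    chaddr: str        # client hardware address from the fixed BOOTP header
    options: bytes     # raw option area


# Constructed lease table in the shape the post describes: one fixed IP per
# subscriber, where the subscriber ID is also the DHCP hostname and PTR name.
LEASES = {
    "cx123456-a": {"ip": "24.0.0.10", "chaddr": "00:11:22:33:44:55"},
    "cx654321-b": {"ip": "24.0.0.11", "chaddr": "00:aa:bb:cc:dd:ee"},
}
# Reverse index for the hardened policy: hardware address -> subscriber ID.
BY_CHADDR = {v["chaddr"]: k for k, v in LEASES.items()}


def assign_by_hostname(req: DhcpRequest) -> Optional[str]:
    """Weak policy (as described): whoever sends the hostname gets the lease."""
    name = parse_dhcp_options(req.options).get(HOST_NAME, b"").decode(errors="replace")
    lease = LEASES.get(name)
    return lease["ip"] if lease else None


def assign_by_chaddr(req: DhcpRequest) -> Tuple[Optional[str], List[str]]:
    """Hardened policy: the lease follows chaddr; option 12 is informational.
    Returns (ip, alerts); a hostname bound to another subscriber is flagged."""
    alerts: List[str] = []
    name = parse_dhcp_options(req.options).get(HOST_NAME, b"").decode(errors="replace")
    if name in LEASES and LEASES[name]["chaddr"] != req.chaddr:
        alerts.append(f"{req.chaddr} presented hostname {name!r}, "
                      f"which is bound to {LEASES[name]['chaddr']}")
    owner = BY_CHADDR.get(req.chaddr)
    return (LEASES[owner]["ip"] if owner else None), alerts


def demo() -> Dict[str, object]:
    """Legitimate subscriber vs. an attacker who learned the ID via reverse DNS."""
    victim = DhcpRequest("00:11:22:33:44:55",
                         build_options("cx123456-a", b"\x01" + bytes.fromhex("001122334455")))
    attacker = DhcpRequest("de:ad:be:ef:00:01",
                           build_options("cx123456-a", b"\x01" + bytes.fromhex("deadbeef0001")))
    hardened_ip, alerts = assign_by_chaddr(attacker)
    return {
        "weak_victim": assign_by_hostname(victim),
        "weak_attacker": assign_by_hostname(attacker),   # same IP: hijack succeeds
        "hardened_attacker": hardened_ip,                # None: hostname alone gets nothing
        "alerts": alerts,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Keying on chaddr only raises the bar, as the post itself suggests: a MAC address can be cloned just as a hostname can be copied. The binding an ISP can actually trust is the one its own equipment adds, such as the relay agent information in DHCP option 82 (RFC 3046) identifying the cable modem the request arrived through; the collision alert above is the piece worth keeping either way, since repeated claims on one subscriber's ID from a different hardware address are exactly the signal the poster's six months of hijacks would have produced.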




