2

I had a problem a few months ago where the MPAA accused somebody using an IP that my cable modem service provider attributed to me of illegally downloading (or uploading) a movie.

Originally, I assumed somebody had hacked my WiFi (it was WPA2/AES, but the password would have been prone to an offline dictionary attack). But, recently, I came across this article about products that can sniff for a valid cable modem MAC address and then clone it.

Is there anything I as a user could do to protect myself from this sort of cloning? Can I detect that it's happening? Are there any countermeasures my ISP could have implemented to prevent this?

Thanks, PaulH

3 Answers

2

You should type 192.168.100.1; this should let you into the modem web console (just like your router). Once you are inside, browse through the options and figure it out. Mine says the service provider is allowing 2 computers to be connected under the same modem MAC address, but only one computer is recognized. So it could only be two things: either your ISP provider is a fraud and violated your privacy, or the technical guys who install the modem can clone your stuff. If you live in an apartment then you are screwed like me. They use a server (Ubuntu) to pipe through and filter your Internet. You can only get what they want you to see. They can control a lot of stuff. I'm sure that your ISP knows all about it. Hope this helps.

1

Most of the "MAC Cloning" writeups you find on the internet are now out-of-date, as security enhancements from way back in the DOCSIS 1.1 days have given ISPs a way to prevent these attacks.

To be a lot more specific, there is a mechanism called BPI+ which, if your ISP requires it, will ensure that people attempting to clone MAC addresses can NOT sign on. The problem is, it won't be too easy to find the person at your ISP who can actually confirm whether or not they require all modems to use BPI+. But, odds are, they do require it.

Years ago, it was common to find networks that'd let you sign on without BPI, but it's pretty rare today, so the most likely theory is that your home network really was correctly implicated in this DMCA complaint.

0

I'm not very knowledgeable about the equipment used by cable companies to connect homes to their central offices. However, I imagine you are sharing some sort of switch with, at the very least, people on your street. I further imagine the cable company keeps logs of MAC addresses that transit traffic through those switches. It might even work on a lower level than that - i.e. the cable company can log all MAC addresses coming in and out of your house, which should normally just be the cable modem given to you.

It's certainly detectable if the person cloning your MAC lives in a different neighborhood - clearly then the cloner is NOT using the same physical connection to the network.

All cable modems have firmware and I would even further venture to imagine again that the MAC address assigned to the cable modem is assigned in firmware, and if you can get access to the firmware (which is likely possible by putting the cable modem in some type of test or debug mode - possibly through JTAG headers on the cable modem's motherboard or directly connecting to any NAND flash chips on it) - you could probably figure it out - if you are familiar with the CPU architecture of the cable modem and defeated any encryption.

So it is entirely possible that you took a cable modem you found or stole one from a person's house, got into the firmware, found out where the cable modem MAC address is, and then hacked your own cable modem's firmware to assign that MAC to it. The ISP can't really stop you from doing this but it can detect it, unless your cable connection is on the same physical switch as the person you are cloning. Which is unlikely unless you live on the same street.

I could be wrong about all this.

3
  • The linked article suggested that the products that do this include a sniffer that watches for cable modem traffic and records valid MAC addresses. The user could then program his cable modem with the known good MAC address of another user and assume his identity. This way they don't actually need to physically break in to the victim's house and steal their modem.
    – PaulH
    Commented Mar 7, 2012 at 17:24
  • AFAIK changing a cable modem MAC address is not as easy as changing a NIC MAC address
    – DrNoone
    Commented Mar 13, 2012 at 21:08
  • No, you would likely have to hack, possibly decrypt, and reflash the cable modem's firmware.
    – LawrenceC
    Commented Mar 13, 2012 at 21:27
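
The ISP-side check described in the answer above (the same modem MAC showing up on a different physical segment), as an added example that is not part of the original posts. The log format, the CMTS and node names, and the 30-minute window are assumptions made for illustration; the records are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample registration records; the format and field names are
# assumptions for this example: timestamp, modem MAC, CMTS, fiber node.
SAMPLE_LOG = """\
2012-03-07T10:00:00 00:11:22:33:44:55 cmts-east node-12
2012-03-07T10:05:00 00:11:22:33:44:55 cmts-west node-40
2012-03-07T10:06:00 66:77:88:99:aa:bb cmts-east node-12
2012-03-07T18:00:00 66:77:88:99:aa:bb cmts-east node-13
2012-03-07T11:00:00 cc:dd:ee:ff:00:11 cmts-east node-12
2012-03-07T11:02:00 CC-DD-EE-FF-00-11 cmts-east node-12
"""

def normalize_mac(mac):
    """Reduce a MAC to 12 lowercase hex digits so aa-bb and AA:BB forms match."""
    digits = "".join(c for c in mac.lower() if c in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits

def parse(log_text):
    """Yield (time, mac, location) tuples, skipping blank lines."""
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, mac, cmts, node = line.split()
        yield datetime.fromisoformat(ts), normalize_mac(mac), (cmts, node)

def find_suspected_clones(log_text, window=timedelta(minutes=30)):
    """Return {mac: [(earlier, later), ...]} for registrations of the same MAC
    from different locations less than `window` apart."""
    by_mac = defaultdict(list)
    for when, mac, loc in parse(log_text):
        by_mac[mac].append((when, loc))
    hits = {}
    for mac, events in by_mac.items():
        events.sort()  # consecutive pairs are enough once sorted by time
        pairs = [(a, b) for a, b in zip(events, events[1:])
                 if a[1] != b[1] and b[0] - a[0] < window]
        if pairs:
            hits[mac] = pairs
    return hits

if __name__ == "__main__":
    for mac, pairs in find_suspected_clones(SAMPLE_LOG).items():
        for (t1, loc1), (t2, loc2) in pairs:
            print(f"{mac}: {loc1} at {t1} and {loc2} at {t2}")
```

A clone attached to the same node as the original modem produces no location change, so this check does not catch it, which is the limitation the answer points out.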
