Hitron Router Man in the Middle Attack?

bityz
I've Been Here Awhile
Posts: 2

Hitron Router Man in the Middle Attack?

My wife went to the https://safeboatingcourse/ca site a couple of times.  The second time, she got a TLS cert warning:

 

   Certificate is not trusted.  Issued by: CableLabs Inc. Cable Modem Root Certificate Authority

   Organization: Hitron Technologies

   Organizational Unit: No. 1-8, Lising 1st Rd, Hsinchu Science Park, Hainchu, Taiwan

 

It looks very much like the modem is acting as a man-in-the-middle to an https protected site.

 

To add complexity to this I found:

  • I had inadvertently left the Guest network running for a week
  • my wife's laptop was connected to the Guest network
  • her laptop was routing to a different gateway IP (found via first hop in traceroute)
  • our modem had taken additional IPs that I was not aware of:
    • The gateway I had configured:  192.168.174.1
    • The additional gateways that the modem "camped out upon" seem to be: 192.168.100.1, 192.168.101.1, 192.168.102.1, 192.168.103.1 

Superficially, I would think "I left the Guest network on, got compromised".   But I find it strange that the cert being used is a cert provided by the modem and that the modem has multiple (hidden) gateways.

 

My questions are: 

  • has anyone heard of this attack?
  • Could this be anything other than an attack?  Does the Hitron Modem have multiple gateways?  Does it use a different gateway for the Guest network?  
  • suggested course of action

 

 

 

RogersMoin
Moderator
Posts: 1,945

Re: Hitron Router Man in the Middle Attack?

Hello, @bityz.

 

Welcome to the Rogers Community Forums! 🙂

 

Thank you for an interesting post. I'm assuming the domain extension of the website address your wife was trying is "dot ca" not "forward slash ca". It's possible the browser was not able to reach the resource if "forward slash ca" was being used and resulted in the certificate error. 

 

We haven't heard of this certificate error on our forums so far. 

 

Community - please chime in and share your expertise on this matter. 

 

 

Cheers,

RogersMoin

bityz
I've Been Here Awhile
Posts: 2

Re: Hitron Router Man in the Middle Attack?

Sorry for the typo.  Yes.  I meant dot ca.   See attached (redacted) screen grab (sorry for poor resolution)

 

man_in_the_middle_redacted.png

Gdkitty
Resident Expert
Posts: 14,300

Re: Hitron Router Man in the Middle Attack?

192.168.100.1 is normal for it to have.

This is where the interface is accessible while the unit is in bridge mode.



calebpalmer
I've Been Here Awhile
Posts: 2

Re: Hitron Router Man in the Middle Attack?

Wow I just ran into this same issue.  I installed a replacement Hitron modem from Rogers just this morning and afterwards I received a certificate warning from outlook.office365.com from the same CA (CableLabs Inc. Cable Modem Root Certificate Authority) from Outlook connecting to my work email.  Thankfully I know enough to click "no" but I know a lot of people would not be.  This is not cool Rogers.

RogersCorey
Moderator
Posts: 1,430

Re: Hitron Router Man in the Middle Attack?

Greetings Community!

 

I think the best course of action here would be to send an email with these findings to abuse@rogers.com. 

 

That is normally the place for customers to report and forward any concerns regarding the abuse of Rogers network.

 

Regards,

RogersCorey
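
The two observations in the first post (the certificate issuer and the traceroute first hop) can be checked together before reporting. This is an added example, not code from any poster or from Rogers or Hitron; it assumes the issuer line comes from `openssl x509 -noout -issuer` and the hop list from `traceroute`, and the sample inputs are constructed from the issuer name and addresses quoted in the thread.

```python
import ipaddress
import re

# Issuer text quoted in the first post's certificate warning.
DEVICE_CA_MARKER = "Cable Modem Root Certificate Authority"

# Constructed sample inputs (not captured from a real modem or site).
SAMPLE_ISSUER = "issuer=C = US, CN = CableLabs Inc. Cable Modem Root Certificate Authority"
SAMPLE_TRACEROUTE = """\
traceroute to example.ca (203.0.113.10), 30 hops max, 60 byte packets
 1  192.168.100.1 (192.168.100.1)  1.2 ms  1.0 ms  0.9 ms
 2  203.0.113.1 (203.0.113.1)  9.8 ms  9.5 ms  9.9 ms
"""

def parse_dn(line):
    """Parse an `openssl x509 -noout -issuer` line into a dict.

    Accepts the comma form ("issuer=C = US, CN = X") and the older
    slash form ("issuer= /C=US/CN=X").
    """
    dn = line.split("=", 1)[1].strip()
    if dn.startswith("/"):
        parts = dn.split("/")[1:]
    else:
        # Split only on commas that start a new KEY=, so values keep their commas.
        parts = re.split(r",\s*(?=[A-Za-z.0-9]+\s*=)", dn)
    return {k.strip(): v.strip() for k, v in (p.split("=", 1) for p in parts)}

def first_hop(traceroute_output):
    """Return the address of hop 1 from traceroute text, or None if absent."""
    for line in traceroute_output.splitlines():
        m = re.match(r"\s*1\s+.*?(\d{1,3}(?:\.\d{1,3}){3})", line)
        if m:
            return ipaddress.ip_address(m.group(1))
    return None

def assess(issuer_line, traceroute_output, configured_gateway):
    """List what differs from a normal HTTPS connection through the LAN gateway."""
    findings = []
    if any(DEVICE_CA_MARKER in v for v in parse_dn(issuer_line).values()):
        findings.append("issuer is the cable-modem device CA named in the thread, not a public web CA")
    hop = first_hop(traceroute_output)
    if hop is not None and hop != ipaddress.ip_address(configured_gateway):
        findings.append(f"first hop {hop} is not the configured gateway {configured_gateway}")
    return findings

if __name__ == "__main__":
    for finding in assess(SAMPLE_ISSUER, SAMPLE_TRACEROUTE, "192.168.174.1"):
        print("-", finding)
```

An empty result means neither symptom from the first post is present; either finding is worth including, with the raw command output, in the report to abuse@rogers.com.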