Hitron Router Man in the Middle Attack?

I've Been Here Awhile
Posts: 2

Hitron Router Man in the Middle Attack?

My wife went to the https://safeboatingcourse/ca site a couple of times.  The second time, she got a TLS cert warning:

 

   Certificate is not trusted.  Issued by: CableLabs Inc. Cable Modem Root Certificate Authority

   Organization: Hitron Technologies

   Organizational Unit: No. 1-8, Lising 1st Rd, Hsinchu Science Park, Hainchu, Taiwan

 

It looks very much like the modem is acting as a man-in-the-middle to an HTTPS-protected site.

 

To add complexity to this I found:

  • I had inadvertently left the Guest network running for a week
  • my wife's laptop was connected to the Guest network
  • her laptop was routing to a different gateway IP (found via first hop in traceroute)
  • our modem had taken additional IPs that I was not aware of:
    • The gateway I had configured:  192.168.174.1
    • The additional gateways that the modem "camped out upon" seem to be: 192.168.100.1, 192.168.101.1, 192.168.102.1, 192.168.103.1 

Superficially, I would think "I left the Guest network on, got compromised".   But I find it strange that the cert being used is a cert provided by the modem and that the modem has multiple (hidden) gateways.

 

My questions are: 

  • Has anyone heard of this attack?
  • Could this be anything other than an attack?  Does the Hitron Modem have multiple gateways?  Does it use a different gateway for the Guest network?  
  • Suggested course of action

 

 

 

Moderator
Posts: 1,248

Re: Hitron Router Man in the Middle Attack?

Hello, @bityz.

 

Welcome to the Rogers Community Forums!

 

Thank you for an interesting post. I'm assuming the domain extension of the website address your wife was trying is "dot ca" not "forward slash ca". It's possible the browser was not able to reach the resource if "forward slash ca" was being used and resulted in the certificate error. 

 

We haven't heard of this certificate error on our forums so far. 

 

Community - please chime in and share your expertise on this matter. 

 

 

Cheers,

RogersMoin

 

 

 

 

 

 

I've Been Here Awhile
Posts: 2

Re: Hitron Router Man in the Middle Attack?

Sorry for the typo.  Yes.  I meant dot ca.   See attached (redacted) screen grab (sorry for poor resolution)

 

man_in_the_middle_redacted.png

Resident Expert
Posts: 13,674

Re: Hitron Router Man in the Middle Attack?

192.168.100.1 is normal for it to have.

This is where the interface is accessible while the unit is in bridge mode.


