RE: A question about modem security
From: Steven Trewick <STrewick () joplings co uk>
Date: Tue, 27 Apr 2004 09:54:30 +0100
> I have read somewhere that dial-up questions using
> modems are inherently insecure. Can somebody please
> explain to me why it is so?
It isn't so. What was your source?
A dial up modem connection is no more 'inherently' insecure than
any other kind of connection.
> Due to the lack of encryption on the connection. Which is caused by the
> limited amount of packets that can be sent over dial up speeds.
This is simply not true, you can send as many packets as you like,
(although obviously you will incur a time penalty), but aside from
that, not having encryption enabled makes dial up lines no more
'inherently' insecure than any other unencrypted connection
(EG nearly all of them). Encryption is most certainly not the issue.
> The insecurity comes from the fact that anyone is capable of
> to the modem simply by dialling it and then can brute force their way
> onto a system. Also most modems are left on systems by
> non-administrators (ie some guy in the off) who do not make
> to secure them.
By and large, that isn't true either. Firstly, let's look at typical
deployment roles for a modem.
1) Client dial out
In this scenario, a user has a modem attached to her machine which
she uses to dial out to connect to remote machines (eg her ISP)
Firstly, by far the majority of modems will not pick up incoming
calls out of the box. This has been the default on every modem I
have seen since the 80s from my first 1200 baud to my last 56kbps.
Secondly, even assuming the modem *was* configured to autoanswer,
either by default or because the user changed the setting,
it makes no difference if there is no terminal software on
the machine capable of accepting an incoming connection.
Thirdly, again, even if the modem is configured to answer inbound
calls, an 'attacker' would have to find it. This involves a
social engineering attack or a wardial. In the first case, the
'attacker' must be aware of the existence of the modem and have
some motivation to dial into it. It's feasible that a modem would
be found by a random wardial*, but if it was, the above two issues
will prevent anything other than the inference that there is a
modem connected system, even in the worst case scenario.
All of this assumes that the line the modem is on is directly
available to outside callers. While this is (probably) true of a
domestic line, not all organisations offer all their staff a DDI*
2) Server dial in.
In this scenario, the modem will pick up inbound calls by default,
and will route them to some form of accepting software on the remote
host. (EG a terminal program or a PPP login, etc)
In this scenario, the first two mitigations from above will not
protect us, as we are allowing dial ins to connect to our back end
However, the likelihood of someone being able to 'simply dial in and
brute force' *should* most certainly be mitigated by the fact that
our mission critical host is logging such things, and will alert
our eagle eyed sysadmins to the problem, should such a thing occur.
There are certainly other things to consider, such as ease of physical
access to telecomms infrastructure (cables, junction boxes, etc) on the
path between nodes, but these factors exist for any method of
In a worst case scenario, dangerously configured, open modem connections
most certainly are a security nightmare. However, there is no particular
'inherent' reason that this should be so.
* this is less true outside the US, since many countries have no
free local calls, thus presenting a significant barrier to entry for
would be wardiallers.
* Direct Dial Inward, the ability of the PBX in your org to
forward outside calls direct to your desk phone as though it was
really an external facing line with its own telephone number.
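
Added example, not part of the original post: a Python audit that applies the three conditions discussed above (auto-answer setting, accepting software on the serial line, outside reachability via DDI) to decide how exposed a modem line is. The AT&V-style register dumps, the inittab lines and all function names are constructed for illustration; the code also accounts for mgetty, which answers a RING itself with ATA even when S0 is 0.

```python
import re

def auto_answer_rings(profile):
    """Hayes S0 register: rings before the modem answers by itself (0 = never)."""
    m = re.search(r"\bS0{1,2}\s*[:=]\s*(\d+)", profile)
    if m is None:
        raise ValueError("no S0 register in profile dump")
    return int(m.group(1))

# An active (uncommented) respawn entry running a getty on a serial tty.
GETTY = re.compile(r"^[^#:\s][^:]*:[^:]*:respawn:\S*?"
                   r"\b(mgetty|uugetty|agetty|getty)\b.*?\b(ttyS\d+)\b")

def serial_login_listeners(inittab):
    """Return (getty, tty) pairs that would accept a login on a serial line."""
    found = []
    for line in inittab.splitlines():
        m = GETTY.match(line.strip())
        if m:
            found.append((m.group(1), m.group(2)))
    return found

def dial_in_exposure(profile, inittab, line_has_ddi):
    """Classify a modem line using the post's three conditions."""
    listeners = serial_login_listeners(inittab)
    # mgetty picks up on RING with ATA, so S0=0 alone does not mean "no answer".
    answers = auto_answer_rings(profile) > 0 or any(g == "mgetty" for g, _ in listeners)
    if not answers:
        return "no-answer"        # caller hears ringing only
    if not listeners:
        return "carrier-only"     # a wardial learns a modem exists, nothing more
    # Server dial-in role: login prompt reachable, so logging/alerting matters.
    return "login-exposed" if line_has_ddi else "internal-only"

# Constructed sample inputs (not taken from any real system).
PROFILE_CLIENT = "ACTIVE PROFILE:\nE1 L1 M1 Q0 V1 X4 &C1 &D2\nS00:000 S01:000 S02:043 S07:060\n"
PROFILE_SERVER = "ACTIVE PROFILE:\nE1 L1 M1 Q0 V1 X4 &C1 &D2\nS00:002 S01:000 S02:043 S07:060\n"
INITTAB_CLIENT = "1:2345:respawn:/sbin/mingetty tty1\n#S0:2345:respawn:/sbin/mgetty ttyS0\n"
INITTAB_SERVER = "1:2345:respawn:/sbin/mingetty tty1\nS0:2345:respawn:/sbin/mgetty ttyS0\n"

if __name__ == "__main__":
    for name, prof, tab, ddi in [
        ("client, defaults", PROFILE_CLIENT, INITTAB_CLIENT, True),
        ("client, auto-answer on", PROFILE_SERVER, INITTAB_CLIENT, True),
        ("server behind PBX, no DDI", PROFILE_SERVER, INITTAB_SERVER, False),
        ("server on direct line", PROFILE_SERVER, INITTAB_SERVER, True),
    ]:
        print(f"{name}: {dial_in_exposure(prof, tab, ddi)}")
```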