MOCA Network Security

Discussion in 'TiVo Series3 HDTV DVRs' started by zabolots, May 29, 2009.

  1. danis123

    danis123 New Member

    2
    0
    Dec 17, 2013

    Ha - I guess that's one way to secure your FIOS network. Didn't see anything about "a big mean dog" in the subscriber agreement. Acquiring a big mean dog does add to the overall cost of ownership.
     
  2. dianebrat

    dianebrat wait.. I did what? TCF Club

    13,102
    2,216
    Jul 6, 2002
    boston'ish
    Physical access will always give someone a huge edge in hacking a network.
    However I'm not paranoid enough to even give a damn about someone physically connecting to my external FiOS MoCA connection, others may not share my views. :D
     
  3. Gene Olson

    Gene Olson New Member

    9
    4
    Jan 11, 2017
    Unless you enter a security code into your TiVo, MoCA has no security at all. Say that again. NO SECURITY AT ALL EXCEPT PHYSICAL SECURITY.

    If you buy a TiVo MoCA Bridge, you cannot enter a security code into the bridge. So if you have a Bolt, for example, with a security code entered, the Bolt can't communicate with the Bridge. To use the bridge, you must remove the security code from the Bolt. Same with Roamio, Mini etc.

    If you have FIOS, that's no problem, because your COAX network is completely isolated from the fiber by the FIOS modem.

    However if you have a COAX cable network, like Comcast for example, the same COAX in your house runs out to the junction box in your neighborhood, where all the COAX for all your neighbors is connected together. IF YOU TAKE NO PRECAUTIONS, all your neighbors can access your internal network, just like they were plugged into your Ethernet.

    If you have a TV antenna, the MoCA signal is fed to the antenna, where it is broadcast to the world. The signal is not very strong, and it won't go very far, but it will be sent over the airwaves, much like WiFi, but w/o a password. It's not easy to do, but a determined hacker could put up an antenna nearby and access anything on your home network.

    YOU PROTECT YOUR NETWORK by placing a MoCA Filter between your internal network and the outside world. TiVo probably has the best MoCA filter available for doing this. It blocks the MoCA signal going both in and out of your home w/o significantly reducing TV and Internet signals you receive from the cable company or the TV signal you receive through your antenna. The TiVo filter drops the MoCA power by 70 dB. That reduces the level of the MoCA signal by a factor of 3000. It might not stop the NSA, but it will stop any neighborhood hacker. Other popular filters reduce the signal by a factor of about 100, which is probably good enough. But if you are paranoid—a good thing when it comes to Internet security—consider the TiVo adapter which is 30 times better and costs a few dollars more.

    If you have Cable TV, delivered through a COAX cable, ALWAYS, ALWAYS, ALWAYS install a MoCA filter between your internal home network and the outside COAX network. If you use a TV antenna, it's less important, but you should probably put a MoCA adapter between your home network and your antenna as well.
     
  4. krkaufman

    krkaufman TDL shepherd

    15,875
    2,956
    Nov 25, 2003
    Mr. Andrew Hunt, for one. (see here)

    And there's no intrinsic physical security with MoCA, either; steps must be taken to ensure the network is secure -- and even a MoCA filter doesn't guarantee physical security, depending on its location. (see above link to Andrew Hunt's presentation)

    The FCC likely views the "PoE" MoCA filter for the antenna a requirement, to prevent interference with OTA services authorized for the associated frequency range.

    edit: p.s. And even where not required for its security function, a "PoE" MoCA filter is recommended for its performance benefit.
     
    Gene Olson likes this.
  5. Gene Olson

    Gene Olson New Member

    9
    4
    Jan 11, 2017

    Thanks very much for this reference. I spent a lot of time looking for information on MoCA, and this is the first technical paper I've seen. The MoCA marketing literature claims that MoCA has superior security to WiFi, and while WiFi has good security—a few flaws have been recently published—at least it makes a serious attempt at encryption. MoCA 2.0 has no encryption at all.

    According to Wikipedia, MoCA 2.1 will have "enhanced security". Whatever that means. Unfortunately, I could find no MoCA 2.1 adapters available for sale.

    A great point. I'm guessing the interference is rarely a problem in a residential setting, but the FCC would not approve.

    Question: The TiVo filter claims 70-80 dB MoCA bandpass signal reduction. I would think that places the MoCA signal, outside the home, deep in the noise on the external network. Do you have any data on this?
     
  6. krkaufman

    krkaufman TDL shepherd

    15,875
    2,956
    Nov 25, 2003
    None.

    p.s. The presentation referenced via the "performance benefit" link, above, is also good reading.
     
    Gene Olson likes this.
  7. krkaufman

    krkaufman TDL shepherd

    15,875
    2,956
    Nov 25, 2003
    FYI... MoCA 2.1 won't see the light of day. MoCA 2.5 is the new target, and some hardware is supposedly becoming available ... though only to ISPs, per Actiontec's associated product pages:

    MoCA 2.5 Network Adapter ECB6250 - Actiontec.com
     
    Gene Olson likes this.
  8. Gene Olson

    Gene Olson New Member

    9
    4
    Jan 11, 2017
    I saw that also. Too bad the BUY NOW button doesn't work ...
     
    krkaufman likes this.
  9. snerd

    snerd Well-Known Member

    1,495
    526
    Jun 6, 2008
    Nitpick: When quoting dB and power, each 10dB represents a factor of 10, so 70dB represents a power reduction of 10 million. The factor of 3000 is roughly the reduction in signal voltage levels.

    Similarly, the 40dB reduction from less effective PoE filters represents a factor of 100 in voltage levels and a factor of 10,000 in power.

    For the uber-paranoid, there is also the option of isolating the MoCA network to coax which never reaches outside the home.
     
    Gene Olson likes this.
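
Added example, not part of any post in this thread: the dB arithmetic discussed above, extended into a simple attenuation budget for judging whether a point-of-entry filter pushes leaked MoCA signal below what an outside receiver could use. The transmit level, coax path loss and receiver sensitivity are constructed placeholders, not MoCA specification values; substitute datasheet or measured figures.

```python
def power_ratio(db: float) -> float:
    """Attenuation in dB -> factor by which signal power is reduced."""
    return 10 ** (db / 10)


def voltage_ratio(db: float) -> float:
    """Attenuation in dB -> factor by which signal voltage is reduced."""
    return 10 ** (db / 20)


def leak_margin_db(tx_dbm, path_loss_db, filter_db, rx_sensitivity_dbm):
    """dB by which the leaked signal exceeds the receiver's sensitivity.

    Positive: the signal outside the filter is still usable.
    Negative: it is below what the receiver can work with.
    """
    leaked_dbm = tx_dbm - path_loss_db - filter_db
    return leaked_dbm - rx_sensitivity_dbm


def min_filter_db(tx_dbm, path_loss_db, rx_sensitivity_dbm):
    """Smallest filter attenuation that brings the margin down to zero."""
    return tx_dbm - path_loss_db - rx_sensitivity_dbm


# Constructed placeholder values (assumptions, not from the thread or a spec).
ASSUMED_TX_DBM = 0.0               # adapter transmit level
ASSUMED_PATH_LOSS_DB = 15.0        # splitters and coax run to the tap
ASSUMED_RX_SENSITIVITY_DBM = -60.0 # weakest signal an outside node can use


def compare_filters(filters_db=(0, 40, 70)):
    """Return (filter dB, power factor, voltage factor, margin dB, usable)."""
    rows = []
    for f in filters_db:
        margin = leak_margin_db(ASSUMED_TX_DBM, ASSUMED_PATH_LOSS_DB,
                                f, ASSUMED_RX_SENSITIVITY_DBM)
        rows.append((f, power_ratio(f), voltage_ratio(f), margin, margin > 0))
    return rows


if __name__ == "__main__":
    for f, p, v, margin, usable in compare_filters():
        print(f"{f:>3} dB filter: power /{p:,.0f}, voltage /{v:,.0f}, "
              f"margin {margin:+.0f} dB, usable outside: {usable}")
```
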
  10. tapokata

    tapokata Active Member

    490
    181
    Apr 26, 2017
    Sacramento, CA
    And then keep the ECB controlling that MoCA traffic on a completely separate router segment, for additional belt-and-suspenders isolation... use something like an EdgeRouter, which can create multiple unbridged DHCP servers. Feed the MoCA traffic to one DHCP segment, and the normal traffic to the other: as they aren't bridged, both networks are blind to each other. The only way then to penetrate the MoCA network is to breach an open port in the firewall.
     
  11. Gene Olson

    Gene Olson New Member

    9
    4
    Jan 11, 2017
    There are lots of exotic solutions. Most people just want to use their TiVo in their home, w/o exposing their home network to hackers. As far as I know, the easiest way to do that is to install a (TiVo approved) MoCA filter in their COAX cable, just before the COAX goes outside, where it can be compromised.

    That's what I'm doing.
     
    krkaufman likes this.
  12. nyjklein

    nyjklein J-E-T-S JetsJetsJets TCF Club

    260
    56
    Aug 8, 2002
    North...
    Yes, a MoCA filter at the premises entry is a must. But additional MoCA Security is helpful too. I'm not sure about the TiVo MoCA adapter, but both ActionTec and Motorola MoCA bridges support MoCA Security (encryption). Both older MoCA 1.1 and newer MoCA 2.0 models.

    MoCA Security - Motorola Network

    Jeff
     
    Gene Olson and krkaufman like this.
  13. krkaufman

    krkaufman TDL shepherd

    15,875
    2,956
    Nov 25, 2003
    tapokata likes this.
  14. Gene Olson

    Gene Olson New Member

    9
    4
    Jan 11, 2017
    Thank you, thank you. I went looking for encryption on a MoCA 2.0 device, and could find nothing on it. The MM1000 literature on the website mentions nothing, and when I called Motorola Tech Support (last Thursday) asking about security, the person I talked to knew nothing about encryption.
     
  15. krkaufman

    krkaufman TDL shepherd

    15,875
    2,956
    Nov 25, 2003
    Jeff, do you have a similar reference for the Actiontec ECB6000/ECB6200 MoCA 2.0 adapters?
     
  16. nyjklein

    nyjklein J-E-T-S JetsJetsJets TCF Club

    260
    56
    Aug 8, 2002
    North...
    The text below was all I was able to dig up. I'm not sure why ActionTec hides this information. Note that the instructions are for upgrading the firmware. But it also shows you how to get in to configure the devices with a browser.

    I had to upgrade the firmware to version 2_11_1_50_6200_727 to get MoCa Security support. If you need updated firmware, you'll need to contact ActionTec to get it.

    Jeff

    The steps to upgrade the units are as follows:
    Use the following steps to upgrade the units:
    1. Unplug the coax cable
    2. Connect PC to ECB6200 and set PC IP address to 192.168.144.10
    3. Open web browser and enter URL: "192.168.144.30"
    4. Click "SW Update"
    5. Click "choose file" and select the .bin file
    6. Click "Upload", then system will reboot by itself after finishing the upgrade.
    7. Upgrade all other ECB6200
    8. Plug the coax cable

    After the upgrade process is complete, please reset your ECBs. Press and hold the reset button for 13 seconds and release. Allow the units to power on and test functionality.

    Please be advised the Actiontec does not recommend changing your MoCA security (listed under Configuration) and will not be able to access you with any issues that you may encounter after the change is implemented.
     
    krkaufman likes this.
