# MOCA Network Security



## zabolots (May 24, 2007)

I know a few people here are running with MoCA adapters to provide Ethernet to their TiVo units. I'm hoping somebody can answer this for me.

How secure is a home network with MoCA? Obviously, the devices are connected to the coax in the home, which in turn runs out to the street and is connected to the nearest "hub" in the neighborhood. Is there some type of filter that you put on the inbound coax line to prevent the MoCA signals from leaving your house? Alternately, is there some security setup to be done on the MoCA devices themselves to encrypt data so only local devices can see each other?

Thanks...Scott


----------



## sinanju (Jan 3, 2005)

MoCA uses DES encryption. 

Of course, if you have FiOS, the coax doesn't leave the house.


----------



## zabolots (May 24, 2007)

sinanju said:


> MoCA uses DES encryption.
> 
> Of course, if you have FiOS, the coax doesn't leave the house.


So do you need to configure each MoCA box in the house to use the same encryption key? I thought it was simple plug-and-play.


----------



## aaronwt (Jan 31, 2002)

Yes. Just like wireless. But it's still basically plug and play. You just have to enter the decryption key during setup.


----------



## fyodor (Sep 19, 2006)

It's my (non-authoritative) understanding that the signal is designed specifically so it doesn't make it through the feeds entering back through your home/unit.

Also, I've never been able to get it to work back through amplified splitters, so insofar as you have one of those at your drop, you're probably protected.

You'd also need someone living nearby who also has a MoCA adapter connected to their cable.

F


----------



## skillmey (Feb 28, 2009)

If you have FiOS, you can't turn the password on if you want to stay connected to their network. However, you don't have to worry about security since the cable is isolated from other homes.

If you don't have FiOS, you can just enable a password on each device. It's not likely that the signal is going to go all the way from one house to the next, but it really depends on the cable network. So if you're paranoid, turn it on.


----------



## DCIFRTHS (Jan 6, 2000)

skillmey said:


> If you have FiOS, you can't turn the password on if you want to stay connected to their network. However, you don't have to worry about security since the cable is isolated from other homes.
> 
> If you don't have FiOS, you can just enable a password on each device. It's not likely that the signal is going to go all the way from one house to the next, but it really depends on the cable network. So if you're paranoid, turn it on.


I never understood how a person could see another person's "computer", without sniffing packets, even if you both connect to the same node.

I imagine that the node would have to allow broadcasting of all upstream traffic, on the cable, before it converts the RF to light. Is this a reasonable guess?


----------



## wmcbrine (Aug 2, 2003)

DCIFRTHS said:


> I never understood how a person could see another person's "computer", without sniffing packets, even if you both connect to the same node


Sniffing packets is not especially difficult, so I see no need for that qualifier. But also, a lot of stuff, like Windows file sharing and even TiVo MRV/TTG, uses broadcast packets to find other systems. This shouldn't be a problem as long as you're behind a NAT, but it's possible (and used to be common) to hook up a PC directly to a cable modem. In such a case, you could open up "Network Neighborhood" and literally see your neighbors' systems.


----------



## DCIFRTHS (Jan 6, 2000)

wmcbrine said:


> Sniffing packets is not especially difficult, so I see no need for that qualifier. But also, a lot of stuff, like Windows file sharing and even TiVo MRV/TTG, uses broadcast packets to find other systems. This shouldn't be a problem as long as you're behind a NAT, but it's possible (and used to be common) to hook up a PC directly to a cable modem. In such a case, you could open up "Network Neighborhood" and literally see your neighbors' systems.


Ah... I didn't consider that people hooked their computer(s) directly to a cable modem without a firewall in between. I have never considered doing something like that.

Even when I first got symmetrical DSL (approximately 1999, from Covad and Northpoint) I used software firewall solutions (Black Ice / Zone Alarm). That was a long time ago, so my dates are approximate. It also doesn't help that my memory isn't as sharp as it once was.

grc.com was one of my favorite websites.


----------



## flynz4 (Jun 20, 2009)

I have Verizon FiOS, and I am upgrading my DVRs. I currently have 3 Verizon (Motorola) DVRs (with internal MoCA) that will be replaced by 3 TiVo HDs (one is XL) and 3 NIM 100's.

My question is around security. In my current setup:


- Fiber enters the ONP attached to the garage
- ONP is connected to my Verizon Actiontec home router with coax (internal MoCA)
- ONP is also connected via coax to each of my three television set top boxes (internal MoCA)
- Actiontec router has a NAT firewall
- Actiontec router drives my internal wired and wireless home network

It seems to me that by definition... my wired/wireless home network is behind the NAT firewall... and that my television set top boxes (MoCA) are outside of the NAT firewall. Doesn't that create a security risk since I have equipment connected outside of my NAT firewall?

/Jim


----------



## socrplyr (Jul 19, 2006)

flynz4 said:


> I have Verizon FiOS, and I am upgrading my DVRs. I currently have 3 Verizon (Motorola) DVRs (with internal MoCA) that will be replaced by 3 TiVo HDs (one is XL) and 3 NIM 100's.
> 
> My question is around security. In my current setup:
> 
> ...


The internal MoCA adapter in the actiontec router is on the internal side of the router.


----------



## wmcbrine (Aug 2, 2003)

flynz4 said:


> Doesn't that create a security risk since I have equipment connected outside of my NAT firewall?


You're concerned about people hacking your set-top boxes? Seriously? 

Anyway, no -- as far as the IP network is concerned, your STBs are also behind the firewall. IP traffic flows from the STB to the router, and from the router to the ONT (note: not "ONP"). Only QAM video goes directly from the ONT to the STBs. If you doubt it, disconnect the router, and you should see VOD stop working.


----------



## flynz4 (Jun 20, 2009)

wmcbrine said:


> You're concerned about people hacking your set-top boxes? Seriously?
> 
> Anyway, no -- as far as the IP network is concerned, your STBs are also behind the firewall. IP traffic flows from the STB to the router, and from the router to the ONT (note: not "ONP"). Only QAM video goes directly from the ONT to the STBs. If you doubt it, disconnect the router, and you should see VOD stop working.


I am not worried about someone hacking my STB... I am worried about someone bypassing my NAT in the router. I also stand corrected on "ONT" (instead of "ONP").

The thing that is confusing to me, is that the WAN input to my Actiontec router is the coax cable. Also, this same coax cable is what connects the router to the STBs. So you are saying that somehow, this coax input to my router is simultaneously on the WAN and LAN side of the router.

My next question is in regard to the NIM 100 boxes. Can I connect other equipment (ex: a PC) to the RJ45 jacks in addition to the new Tivo units? If so... is there still no security concern? In practice, I am not really considering adding other devices at this time... but I am curious about their operation.

/Jim


----------



## wmcbrine (Aug 2, 2003)

Even if the STBs _were_ outside the NAT (which they aren't), that would not constitute a security risk. Only the STBs themselves would be vulnerable; there would be no path from them to the inside of the NAT.

There is no difficulty in the single jack serving as both LAN and WAN interfaces, nor does that constitute a security risk, either. And yes, you can hook up anything you want to the MoCA adapters.


----------



## flynz4 (Jun 20, 2009)

wmcbrine said:


> Even if the STBs _were_ outside the NAT (which they aren't), that would not constitute a security risk. Only the STBs themselves would be vulnerable; there would be no path from them to the inside of the NAT.
> 
> *There is no difficulty in the single jack serving as both LAN and WAN interfaces, nor does that constitute a security risk*, either. And yes, you can hook up anything you want to the MoCA adapters.


Thanks. The answer is non-intuitive to me, but I realize that your answer must be correct. When I look at my IP address assignments... I can see that my STBs are indeed on the LAN side of my router.

Next question: When I disconnect my 3 Verizon (Motorola) STBs, and attach the 3 Tivos through the new NIM 100's... is there any setup necessary for the NIM 100's... or is it simply plug and play?

/Jim


----------



## fyodor (Sep 19, 2006)

flynz4 said:


> Thanks. The answer is non-intuitive to me, but I realize that your answer must be correct. When I look at my IP address assignments... I can see that my STBs are indeed on the LAN side of my router.
> 
> Next question: When I disconnect my 3 Verizon (Motorola) STBs, and attach the 3 Tivos through the new NIM 100's... is there any setup necessary for the NIM 100's... or is it simply plug and play?
> 
> /Jim


It's completely plug and play. As far as the Tivo knows, it's directly connected to your router.


----------



## fyodor (Sep 19, 2006)

flynz4 said:


> The thing that is confusing to me, is that the WAN input to my Actiontec router is the coax cable. Also, this same coax cable is what connects the router to the STBs. So you are saying that somehow, this coax input to my router is simultaneously on the WAN and LAN side of the router.
> 
> /Jim


Keep in mind that just because they're sharing a physical medium doesn't mean that they can communicate. So even though there is a physical link between them, the devices connected through the MoCA adapter can't communicate with the ONT. They need to communicate with your router, which can communicate with the ONT.

F


----------



## flynz4 (Jun 20, 2009)

fyodor said:


> Keep in mind that just because they're sharing a physical medium doesn't mean that they can communicate. So even though there is a physical link between them, the devices connected through the MoCA adapter can't communicate with the ONT. They need to communicate with your router, which can communicate with the ONT.
> 
> F


Yes... this was the confusing part. I guess we are programmed to believe that the WAN and the LAN would be on different physical medium. Thanks again for both of your replies!

/Jim


----------



## danis123 (Dec 17, 2013)

Many people have upgraded from other cable providers to FiOS. Many of the old cable providers had runs going to each TV set which all terminated at splitters located outside the house (mounted to the side of the house). In that case the FiOS coax is run from the ONT & router (as the router is just connected to a splitter inside the house which goes to the ONT and the outside splitter) to the outside splitter. If Verizon does not encrypt their MoCA, then what stops someone from just attaching a MoCA network adapter to the splitter outside of the house and getting onto your network behind the NAT?????


----------



## unitron (Apr 28, 2006)

danis123 said:


> Many people have upgraded from other cable providers to FiOS. Many of the old cable providers had runs going to each TV set which all terminated at splitters located outside the house (mounted to the side of the house). In that case the FiOS coax is run from the ONT & router (as the router is just connected to a splitter which is inside) to the outside splitter. If Verizon does not encrypt their MoCA, then what stops someone from just attaching a MoCA network adapter to the splitter outside of the house and getting onto your network behind the NAT?????


A big mean dog?


----------



## danis123 (Dec 17, 2013)

unitron said:


> A big mean dog?


Ha - I guess that's one way to secure your FIOS network. Didn't see anything about "a big mean dog" in the subscriber agreement. Acquiring a big mean dog does add to the overall cost of ownership.


----------



## dianebrat (Jul 6, 2002)

danis123 said:


> Many people have upgraded from other cable providers to FiOS. Many of the old cable providers had runs going to each TV set which all terminated at splitters located outside the house (mounted to the side of the house). In that case the FiOS coax is run from the ONT & router (as the router is just connected to a splitter inside the house which goes to the ONT and the outside splitter) to the outside splitter. If Verizon does not encrypt their MoCA, then what stops someone from just attaching a MoCA network adapter to the splitter outside of the house and getting onto your network behind the NAT?????


Physical access will always give someone a huge edge in hacking a network.
However I'm not paranoid enough to even give a damn about someone physically connecting to my external FiOS MoCA connection, others may not share my views.


----------



## Gene Olson (Jan 11, 2017)

Unless you enter a security code into your TiVo, MoCA has no security at all. Say that again. NO SECURITY AT ALL EXCEPT PHYSICAL SECURITY.

If you buy a TiVo MoCA Bridge, you cannot enter a security code into the bridge. So if you have a Bolt, for example, with a security code entered, the Bolt can't communicate with the Bridge. To use the bridge, you must remove the security code from the Bolt. Same with Roamio, Mini etc.

If you have FIOS, that's no problem, because your COAX network is completely isolated from the fiber by the FIOS modem.

However if you have a COAX cable network, like Comcast for example, the same COAX in your house runs out to the junction box in your neighborhood, where all the COAX for all your neighbors is connected together. IF YOU TAKE NO PRECAUTIONS, all your neighbors can access your internal network, just like they were plugged into your Ethernet.

If you have a TV antenna, the MoCA signal is fed to the antenna, where it is broadcast to the world. The signal is not very strong, and it won't go very far, but it will be sent over the airwaves, much like WiFi, but w/o a password. It's not easy to do, but a determined hacker could put up an antenna nearby and access anything on your home network.

YOU PROTECT YOUR NETWORK by placing a MoCA Filter between your internal network and the outside world. TiVo probably has the best MoCA filter available for doing this. It blocks the MoCA signal going both in and out of your home w/o significantly reducing TV and Internet signals you receive from the cable company or the TV signal you receive through your antenna. The TiVo filter drops the MoCA power by 70 dB. That reduces the level of the MoCA signal by a factor of 3000. It might not stop the NSA, but it will stop any neighborhood hacker. Other popular filters reduce the signal by a factor of about 100, which is probably good enough. But if you are paranoid—a good thing when it comes to Internet security—consider the TiVo adapter which is 30 times better and costs a few dollars more.

If you have Cable TV, delivered through a COAX cable, ALWAYS, ALWAYS, ALWAYS install a MoCA filter between your internal home network and the outside COAX network. If you use a TV antenna, it's less important, but you should probably put a MoCA adapter between your home network and your antenna as well.


----------



## krkaufman (Nov 25, 2003)

dianebrat said:


> Physical access will always give someone a huge edge in hacking a network.
> However I'm not paranoid enough to even give a damn about someone physically connecting to my external FiOS MoCA connection, *others may not share my views*.


Mr. Andrew Hunt, for one. (see here)



Gene Olson said:


> Unless you enter a security code into your TiVo, MoCA has no security at all. Say that again. NO SECURITY AT ALL EXCEPT PHYSICAL SECURITY.


And there's no intrinsic physical security with MoCA, either; steps must be taken to ensure the network is secure -- and even a MoCA filter doesn't guarantee physical security, depending on its location. (see above link to Andrew Hunt's presentation)



Gene Olson said:


> If you have Cable TV, delivered through a COAX cable, ALWAYS, ALWAYS, ALWAYS install a MoCA filter between your internal home network and the outside COAX network. If you use a TV antenna, it's less important, but you should probably put a MoCA adapter between your home network and your antenna as well.


The FCC likely views the "PoE" MoCA filter for the antenna as a requirement, to prevent interference with OTA services authorized for the associated frequency range.

edit: p.s. And even where not required for its security function, a "PoE" MoCA filter is recommended for its performance benefit.


----------



## Gene Olson (Jan 11, 2017)

krkaufman said:


> And there's no intrinsic physical security with MoCA, either; steps must be taken to ensure the network is secure -- and even a MoCA filter doesn't guarantee physical security, depending on its location. (see above link to Andrew Hunt's presentation)


Thanks very much for this reference. I spent a lot of time looking for information on MoCA, and this is the first technical paper I've seen. The MoCA marketing literature claims that MoCA has superior security to WiFi, and while WiFi has good security (a few flaws have been recently published), at least it makes a serious attempt at encryption. MoCA 2.0 has no encryption at all.

According to Wikipedia, MoCA 2.1 will have "enhanced security". Whatever that means. Unfortunately, I could find no MoCA 2.1 adapters available for sale.



krkaufman said:


> The FCC likely views the "PoE" MoCA filter for the antenna as a requirement, to prevent interference with OTA services authorized for the associated frequency range.


A great point. I'm guessing the interference is rarely a problem in a residential setting, but the FCC would not approve.

Question: The TiVo filter claims 70-80 dB MoCA bandpass signal reduction. I would think that places the MoCA signal, outside the home, deep in the noise on the external network. Do you have any data on this?


----------



## krkaufman (Nov 25, 2003)

Gene Olson said:


> Question: The TiVo filter claims 70-80 dB MoCA bandpass signal reduction. I would think that places the MoCA signal, outside the home, deep in the noise on the external network. Do you have any data on this?


None.

p.s. The presentation referenced via the "performance benefit" link, above, is also good reading.


----------



## krkaufman (Nov 25, 2003)

Gene Olson said:


> According to Wikipedia, MoCA 2.1 will have "enhanced security". Whatever that means. Unfortunately, I could find no MoCA 2.1 adapters available for sale.


FYI... MoCA 2.1 won't see the light of day. MoCA 2.5 is the new target, and some hardware is supposedly becoming available ... though only to ISPs, per Actiontec's associated product pages:

MoCA 2.5 Network Adapter ECB6250 - Actiontec.com


----------



## Gene Olson (Jan 11, 2017)

krkaufman said:


> MoCA 2.5 Network Adapter ECB6250 - Actiontec.com


I saw that also. Too bad the BUY NOW button doesn't work ...


----------



## snerd (Jun 6, 2008)

Gene Olson said:


> The TiVo filter drops the MoCA power by 70 dB. That reduces the level of the MoCA signal by a factor of 3000. It might not stop the NSA, but it will stop any neighborhood hacker. Other popular filters reduce the signal by a factor of about 100, which is probably good enough. But if you are paranoid (a good thing when it comes to Internet security), consider the TiVo adapter which is 30 times better and costs a few dollars more.


Nitpick: When quoting dB and power, each 10 dB represents a factor of 10, so 70 dB represents a *power* reduction of 10 million. The factor of 3000 is roughly the reduction in signal voltage levels.

Similarly, the 40 dB reduction from less effective PoE filters represents a factor of 100 in voltage levels and a factor of 10,000 in power.

For the uber-paranoid, there is also the option of isolating the MoCA network to coax which never reaches outside the home.
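The dB arithmetic in the post above, carried through in code. This is an added example for this page, not code from anyone in the thread: the transmit level, splitter and cable losses and receiver sensitivity it uses are placeholder numbers chosen for illustration, not MoCA specification values, so the "decodable" verdicts it prints are only as good as those assumed inputs. What it does show is the part that is not a matter of assumption: losses expressed in dB add along the path, a 70 dB filter is a factor of 10^7 in power but only ~3162 in voltage, and the question of whether a neighbor's node could still sync is a link-budget comparison, not a single ratio.

```python
"""Decibel arithmetic for a MoCA signal leaking out through a "PoE" filter.

Added example; the SAMPLE_* figures are constructed placeholders, not
measured or specified MoCA values.
"""
import math


def power_ratio(loss_db: float) -> float:
    """Linear power ratio for a loss in dB: every 10 dB is a factor of 10."""
    return 10 ** (loss_db / 10)


def voltage_ratio(loss_db: float) -> float:
    """Linear voltage ratio for the same loss.  Power goes as V^2, so the
    voltage only drops by a factor of 10 for every 20 dB."""
    return 10 ** (loss_db / 20)


def db_from_power_ratio(ratio: float) -> float:
    """Inverse of power_ratio: turn 'a factor of N in power' back into dB."""
    return 10 * math.log10(ratio)


def residual_level_dbm(tx_dbm: float, losses_db) -> float:
    """Level left after a chain of losses.  In dB the losses simply add,
    which is why a filter's figure stacks with splitter and cable loss."""
    return tx_dbm - sum(losses_db)


def decodable(level_dbm: float, sensitivity_dbm: float, margin_db: float = 0.0) -> bool:
    """True if the residual level still clears the far receiver's sensitivity."""
    return level_dbm >= sensitivity_dbm + margin_db


# Constructed link budget (placeholders, not MoCA spec numbers):
SAMPLE_TX_DBM = 3.0                       # adapter transmit level, assumed
SAMPLE_PATH_LOSSES_DB = [3.5, 3.5, 5.0]   # two 2-way splitters + drop cable, assumed
SAMPLE_SENSITIVITY_DBM = -75.0            # assumed level below which a node cannot sync


def leak_report(filter_dbs, tx_dbm=SAMPLE_TX_DBM,
                path_losses_db=SAMPLE_PATH_LOSSES_DB,
                sensitivity_dbm=SAMPLE_SENSITIVITY_DBM):
    """For each candidate filter attenuation, the level left on the far side
    of the filter and whether a node there could still decode it."""
    report = {}
    for fdb in filter_dbs:
        level = residual_level_dbm(tx_dbm, list(path_losses_db) + [fdb])
        report[fdb] = (level, decodable(level, sensitivity_dbm))
    return report


if __name__ == "__main__":
    for db in (40, 70):
        print(f"{db} dB: power /{power_ratio(db):,.0f}, voltage /{voltage_ratio(db):,.0f}")
    for fdb, (level, ok) in leak_report([0, 40, 70]).items():
        print(f"filter {fdb:>2} dB -> {level:6.1f} dBm outside, decodable={ok}")
```

The "factor of 3000" quoted earlier in the thread and the "factor of 10 million" in the nitpick are the same 70 dB, read as voltage and as power respectively; `db_from_power_ratio(3000)` comes out at roughly 35 dB, which is what the figure would mean if it were mistakenly taken as a power ratio. Swap in your own adapter's transmit level and the loss of whatever sits between the filter and the street to see how much of the margin is actually the filter.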


----------



## tapokata (Apr 26, 2017)

And then keep the ECB controlling that MoCA traffic on a completely separate router segment, for additional belt-and-suspenders isolation... use something like an EdgeRouter, which can create multiple unbridged DHCP servers. Feed the MoCA traffic to one DHCP segment, and the normal traffic to the other: as they aren't bridged, both networks are blind to each other. The only way then to penetrate the MoCA network is to breach an open port in the firewall.


----------



## Gene Olson (Jan 11, 2017)

There are lots of exotic solutions. Most people just want to use their TiVo in their home, w/o exposing their home network to hackers. As far as I know, the easiest way to do that is to install a (TiVo approved) MoCA filter in their COAX cable, just before the COAX goes outside, where it can be compromised.

That's what I'm doing.


----------



## nyjklein (Aug 8, 2002)

Gene Olson said:


> There are lots of exotic solutions. Most people just want to use their TiVo in their home, w/o exposing their home network to hackers. As far as I know, the easiest way to do that is to install a (TiVo approved) MoCA filter in their COAX cable, just before the COAX goes outside, where it can be compromised.
> 
> That's what I'm doing.


Yes, a MoCA filter at the premises entry is a must. But additional MoCA Security is helpful too. I'm not sure about the TiVo MoCA adapter, but both ActionTec and Motorola MoCA bridges support MoCA Security (encryption). Both older MoCA 1.1 and newer MoCA 2.0 models.

MoCA Security - Motorola Network

Jeff


----------



## krkaufman (Nov 25, 2003)

Good to have that info for the MM1000; though the properly-installed "PoE" MoCA filter should suffice.

I believe the Actiontec MoCA 2.0 adapters provide similar configuration access, but can't say for certain.

edit: Or maybe not: 

How can I change configuration settings on the ECB6000 adapter
Does this adapter support MoCA privacy password capability?


----------



## Gene Olson (Jan 11, 2017)

nyjklein said:


> Yes, a MoCA filter at the premises entry is a must. But additional MoCA Security is helpful too. I'm not sure about the TiVo MoCA adapter, but both ActionTec and Motorola MoCA bridges support MoCA Security (encryption). Both older MoCA 1.1 and newer MoCA 2.0 models.
> 
> MoCA Security - Motorola Network


Thank you, thank you. I went looking for encryption on a MoCA 2.0 device, and could find nothing on it. The MM1000 literature on the website mentions nothing, and when I called Motorola Tech Support (last Thursday) asking about security, the person I talked to knew nothing about encryption.


----------



## krkaufman (Nov 25, 2003)

nyjklein said:


> Yes, a MoCA filter at the premises entry is a must. But additional MoCA Security is helpful too. I'm not sure about the TiVo MoCA adapter, but *both ActionTec* and Motorola MoCA bridges support MoCA Security (encryption). Both older MoCA 1.1 and newer MoCA 2.0 models.
> 
> MoCA Security - Motorola Network


Jeff, do you have a similar reference for the Actiontec ECB6000/ECB6200 MoCA 2.0 adapters?


----------



## nyjklein (Aug 8, 2002)

krkaufman said:


> Jeff, do you have a similar reference for the Actiontec ECB6000/ECB6200 MoCA 2.0 adapters?


The text below was all I was able to dig up. I'm not sure why ActionTec hides this information. Note that the instructions are for upgrading the firmware. But it also shows you how to get in to configure the devices with a browser.

I had to upgrade the firmware to version 2_11_1_50_6200_727 to get MoCA Security support. If you need updated firmware, you'll need to contact ActionTec to get it.

Jeff

> The steps to upgrade the units are as follows:
> 
> 1. Unplug the coax cable
> 2. Connect PC to ECB6200 and set PC IP address to 192.168.144.10
> 3. Open web browser and enter URL: "192.168.144.30"
> 4. Click "SW Update"
> 5. Click "choose file" and select the .bin file
> 6. Click "Upload", then system will reboot by itself after finishing the upgrade.
> 7. Upgrade all other ECB6200
> 8. Plug the coax cable
> 
> After the upgrade process is complete, please reset your ECBs. Press and hold the reset button for 13 seconds and release. Allow the units to power on and test functionality.
> 
> Please be advised that Actiontec does not recommend changing your MoCA security (listed under Configuration) and will not be able to assist you with any issues that you may encounter after the change is implemented.


----------

