About SecureMac Advertise Security Consulting Mac Security Store Send Feedback

Site Information
Site Background
Who runs the site
Security Consulting
Feedback Form

SecureMac Software


Mac OS X Security
sudo buffer overflow exploit + fix
Disable Single User Boot Mode
Malevolence - Dumping Passwords
nidump security
Startup Security - Open Firmware Password Protection

Mac OS X Network Security
Secure FTP Wrapper
Ettercap - sniffer interceptor logger
Snort - Network Intrusion Detection System
SSH Admin
SSH Helper
xnu - enable MAC Address spoofing

Mac OS X Virus

Mac OS X Firewalls
Firewalk Firewall Utility
NetBarrier X

Mac OS X App Sec.

Mac OS X Encryption
GPGMail - PGP Functionality

Mac OS X DoS

SecureMac Library
Mac Cable Modem Security
Mac Security Auditing
Mac OS X Security Understanding
Mac OS X Security Second Lessons
Mac OS X Security Third Lesson
Mac OS X Single User Mode Root Access
Mac OS X Shareware Firewalls
Mac OS X Secure Installation
Cable & DSL Connections - Security Measures
Better Safe than Sorry Security Resources
Marketing Macintosh Security Programs

Modem Security

info, views, download, rating, security, insecure

A lot of this information was gathered from other sources on the Internet. This flaw is old. Just not well publicized. Now that it is, we can cover it a little more and explain why it happens, and what damage it can cause. This is a Denial of Service attack in most cases. There are a lot of scripts out there to execute this DoS attack. So watch out.
A excelent source for more information is the Macintouch ModemSecurity Page

This effects more than Macintosh Modems. Linux dialup users have seen this as a problem for a long time. And a lot of Windows modems are effected by this DoS as well.

The Security Flaw - Or Problem
Below is a explanation of the problem, well explained. This origionaly was sent in from Robert Wong to

From: "Wong,Robert
Subject: modem guard problem
Date: Thu, 24 Jun 1999 10:35:53 -0700

A long time ago, I used to administer the ZyXEL modem FAQ. One of the questions was about how the ZyXEL modems dealt with the modem guard sequence. If you read onwards, you will notice an excerpt from BoardWatch mag. This exerpt describes how ZyXEL got around the Hayes patent. RWW.

Subject: T.6 How do ZyXEL modems deal with escape sequences?
Byte Magazine, V18, N8, July 1993, pg 184 has a good background article about escape sequences. The information below is a less technical explanation of escape sequences.
An escape sequence switches a modem from transmission mode to command mode.
Sometimes, an AT command needs to be issued to the modem when it is on-line and connected with another modem. Since the modem is on-line, typing an AT command would send the AT command down the connection to the other modem. Thus the local modem never receives and acts on the AT command. An escape sequence is needed to bring the local modem into command mode (without dropping the connection to the other modem).
One escape sequence is to drop the DTR (Data Terminal Ready) signal on one of the wires in the serial cable. This is a reliable escape sequence. Some hardware platforms do not have a wire for the DTR signal and therefore cannot perform this escape sequence. Another type of escape sequence is needed.
An alternate escape sequence is a pause, followed by three escape characters, and then another pause. This escape sequence then puts the modem into command mode, allowing entry of AT commands. (The pauses prevent the modem from mistaking escape characters in the data stream for "true" escape characters in an escape sequence.)
Hayes has a patent on the pause, escape characters, and pause technique. Other modem manufacturers are required to pay royalties to Hayes for use of its patent. Some modem makers are not using the Hayes patent or any other method of distinguishing real escape characters. This causes factory configured modems from these modem manufacturers to inadvertently go into command mode when the Hayes test file is transmitted.
Taken from Byte Magazine, V18, N8, July 1993, pg 184 without permission: "Zyxel [sic] has its own algorithm, for which it claims compatibility with existing code. Since the Zyxel [sic] algorithm is proprietary, we can't comment on its strength or weakness. However, it caused no problem in our testing."
Taken from BoardWatch Magazine, V6, N9, November 1992 without permission: "To illustrate the technical elegance of this [ZyXEL] modem, recall our article on the Hayes brouhaha over their fixed guard time escape sequence under the Heatherington 302 patent. Hayes has licensed numerous modem manufacturers to use this escape sequence. A few have not licensed it and often, their modems will escape to command mode while transmitting files containing +++ escape sequences. Hayes caused something of a furor in July by releasing a text file that if transmitted by many modems that don't use the guard time escape sequence technique, would abort the transfer and improperly escape to command mode. Multitech's modems fail the test rather awkwardly. The ZyXEL modem does NOT license the Hayes escape sequence. According to Gordon Yang, they use a proprietary variable sampling algorithm that does the job at least as well. We tried the ZyXEL on the Hayes test file - and sure enough, it worked like a champ. ZyXEL appears to have engineered a way around the escape sequence controversy. Yang indicates that they could conceivably publish the algorithm. If they did, this would take some serious steam out of the Hayes licensing program."
Robert Wong

Date: Wed, 23 Jun 1999 18:07:13 -0500
From: Matt
Subject: Modem Flaw

Well it appears the flaw is not limited to just GV modems. I have a BestData 56k Speakerphone modem connected to a SuperMac S900, and emailed myself the + + + A T H command in the subject and the body and was kicked offline immediately.
"Widespread problem" could be an understatement with something so simple able to kick so many people.
Many thanks to MacInTouch for making us aware of this and providing workarounds for it.
Matt Perkins
Michigan USA

John Gibbs tried sending email to himself with "+++" "ATH" (without the quotes) to himself and said he got hung up on. If you are downloading a lot of mail, and you hit a email like this it will cause you to disconnect, and when you reconnect and check your mail via pop3 you will have to start the download over in most cases. Fixing this ? would involve trying to check your email web-based. Or have your system administrator delete it manually.

Fixing the problem?
On IRC, you can send a /ctcp nickname +++ "ATH" (without the quotes) and disconnect a user. Of course those IRC kiddies have made mass scripts to join channels and send the CTCP command to everyone and disconnect in mass. I suggest checking out a freeware program called HipScript, or some other CTCP flood protection scripts out there.

As far as everyone else, you will want to modify your modem script, use a text editor and look for S2= change the value to 127. So it will be S2=127. This will fix most modems. Rating:
rate rate

I do not rate this highly. Its not one of the best attacks, But you should get yourself familier with it!

Enter Email Address:

Enter your message:

Select Either of These Two Buttons

Security + OS
PowerBook Security Control Panel
Empower Pro
Deus Lock Master
Keys Off
MacOS Algorithm
Modem Security
Password Key
Shift Key Suite
Stealth Signal
SuperLock Lite
SuperLock Pro

Macintosh Viruses
Sophos Anti-Virus
Norton AntiVirus
Nav 7 Nav 6 Nav X
Virex - Oct
VirusBarrier - Netupdate
vScan - Discontinued.

Mac Physical Security

Macintosh Firewalls
DoorStop Firewall
Firewall Q & A
Norton Personal Firewall

Mac Spyware & Privacy
NetShred - Delete Files Safely

Network Security
Oyabun Tools

Application Security Issues
AIM - AOL Instant Messenger
Back Orifice
Eudora E-Mail Client
Internet Configure
IE 5.1, OE 5.1, Powerpoint, Excel Vulnerability
MS Personal webServer
Outlook Express 4.5 Password Flaw
Sub7ME Server

Resource Info
AppleShare Server Info

Mac OS Encryption
My Secret
PGP Personal
PGP Freeware
Private File
Quick Encrypt
SubRosa Utilities

Deleting Files
Eraser Pro


Apple Hardware

Mac Attack

All material (c) 2014 and respected owners