System Security Issue Lingers For Host-Based Cable Modem

Companies developing an industry specification for a new
"host-based" cable-modem architecture are grappling with how to ensure that such
devices do not compromise cable-system security.

The issue remains a key factor in the development of a
host-based internal modem -- called that because it uses the processing power of its host
computer -- as Cable Television Laboratories Inc. is within weeks of releasing an interim
specification that vendors will use to assemble and test prototypes.

Because host-based modems are supposed to cost much less to
produce than self-contained external and PC-card cable modems, developers are walking a
tightrope between addressing the security concern and overengineering more expenses into
the spec.

"As always, when you get a group of very technical
people working, features, advantages and improvements are brought up," Intel Corp.
broadband-development manager Teri Lasley said. "We're trying to be careful not
to enhance it to the point where you've just nullified all of the cost savings
you've professed to have in the first place."

Some service providers, most vocally Excite@Home Corp., are
concerned that when used in Microsoft Corp. Windows-based PCs, host-based cable modems are
more vulnerable to malicious hackers seeking to disrupt the shared cable network.

For example, a computer virus might cause the modem to
repeatedly chatter into the network, flooding it with transmissions on the same frequency
that an operator uses for telephone traffic.

"The basic problem is that when you move stuff into a
host-based environment, the control of the transmitter and the crypto and a whole set of
other things moves out of the piece of software that the cable operator controls and into
a piece of software that nobody controls -- i.e., Windows," Excite@Home chief
technical officer Milo Medin said. "We think it's a prescription for
disaster."

Hardware developers said security is a resolvable issue as
they continue working on a host-based specification, agreeing that it must be addressed to
the satisfaction of operators and Internet-service providers such as Excite@Home and Road
Runner.

"Security was, continues to be and will be going
forward an area of discussion," said Rich Harris, director of marketing for
cable-television products at chip-maker Broadcom Corp. "I think it's an issue
that will be resolved, or there will not be any product shipped. It's pretty much
that black-and-white."

The host-based development relies on the Data Over Cable
Service Interface Specification interoperability protocols created at CableLabs.

Silicon and hardware vendors, spearheaded by chip-makers
Intel and Libit Signal Processing Ltd. -- the latter of which was acquired in June by
Texas Instruments Inc. -- have been working on the project for some 18 months to address
network architecture, network management and operating aspects of host-based processing.

Along with security, key issues include how to handle
software downloads, which would be used to upgrade the modem, and demarcation between the
modem and computer, which is needed for remote diagnosis of whether problems reported by
users stem from the network, modem or computer.

CableLabs has a working host-based specification that might
be ready for release as an interim spec in the next four weeks or so, according to DOCSIS
project director Rouzbeh Yassini.

Broadcom, Libit and others have already publicly
demonstrated host-based modem-reference designs, with actual products for interoperability
certification expected to be available late next year.

The host-based modem is seen by many as the fastest path
toward offering a relatively cheap broadband-cable-access device that can be bundled as an
option with PCs, creating a potentially huge new retail channel for cable ISPs.

By moving as much modem functionality as possible to the
host computer's processor and random-access memory, manufacturers hope to cut the
bill of materials for an internal cable modem card to below $50.

That would mark a significant discount from the $200 or so
that it now costs to make a standards-based cable modem. And it would match the producer
cost of digital-subscriber-line modems that major PC-makers -- such as Dell Computer Corp.
and Compaq Computer Corp. -- already offer as an add-on option.

"To date, you don't see even any [cable-modem]
PCI cards really out there on the market," Lasley said. "The PC OEMs
[original-equipment manufacturers] to date have just been reluctant to bundle a $150-or-up
board."

While there is agreement that security must be addressed,
there is apparently divergence about the best way to do it. Medin argued that the cost
advantages of host-based modems will be nowhere near as significant as the PC OEMs claim,
and that they could be offset by higher customer-care costs to operators.

Yassini and others said the continuing evolution of the
spec should address security and cost issues, on top of work that has already been done
regarding such elements as ensuring that network management will detect attempts to hack
the modem's media-access controller, for example.

"We bring the pain level so far up that the average
hacker would not be able to go there," Yassini said. "I think we're doing
OK."