Its a firmware update signed by the ISP for that CM
https://www.excentis.com/blog/using-exce...are-images
read here
https://www.excentis.com/blog/secure-sof...-docsis-31
The biggest hole in BPI+ is that cable operators turn on the “allow self-signed certificates” in their CMTS. Why do they do this? Because they are using legacy test equipment, outdated test equipment or non-conforming test equipment that does not support BPI+ certificates. If your hand-held test equipment vendor cannot upgrade your equipment to BPI+, find a new vendor, because you are enabling hackers in your network to create their own self-signed certificates, install them in their own cable modems with “valid MAC addresses” sniffed from your network and steal your service.
Disable self-signed certificates and plug the hole
Another hole in BPI+ is that many systems still have old cable modems that do not support BPI+ and so operators will enable BPI+ in its most limited mode. In this case, modems that support BPI+ will be required to register with BPI+, but modems that do not support BPI+ will register in BPI mode or with no encryption at all. This is an open door once again for hackers.
Require “bpi-plus-enforce” on all CMTSs – this means only modems that support BPI+ will be able to register
Monitor “cloned MAC Addresses” across your network – a good hacker will still be able to clone a cable modem MAC along with its digital certificate, but this will show up on your CMTS logs. Automatic monitoring of your CMTS logs for this event will rapidly identify this hacker and enable you to give him the boot.
https://www.excentis.com/blog/using-exce...are-images
read here
https://www.excentis.com/blog/secure-sof...-docsis-31
The biggest hole in BPI+ is that cable operators turn on the “allow self-signed certificates” in their CMTS. Why do they do this? Because they are using legacy test equipment, outdated test equipment or non-conforming test equipment that does not support BPI+ certificates. If your hand-held test equipment vendor cannot upgrade your equipment to BPI+, find a new vendor, because you are enabling hackers in your network to create their own self-signed certificates, install them in their own cable modems with “valid MAC addresses” sniffed from your network and steal your service.
Disable self-signed certificates and plug the hole
Another hole in BPI+ is that many systems still have old cable modems that do not support BPI+ and so operators will enable BPI+ in its most limited mode. In this case, modems that support BPI+ will be required to register with BPI+, but modems that do not support BPI+ will register in BPI mode or with no encryption at all. This is an open door once again for hackers.
Require “bpi-plus-enforce” on all CMTSs – this means only modems that support BPI+ will be able to register
Monitor “cloned MAC Addresses” across your network – a good hacker will still be able to clone a cable modem MAC along with its digital certificate, but this will show up on your CMTS logs. Automatic monitoring of your CMTS logs for this event will rapidly identify this hacker and enable you to give him the boot.
Knowledge=Power