The researchers have found five holes in the firmware running on Arris modems, three of which are hardcoded backdoor accounts. An attacker could use any of these three accounts to access and take over the device with elevated privileges — even root — install new firmware, and ensnare the modem in a larger botnet. According to Nomotion, the flaws are found in both the standard Arris firmware, but also in the extra code added on top by OEMs. In their research, experts looked at an Arris modem installed on the network of AT&T.
Tod Beardsley, Research Director at Rapid7, commented on this story below.
Tod Beardsley, Research Director at Rapid7:
“This morning’s disclosure on the AT&T U-Verse hardware by security consulting firm Nomotion is a stark reminder of the many challenges and risks still dogging the home networking industry. The findings include three separate maintenance interfaces over SSH and two hidden HTTP-based services, all of which are reachable from the internet with hard-coded credentials and susceptible to command injection attacks. In addition, Nomotion discovered an unauthenticated firewall bypass vulnerability, which appears to be a rudimentary reverse TCP proxy, allowing unfettered access from the internet to computers on the LAN side. Any one of these vulnerabilities is disastrous for AT&T U-Verse customers, since they ultimately bypass any security controls offered by these modems.
These vulnerabilities present a golden opportunity for widespread, automated damage at the hands of malicious hackers, up to and including another Mirai-like mass-hijack of affected modems. AT&T U-Verse customers are urged to take this disclosure seriously, and keep a close watch on AT&T’s plans for pushing out updated firmware to resolve these issues.
A faint silver lining for this disclosure is that Nomotion offers technical stop-gap solutions to all of these issues. The firewall bypass issue is resolved by a fairly straight-forward configuration change on the modem’s normal configuration interface, but it’s unlikely that most of AT&T customers will be comfortable with making these changes on their own. Shoring up the three maintenance interfaces involves some fairly advanced “self-hacking” to implement, though, and that comes with its own risks of accidentally (and permanently) disabling the affected hardware through a misplaced typo. So, while customers who have the technical chops to implement these fixes have some hope of side-stepping disaster, the vast majority of U-Verse customers are strongly urged to make a service call to AT&T’s technical support for assistance and updates.”