The researchers have found five holes in the firmware running on Arris modems, three of which are hardcoded backdoor accounts. An attacker could use any of these three accounts to access and take over the device with elevated privileges — even root — install new firmware, and ensnare the modem in a larger botnet. According to Nomotion, the flaws are found both in the standard Arris firmware and in the extra code added on top by OEMs. In their research, experts looked at an Arris modem installed on the network of AT&T.
Tod Beardsley, Research Director at Rapid7, commented on this story below.
Tod Beardsley, Research Director at Rapid7:
“These vulnerabilities present a golden opportunity for widespread, automated damage at the hands of malicious hackers, up to and including another Mirai-like mass-hijack of affected modems. AT&T U-Verse customers are urged to take this disclosure seriously, and keep a close watch on AT&T’s plans for pushing out updated firmware to resolve these issues.
“A faint silver lining for this disclosure is that Nomotion offers technical stop-gap solutions to all of these issues. The firewall bypass issue is resolved by a fairly straightforward configuration change on the modem’s normal configuration interface, but it’s unlikely that most of AT&T’s customers will be comfortable with making these changes on their own. Shoring up the three maintenance interfaces involves some fairly advanced “self-hacking” to implement, though, and that comes with its own risks of accidentally (and permanently) disabling the affected hardware through a misplaced typo. So, while customers who have the technical chops to implement these fixes have some hope of side-stepping disaster, the vast majority of U-Verse customers are strongly urged to make a service call to AT&T’s technical support for assistance and updates.”