Slashdot Mirror


600,000 Arris Cable Modems Have 'Backdoors In Backdoors,' Researcher Claims (thestack.com)

An anonymous reader writes: A security researcher using Shodan to probe Arris cable modems for vulnerabilities has found that 600,000 of the company's modems not only have a backdoor, but that the backdoor itself has an extra backdoor. Brazilian vulnerability tester Bernardo Rodrigues posted that he found undocumented libraries in three models, initially leading to a backdoor that uses an admin password disclosed back in 2009. Brazilian researcher Bernardo Rodrigues notes that the secondary backdoor has a password derived in part from the final five digits from the modem's serial number. However, the default 'root' password for the affected models remains 'arris.'

76 comments

  1. Wow... by Anonymous Coward · · Score: 0

    I used to have that terrible modem with my previous ISP... Glad I'm not with them anymore.

  2. Lovely by Motherfucking+Shit · · Score: 2

    You can bet NSA has been exploiting this one for years.

    --
    "BSD: Free as in speech. Linux: Free as in beer. Windows 10: Free as in herpes." --Man On Pink Corner in #52607549.

    1. Re:Lovely by invictusvoyd · · Score: 1

      I'm sure it does not take an NSA to exploit this thing. AFAIK everyone has been exploiting this for years.

  3. If the source isn't open... by Anonymous Coward · · Score: 0

    ...it's crap!

  4. ISP provided modem by Anonymous Coward · · Score: 0

    Time to get a customer-owned modem!

    1. Re:ISP provided modem by ayesnymous · · Score: 1

      Time to get a customer-owned modem!

      Like what? Motorola? Arris owns Motorola's cable modem business.

    2. Re:ISP provided modem by Spy+Handler · · Score: 1

      I have a DLink docsis 3.0 cable modem I bought for $65 on sale about a year ago. Before that I was renting one from Comcast for $5 a month. Next month the DLink will have paid for itself, and anything after that will be gravy.

      It's been working fine so far, haven't noticed anything different from the Motorola one that I was renting.

    3. Re:ISP provided modem by Anonymous Coward · · Score: 0

      Uh, there are modems out there besides Arris/Motorola, ya know.

    4. Re:ISP provided modem by michrech · · Score: 1

      I have a Zoom 5341 8x4 DOCSIS 3 modem. Paying a monthly fee for the ISP provided modem is utterly stupid, unless you also get phone service from them and they refuse to allow you to use a third party modem for that (like my ISP)...

      --
      bork bork bork!

    5. Re: ISP provided modem by Anonymous Coward · · Score: 0

      Well, if you have FiOS the Motorola SurfBoards won't work. The best you can do is shut down the wireless and add your own router. Or, as always, run a hardware firewall.

    6. Re:ISP provided modem by DarkTempes · · Score: 1

      If you read the article you'll see that they note D-Link puts backdoors into their stuff too.

      The example was router firmware that let you bypass http authentication by specifying a certain user agent.
      This was "legitimately" used by binaries/scripts on the device to change settings for things like dynamic DNS because it was apparently easier to query the http server to change settings than to rewrite it...

      Also included was a proof of concept shell code execution (via buffer overflow of the http server iirc.)

      Sadly for cable modems we can't exactly do nice things like run our own OpenWRT-derived firmware.
      Granted people can do nefarious things like bypass ISP bandwidth limitations with custom firmware but I honestly have to wonder if that's not just an excuse for laziness on the part of ISPs.

    7. Re:ISP provided modem by EETech1 · · Score: 1

      Get a magicJack GO for your phone.
      $35 a year, and you just plug it in your phone jack and network jack. As a bonus, you can ring your smartphone at the same time.
      I love mine.

    8. Re:ISP provided modem by michrech · · Score: 1

      I don't have VoIP service through my ISP -- I just used them as an example as why someone might not be able to provide their own DOCSIS device.

      For my phone needs, I have Google Voice (this number is given to people I don't know / companies I don't fully trust) and my cell phone (a handful of friends and my family have this number). :)

      Get a magicJack GO for your phone.
      $35 a year, and you just plug it in your phone jack and network jack. As a bonus, you can ring your smartphone at the same time.
      I love mine.

      --
      bork bork bork!

  5. Shodan? by Anonymous Coward · · Score: 0

    Really? Citadel Station ought to have learned by now...

  6. Nothing to see here... by Anonymous Coward · · Score: 0

    It almost certainly wasn't done maliciously by Arris. The people that built the thing and programmed it were probably just incompetent, or they cut corners somewhere so they could make more of a profit. That's usually how it works.

    They even do that sort of thing with nuclear reactors, because apparently meltdowns are cheaper and more cost-effective than performing preventative maintenance. Capitalism.

    1. Re:Nothing to see here... by Alwin+Henseler · · Score: 3, Insightful

      Ehm.. a backdoor doesn't program itself and then ends up in firmware because of a 'programming mistake', or because 'corners were cut'. For whatever reason it was done, a backdoor has to be intentionally put there.

      That automatically turns "incompetent" into "malicious". Unless end-user was informed of the presence of said backdoor and the reason(s) for its existence, and was okay with that. Which of course is never the case.

    2. Re:Nothing to see here... by JustAnotherOldGuy · · Score: 4, Funny

      Ehm.. a backdoor doesn't program itself and then ends up in firmware because of a 'programming mistake', or because 'corners were cut'.

      Oh, I don't know...one time I tried to program "Hello world" and accidentally coded a medical billing system with an accounts receivable dashboard.

      --
      Just cruising through this digital world at 33 1/3 rpm...

    3. Re:Nothing to see here... by Anonymous Coward · · Score: 0

      Ehm.. a backdoor doesn't program itself and then ends up in firmware because of a 'programming mistake', or because 'corners were cut'.

      Oh, I don't know...one time I tried to program "Hello world" and accidentally coded a medical billing system with an accounts receivable dashboard.

      Doh!

    4. Re:Nothing to see here... by Anonymous Coward · · Score: 0

      Also, what exactly is there to see here -- in other words, what does having root access to a cable modem give an attacker? Does the attacker have to be on the subnet to access it, or does this give full access to anyone on the Internet? And is the "full access" to all machines connecting through the cable modem, or just to the modem itself (with further cracking of individual machines still needed)?

    5. Re: Nothing to see here... by Anonymous Coward · · Score: 0

      Meltdowns cheaper than preventative maintenance? Seek out the nearest community college and look into taking a course specifically on critical thinking.

    6. Re:Nothing to see here... by Anonymous Coward · · Score: 0

      or it was put in there for a feature that was later cut and never removed, that kind of cruft happens a lot, especially when there is some scope creep.

    7. Re:Nothing to see here... by Anonymous Coward · · Score: 0

      A lot of cable modems also have a firewall, 4-5 port gigabit switch, wireless AP, and other sundries. So, having access to that can easily allow for a lot of foul play to be done.

      Even a basic DOCSIS modem still can allow an attacker to see traffic, throttle it, intercept it in flight (think Phorm) to inject malware ads, or add tags to a user's HTML headers similar to what Verizon and AT&T used to do (UIDH lines to every HTTP transaction.)

      In addition, pwning the modem can be a great launching point for DDoS attacks. Who needs a compromised computer when you can consume an entire user's bandwidth from the network fabric?

      I'm not surprised about this compromise.

      As a user, what can one do? The ideal would be to find a VPN provider that is quite close (close as in low latency), buy a PFSense appliance, and VPN all your outgoing traffic to that provider. It would suck for gameplay, but it would shield all other traffic.

    8. Re:Nothing to see here... by Anonymous Coward · · Score: 0

      one time I tried to program "Hello world" and accidentally coded a medical billing system with an accounts receivable dashboard.

      That's what you get for using systemd!

    9. Re:Nothing to see here... by Anonymous Coward · · Score: 0
  7. Yo Dawg by Anonymous Coward · · Score: 4, Funny

    "I heard you like backdoors, so I put a backdoor in your backdoor" ... yeah, I can see why someone hasn't posted this yet.

    1. Re:Yo Dawg by Anonymous Coward · · Score: 0

      backdoor - see recursive

    2. Re:Yo Dawg by Anonymous Coward · · Score: 0

      We need to go deeper.

    3. Re:Yo Dawg by PPH · · Score: 1

      You forgot to include a picture.

      --
      Have gnu, will travel.

  8. Re:imposterers & VERY stupid idiots etc ... ap by Anonymous Coward · · Score: 0, Troll

    Yet another ridiculous AC claiming to be "me"... Grow up and do something useful & you won't ever make something as good as my HOST file engine.

    P.S:=> I suck dicks ... APK

    P.P.S: I am the real one.

  9. VPN router? by AHuxley · · Score: 1

    Interesting news for some nations' networks.
    Will a VPN ready router with OpenVPN help after the telco hardware?
    Spend another few $ per month to try and secure your computer from the 'provided' hardware.
    This is why everyone needs good crypto. Even the hardware has extra ways in :)

    --
    Domestic spying is now "Benign Information Gathering"

  10. how to get comcast empathy class to send patched m by Anonymous Coward · · Score: 0

    so I am immigrant to here
    comcast empathy class is low bandwidth but I can have for nothing until better jobs
    how to return arris modem to comcast or force firmware update fix
    will enabling bridge mode help if I put old cisco behind it
    thank you

  11. Old gear is old by Anonymous Coward · · Score: 0

    I bought an Arris DOCSIS 2.0 modem two years ago as the purchase cost was only 4X the monthly ISP rental fee for a DOCSIS 1.X modem. The linked exploit does not work on my modem (although I'm sure it still has some vulnerabilities). The bottom line is that I have more than gotten my money's worth and know now to periodically scan my modem with nmap to look for open telnet and ssh ports. I predict that the population of modems that can be owned with the current exploit will remain sufficiently large that I won't have any problems prior to the next best thing coming along.

  12. Not that surprised by tap · · Score: 4, Interesting

    I used to work for Arris. But we did the DVR software, which was originally a different company than the people doing the cable modems. The DVR software is a lot more secure than this. There is still a PWOD protected technician interface, the DVRs are remotely managed devices, but it doesn't let you do anything that would compromise the software. I'd be interested in seeing how someone would hack it. It shouldn't be possible to get a root shell.

    Someone did want to allow the player to pair over wifi automatically to the gateway by having the WPA2-PSK be derived from the device ID. I tried to stress what a terrible idea that was but those were people in a different division who didn't need to listen to me.

    1. Re:Not that surprised by Anonymous Coward · · Score: 0

      but it doesn't let you do anything that would compromise the software.

      Really? You wouldn't know until someone thoroughly tested it. That's what bugs are.

    2. Re:Not that surprised by Anonymous Coward · · Score: 0

      Unless you're updating the libraries years after deployment, including the kernel, you can guarantee there are exploits available.

    3. Re:Not that surprised by Zebai · · Score: 1

      Good point, even knowing the password for the advanced interface, what is the worst that you could do to it? It doesn't let you access any network data or personal details. So you could probably get an idea of how much data I use and a few technical details on the quality of my connection and maybe be able to access my IP address (which you already have if you're seeing the interface). I suppose if you were really nefarious you could probably cause my device to reboot a few times if you wanted to be persistent about it.

      It's been a number of years since I've gone into it myself, so today I tried to get into the advanced settings again and apparently my connection is being refused. I can only see the basic page, so I'm assuming I've gotten a firmware update blocking access at some point.

    4. Re:Not that surprised by phantomfive · · Score: 1

      Unless you're updating the libraries years after deployment, including the kernel, you can guarantee there are exploits available.

      And even if you've updated the libraries and kernel, you can still be assured that exploits are available, though perhaps not available to common script-kiddies.

      --
      "First they came for the slanderers and i said nothing."

    5. Re:Not that surprised by bobstreo · · Score: 1

      I'm guessing the DVR was coded to be more secure over the fear that someone may be able to copy the saved entertainment off the DVR and use it.

      Probably nothing more scary for providers than free shareable movies and TV shows.

    6. Re:Not that surprised by tap · · Score: 1

      The DVRs are remotely managed. New software updates go out on a regular basis. So, yes the libraries are updated years after deployment.

      The kernel, not so much. They use Broadcom chips and Broadcom isn't exactly the best at supporting Linux. You have to use one of their kernels since they don't upstream anything and they don't update the kernels themselves.

  13. don't trust the router! by anwyn · · Score: 1

    Don't trust any router software unless you can put OpenWrt on it. The router companies have shown they cannot be trusted. All companies are subject to enormous pressure from the NSA. Control the software that runs on your router yourself.

    1. Re:don't trust the router! by Gaygirlie · · Score: 1

      The problem is that we're talking about a cable modem, not just a regular router. I'm not aware of a single cable modem that's supported by OpenWRT or similar.

    2. Re:don't trust the router! by Antique+Geekmeister · · Score: 1

      This is why you don't trust the mixed "cable modem" devices as anything but a cable modem. Many of them also include firewall, DHCP, and wifi features. Unfortunately, the extra "features" help make them more vulnerable to this kind of remote maintenance access password abuse.

    3. Re:don't trust the router! by Anonymous Coward · · Score: 0

      To be more specific, never let one of those "modems" manage your LAN, regardless of the type of modem. (DSL, Cable, etc.)

      ALWAYS use a different physical router as a gateway device. (Preferably one that you can place an open source firmware on.)

      The ISP provided shit will always come with this crap included and enabled by default. Why? Because dumb users want things to "just work". They've not been required to learn anything about setting things up for years now. If the ISP couldn't set it up remotely, they'd have to send someone out for on-site repairs every time a new game got released that used a new port for traffic that needed to be port forwarded. So that remote access is here to stay.

      Sadly, this means more headache for those who want to keep their systems secure. Unfortunately we seem to be the minority.

  14. Hahahahaha by stooo · · Score: 1

    This is simply hilarious.
    The backdoors are so widespread that there is not much space left for useful software.
    Fuck Backdoors.

    --
    aaaaaaa

  15. Re:imposterers & VERY stupid idiots etc ... ap by Anonymous Coward · · Score: 0

    My game bypasses your HOST engine. Ads display just fine.

    You're fucked. So's your HOSTs engine. Trivial to bypass.

    Captcha: slicker - yes, I am.

  16. On that note by Anonymous Coward · · Score: 0

    This is why I use Cisco enterprise equipment at home.

  17. Obvious by Anne+Thwacks · · Score: 2
    With the name 'Arris, I should have thought it was a dead giveaway that it had a back door!

    Hint: 'Arris in England has the same meaning as Azz in USA.

    --
    Sent from my ASR33 using ASCII

    1. Re:Obvious by rebelwarlock · · Score: 1

      And for those of us who are from neither of those countries, what meaning are we supposed to garner?

    2. Re:Obvious by Anonymous Coward · · Score: 0

      I'm from the US... and I have no clue what "azz" means.

    3. Re:Obvious by Anonymous Coward · · Score: 0

      http://www.lmgtfy.com/?q=define+azz

    4. Re:Obvious by Anonymous Coward · · Score: 0

      It's actually "arse," not "arris." It's not even remotely pronounced like "arris." Not even by a drunk.

      Why are you pretending to be from England exactly, is that some new ecyberfetish that I haven't heard about?

  18. Cockney Rhyming Slang by Oxygen99 · · Score: 1

    Anyone familiar with cockney rhyming slang shouldn't be too surprised when Arris products contain an unexpectedly slack backdoor...

    --
    I had a dream, bright and carefree, but now there's doubt and gravity

  19. Managed gateway exploit by Anonymous Coward · · Score: 0

    It should be noted that this exploit is for the managed gateways (TG862A, TG862G, DG860A, etc).

    I doubt this exploit can be used with off the shelf DOCSIS modems.

    More details are at the w00tsec article.

    https://w00tsec.blogspot.com.au/2015/11/arris-cable-modem-has-backdoor-in.html?m=1

  20. It must be said... by hyades1 · · Score: 1

    Arris Cable Modems Have 'Backdoors In Backdoors,' Researcher Claims

    This is exactly like saying Donald Trump has an asshole.

    --
    I've calculated my velocity with such exquisite precision that I have no idea where I am.

  21. Valeu! by Anonymous Coward · · Score: 0

    Valeu, Bernardão!

  22. Link to actual authors article by jacks+smirking+reven · · Score: 1

    https://w00tsec.blogspot.com.a...

    The article in the summary doesn't list which modems are affected, and I have an Arris modem myself, but it looks to be the TG862A, TG862G, and DG860A.

    Also notable that a quick glance of reviews on Amazon says there is no end user support for these, they are always ISP controlled.

  23. Re:how to get comcast empathy class to send patche by Anonymous Coward · · Score: 0

    If you do not understand shit about it, stop using computers

  24. One of only XFinity/Comcast Accepted by retroworks · · Score: 1

    Had to buy one of these, one of the only models I could replace my Xfinity rented box with (providing telephone as well as internet). As I understand, it was originally produced for Comcast / Xfinity, or at least Comcast still has a lot of confused technicians who think this Arris was made only for Comcast and can't be purchased... I had to go through 3 techs to get them to hook it up. I wonder if the backdoor of the router was designed in for Comcast, which I can imagine has thought of justifications (e.g. providing tech support to subscribers).

    On the plus side, it eliminated the XFinity login by wifi (see Slashdot a few links up)

    http://mydeviceinfo.comcast.net/

    --
    Gently reply

  25. Motorola Modems? by DERoss · · Score: 1

    I purchased a Motorola modem three years ago. Arris acquired Motorola's modem business, but I do not know when. How can I tell if my modem is affected?

    1. Re:Motorola Modems? by Anonymous Coward · · Score: 0

      It's very easy to tell if your modem is affected.
      Just look for the word ARRIS.

      Seriously speaking, backdoors are all about software (e.g. firmware). Not hardware.
      So if ARRIS wrote the firmware, then your model is backdoor'ed.

  26. "Impersonating" me, AGAIN? Please... apk by Anonymous Coward · · Score: 0

    See subject: How damn lame could you puny trolls be? You cannot successfully imitate my inimitable style! You wish you were me - this merely proves it!

    APK

    P.S.=> You know it's true - trying to be me merely reinforces it in your impersonating me... apk

  27. "Impersonating" me? You wish you were me! by Anonymous Coward · · Score: 0

    See subject: How damn lame could you puny trolls be? You can't successfully imitate my inimitable style!

    * You wish you were me!

    APK

    P.S.=> You know it's true - trying to be me merely reinforces it in your impersonating me... apk

  28. Arris Modem Features by Anonymous Coward · · Score: 0

    Check out these great Arris Modem Features:

    - 3X Faster than Wi-Fi N (wohoo!)
    - 8X Faster than DOCSIS 2.0 (super!)
    - 2X Backdoored (awesome!)

  29. Something to keep in mind by Anonymous Coward · · Score: 0

    When it comes to modems as a whole you should NEVER trust the modem as a primary gateway/router. Using a bridged mode pass through to a full firewall, and secured router separate from the modem is highly recommended for both wired and wireless communications. Most ISP modems have security holes built into the firmware by the modem manufacturers for different purposes. This was something I learned early on from systems engineers I worked with when pen testing network security flaws. Previous posts were correct when it was stated that such exploits were intentional, and never removed post production.

  30. Re:Integrity is fundamental. by Anonymous Coward · · Score: 0

    "With a straight face, I'm imploring you to trust me with a part of your information security. "

    Nope. My game can bypass your HOSTs file, ads load just fine in it. Browsers can bypass it. The operating system itself can ignore it if it so chooses. Programs can ignore it all day. It is trivially bypassed.

    Useless. I expect nothing less from someone relying upon Windows 9x computer naming technology for 'security.'

  31. Re:Obvious (idiot) by Anonymous Coward · · Score: 0

    https://www.google.com/search?q=harris+rhyming+slang&ie=utf-8&oe=utf-8

  32. Quoting Ozymandias from "The Watchmen" by Anonymous Coward · · Score: 0

    See subject & this quote: "Even Dr. Manhattan can't be everywhere @ once..." & neither can I, or hosts - I never said hosts files 'cure all'" did I?

    Show us where I did... ok??

    * What I have said, repeatedly, is that hosts do MORE than ANY single other "so-called 'solution'" out there for speed & security, bar-none, doing so with less (less is more = good engineering, using what you have natively already vs. stupidly & illogically "Bolting on 'MoAr'"...)

    APK

    P.S.=> I'm fucked? No, it appears YOU'RE fucked - who knows what's in those ads you're seeing & if hosts can't stop it, learn to trace such things using tools like wireshark & block it in a firewall if hosts don't stop it (hosts only stop host-domain names, NOT IP address served ads OR threats - that's a firewall's job)... apk

  33. I'd assume all of them by almechist · · Score: 1

    The article in the summary doesn't list which modems are affected, and I have an Arris modem myself, but it looks to be the TG862A, TG862G, and DG860A.

    Well actually what they say is "affecting many of their devices including TG862A, TG862G, DG860A" so technically all one can say is that those models are definitely affected, but my reading is that others may be affected as well. Does anyone know of a comprehensive list of every known backdoored Arris model? And yeah, I know, the safe and likely correct answer is "probably all of them."

  34. Addendum: Hosts do stop the most used... apk by Anonymous Coward · · Score: 0

    See subject: Hosts do stop online threats of host-domain name using ones (most used type by far vs. IP address served) & by far more dangerous/harder to stop due to "fastfluxing"...

    * Should've noted that earlier but I didn't, so I am now...

    APK

    P.S.=> "And, there ya go..."

    ... apk

  35. Affected models by JThundley · · Score: 1

    "While researching on the subject, I found a previously undisclosed backdoor on ARRIS cable modems, affecting many of their devices including TG862A, TG862G, DG860A."

  36. Double Negative by peawormsworth · · Score: 1

    The back door of your back door is: The front door.

  37. So it basically is by Anonymous Coward · · Score: 0

    recursive goatse