Slashdot Mirror


600,000 Arris Cable Modems Have 'Backdoors In Backdoors,' Researcher Claims (thestack.com)

An anonymous reader writes: A security researcher using Shodan to probe Arris cable modems for vulnerabilities has found that 600,000 of the company's modems not only have a backdoor, but that the backdoor itself has an extra backdoor. Brazilian vulnerability tester Bernardo Rodrigues posted that he found undocumented libraries in three models, initially leading to a backdoor that uses an admin password disclosed back in 2009. Brazilian researcher Bernardo Rodrigues notes that the secondary backdoor has a password derived in part from the final five digits from the modem's serial number. However, the default 'root' password for the affected models remains 'arris.'

32 of 76 comments

  1. Lovely by Motherfucking Shit · · Score: 2

    You can bet NSA has been exploiting this one for years.

    --
    "BSD: Free as in speech. Linux: Free as in beer. Windows 10: Free as in herpes." --Man On Pink Corner in #52607549.
    1. Re:Lovely by invictusvoyd · · Score: 1

      I'm sure it does not take an NSA to exploit this thing. AFAIK everyone has been exploiting this for years.

  2. Yo Dawg by Anonymous Coward · · Score: 4, Funny

    "I heard you like backdoors, so I put a backdoor in your backdoor" ... yeah, I can see why someone hasn't posted this yet.

    1. Re:Yo Dawg by PPH · · Score: 1

      You forgot to include a picture.

      --
      Have gnu, will travel.
  3. VPN router? by AHuxley · · Score: 1

    Interesting news for all some nations networks.
    Will a VPN ready router with OpenVPN help after the telco hardware?
    Spend another few $ per month to try and secure your computer from the 'provided' hardware.
    This is why everyone needs good crypto. Even the hardware has extra ways in :)

    --
    Domestic spying is now "Benign Information Gathering"
  4. Re:Nothing to see here... by Alwin Henseler · · Score: 3, Insightful

    Ehm.. a backdoor doesn't program itself and then ends up in firmware because of a 'programming mistake', or because 'corners were cut'. For whatever reason it was done, a backdoor has to be intentionally put there.

    That automatically turns "incompetent" into "malicious". Unless end-user was informed of the presence of said backdoor and the reason(s) for its existence, and was okay with that. Which of course is never the case.

  5. Re:Nothing to see here... by JustAnotherOldGuy · · Score: 4, Funny

    Ehm.. a backdoor doesn't program itself and then ends up in firmware because of a 'programming mistake', or because 'corners were cut'.

    Oh, I don't know...one time I tried to program "Hello world" and accidentally coded a medical billing system with an accounts receivable dashboard.

    --
    Just cruising through this digital world at 33 1/3 rpm...
  6. Re:ISP provided modem by ayesnymous · · Score: 1

    Time to get a customer-owned modem!

    Like what? Motorola? Arris owns Motorola's cable modem business.

  7. Not that surprised by tap · · Score: 4, Interesting

    I used to work for Arris. But we did the DVR software, which was originally a different company than the people doing the cable modems. The DVR software is a lot more secure than this. There's still a PWOD-protected technician interface, and the DVRs are remotely managed devices, but it doesn't let you do anything that would compromise the software. I'd be interested in seeing how someone would hack it. It shouldn't be possible to get a root shell.

    Someone did want to allow the player to pair over wifi automatically to the gateway by having the WPA2-PSK be derived from the device ID. I tried to stress what a terrible idea that was but those were people in a different division who didn't need to listen to me.

    1. Re:Not that surprised by Zebai · · Score: 1

      Good point, even knowing the password for the advanced interface what is the worst that you could do to it? It doesn't let you access any network data or personal details. So you could probably get an idea of how much data I use and a few technical details on the quality of my connection and maybe be able to access my IP address (which you already have if you're seeing the interface). I suppose if you were really nefarious you could probably cause my device to reboot a few times if you wanted to be persistent about it.

      It's been a number of years since I've gone into it myself, so today I tried to get into the advanced settings again and apparently my connection is being refused; I can only see the basic page, so I'm assuming I've gotten a firmware update blocking access at some point.

    2. Re:Not that surprised by phantomfive · · Score: 1

      Unless you're updating the libraries years after deployment, including the kernel, you can guarantee there are exploits available.

      And even if you've updated the libraries and kernel, you can still be assured that exploits are available, though perhaps not available to common script-kiddies.

      --
      "First they came for the slanderers and i said nothing."
    3. Re:Not that surprised by bobstreo · · Score: 1

      I'm guessing the DVR was coded to be more secure over the fear that someone may be able to copy the saved entertainment off the DVR and use it.

      Probably nothing more scary for providers than free shareable movies and TV shows.

    4. Re:Not that surprised by tap · · Score: 1

      The DVRs are remotely managed. New software updates go out on a regular basis. So, yes the libraries are updated years after deployment.

      The kernel, not so much. They use Broadcom chips and Broadcom isn't exactly the best at supporting Linux. You have to use one of their kernels since they don't upstream anything and they don't update the kernels themselves.

  8. don't trust the router! by anwyn · · Score: 1

    Don't trust any router software unless you can put openwrt on it. The router companies have shown they can not be trusted. All companies are subject to enormous pressure from NSA. Control the software that runs on your router yourself.

    1. Re:don't trust the router! by Gaygirlie · · Score: 1

      The problem is that we're talking about a cable modem, not just a regular router. I'm not aware of a single cable modem that's supported by OpenWRT or similar.

    2. Re:don't trust the router! by Antique Geekmeister · · Score: 1

      This is why you don't trust the mixed "cable modem" devices as anything but a cable modem. Many of them also include firewall, DHCP, and wifi features. Unfortunately, the extra "features" help make them more vulnerable to this kind of remote maintenance access password abuse.

  9. Hahahahaha by stooo · · Score: 1

    This is simply hilarious.
    The backdoors are so widespread that there is not much space left for useful software.
    Fuck Backdoors.

    --
    aaaaaaa
  10. Re:ISP provided modem by Spy Handler · · Score: 1

    I have a D-Link DOCSIS 3.0 cable modem I bought for $65 on sale about a year ago. Before that I was renting one from Comcast for $5 a month. Next month the D-Link will have paid for itself, and anything after that will be gravy.

    It's been working fine so far, haven't noticed anything different from the Motorola one that I was renting.

  11. Obvious by Anne Thwacks · · Score: 2

    With the name 'Arris, I should have thought it was a dead giveaway that it had a back door!

    Hint: 'Arris in England has the same meaning as Azz in USA.

    --
    Sent from my ASR33 using ASCII
    1. Re:Obvious by rebelwarlock · · Score: 1

      And for those of us who are from neither of those countries, what meaning are we supposed to garner?

  12. Cockney Rhyming Slang by Oxygen99 · · Score: 1

    Anyone familiar with cockney rhyming slang shouldn't be too surprised when Arris products contain an unexpectedly slack backdoor...

    --
    I had a dream, bright and carefree, but now there's doubt and gravity
  13. It must be said... by hyades1 · · Score: 1

    Arris Cable Modems Have 'Backdoors In Backdoors,' Researcher Claims

    This is exactly like saying Donald Trump has an asshole.

    --
    I've calculated my velocity with such exquisite precision that I have no idea where I am.
  14. Re:ISP provided modem by michrech · · Score: 1

    I have a Zoom 5341 8x4 DOCSIS 3 modem. Paying a monthly fee for the ISP provided modem is utterly stupid, unless you also get phone service from them and they refuse to allow you to use a third party modem for that (like my ISP)...

    --
    bork bork bork!
  15. Link to actual author's article by jacks smirking reven · · Score: 1

    https://w00tsec.blogspot.com.a...

    The article in the summary doesn't list which modems are affected, as I have an Arris modem myself, but it looks to be the TG862A, TG862G, and DG860A.

    Also notable that a quick glance of reviews on Amazon says there is no end user support for these, they are always ISP controlled.

  16. One of only XFinity/Comcast Accepted by retroworks · · Score: 1

    Had to buy one of these, one of the only models I could replace my Xfinity rented box with (providing telephone as well as internet). As I understand, it was originally produced for Comcast / Xfinity, or at least Comcast still has a lot of confused technicians who think this Arris was made only for Comcast and can't be purchased... I had to go through 3 techs to get them to hook it up. I wonder if the backdoor of the router was designed in for Comcast, which I can imagine has thought of justifications (e.g. providing tech support to subscribers).

    On the plus side, it eliminated the XFinity login by wifi (see Slashdot a few links up)

    http://mydeviceinfo.comcast.net/

    --
    Gently reply
  17. Motorola Modems? by DERoss · · Score: 1

    I purchased a Motorola modem three years ago. Arris acquired Motorola's modem business, but I do not know when. How can I tell if my modem is affected?

  18. Re:ISP provided modem by DarkTempes · · Score: 1

    If you read the article you'll see that they note D-Link puts backdoors into their stuff too.

    The example was router firmware that let you bypass http authentication by specifying a certain user agent.
    This was "legitimately" used by binaries/scripts on the device to change settings for things like dynamic DNS because it was apparently easier to query the http server to change settings than to rewrite it...

    Also included was a proof of concept shell code execution (via buffer overflow of the http server iirc.)

    Sadly for cable modems we can't exactly do nice things like run our own OpenWRT-derived firmware.
    Granted people can do nefarious things like bypass ISP bandwidth limitations with custom firmware but I honestly have to wonder if that's not just an excuse for laziness on the part of ISPs.

  19. Re:ISP provided modem by EETech1 · · Score: 1

    Get a magicJack GO for your phone.
    $35 a year, and you just plug it in your phone jack and network jack. As a bonus, you can ring your smartphone at the same time.
    I love mine.

  20. I'd assume all of them by almechist · · Score: 1

    The article in the summary doesn't list which modems are affected, as I have an Arris modem myself, but it looks to be the TG862A, TG862G, and DG860A.

    Well actually what they say is "affecting many of their devices including TG862A, TG862G, DG860A" so technically all one can say is that those models are definitely affected, but my reading is that others may be affected as well. Does anyone know of a comprehensive list of every known backdoored Arris model? And yeah, I know, the safe and likely correct answer is "probably all of them."

  21. Affected models by JThundley · · Score: 1

    "While researching on the subject, I found a previously undisclosed backdoor on ARRIS cable modems, affecting many of their devices including TG862A, TG862G, DG860A."

  22. Double Negative by peawormsworth · · Score: 1

    The back door of your back door is: The front door.

  23. Re:ISP provided modem by michrech · · Score: 1

    I don't have VoIP service through my ISP -- I just used them as an example of why someone might not be able to provide their own DOCSIS device.

    For my phone needs, I have Google Voice (this number is given to people I don't know / companies I don't fully trust) and my cell phone (a handful of friends and my family have this number). :)

    Get a magicJack GO for your phone.
    $35 a year, and you just plug it in your phone jack and network jack. As a bonus, you can ring your smartphone at the same time.
    I love mine.

    --
    bork bork bork!