Slashdot Mirror


AT&T Uverse Modems Found To Have Several Serious Security Vulnerabilities (threatpost.com)

dustman81 writes: AT&T Uverse modems were found to have several serious vulnerabilities, including a superuser account with hardcoded username/password exposed to the internet via SSH, an HTTP server with little authentication which allows command injection, and an internet-exposed service which exposes internal clients to external attacks. Information security consulting and software development firm Nomotion reports the findings in their blog: "It was found that the latest firmware update (9.2.2h0d83) for the NVG589 and NVG599 modems enabled SSH and contained hardcoded credentials which can be used to gain access to the modem's 'cshell' client over SSH. The cshell is a limited menu driven shell which is capable of viewing/changing the WiFi SSID/password, modifying the network setup, re-flashing the firmware from a file served by any tftp server on the internet, and even controlling what appears to be a kernel module whose sole purpose seems to be to inject advertisements into the user's unencrypted web traffic. Although no clear evidence was found suggesting that this module is actually being used currently, it is present, and vulnerable. Aside from the most dangerous items listed above, the cshell application is also capable of many other privileged actions. The username for this access is remotessh and the password is 5SaP9I26." The report continues to detail the other vulnerabilities: Default credentials 'caserver' https server NVG599; Command injection 'caserver' https server NVG599; Information disclosure/hardcoded credentials; and Firewall bypass no authentication.

Further reading: FierceTelecom; The Register

75 comments

  1. Trust Issues by Fragholio · · Score: 1

    And these companies are supposed to be trusted with actually securing the data that we provide them? I often wonder how non-IT people handle these business practices.

    --
    412077696e6e657220697320796f7521da
    1. Re:Trust Issues by PolygamousRanchKid+ · · Score: 5, Interesting

      And these companies are supposed to be trusted with actually securing the data that we provide them?

      No, that's incorrect. A big part of their business is providing private data to security services: see Lawful Interception (LI) https://en.wikipedia.org/wiki/...

      They are coerced by government agencies to do this. And just about every government passes laws requiring that ISPs and Telcos implement components that allow the security services to "just drop in" whenever they want. Usually, the government agencies are supposed to obtain warrants before tapping and sipping up someone's data, but these days . . . who's checking warrants any more . . . ?

      I worked on an ISP platform for a major telco in Europe, and it was interesting to see their LI system. Even the ISP operators themselves are not able to determine who and when the government is tapping. This is done so the "enemies" can't smuggle in mole operators into the ISPs who could alert their friends outside not to talk too loud on the line.

      Someone just found one of these hidden features for "special" users in AT&T.

      That's all.

      --
      Schroedinger's Brexit: The UK is both in and out of the EU at the same time!
    2. Re:Trust Issues by Anonymous Coward · · Score: 0

      Very soon, no routers out of the box will be trusted, and like people stepping on the foreign VPN bandwagon, and some percentage of those using advanced configurations - will buy open-hardware to drop packets that don't belong.
      We can take checksums of the offending modules and do regression tests on others, now.

      As for firmware, flashing is no solution because there is also, mostly an A / B and C partition in the eeprom that LI can fallback to.
      What is needed is some check-summing of eeproms that mangles hidey holes of storage. Yet no AV company does this, and custom firmware sites for profit, are having a hard time. With Mobos with 'Management' modules, there needs to be streamlining of gunk.

      The take home message is back doors and exploits are being found faster. It is now approaching the level where phone firmware may be outed and a listed share sink 20% overnight if revealed. Crude, sloppy measures in modems have to end now, before people start selling firmware mods that yell out WHEN you are probed.

  2. They need true bridge mode!! by Joe_Dragon · · Score: 4, Insightful

    They need true bridge mode!!

    1. Re:They need true bridge mode!! by jmcharry · · Score: 2

      Their older DSL modems used to operate purely as a modem if you connected using PPPoE. I don't know whether that is still an option. Of course then you have to provide your own firewall, NAT, and DHCP.

    2. Re:They need true bridge mode!! by starblazer · · Score: 1

      Supposedly there's a certificate on the modem which is needed for authentication preventing true bridge mode. I don't know how true it is because I've swapped out modems before for friends and I've never had an issue where a modem hasn't come back online provided the circuit is still active.

    3. Re:They need true bridge mode!! by arth1 · · Score: 1

      Of course then you have to provide your own firewall, NAT, and DHCP.

      You don't have to. Firewall and NAT is generally a good idea, but DHCP is just a convenience - static IPs work well too, and for IPv6, you can also auto-assign IP addresses on the host side without DHCP.

    4. Re:They need true bridge mode!! by aaarrrgggh · · Score: 1

      You can put them in bridge mode, but that doesn't change much. They are still capable of "remote management".

    5. Re: They need true bridge mode!! by Anonymous Coward · · Score: 0

      Yes, which every off the shelf router does out of the box.

    6. Re:They need true bridge mode!! by Anonymous Coward · · Score: 0

      I tested the vulnerabilities on my own NVG589 (albeit the last firmware 9.1.6h1d25) and the issues were not present. Also, I'm running in IP passthru mode (to my own internal router / firewall) and others have been reporting that even on the affected firmware that these ports are closed when in IP passthru mode. Granted, most regular users aren't likely to be using their gateway modem as a pure modem and are using it as their sole firewall and router.

      While I'm also in the 'tad miffed' camp that the L/P were posted, at least the blogger does give instructions on how to close the ports (slight silver lining?)

  3. AT&T sold out to the NSA by Anonymous Coward · · Score: 0

    No way any of their gear is allowed in my home or on my person

  4. War driving made easy. by Anonymous Coward · · Score: 2, Funny

    Get an AT&T UVerse coverage map and go a driving in those areas.

    Just think of all the kitty porn you can get!

    Tera and tera bytes of "I has Cheezburgers!"

  5. I Thought The Whole AT&T Network by zenlessyank · · Score: 1

    was a back door.

  6. comcast business forces you to rent there hardware by Joe_Dragon · · Score: 1

    comcast business (static ip) forces you to rent there hardware.

    ATT forces you to rent there hardware.

    We need to ban ISP's from forcing you to rent there hardware or force them to just give out an dumb open all e-net handoff.

  7. Arrest the board by Dog-Cow · · Score: 1

    The entire board of directors should be rotting in jail for allowing foreign agents to infiltrate US computer systems. Traitors and incompetent assholes, every single one.

    1. Re: Arrest the board by Anonymous Coward · · Score: 0

      Don't worry, the only reason AT&T's incompetence and shenanigans have come to light is because The Donald is on the case now and he is, as we all know, really down with the cyber. Lock them up!

    2. Re: Arrest the board by Anonymous Coward · · Score: 0

      This was his plan all along.

      He's going to take all the broken and exploitable modems and use them to build a wall. Problem solved. A wall of modems.

    3. Re:Arrest the board by arth1 · · Score: 2

      The entire board of directors should be rotting in jail for allowing foreign agents to infiltrate US computer systems.

      I'd rather have foreign agents being able to access my systems than native agents. The foreign agents have far less power to use the data in a way that's harmful to me or my interests.

      Giving native agencies access, on the other hand, is deeply scary, for a multitude of reasons, including democracy. It's we the people who are supposed to be their bosses, not feudal lords and kings telling them what to do to whom.

    4. Re: Arrest the board by Anonymous Coward · · Score: 0

      Yes, only the Precedent had the technical insight to realize that all those old firewalls could be recycled to make a real wall, but of fire! Furthermore, he insisted it will be powered by the finest American coal via the new West Virginia-Texas pipeline and in a shining example of his genius the meter will be on the Mexican side.

  8. AT&T is a multibillion $ company by Anonymous Coward · · Score: 1

    There's only one explanation for such disgusting, juvenile engineering: Malevolence, not incompetence.

    1. Re:AT&T is a multibillion $ company by Anonymous Coward · · Score: 0

      Having worked in several of these size companies and one of their competitors. No, it's incompetence. No one. I mean NO ONE gives a flying fuck if it is right or works. Just that they spun the line up and are sending in the checks. That is all they care about. When you are about to 'walk' they will let you. Unless you are a marquee account. Suddenly they are all about fixing things. Right up until you pay the bill. Then crickets.

  9. Re:comcast business forces you to rent there hardw by Anonymous Coward · · Score: 2, Funny

    Instead, they should force you to rent here hardware.

    That makes a lot more sense.

  10. Re: comcast business forces you to rent there hard by mprindle · · Score: 4, Informative

    The last I checked I could buy my own modem and use it on my Comcast service to avoid the rental fees. They even publish a list of approved modems.

    Home
    https://mydeviceinfo.xfinity.c...
    Business
    https://business.comcast.com/h...

  11. Well fucking Doh!!! by khz6955 · · Score: 0

    "AT&T Uverse modems were found to have several serious vulnerabilities, including a superuser account with hardcoded username/password"

    Look it, most/all consumer grade equipment has built-in back-doors, by the various security services, get used to it.

  12. Re: comcast business forces you to rent there hard by Dunbal · · Score: 1

    They even publish a list of approved modems.

    Only way to make the legit approved list is if they also contain officially backdoored hard/firmware?

    --
    Seven puppies were harmed during the making of this post.
  13. Re:comcast business forces you to rent there hardw by Billly+Gates · · Score: 4, Interesting

    As a good techie /. nerd I always buy my own modems and routers. Comcast as much as I hate them do allow third party approved modems. I bought a Motorola surfboard. It is not DOCSIS 3.0 and I get concerned texts every now and then but it works fine so no reason to change.

    So even with an unapproved older modem it will still work. Maybe I can't download at 200 mb/s but at 100 mb/s it works fine.

  14. Re: comcast business forces you to rent there hard by Joe_Dragon · · Score: 2

    If you have static ip with comcast then just must rent.

    To bad the comcast cable tv sucks and they have that download cap on there internet.

  15. Re: comcast business forces you to rent there hard by Anonymous Coward · · Score: 1

    You can use any modem you want on Comcast and flash it with anything you desire. The list of "approved" modems basically makes it easier for the masses to get one that is "known to work", and removes the "what version of the DOCSIS standard does this one support" research from the process. At the end of the day you get a modem, you tell Comcast its MAC address, and then you're off to the races. Frequently Comcast doesn't even want their old modem back...

  16. Re: comcast business forces you to rent there hard by Anonymous Coward · · Score: 0

    But do they cap here internet?

  17. Actual test to verify? by jabberw0k · · Score: 4, Interesting

    Is there an actual test to run to verify whether or not a given device has these vulnerabilities? The listed ports do not seem to be open on the ones I was able to test.

    1. Re:Actual test to verify? by Anonymous Coward · · Score: 0

      "The listed ports do not seem to be open" - Yeah, I reconfigured the modem slightly and closed them. I don't want everyone else onto our modem now, it will ruin the bandwidth...

  18. Re:comcast business forces you to rent there hardw by TWX · · Score: 4, Interesting

    COX just broke DOCSIS below 3.0, had to change modems.

    I'd really wanted to use a DOCSIS HWIC module for my Cisco router, but COX specifically said that module would not be supported on their network, and then with the 3.0+ requirement, the 2.1-capable unit isn't supported anyway.

    Really wish that Google Fiber hadn't stalled. There's a dark fiber trunk line running through the neighborhood around 200' from my house, and Google was in the habit of buying dark fiber wherever they could.

    --
    Do not look into laser with remaining eye.
  19. Upload custom firmware.... is an opportunity by Proudrooster · · Score: 1

    The ASUS Merlin project created custom firmware for ASUS routers, maybe this is a limited opportunity to create custom firmware for the AT&T modems that can increase security and add features.

  20. No kidding by Anonymous Coward · · Score: 0

    Does this actually surprise anyone? Really?

    This is why you should place the Uverse modem into the closest state you can get to bridgemode and disable the wifi. Then, put your own router/firewall/wifi access point behind it.

    1. Re:No kidding by Anonymous Coward · · Score: 0

      nice idea, but won't do a damn thing. you can't shut off the remote admin, which allows for a fucking firmware update from *anywhere*.

    2. Re: No kidding by Anonymous Coward · · Score: 0

      Why does the typical American tech solution always involve giving the turd a good polish?

    3. Re: No kidding by Anonymous Coward · · Score: 0

      Because of the loss of generational knowledge that happened during the immediate aftermath of the 2000 tech crash here

  21. Re: comcast business forces you to rent there hard by Anonymous Coward · · Score: 0

    We need to ban users on Slashdot who consistently make 3rd grade level spelling mistakes.

  22. Re:comcast business forces you to rent there hardw by Billly+Gates · · Score: 2

    They claimed they did and sent me scary texts and emails 6 months ago. My system still works and they left me alone. 2.1 is fully compatible and they won't disconnect your access.

  23. Pass on the freebie modems... by __aaclcg7560 · · Score: 1

    The freebie DSL modems that ATT provided weren't very good. Most would conk out after a year or two. When I started working one day a week from home, I bought a business class modem for $200 and spent several hours understanding the new security features. That one lasted seven years.

    1. Re:Pass on the freebie modems... by ls671 · · Score: 1

      I am sorry but I don't believe you. After all, you need at least an enterprise class modem to do the kind of work you do.

      --
      Everything I write is lies, read between the lines.
    2. Re:Pass on the freebie modems... by pnutjam · · Score: 1

      I used PfSense on an old computer and got all the enterprise features. Later I bought an embedded x86 system.
      Unfortunately, Uverse AT&T won't let you provide your own router, you can just put yours behind theirs, and it ain't a real pass through either.

  24. Responsible reporting... by Fly+Swatter · · Score: 1

    Is not giving out the actual login details, unless the offender has not fixed the problem in many months, not days. Even then it is rather inconsiderate to those that are stuck with the hardware. I have no respect for such 'researchers'.

    1. Re: Responsible reporting... by Anonymous Coward · · Score: 0

      In this case the security hole was added by the update, so warning people not to install it is not irresponsible.

    2. Re: Responsible reporting... by Anonymous Coward · · Score: 0

      Yeah but you can warn people not to install the update without giving out the credentials to the back door.

      I bet a lot of ppl saw the creds and headed off to shodan...

    3. Re: Responsible reporting... by Narcocide · · Score: 1

      One problem; ATT U-Verse staff updates the modems remotely, automatically, and without notice or recourse.

  25. How many reasons do you need by Anonymous Coward · · Score: 0

    for not buying American communication products or services? We could pile them up for you ad nauseam, and it seems some people will just never get it - they are made insecure by design.

    1. Re: How many reasons do you need by Anonymous Coward · · Score: 0

      Do you actually think this hardware / software is made in the USA ?

      Give you a guess where it IS made . .

  26. Re:Time to lay down the law! by Anonymous Coward · · Score: 0

    No this is NOT offtopic! You're offtopic! You're offtopic! This whole site is offtopic! We are in great danger, and we need to take action now! We either do this, or we all die! So, fuck you, moderators! You're a bunch of commie terrorist cunts!

  27. Re: comcast business forces you to rent there hard by Darinbob · · Score: 1

    Not true for AT&T. Your modems have to be able to talk to their modems, you can't buy a compatible one at Fry's. I'd buy my own if I could.

  28. I see what you're saying, but... by Anonymous Coward · · Score: 0

    I understand what you're saying, but in a way, that's still a kind of malevolence—it's basically a minor kind of fraud.

    1. Re:I see what you're saying, but... by Anonymous Coward · · Score: 0

      Sufficiently advanced cluelessness is indistinguishable from malice. That surely describes AT&T, and most other large phone/cable/ISP operations in the US. Small ISPs, up to perhaps the size of Sonic, seem to have a better handle on the tech as well as customer service, but they only have small service areas (kind of the definition of "small ISP"...) so most of us can't use them.

  29. Wonder if they pushed equiv onto android phones? by Ungrounded+Lightning · · Score: 1

    "It was found that the latest firmware update (9.2.2h0d83) for the NVG589 and NVG599 modems enabled SSH and contained hardcoded credentials which can be used to gain access to the modem's 'cshell' client over SSH. ... [how to escalate this into full access ...]

    The latest update pushed to the modems opened this hole. Hmmm...

    AT&T just pushed a couple updates to my Android phone a few weeks back. Like a complete version jump on the Android OS, followed by a tweak update a week or two later.

    I wonder if they did the same sort of thing to the phones that they did to the U-Verse modems?

    --
    Bantam Dominique roosters crow a four-note song. Once you've heard it as "Happy BIRTHday" you can't NOT hear it that way
  30. Workaround fix by Anonymous Coward · · Score: 0

    FYI, I discovered some of these open ports using nmap on my Arris. You can block them even if you have the tainted firmware: Just set up manual port redirects in the modem for each one, and point them to some garbage internal address/port.

  31. Re: comcast business forces you to rent there hard by antdude · · Score: 1

    What about AT&T? Not all ISPs will let you. :P

    --
    Ant(Dude) @ Quality Foraged Links (AQFL.net) & The Ant Farm (antfarm.ma.cx / antfarm.home.dhs.org).
  32. Re: comcast business forces you to rent there har by Anonymous Coward · · Score: 0

    Yo moron we're not talking about Comcast, With ATT U-verse there are no options these are dual band DSL modems and you cannot buy your own anywhere that I can find. They have us by the balls and are squeezing hard especially when they're the only ISP in town and have a monopoly which by the way should be criminal.

  33. Re: comcast business forces you to rent there hard by Spamalope · · Score: 1

    He means you must rent if you have a static IP. In my case they added a rental fee after the fact, told me I could buy a device then wouldn't activate it once I'd bought it.

  34. They're also slow AF by jsepeta · · Score: 1

    I can't believe AT&T are such cheap bastards that they're still shipping Wi-Fi 802.11g routers to their customers.

    --
    Remember kids, if you're not paying for the service, YOU ARE THE PRODUCT THAT IS BEING SOLD.
  35. Re: comcast business forces you to rent there hard by pnutjam · · Score: 1

    Not with Uverse, their IPtv won't work with your own equipment and there is no bridge mode. The best you can do is DMZ, or there is a router behind router option that puts in the necessary route for another subnet, theoretically, it never worked for me.

    God forbid you put in your own routes.
    The damn routers seem to forget the DMZ and port forwarding settings every 6 months or so, I'm not sure if AT&T was resetting things, or the hardware just sucked.
    Just had a client whose router forgot all the port forwarding I had configured.

  36. Re: comcast business forces you to rent there hard by pnutjam · · Score: 1

    I have a 1TB cap, which is sufficient with 4 kids using ipads to watch videos and such.

  37. So, this is the birthplace of Unix. by Darkness+Of+Course · · Score: 1

    Funny how ATT never really came to grips with Unix. Beyond licensing and cash intake. They are just as clueless when it comes to user land equipment as anyone else. Even the hacks in China. One does wonder how many of their products have the same user/password combo.

    1. Re: So, this is the birthplace of Unix. by Anonymous Coward · · Score: 0

      No, that was a different entity called AT&T. This one used to be PacBell

  38. You mean the modem from the cable company? by Anonymous Coward · · Score: 0

    "Vulnerabilities" that benefit the provider for the selling of traffic information? No...... Why does this surprise people? You don't actually own the cable modem the company gives you. For several months now, your ISP has had the right to sell your browsing information to anyone but for some reason, people have completely forgotten about it.

  39. Re: comcast business forces you to rent there hard by Anonymous Coward · · Score: 0

    Nitpicking; with old-style DSL you could walk into Best Buy and get a Siemens modem that worked out of the box with AT&T. Which you then plugged into your own router. That's no longer the case with Uverse. You must rent their "gateway" which does have a Bridge Mode if you want to use your own router behind it. One would expect that Bridge Mode is not 100% that - AT&T certainly controls the firmware and can do things within the Bridge if they want to (or some agency with the right number of letters in their acronym asks them nicely). If you're using their whole box, then anybody who can spell "tech" understands that what you do from your side of the admin interface is always subject to revision by what AT&T does from theirs. So Not News unless these are new features being added. And what about old models like mine - where once I got on a different plan from the one they had me on (expensive) upon conversion from DSL I started having to pay rental for the box that's been up on top of the kitchen cabinets since Day One of Uverse.

  40. "inject advertisements"? !!!! by RhettLivingston · · Score: 1

    a kernel module whose sole purpose seems to be to inject advertisements into the user's unencrypted web traffic.

    Wow. That's a heck of a sleeper statement. I wonder whether Google already knew this?

    The ability to inject advertisements into HTTP traffic would be a minor tweak away from replacing advertisements that are already there. This could render the metrics from advertisement giants like Google worthless for HTTP traffic and become a large threat to their business model - even more so perhaps than ad blockers.

    I wonder if this is part of what is in Google's thoughts in their push for HTTPS. Perhaps it isn't about our security but theirs. Imagine if Comcast, Time Warner, AT&T, Verizon, and others started replacing the ads going to their users with ones they've sold. Any ads not flowing via HTTPS could be replaced. That would be a big, big hit.

    Interestingly, since the device closest to the user would win the battle, Google Wifi could be used to counter-attack such an effort, and I bet Google Home would be updated overnight to act as a mesh router. They might even start offering free Youtube Red or Google Play Music as an incentive to those using their mesh routing and enabling ad injection.

    1. Re:"inject advertisements"? !!!! by Narcocide · · Score: 1

      Yea, even better, when you try to look up a hostname and get no DNS response, the router forwards your HTTP request directly to itself. (this causes some very interesting conflicts with Slashdot's annoying auto-refresh redirects)

  41. Re:comcast business forces you to rent there hardw by TWX · · Score: 1

    Service kept dropping out. Didn't have to pay for my modem anyway since we have the home telephone line, so they supplied the model with the VOIP capability.

    --
    Do not look into laser with remaining eye.
  42. Dont Buy A Puma 6 Modem by Anonymous Coward · · Score: 0

    I purchased an upscale Cable Modem with Gig Ethernet ports and wireless 802.11 AC only to find out that it fails when sent a stream of UDP packets. My son noticed the performance drop immediately while playing Steam.

    Here is a test to see if your modem contains the infamous Intel Puma 6 Chipset.

  43. Re: comcast business forces you to rent there hard by Anonymous Coward · · Score: 0

    Yeah, but that's neither hear nor they're.

  44. What about Pace Pic Modem/Routers? by Anonymous Coward · · Score: 0

    Pace Pic is the current supplier and replaced the faulty Arris unit I had. What holes are in this unit? I suspect even more...........

  45. HAH by bobmajdakjr · · Score: 1

    i had both of these! and they both eventually died lololololol. hooray for that.

  46. Re:comcast business forces you to rent there hardw by Anonymous Coward · · Score: 0

    I have Comcast business service. I am using their Cisco BWG hardware... and it is connected only to my firewall/router which isolates my systems from Comcast's network.

    I am required to use their equipment to connect to their network, but I do not have to give them uncontrolled access to my network.