Slashdot Mirror

← Back to Stories (view on slashdot.org)

AT&T Uverse Modems Found To Have Several Serious Security Vulnerabilities (threatpost.com)

Posted by BeauHD on from the careless-vulnerabilities dept.

dustman81 writes: AT&T Uverse modems were found to have several serious vulnerabilities, including a superuser account with hardcoded username/password exposed to the internet via SSH, a HTTP server with little authentication which allows command injection, and an internet exposed service which exposes internal clients to external attacks. Information security consulting and software development firm Nomotion reports the findings in their blog: "It was found that the latest firmware update (9.2.2h0d83) for the NVG589 and NVG599 modems enabled SSH and contained hardcoded credentials which can be used to gain access to the modem's 'cshell' client over SSH. The cshell is a limited menu driven shell which is capable of viewing/changing the WiFi SSID/password, modifying the network setup, re-flashing the firmware from a file served by any tftp server on the internet, and even controlling what appears to be a kernel module whose sole purpose seems to be to inject advertisements into the user's unencrypted web traffic. Although no clear evidence was found suggesting that this module is actually being used currently, it is present, and vulnerable. Aside from the most dangerous items listed above, the cshell application is also capable of many other privileged actions. The username for this access is remotessh and the password is 5SaP9I26." The report continues to detail the other vulnerabilities: Default credentials 'caserver' https server NVG599; Command injection 'caserver' https server NVG599; Information disclosure/hardcoded credentials; and Firewall bypass no authentication.

Further reading: FierceTelecom; The Register

40 of 75 comments (clear)

  1. Trust Issues by Fragholio · · Score: 1

    And these companies are supposed to be trusted with actually securing the data that we provide them? I often wonder how non-IT people handle these business practices.

    --
    412077696e6e657220697320796f7521da
    1. Re:Trust Issues by PolygamousRanchKid+ · · Score: 5, Interesting

      And these companies are supposed to be trusted with actually securing the data that we provide them?

      No, that's incorrect. A big part of their business is providing private data to security services: see Lawful Interception (LI) https://en.wikipedia.org/wiki/...

      They are coerced by government agencies to do this. And just about every government passes laws requiring that ISPs and Telcos implement components that allow the security services to "just drop in" whenever they want. Usually, the government agencies are supposed to obtain warrants before tapping and sipping up someone's data, but these days . . . who's checking warrants any more . . . ?

      I worked on an ISP platform for a major telco in Europe, and it was interesting to see their LI system. Even the ISP operators themselves are not able to determine who and when the government is tapping. This is done so the "enemies" can't smuggle in mole operators into the ISPs who could alert their friends outside not to talk too loud on the line.

      Someone just found one of these hidden features for "special" users in AT&T.

      That's all.

      --
      Schroedinger's Brexit: The UK is both in and out of the EU at the same time!
  2. They need true bridge mode!! by Joe_Dragon · · Score: 4, Insightful

    They need true bridge mode!!

    1. Re:They need true bridge mode!! by jmcharry · · Score: 2

      Their older DSL modems used to operate purely as a modem if you connected using PPPoE. I don't know whether that is still an option. Of course then you have to provide your own firewall, NAT, and DHCP.

    2. Re:They need true bridge mode!! by starblazer · · Score: 1

      Supposedly there's a certificate on the modem which is needed for authentication preventing true bridge mode. I don't know how true it is because I've swapped out modems before for friends and I've never had an issue where a modem hasn't come back online provided the circuit is still active.

    3. Re:They need true bridge mode!! by arth1 · · Score: 1

      Of course then you have to provide your own firewall, NAT, and DHCP.

      You don't have to. Firewall and NAT is generally a good idea, but DHCP is just a convenience - static IPs work well too, and for IPv6, you can also auto-assign IP addresses on the host side without DHCP.

    4. Re:They need true bridge mode!! by aaarrrgggh · · Score: 1

      You can put them in bridge mode, but that doesn't change much. They are still capable of "remote management".

  3. War driving made easy. by Anonymous Coward · · Score: 2, Funny

    Get an AT&T UVerse coverage map and go a driving in those areas.

    Just think of all the kitty porn you can get!

    Tera and tera bytes of "I has Cheezburgers!"

  4. I Thought The Whole AT&T Network by zenlessyank · · Score: 1

    was a back door.

  5. comcast business forces you to rent there hardware by Joe_Dragon · · Score: 1

    comcast business (static ip) forces you to rent there hardware.

    ATT forces you to rent there hardware.

    We need to ban ISP's from forcing you to rent there hardware or force them to just give out an dumb open all e-net handoff.

  6. Arrest the board by Dog-Cow · · Score: 1

    The entire board of directors should be rotting in jail for allowing foreign agents to infiltrate US computer systems. Traitors and incompetent assholes, every single one.

    1. Re:Arrest the board by arth1 · · Score: 2

      The entire board of directors should be rotting in jail for allowing foreign agents to infiltrate US computer systems.

      I'd rather have foreign agents being able to access my systems than native agents. The foreign agents have far less power to use the data in a way that's harmful to me or my interests.

      Giving native agencies access, on the other hand, is deeply scary, for a multitude of reasons, including democracy. It's we the people who are supposed to be their bosses, not feudal lords and kings telling them what to do to whom.

  7. AT&T is a multibillion $ company by Anonymous Coward · · Score: 1

    There's only one explanation for such disgusting, juvenile engineering: Malevolence, not incompetence.

  8. Re:comcast business forces you to rent there hardw by Anonymous Coward · · Score: 2, Funny

    Instead, they should force you to rent here hardware.

    That makes a lot more sense.

  9. Re: comcast business forces you to rent there hard by mprindle · · Score: 4, Informative

    The last I checked I could buy my own modem and use it on my Comcast service to avoid the rental fees. They even publish a list of approved modems.

    Home
    https://mydeviceinfo.xfinity.c...
    Business
    https://business.comcast.com/h...

  10. Re: comcast business forces you to rent there hard by Dunbal · · Score: 1

    They even publish a list of approved modems.

    Only way to make the legit approved list is if they also contain officially backdoored hard/firmware?

    --
    Seven puppies were harmed during the making of this post.
  11. Re:comcast business forces you to rent there hardw by Billly+Gates · · Score: 4, Interesting

    As a good techie /. nerd I always buy my own modems and routers. Comcast as much as I hate them do allow third party approved modems. I bought a Motorola surfboard. It is not Docsys 3.0 and I get concerned texts every now and then but it works fine so no reason to change.

    So even with an unapproved older modem it will still work. Maybe I can't download at 200 mb/s but at 100 mb/s it works fine.

    --
    http://saveie6.com/
  12. Re: comcast business forces you to rent there hard by Joe_Dragon · · Score: 2

    If you have static ip with comcast then just must rent.

    To bad the comcast cable tv sucks and they have that download cap on there internet.

  13. Re: comcast business forces you to rent there hard by Anonymous Coward · · Score: 1

    You can use any modem you want on Comcast and flash it with anything you desire. The list of "approved" modems basically makes it easier for the masses to get one that is "known to work", and removes the "what version of the DOCSIS standard does this one support" research from the process. At the end of the day you get a modem, you tell Comcast its MAC address, and then you're off to the races. Frequently Comcast doesn't even want their old modem back...

  14. Actual test to verify? by jabberw0k · · Score: 4, Interesting

    Is there an actual test to run to verify whether or not a given device has these vulnerabilities? The listed ports do not seem to be open on the ones I was able to test.

  15. Re:comcast business forces you to rent there hardw by TWX · · Score: 4, Interesting

    COX just broke DOCSIS below 3.0, had to change modems.

    I'd really wanted to use a DOCSIS HWIC module for my Cisco router, but COX specifically said that module would not be supported on their network, and then with the 3.0+ requirement, the 2.1-capable unit isn't supported anyway.

    Really wish that Google Fiber hadn't stalled. Theres a dark fiber trunk line running through the neighborhood around 200' from my house, and Google was in the habit of buying dark fiber wherever they could.

    --
    Do not look into laser with remaining eye.
  16. Upload custom firmware.... is an opportunity by Proudrooster · · Score: 1

    The ASUS Merlin project created custom firmware for ASUS routers, maybe this is a limited opportunity to create custom firmware for the AT&T modems that can increase security and add features.

  17. Re:comcast business forces you to rent there hardw by Billly+Gates · · Score: 2

    They claimed they did and sent me scary texts and emails 6 months ago. My system still works and they left me alone. 2.1 is fully compatible and they won't disconnect your access.

    --
    http://saveie6.com/
  18. Pass on the freebie modems... by __aaclcg7560 · · Score: 1

    The freebie DSL modems that ATT provided weren't very good. Most would conk out after a year or two. When I started working one day a week from home, I bought a business class modem for $200 and spent several hours understanding the new security features. That one lasted seven years.

    1. Re:Pass on the freebie modems... by ls671 · · Score: 1

      I am sorry but I don't believe you. After all, you need at least an enterprise class modem to do the kind of work you do.

      --
      Everything I write is lies, read between the lines.
    2. Re:Pass on the freebie modems... by pnutjam · · Score: 1

      I used PfSense on an old computer and got all the enterprise features. later I bought an embedded x86 system.
      Unfortunately, Uverse At&T won't let you provide your own router, you can just put yours behind theirs, and it ain't a real pass through either.

      --
      Cheap storage VM.
  19. Responsible reporting... by Fly+Swatter · · Score: 1

    Is not giving out the actual login details, unless the offender has not fixed the problem in many months, not days. Even then it is rather inconsiderate to those that are stuck with the hardware. I have no respect for such 'researchers'.

    1. Re: Responsible reporting... by Narcocide · · Score: 1

      One problem; ATT U-Verse staff updates the modems remotely, automatically, and without notice or recourse.

  20. Re: comcast business forces you to rent there hard by Darinbob · · Score: 1

    Not true for AT&T. Your modems have to be able to talk to their modems, you can't buy a compatible one at Fry's. I'd buy my own if I could.

  21. Wonder if they pushed equiv onto android phones? by Ungrounded+Lightning · · Score: 1

    "It was found that the latest firmware update (9.2.2h0d83) for the NVG589 and NVG599 modems enabled SSH and contained hardcoded credentials which can be used to gain access to the modem's 'cshTell' client over SSH. ... [how to escalate this into full access ...]

    The latest update pushed to the modems opened this hole. Hmmm...

    AT&T just pushed a couple updates to my Android phone a few weeks back. Like a complete version jump on the Android OS, followed by a tweak update a week or two later.

    I wonder if they did the same sort of thing to the phones that they did to the U-Verse modems?

    --
    Bantam Dominique roosters crow a four-note song. Once you've heard it as "Happy BIRTHday" you can't NOT hear it that way
  22. Re: comcast business forces you to rent there hard by antdude · · Score: 1

    What about AT&T? Not all ISPs will let you. :P

    --
    Ant(Dude) @ Quality Foraged Links (AQFL.net) & The Ant Farm (antfarm.ma.cx / antfarm.home.dhs.org).
  23. Re: comcast business forces you to rent there hard by Spamalope · · Score: 1

    He means you must rent if you have a static IP. In my case they added a rental fee after the fact, told me I could buy a device then wouldn't activate it once I'd bought it.

  24. They're also slow AF by jsepeta · · Score: 1

    I can't believe AT&T are such cheap bastards that they're still shipping Wi-Fi 802.11g routers to their customers.

    --
    Remember kids, if you're not paying for the service, YOU ARE THE PRODUCT THAT IS BEING SOLD.
  25. Re: comcast business forces you to rent there hard by pnutjam · · Score: 1

    Not with Uverse, their IPtv won't work with your own equipment and there is no bridge mode. The best you an do is DMZ, or there is a router behind router option that puts in the necessary route for another subnet, theoretically, if never worked for me.

    God forbid you put in you own routes.
    The damn routers seem to forget the DMZ and port forwarding settings every 6 months or so, I'm not sure if AT&T was resetting things, or the hardware just sucked.
    Just had a client who's router forgot all the port forwarding I had configured.

    --
    Cheap storage VM.
  26. Re: comcast business forces you to rent there hard by pnutjam · · Score: 1

    I have a 1TB cap, which is sufficient with 4 kids using ipads to watch videos such.

    --
    Cheap storage VM.
  27. So, this is the birthplace of Unix. by Darkness+Of+Course · · Score: 1

    Funny how ATT never really came to grips with Unix. Beyond licensing and cash intake. They are just as clueless when it comes to user land equipment as anyone else. Even the hacks in China. One does wonder how many of their products have the same user/password combo.

  28. "inject advertisements"? !!!! by RhettLivingston · · Score: 1

    a kernel module whose sole purpose seems to be to inject advertisements into the user's unencrypted web traffic.

    Wow. That's a heck of a sleeper statement. I wonder whether Google already knew this?

    The ability to inject advertisements into HTTP traffic would be a minor tweak away from replacing advertisements that are already there. This could render the metrics from advertisement giants like Google worthless for HTTP traffic and become a large threat to their business model - even more so perhaps than ad blockers.

    I wonder if this is part of what is in Google's thoughts in their push for HTTPS. Perhaps it isn't about our security but theirs. Imagine if Comcast, Time Warner, AT&T, Verizon, and others started replacing the ads going to their users with ones they've sold. Any ads not flowing via HTTPS could be replaced. That would be a big, big hit.

    Interestingly, since the device closest to the user would win the battle, Google Wifi could be used to counter-attack such an effort, and I bet Google Home would be updated overnight to act as a mesh router. They might even start offering free Youtube Red or Google Play Music as an incentive to those using their mesh routing and enabling ad injection.

    1. Re:"inject advertisements"? !!!! by Narcocide · · Score: 1

      Yea, even better, when you try to look up a hostname and get no DNS response, the router forwards your HTTP request directly to itself. (this causes some very interesting conflicts with Slashdot's annoying auto-refresh redirects)

  29. Re:comcast business forces you to rent there hardw by TWX · · Score: 1

    Service kept dropping out. Didn't have to pay for my modem anyway since we have the home telephone line, so they supplied the model with the VOIP capability.

    --
    Do not look into laser with remaining eye.
  30. HAH by bobmajdakjr · · Score: 1

    i had both of these! and they both eventually died lololololol. horray for that.