Major Vulnerabilities Found in Arris AT&T U-verse Cable Modems
One of the largest telecommunications manufacturers in the world, Arris International Plc provides data, video and telephony systems for homes and businesses. The company’s modems and routers frequently make the top-five lists in telecommunication hardware reviews. Given that reputation, it came as a total surprise when Joseph Hutchins of Nomotion Software reported five easily exploitable vulnerabilities in the Arris-manufactured NVG589 and NVG599 modems running the latest firmware, 9.2.2h0d83.
In fact, in his report, Hutchins expressed surprise that these vulnerabilities had not been detected earlier, saying, “It is hard to believe that no one is already exploiting this vulnerability at the detriment of innocents. Which is why this report is not passing Go, not collecting $200, and is going straight to the public domain.” In the wake of this report, Arris representatives have yet to release an official statement and are still investigating the matter.
It is important to note that Hutchins is careful to point out where responsibility may lie: ‘In all fairness, it is uncertain whether these gaping security holes were introduced by Arris (the OEM) or if these problems were added after delivery to the ISP (AT&T U-verse). From examining the firmware, it seems apparent that AT&T engineers have the authority and ability to add and customize code running on these devices, which they then provide to the consumer (as they should).’ Although it is yet to be determined who is solely responsible for the security lapses, it is certain that both AT&T and Arris are responsible for ensuring the security of end users. Even if a modem ships with security issues, the ISP should be able to detect the problem and rectify any security holes as soon as possible.
The five vulnerabilities reported by Hutchins were:
1. Firmware Updates for the Modems Enable SSH and Contain Hard-Coded Credentials
This means that the hard-coded credentials can be used to gain access to the modem’s ‘cshell,’ which could enable an attacker to change the WiFi SSID/password of a network and modify the network setup. Additional vulnerabilities include the possibility for an attacker to inject advertisements into the user’s unencrypted web traffic. According to the Nomotion report, there could be hundreds of additional vulnerabilities in the cshell binary alone.
2. HTTPS Server of Unknown Purpose Running on Port 49955
In the second vulnerability, a default account named ‘tech’ with an empty password gives access to a highly vulnerable web server. What is the purpose of the web server? Is it the result of poor programming or a careless mistake? It is hard to say, but the fact that a modem exposes an HTTPS server of unknown purpose that accepts default credentials is worrisome.
3. Command Injection in cserver on NVG599
Command injection is an attack on the host operating system through a vulnerable application, and the HTTPS server running on the NVG599 modem is vulnerable to exactly this kind of attack. Hutchins says, ‘There are countless ways to exploit this, but a few quick and dirty stacked commands using wget to download busybox with netcat (mips-BE) from an http server (no SSL support) and then spawn a reverse shell works well.’
4. A Service on Port 61001
It’s certainly not a light matter when attackers can collect WiFi credentials and MAC addresses. The only mitigating factor is that the information can be obtained only if the device’s serial number is known; once it is, the attacker simply enters the serial number, OUI and username/password to retrieve details about the device and its credentials.
5. Firewall Bypass with No Authentication
This is the most serious and most immediate vulnerability – a firewall bypass that requires no authentication at all. All it needs is the device’s MAC address, and we all know obtaining that is not difficult these days. Once the attacker has the device’s MAC address, they simply send it along with the ‘\x2a\xce\x01’ magic value and gain access to your entire network.
There are workarounds for these vulnerabilities, but they are highly technical and cannot be carried out by average users. If, however, you can afford some technical help, have someone skilled in networking look into the matter. In the meantime, let’s hope AT&T U-verse or Arris will take accountability (or not, if these security lapses are intentional) and ensure that users can use their devices safely.
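As an added example, not part of the original article or of the Nomotion report, here is a small Python check a network owner can run from inside the LAN against their own gateway to see whether the three services named above (SSH on 22, the HTTPS server on 49955 and the service on 61001) are listening at all. The default gateway address, the timeout and the one-line descriptions of each port are assumptions of the example; it only attempts a TCP connection, sends nothing and never tries to log in.

```python
import socket
import sys

# Ports named in the Nomotion report for the NVG589/NVG599. The descriptions
# are this example's own summaries of the items above, not report text.
SUSPECT_PORTS = {
    22: "SSH enabled by the firmware update, hard-coded credentials",
    49955: "HTTPS server of unknown purpose ('tech' account, empty password)",
    61001: "service that discloses WiFi credentials given the serial number",
}


def probe_port(host, port, timeout=2.0):
    """Return True if a TCP connection to host:port is accepted.

    Only the TCP handshake is attempted; nothing is sent and no login is
    tried. A refused, filtered or timed-out connection reports False.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def assess_exposure(open_ports):
    """Map the set of ports found open to the report findings they match.

    Ports outside SUSPECT_PORTS are ignored, so the result is only the
    exposure relevant to the five items above, ordered by port number.
    """
    return {port: SUSPECT_PORTS[port]
            for port in sorted(open_ports) if port in SUSPECT_PORTS}


def check_gateway(host, timeout=2.0):
    """Probe each suspect port on the gateway and return the findings."""
    open_ports = {port for port in SUSPECT_PORTS
                  if probe_port(host, port, timeout)}
    return assess_exposure(open_ports)


if __name__ == "__main__":
    # Assumed default gateway address; pass your own as the first argument.
    gateway = sys.argv[1] if len(sys.argv) > 1 else "192.168.1.254"
    findings = check_gateway(gateway)
    if not findings:
        print(f"{gateway}: none of the suspect ports accepted a connection")
    for port, description in findings.items():
        print(f"{gateway}:{port} is open: {description}")
```

A port that answers from the LAN side is listening but not necessarily reachable from the Internet; whether it is exposed on the WAN side has to be confirmed from outside the network. Re-running the check after every firmware update is worthwhile, since the report describes the SSH service as something the update itself turned on.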