ARRIS Cable Modem Has a Backdoor in the Backdoor (opens in new tab)

(w00tsec.blogspot.com)

471 pointsgeococcyxc10y ago119 comments

119 comments

> After a thoughtful analysis, the marketing committee advised w00tsec members to write a Keygen. In order to write a Keygen, we need a leet ascii art and a cool chiptune.

Something old, something new. Of course exploits and chiptunes have always gone together like bread and butter. But now exploits need marketing committees too.

a1k0n10y ago

Not a bad chiptune either: http://www.a1k0n.net/code/jsxm/#Ghidorah_-_Toilet_story_5.xm

throwaway776710y ago

Watched on YouTube, since I didn't have a FastTracker player handy: https://www.youtube.com/watch?v=Syc2NnPNnZs

Listening to that put me in a good mood :)

1 more reply

paulannesley10y ago

Hah I love this in the arris_backdoor.py output:

  > Bypassing EULA...
  > EULA served over HTTP
  > MiTMing EULA to include permissive clauses...
  > EULA bypassed using technique [1]

ericfrederich10y ago

Good catch... That is hysterical

arca_vorago10y ago

You know what really grinds my gears? The fact that on my newish surfboard modem, when I looked around for a new firmware version, low and behold, apparently Arris/Motorola refuse to release the firmware to the consumer/owner of the device, and say that it is the ISP's responsibility to update firmware!

No it's not, it's my hardware! I understand the docsis 3.0 spec says otherwise, but I disagree with it. So I call my ISP (Suddenlink), and lo and behold, they say it's not supported and therefore won't update my firmware.

Now I find out it's probably backdoored!

You know, when the NSA and everyone else start talking about cybersecurity, I don't fucking beleive a word of it anymore, because if they were really concerned about security, they would be pushing for open source firmware modems, and would be letting these companies know about the vulns and pushing them to close them. Instead they sit on the 0-days like a treasure trove of new weapons.

X-Istence10y ago

You can't update the firmware on your device even if you wanted to.

The cable company is free to push whatever firmware they would like to your device at any time, you don't have a choice in the matter.

bluedino10y ago

It's not any different than wireless companies and cell phones - they will use the reason of not controlling the firmware causing connection issues with their proprietary networks

arca_vorago10y ago

Which is such a bullshit reason... but you are correct, unfortunately.

smcl10y ago

It's a tiny bit funny that a cable modem called "arris" has a backdoor: http://www.cockneyrhymingslang.co.uk/slang/aris

contingencies10y ago

Haha, we discovered that one playing scrabble last night. What are the chances?

MaxfordAndSons10y ago

I came here to say the same, so instead I'll add this: "I'd open an umbrella up me ARRIS for her" - Super Hans

tomschlick10y ago

Does this affect their Surboard line? Specifically the SB6141? Its probably the most popular modem for people who don't wanna rent one from their provider.

jcreedon10y ago

Using this[1] humorous but still mostly effective methodology, that model seems to be okay[2], at least for now.

[1] https://twitter.com/todb/status/648956328292057088

[2] http://www.rapid7.com/db/search?utf8=%E2%9C%93&q=SB6141&t=a

rashkov10y ago

I like the idea of search metasploit and I'll be making use of it, but the models mentioned in the article aren't in metasploit's database yet either. So while it is a good step, it is not very conclusive.

DanBlake10y ago

Doesnt look like it. Likely part of the reasoning is that the 6580 has a full router built in and the 6141 is just a cable modem. I believe they both run different firmwares as well. Also, that 600k number would be in the millions if it effected the 6141- Its standard issue for many ISP's with the higher bandwidth packages now if you dont buy voip.

Also, the URL http://192.168.100.1/cgi-bin/tech_support_cgi is not present on the 6141's

scott_karana10y ago

I know the Surfboards originated from Motorola, so there's a faint hope that they're okay...

tomschlick10y ago

I bought mine from Target 3 months ago and it still looks like it is running Motorola firmware even though it has an Arris logo stamped on the front of the device.

https://s3.amazonaws.com/tomschlick-screenshots/BGYfaCbLVEsB...

1 more reply

drmpeg10y ago

I returned my Arris TG862 because you can't really shut off the WiFi. Even though Comcast assured me that the public hotspot was disabled, I could see (with my SDR receiver) that it was still transmitting on channel 1.

http://www.w6rz.net/comcastwifi.png

userbinator10y ago

"transmitting" as in actually sending data, or just the radio left on, set by default to the lowest channel, and transmitting an otherwise useless carrier wave?

drmpeg10y ago

Transmitting with a blank SSID apparently. It just adds to the congestion on 2.4 GHz for no reason. For myself, it interferes with my wireless development activities. See this thread on the Comcast forum where folks are seeing all sorts of bad behavior.

http://forums.xfinity.com/t5/Home-Networking-Router-WiFi/Xfi...

thiagobbt10y ago

And FCC approves it?

nine_k10y ago

What kind of access should a cable company have to your cable modem? Should it at all?

I mean, your ISP does not need any access to your edge router if the ISP gives you a standard Ethernet socket. How standardized are cable interfaces? What kind of custom setup may they legitimately need to work in a particular cable network?

MertsA10y ago

It makes a little more sense once you look at the infrastructure that it's running on. You and ~500 of your neighbors are all on one local node that shares bandwidth between everyone. The way it works for upload is that your cable modem sends a request for an upload timeslot on a shared upload channel, then the CMTS which serves thousands upon thousands of people sends back your time slot when your modem is clear to use the upload channel. If anything goes screwy on your node such as significant interference or if your cable modem somehow hung up and was constantly sending on the upload channel outside of its time slot this means that absolutely everyone on the same node looses service. Not only can it affect a ton of customers all at once, your ISP doesn't have a good way of tracking down interference at a finer granularity than the node level which isn't a lot to go off of. They literally have to do a binary search by disconnecting sections of the local node and seeing what segment the interference is coming from. I've heard horror stories about interference coming from things like washing machines, treadmills, etc and being very intermittent and nearly impossible to find because of it. For the treadmill story, a whole node of customers would loose service for 15 minutes every couple of nights and whenever the ISP would get a technician out to start trying to isolate it, they'd already be off the treadmill and the problem would be over. Supposedly it took a while of having a tech in the area around when it normally started to track down which house it was coming from.

So yeah, it's your modem, but they won't let you use their network unless you're using one of their approved modems that they know are reliable and that they can manage updates on because just one person can unknowingly screw it over for a large chunk of people.

superuser210y ago

The cable modem is telco infrastructure that happens to be in your house. The boundary between telco and customer networks (called the "demarc") is between the cable modem and your router. It's entirely theirs to administrator, same as the vault down the street.

A comment I posted about this a few years ago: https://news.ycombinator.com/item?id=6998650

jwn10y ago

It's not quite that simple. In some cases it's telco infrastructure that's owned by the customer. In that case I'd say the demarc is like to be somewhere inside the modem, which is sort of nonsensical.

1 more reply

ascagnel_10y ago

In the case of cable internet service (not fiber), you'll almost never get a standard Ethernet socket. Chances are, you'll get a coaxial connection that requires a device to bridge the connectors and perform a handshake with your upstream provider.

Of course, most consumers go with whatever hardware their provider gives them (usually a gateway to provide Wifi). This presents it's own problem: in the US, cable companies are trying to set up mesh networks/guest access, and so those gateways may be running a second semi-public as a node on the mesh.

drbawb10y ago

We just got new tenants in our (commercial) building. I'm honestly a bit upset as there are now _four_ new access points for a single tenant.

"TWC WiFi", and "CableWifi", both unsecured (!!!), and then "TWC WiFi Passpoint" (which requires a TWC subscription to use.)

I sure wish people wouldn't blindly trust the cable technician to configure their wireless network properly. Now there's just tons of RF noise, and people can leech bandwidth off our building. -- I frankly find it ridiculous, given the premium we pay for commercial internet (which is slower than my residential subscription), that we are expected to share it with their "mesh network."

1 more reply

AndyMcConachie10y ago

Is this a cable modem or a router? My definition of cable modem doesn't include an IP address.

These POCs never include enough information for me. For instance, is this exploitable from the external interface, or only internal?

PhantomGremlin10y ago

Is this a cable modem or a router?

Reminds me of the inane SNL sketch, whose catchphrase was: "New Shimmer is both a floor wax and a dessert topping!"

My Arris (nee Motorola) SB6141 is a bridge and a router. It's actually very nicely done.

When the modem can't access the cable infrastructure, it turns itself into a DHCP server and hands out IP addresses in the range 192.168.100.xx. This is useful for people at home whose configurations are such that their home networks won't work properly without some sort of DHCP server provided by the ISP.

Once the modem can talk to the ISP, it turns itself into a bridge. The IP addresses the modem previously issued were valid for 30 seconds, so there will shortly be a new DHCPREQUEST which the modem bridges out to the ISP. From then on, the modem is transparent to IP traffic (but see below).

My definition of cable modem doesn't include an IP address.

This is highly useful. Once the modem has switched to being a bridge, it still responds to 192.168.100.1. There's all sorts of useful information there. E.g. DOCSIS status, Channel IDs, received Signal to Noise ratio, transmit Power Level, etc. There's even a nice (but short) log of the modem's interaction with the cable infrastructure.

The modem is outside my firewall, so I don't really worry about it much. It's like anything else on the Internet as far as my home network is concerned.

However, I do currently allow access to 192.168.100.1 (normally I block outbound RFC 1918 addresses). That is a potential problem should some rogue program on my network attempt to exploit a modem vulnerability. Maybe I'll just block all those addresses and only enable them in the firewall when I want to check the modem status.

MertsA10y ago

> Maybe I'll just block all those addresses and only enable them in the firewall when I want to check the modem status.

For the business networks I manage I actually go out of my way to make sure that 192.168.100.1 is blocked. With no authentication anyone can reset a Motorola modem to factory defaults which takes like 15 minutes to come back up. An attacker can just jump on a guest network and basically DoS you until you figure out what's going on and good luck with that because most people are going to assume that their modem constantly rebooting means that they need a new one, or it's the ISPs fault.

voltagex_10y ago

>normally I block outbound RFC 1918 addresses

I'm assuming LAN traffic still works in this case.

>That is a potential problem should some rogue program on my network attempt to exploit a modem vulnerability. Maybe I'll just block all those addresses and only enable them in the firewall when I want to check the modem status.

I've been looking at scraping my modem interface for info and then blocking all but one PC from accessing the admin interface

1 more reply

mikequinlan10y ago

You can address the Arris cable modem at ip address 192.168.100.1. Some providers disable this after it goes online. Here is one reference http://www.dslreports.com/forum/r20894378-What-is-the-cable-...

spydum10y ago

If It's one cross site scripting attack away, what's the difference if it's external?

nickjj10y ago

A few years ago people on my ISP were ranting and raving about getting an Arris cable modem because it was one of the newer DOCSIS 3 modems.

I wonder if the TM822 model is classified as "ARRIS SOHO-grade" because that's what the article mentions as having the backdoor.

noobermin10y ago

I have WOW internet, and their provided modem was an Arris modem. It was a piece of garbage, so I bought a Netgear modem, sent the Arris back, and got $10 savings on my internet bill (for renting the crap modem). I'm even happier about that choice now. And yes, my new modem is DOCSIS 3.

nickjj10y ago

Was it the same model?

The TM822 has been pretty good to me. It maxes out at my ISP's reported speeds (30/5), no packet loss, low single digit latency and since it's hooked up to a UPS it hasn't been power cycled or rebooted in almost a year.

1 more reply

MertsA10y ago

At least it appears to be based on the serial number. Only using the last 5 is still pretty bad though but plenty of cable modems treat the serial number as privileged information. It's already a password essentially for SNMP access provided that your ISP hasn't blocked access to it.

esseye10y ago

It is exactly as privileged as going to the website http://192.168.100.1 and clicking HW/FW versions, which proudly displays the complete serial for you. There is no authentication of any sort and it is not encrypted at any point.

ErikRogneby10y ago

Wasn't there a project a while back where someone was building a open source modem/router from the ground up? A kick starter or something?

imglorp10y ago

Since you need a DOCSIS modem box and a router, I would suggest people put a router box you fully control behind your ISP's DOCSIS brick, and just assume the latter is compromised continuously.

I use pfsense on a usb stick in a little box with 2 ethernets.

sliverstorm10y ago

Which, frankly, isn't even a paradigm shift. It just means the transition from trusted to untrusted is in your living room instead of on the street corner outside in the cable box.

Igglyboo10y ago

What is a DOCSIS modem and why can't an open source one be built? Also, how does putting your router behind your DOCSIS modem help?

Genuinely curious, don't know much about networking.

2 more replies

e4010y ago

Yeah, no need to trust these things as firewalls.

gregwtmtno10y ago

What model box do you use? I've been looking for something affordable for the job.

2 more replies

virtuallynathan10y ago

https://www.indiegogo.com/projects/turris-omnia-hi-performan... is a recent attempt. No DOCSIS modem, though.

um_ya10y ago

OpenWrt is the closest thing I can think of.

mwpmaybe10y ago

OpenWrt is for wireless access points and gateways, not modems.

1 more reply

peterwwillis10y ago

Seems like this only affects the LAN interface. Since most people aren't trying to break into your computer just to break into your cable modem, this shouldn't be considered a high priority exploit.

Malware changing the DNS server on your router's DHCP server could be bad for you. But even though malware on your desktop attacking your network is bad, what's worse is there's malware on your desktop.

Nacraile10y ago

"Shodan searches indicate that the backdoor affects over 600.000 externally accessible hosts"

It doesn't look like this is LAN-only.

Even if it were, an escalation from unprivileged code execution on a single device to MITM any connection out of a network hardly seems "low priority".

johncolanduoni10y ago

I'm guessing they used Shodan to locate the models they knew were affected (i.e. by model numbers), not to try the backdoor on unsuspecting devices (which would be illegal).

rogerbinns10y ago

Just because you can't of a useful use by the bad guys, doesn't mean they can't :-) It is also quite possible the bad guys have figured out how to exploit this using regular Javascript - ie you don't need malware in your LAN, just Javascript in a browser.

peterwwillis10y ago

Assuming you could exploit the browser's JS to submit such a request (I thought I remembered seeing a security feature of modern browsers to prevent this?) and assuming the web interface requires no authentication, you would only be able to enable WAN HTTP access. The telnet and ssh still appear to be LAN-only. And you still need the serial number to generate a password (does the web interface even show that?). I don't see a viable drive-by attack vector other than malware.

edit It does look like telnet can be accessed via WAN, which is pretty bad.

1 more reply

oasisbob10y ago

Yup!

DNS rebinding attacks are useful for things like this: https://en.wikipedia.org/wiki/DNS_rebinding

thefastlane10y ago

from a security standpoint, any recommendations for cable modem hardware and/or firmware?

anExcitedBeast10y ago

Don't trust them. Add a system you control between the device and your internal network. If you're just worried about your traffic privacy and not just internal resources, establish an end-to-end encrypted tunnel from that jump system to a network or VPN provider you trust.

Edit: excuse me, I misread your question. I thought you were asking for best practice. I don't have have a specific hardware recommendation (because I don't trust them :) )

ck210y ago

Can't most ISPs replace the firmware on demand on most Docsis 3.0 modems ?

This means they could manipulate it at any time.

moftz10y ago

Encrypt everything between your computer and the server you're connecting to, ideally use a VPN. The ISP already owns the lines anyway, 0wning the modem doesn't really make much more of a difference. The reasoning behind being able to push new firmware to a modem from the ISP is automatic configuration and to stop abuse on the network although I'd rather configure things myself.

iamthepieman10y ago

I have an Arris modem. Is there a way to mitigate this risk short of buying a new modem?

lstamour10y ago

I'm not sure I'd trust Arris products at this point. From another blog post in 2014: "It is worth noting that on previous FW revisions the CGI calls did NOT require any authentication and could be called without providing a valid "credential" cookie." http://console-cowboys.blogspot.ca/2014/09/arris-cable-modem...

With mistakes like that, and three layers of backdoors, I'm half expecting discoveries of hardware backdoors next ...

ilurk10y ago

I skimmed trough it so it wasn't clear to me.

But if you ssh and have root access, then you should be able to change the password. As well as edit a startup script to move/delete the backdoor files.

Try it at your own risk.

mark-r10y ago

The whole point of a backdoor is that changing the password is ineffective. And the backdoor isn't a file you can delete, it's just a couple of extra instructions buried in the code - the article made that clear.

throwaway204810y ago

no, as the nature of it forces it to be on your network edge.

mhurron10y ago

Wouldn't putting the Arris modem in bridging mode mitigate it? It should no longer be accessible via an outside IP at that point.

1 more reply

lstamour10y ago

That said, it's possible that your cable company could protect you (and their other customers) at the expense of you possibly losing access to port forward SSH, etc.

maximilianburke10y ago

I'n surprised this hasn't yet been branded the "ARRIS-Hole".

Neolo10y ago

Hi. I own Arris TG862G, TWC pushed their firmware on it, it seems much older than discussed here.

Firmware Name: TS070563C_032913_MODEL_862_GW_TW_SIP_PC20 Firmware Build Time: Fri Mar 29 2013

I got a permanent password to advanced page/technician. But I don't have URL http://192.168.100.1/cgi-bin/tech_support_cgi, it's 404 and as a result I don't know how to enable SSH. Can anyone help with this old firmware?

df_cryptostorm10y ago

I also have a TG862G, but from Xfinity (a Comcast company). The default admin page is @ http://192.168.100.1/ & http://10.0.0.1/, but neither of them have a /cgi-bin/tech_support_cgi.

However, I discovered this page: http://10.0.0.1/wireless_network_configuration-1.php (probably also exists on 192.168.100.1) which looks like a secret wifi config page that has more advanced options than the normal wifi config page @ http://10.0.0.1/wireless_network_configuration.php (I found the wireless_network_configuration-1.php file by viewing the source of a few pages on 10.0.0.1, it was hiding in some HTML comments).

On the normal wifi config page, you can only edit the settings for your "Private" wifi hotspot, but on this -1.php page you can also edit the two "Public" hotspots: "xfinitywifi", and one that (on mine) looked like: "XHS-A6B18523". Since you can edit these two "Public" ones, you can also viewed the stored WPA key for XHS ("xfinitywifi" has no key).

Once I grabbed the XHS-* key and connected to it, I received a 172.16.12.100 IP (a subnet I've never seen on the other access point). On this one the gateway IP was 172.16.12.1. Nmap shows these ports on that gw IP: 443 = NET-DK 1.0 (ssl) 5001 = Arris/1.0 UPnP/1.0 miniupnpd/1.0 (Status: 501 Not Implemented) 8080 = (SIP end point; Status: 501 Not Implemented) and same as the above for ports 8081 & 8888 & 5540.

All of those SIP ports were just HTTP servers that looked exactly like the customer version you see on http://10.0.0.1/ , except that my admin pass didn't work on it (tried the defaults too, plus some guesses).

When I went to https://172.16.12.1/ it redirected me to /cgi-bin/status_cgi, which contains a link to /cgi-bin/tech_support (which redirects to /cgi-bin/adv_pwd_cgi).

So maybe you could try all of that to see if your TG862G works the same :-)

P.S. I tried the password of the day thing but the seed must be different on this one, and the SNMP thing doesn't exist on any of these webservers.

Neolo10y ago

Thank you for reply, but I don't have xfinity firmware anymore, cause TWC wiped it out and wrote their own. It seems I don't have wireless_network_configuration.php pages anywhere and it doesn't broadcast wi-fi at all (I actually can't enable it, there is bug or something, it just shuts down), so I can't try that subnet either. This is frustrating, cause I do have a password to /cgi-bin/adv_pwd_cgi but I can't find the SSH/Telnet options to enable.

ars10y ago

When I try http://192.168.100.1/cgi-bin/tech_support_cgi on an Arris modem it says:

   NET-DK/1.0 Error: 401 Unauthorized

merlincorey10y ago

Yes, that's demonstrated in the video. You have to login on another page before that page will work.

jesalg10y ago

That login page doesn't exist on mine: http://192.168.100.1/cgi-bin/adv_pwd_cgi

  NET-DK/1.0 Error: 404 Not Found

ars10y ago

Ah, missed that part.

nandhp10y ago

On my (newish) SB6183, I get "Read error: connection reset by peer".

cxseven10y ago

I get that for any URL it doesn't serve

Demoneeri10y ago

Can they access the mainframe?

annacollins10y ago

That's really great.

reviseddamage10y ago

yo dawg...

j / k navigate · click thread line to collapse

119 comments

rspeer10y ago

> After a thoughtful analysis, the marketing committee advised w00tsec members to write a Keygen. In order to write a Keygen, we need a leet ascii art and a cool chiptune.

Something old, something new. Of course exploits and chiptunes have always gone together like bread and butter. But now exploits need marketing committees too.

a1k0n10y ago

Not a bad chiptune either: http://www.a1k0n.net/code/jsxm/#Ghidorah_-_Toilet_story_5.xm

throwaway776710y ago

Watched on YouTube, since I didn't have a FastTracker player handy: https://www.youtube.com/watch?v=Syc2NnPNnZs

Listening to that put me in a good mood :)

1 more reply

paulannesley10y ago

Hah I love this in the arris_backdoor.py output:

  > Bypassing EULA...
  > EULA served over HTTP
  > MiTMing EULA to include permissive clauses...
  > EULA bypassed using technique [1]

ericfrederich10y ago

Good catch... That is hysterical

arca_vorago10y ago

Now I find out it's probably backdoored!

X-Istence10y ago

You can't update the firmware on your device even if you wanted to.

The cable company is free to push whatever firmware they would like to your device at any time, you don't have a choice in the matter.

bluedino10y ago

It's not any different than wireless companies and cell phones - they will use the reason of not controlling the firmware causing connection issues with their proprietary networks

arca_vorago10y ago

Which is such a bullshit reason... but you are correct, unfortunately.

smcl10y ago

It's a tiny bit funny that a cable modem called "arris" has a backdoor: http://www.cockneyrhymingslang.co.uk/slang/aris

contingencies10y ago

Haha, we discovered that one playing scrabble last night. What are the chances?

MaxfordAndSons10y ago

I came here to say the same, so instead I'll add this: "I'd open an umbrella up me ARRIS for her" - Super Hans

tomschlick10y ago

Does this affect their Surboard line? Specifically the SB6141? Its probably the most popular modem for people who don't wanna rent one from their provider.

jcreedon10y ago

Using this[1] humorous but still mostly effective methodology, that model seems to be okay[2], at least for now.

[1] https://twitter.com/todb/status/648956328292057088

[2] http://www.rapid7.com/db/search?utf8=%E2%9C%93&q=SB6141&t=a

rashkov10y ago

DanBlake10y ago

Also, the URL http://192.168.100.1/cgi-bin/tech_support_cgi is not present on the 6141's

scott_karana10y ago

I know the Surfboards originated from Motorola, so there's a faint hope that they're okay...

tomschlick10y ago

I bought mine from Target 3 months ago and it still looks like it is running Motorola firmware even though it has an Arris logo stamped on the front of the device.

https://s3.amazonaws.com/tomschlick-screenshots/BGYfaCbLVEsB...

1 more reply

drmpeg10y ago

http://www.w6rz.net/comcastwifi.png

userbinator10y ago

"transmitting" as in actually sending data, or just the radio left on, set by default to the lowest channel, and transmitting an otherwise useless carrier wave?

drmpeg10y ago

http://forums.xfinity.com/t5/Home-Networking-Router-WiFi/Xfi...

thiagobbt10y ago

And FCC approves it?

nine_k10y ago

What kind of access should a cable company have to your cable modem? Should it at all?

MertsA10y ago

superuser210y ago

A comment I posted about this a few years ago: https://news.ycombinator.com/item?id=6998650

jwn10y ago

1 more reply

ascagnel_10y ago

drbawb10y ago

We just got new tenants in our (commercial) building. I'm honestly a bit upset as there are now _four_ new access points for a single tenant.

"TWC WiFi", and "CableWifi", both unsecured (!!!), and then "TWC WiFi Passpoint" (which requires a TWC subscription to use.)

1 more reply

AndyMcConachie10y ago

Is this a cable modem or a router? My definition of cable modem doesn't include an IP address.

These POCs never include enough information for me. For instance, is this exploitable from the external interface, or only internal?

PhantomGremlin10y ago

Is this a cable modem or a router?

Reminds me of the inane SNL sketch, whose catchphrase was: "New Shimmer is both a floor wax and a dessert topping!"

My Arris (nee Motorola) SB6141 is a bridge and a router. It's actually very nicely done.

My definition of cable modem doesn't include an IP address.

The modem is outside my firewall, so I don't really worry about it much. It's like anything else on the Internet as far as my home network is concerned.

MertsA10y ago

> Maybe I'll just block all those addresses and only enable them in the firewall when I want to check the modem status.

voltagex_10y ago

>normally I block outbound RFC 1918 addresses

I'm assuming LAN traffic still works in this case.

I've been looking at scraping my modem interface for info and then blocking all but one PC from accessing the admin interface

1 more reply

mikequinlan10y ago

spydum10y ago

If It's one cross site scripting attack away, what's the difference if it's external?

nickjj10y ago

A few years ago people on my ISP were ranting and raving about getting an Arris cable modem because it was one of the newer DOCSIS 3 modems.

I wonder if the TM822 model is classified as "ARRIS SOHO-grade" because that's what the article mentions as having the backdoor.

noobermin10y ago

nickjj10y ago

Was it the same model?

1 more reply

MertsA10y ago

esseye10y ago

ErikRogneby10y ago

Wasn't there a project a while back where someone was building a open source modem/router from the ground up? A kick starter or something?

imglorp10y ago

Since you need a DOCSIS modem box and a router, I would suggest people put a router box you fully control behind your ISP's DOCSIS brick, and just assume the latter is compromised continuously.

I use pfsense on a usb stick in a little box with 2 ethernets.

sliverstorm10y ago

Which, frankly, isn't even a paradigm shift. It just means the transition from trusted to untrusted is in your living room instead of on the street corner outside in the cable box.

Igglyboo10y ago

What is a DOCSIS modem and why can't an open source one be built? Also, how does putting your router behind your DOCSIS modem help?

Genuinely curious, don't know much about networking.

2 more replies

e4010y ago

Yeah, no need to trust these things as firewalls.

gregwtmtno10y ago

What model box do you use? I've been looking for something affordable for the job.

2 more replies

virtuallynathan10y ago

https://www.indiegogo.com/projects/turris-omnia-hi-performan... is a recent attempt. No DOCSIS modem, though.

um_ya10y ago

OpenWrt is the closest thing I can think of.

mwpmaybe10y ago

OpenWrt is for wireless access points and gateways, not modems.

1 more reply

peterwwillis10y ago

Seems like this only affects the LAN interface. Since most people aren't trying to break into your computer just to break into your cable modem, this shouldn't be considered a high priority exploit.

Nacraile10y ago

"Shodan searches indicate that the backdoor affects over 600.000 externally accessible hosts"

It doesn't look like this is LAN-only.

Even if it were, an escalation from unprivileged code execution on a single device to MITM any connection out of a network hardly seems "low priority".

johncolanduoni10y ago

I'm guessing they used Shodan to locate the models they knew were affected (i.e. by model numbers), not to try the backdoor on unsuspecting devices (which would be illegal).

rogerbinns10y ago

peterwwillis10y ago

edit It does look like telnet can be accessed via WAN, which is pretty bad.

1 more reply

oasisbob10y ago

Yup!

DNS rebinding attacks are useful for things like this: https://en.wikipedia.org/wiki/DNS_rebinding

thefastlane10y ago

from a security standpoint, any recommendations for cable modem hardware and/or firmware?

anExcitedBeast10y ago

Edit: excuse me, I misread your question. I thought you were asking for best practice. I don't have have a specific hardware recommendation (because I don't trust them :) )

ck210y ago

Can't most ISPs replace the firmware on demand on most Docsis 3.0 modems ?

This means they could manipulate it at any time.

moftz10y ago

iamthepieman10y ago

I have an Arris modem. Is there a way to mitigate this risk short of buying a new modem?

lstamour10y ago

With mistakes like that, and three layers of backdoors, I'm half expecting discoveries of hardware backdoors next ...

ilurk10y ago

I skimmed trough it so it wasn't clear to me.

But if you ssh and have root access, then you should be able to change the password. As well as edit a startup script to move/delete the backdoor files.

Try it at your own risk.

mark-r10y ago

throwaway204810y ago

no, as the nature of it forces it to be on your network edge.

mhurron10y ago

Wouldn't putting the Arris modem in bridging mode mitigate it? It should no longer be accessible via an outside IP at that point.

1 more reply

lstamour10y ago

That said, it's possible that your cable company could protect you (and their other customers) at the expense of you possibly losing access to port forward SSH, etc.

maximilianburke10y ago

I'n surprised this hasn't yet been branded the "ARRIS-Hole".

Neolo10y ago

Hi. I own Arris TG862G, TWC pushed their firmware on it, it seems much older than discussed here.

Firmware Name: TS070563C_032913_MODEL_862_GW_TW_SIP_PC20 Firmware Build Time: Fri Mar 29 2013

df_cryptostorm10y ago

I also have a TG862G, but from Xfinity (a Comcast company). The default admin page is @ http://192.168.100.1/ & http://10.0.0.1/, but neither of them have a /cgi-bin/tech_support_cgi.

When I went to https://172.16.12.1/ it redirected me to /cgi-bin/status_cgi, which contains a link to /cgi-bin/tech_support (which redirects to /cgi-bin/adv_pwd_cgi).

So maybe you could try all of that to see if your TG862G works the same :-)

P.S. I tried the password of the day thing but the seed must be different on this one, and the SNMP thing doesn't exist on any of these webservers.

Neolo10y ago

ars10y ago

When I try http://192.168.100.1/cgi-bin/tech_support_cgi on an Arris modem it says: