Oh no, Moto! Cable modem has hardcoded 'technician' backdoor

Researchers at Rapid7 have turned up a set of typically dumb vulnerabilities in Motorola's DOCSIS/EuroDOCSIS 3.0-capable SURFboard SBG6580 cable broadband modem. The device, which also ships under the Arris brand, has vulnerabilities including hardcoded login credentials that will allow an outside attacker to take control of …

  1. This post has been deleted by its author

    1. Lee D

      Have always done this.

      As far as I'm concerned, a modem or cable router or ADSL router is just a modem. It's also the "hostile" side of the network. Invariably I then plug it into a real router/firewall that I have control over. Historically, for both work and personal, that's been everything from a Freesco single-floppy-linux router, to Slackware distributions, to WRT54G's with custom firmware, you name it.

      Currently my Virgin Superhub is in modem-only mode and goes to a proper firewall. Even then, doing something like DMZ'ing my machine to the world would trigger the software firewall on the individual clients too (not to mention the IPS on the firewall). Hell, for many years I used to VPN across my internal home wireless network because WEP couldn't be trusted and WPA2 was too expensive to deploy. And I'm a gamer and it barely added 1ms to my gaming pings, even over wireless, even with all the house machines doing the same (so there's really NO excuse).

      Sure, you might get into my modem, but the modem isn't party to anything SSL-encrypted anyway, and all unencrypted stuff I assume is perfectly sniffable by anyone else on the net - if they are in my modem or not! And trying to get into the local net from there will be blocked just as any other malicious traffic coming from the Internet.

      I deploy work and home networks this way precisely because of problems like this. You can't trust the cheap routers you're given by your ISP and you can't even go out and buy a decent home router and trust that alone.

      At my previous workplace there was still a pile of untouched BT ADSL2 routers in their boxes and wrapping because we never used them. Their replacements were pure modems that didn't try to offer their own wireless / BTOpenZone, etc. that went into a Linux router with multiple Ethernet cards, which secured the 500 users behind it and load-balanced the connections.

      At this workplace - same thing, but with a set of Cisco routers doing HSRP failover in between so the Linux machines don't have to.

      Even bridging / modem mode, however, is not a defence in itself - in the same way that it's possible for YOU to turn it back into a router with DMZ to the network, it's possible (theoretically) for an attacker to do the same. Virgin SuperHubs still offer a web interface on 192.168.100.1, I believe, that lets you turn modem mode off and the firmware auto-updates. One slip in that configuration and you have a modem that's working against you.

      Always put something in front of it, even just for one machine. And if WPA2 is ever weakened, investigate putting VPN over local wireless links. It costs nothing with OpenVPN, IPSec functionality in Windows, etc. And when, as often happens for me in work, you come up against odd traffic flows you have a machine on the border already that you can analyse traffic from without needing to port-mirror or use DMZ etc. to diagnose it.

      1. launcap Silver badge
        Happy

        > As far as I'm concerned, a modem or cable router or ADSL router is just a modem. It's also the "hostile" side of the network.

        Indeed. As a certified paranoid (what else do you call someone who has a background in networks and security?) I'm very, very loath to trust a manufacturer's idea of security.

        Might be a bit OTT for a single home user, though. I suspect there are a few of those on El Reg, though.
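For readers who want to do what Lee D describes above (modem in bridge/modem-only mode, a Linux box in front of it that treats the modem side as hostile), here is the nftables ruleset I would start from. This is an added example, not code from the thread, from Rapid7 or from any vendor. The interface names eth0/eth1, the LAN subnet 192.168.1.0/24 and the admin host 192.168.1.10 are assumptions; 192.168.100.1 is the modem management address the comment mentions for the SuperHub, and the ruleset assumes the router has a secondary address on that subnet so it can reach it.

```nft
#!/usr/sbin/nft -f
# Added example: Linux border router between a bridged cable modem ($WAN)
# and the home/office LAN ($LAN). Interface names, LAN subnet and admin
# host are assumptions; change them to match the real deployment.

define WAN        = eth0
define LAN        = eth1
define LAN_NET    = 192.168.1.0/24
define ADMIN_HOST = 192.168.1.10
define MODEM_MGMT = 192.168.100.1

flush ruleset

table inet border {
    chain input {
        type filter hook input priority 0; policy drop;

        # Loopback and flows the router itself initiated.
        iif lo accept
        ct state established,related accept
        ct state invalid drop

        # From the modem side: only the DHCP reply for the WAN lease and the
        # minimum of ICMPv6 needed for neighbour discovery. Everything else
        # unsolicited from that link is dropped and counted.
        iifname $WAN udp sport 67 udp dport 68 accept
        iifname $WAN icmpv6 type { nd-neighbor-solicit, nd-neighbor-advert, nd-router-advert } accept
        iifname $WAN counter drop

        # From the LAN: SSH only from the admin host; DNS/DHCP and ping for all.
        iifname $LAN ip saddr $ADMIN_HOST tcp dport 22 accept
        iifname $LAN udp dport { 53, 67 } accept
        iifname $LAN tcp dport 53 accept
        iifname $LAN icmp type echo-request accept
    }

    chain forward {
        type filter hook forward priority 0; policy drop;

        ct state established,related accept
        ct state invalid drop

        # The modem's web UI is treated like any other host on the hostile
        # side: only the admin workstation may reach it, so a compromised LAN
        # client cannot switch bridge mode off or "DMZ" a machine to the world.
        iifname $LAN ip saddr $ADMIN_HOST ip daddr $MODEM_MGMT accept
        iifname $LAN ip daddr $MODEM_MGMT counter drop

        # LAN may initiate anything outbound; nothing new is forwarded inbound.
        iifname $LAN ip saddr $LAN_NET oifname $WAN accept
    }

    chain postrouting {
        type nat hook postrouting priority 100;
        oifname $WAN masquerade
    }
}
```

Load it with `nft -f <file>` and keep it in /etc/nftables.conf so it survives a reboot. The two `counter drop` rules are deliberate: `nft list ruleset` then shows at a glance how much unsolicited traffic the modem side is sending and whether any LAN host is probing the modem's management address, which is exactly the "machine on the border you can analyse traffic from" that the comment above describes.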

  2. Crisp

    A hardcoded backdoor?

    What on earth made them think that wouldn't get found? Security by obscurity isn't secure.

    1. Graham Marsden
      Big Brother

      Re: A hardcoded backdoor?

      Hey, if it's good enough for the US Government...

    2. LDS Silver badge
      Joke

      Re: A hardcoded backdoor?

      It's just to ensure the password doesn't get lost or forgot... what's the best place to store it??

  3. clocKwize

    "Let's add a hidden backdoor!" Nobody could possibly disassemble the firmware and find it! Famous last words...

  4. David Knapman

    What you have to remember

    Is that this is 1995 and practically nothing is connected to this "internet" thing, so a backdoor should be perfectly safe. In a "Cable modem", whatever that may be.

    1. Major N

      Re: What you have to remember

      In my day, we called 'em 'Null Modem Cables'...

      1. David Knapman

        Re: What you have to remember

        Oh dear. Flashbacks to DB-25 connectors and a soldering iron.

  5. Anonymous Coward
    Anonymous Coward

    Insecure by Design

    We must assume that everything we buy is hacked to allow TPTB free access to our dick pics.

  6. Tromos
    Joke

    Sounds safe enough to me

    Who would think to type 'technician' rather than 'admin'?

  7. JimmyPage
    Facepalm

    field, service

    nuff said

  8. TitterYeNot

    Arris

    A suitable brand for a device that appears to be a load of arse*, and sublimely appropriate that it has a backdoor.

    *For those of non-Blightyan origin not familiar with Cockney derivations:- Aris <- Aristotle <- Bottle <- Bottle and Glass <- Arse. As in 'a bloody good kick up the aris'. English, 'tis a right bugger...

  9. Vimes

    Doesn't the BT hub have a similar issue of having an admin backdoor?

  10. Anonymous Coward
    Anonymous Coward

    Hang on - a quick Google of the hard-coded technician password shows that these credentials have been publicly known for at least THREE YEARS:

    http://forums.speedguide.net/showthread.php?279842-MasterPassword-for-the-SB6580-Cable-modem&s=9deaffc0142c3f1a03a31a9d13851eba

    I'm not exactly certain how this means that Rapid7 'discovered' the vulnerability in CVE-2015-0966 - but of more concern, frankly, is that this has been in the wild for as long as it has. Bloody brilliant.

  11. JaitcH
    Unhappy

    These modems are approved, and recommended, by

    GCHQ and NSA.

    You don't trust your governments?

  12. Anonymous Coward
    Anonymous Coward

    "typically dumb vulnerabilities"

    Well done

  13. Crazy Operations Guy

    "drop a user's computer into the DMZ, leaving the machine naked to the outside world."

    Then someone seriously misunderstands what a DMZ is supposed to do... The point of a DMZ is to be behind a minimal firewall, not being put right out on the edge of the network.

  14. Anonymous Coward
    Anonymous Coward

    And they thought I was crazy as a teenager in the '90s to study Amateur Radio and Microwave communications. A friend of mine does embedded development, so we worked together and reverse engineered a Motorola modem and built our own. It ignores nearly every packet the ISP sends down for control and just reports itself as the Motorola modem that we pulled apart. It's highly secure since it doesn't do much more than convert QAM-encoded packets and turn them into Ethernet frames; firmware updates and configuration require plugging a JTAG header into the thing.

    Anon because of how many FCC rules and regulations I am violating doing this, even though the analog coming off this thing is cleaner than, and behaves much better overall than, the piece of crap I am masquerading as.
