Sign in / up

back to article Alert: AT&T customers with Arris modems at risk of remote hacking, claim infosec bods

Infosec consulting firm Nomotion has reported vulnerabilities in Arris broadband modems and which it says are trivial to exploit, and could affect nearly 140,000 devices. The report claims the modems carry hard-coded credentials, serious since a firmware update turned on SSH by default. That would let a remote attacker access …

COMMENTS

Post your comment
House rules Send corrections
Add to 'My topics' unstar *
  1. Anonymous Coward
    Anonymous Coward

    This is why you configure modems for RFC1483 bridging

    And use your own router, preferably running DD-WRT/OpenWRT. Then port scan yourself from the outside as a sanity check, because you shouldn't trust the modem vendor to know the definition of a "bridge" means it must be transparent to all traffic.

    If I configure my Actiontec Q1000 VDSL2 modem as a router, it has an open port that can't be disabled - for TR-069 support. I can change the password on it, but I can't know there isn't a default password hidden in the firmware. Luckily, when configured as a bridge, it follows the RFC. Thus I can sleep in peace knowing the only exploit that could get me from the outside is a 0 day in Linux OpenSSH.

    0 0 Reply
    1. WolfFan
      Reply Icon

      Re: This is why you configure modems for RFC1483 bridging

      And use your own router, preferably running DD-WRT/OpenWRT.

      You can't replace the Arris NVG 589 or 599 with your own router, unless it's another 589 or 599. AT&T won't send U-verse signals to anything except their own hardware or something which can pretend to be its own hardware. https://forums.att.com/t5/AT-T-Internet-Equipment/I-want-to-replace-my-ATT-supplied-NVG-589-modem-router-with/td-p/4739598

      Please note that DD-WRT and OpenWRT cannot emulate the responses AT&T wants from a 589 or 599, so that even if it were possible to hack a 589 or 599 to use *WRT, and it's not possible, it still wouldn't work. U-Verse is basically souped-up DSL, and doesn't work the same way that cable does. If this were ComLast or any other cableco, then, yes, it would be trivial to replace the device.

      The best you can do would be to place the 589 or 599 into bridge mode and use your own router behind it. Please note that placing the 589 or 599 into bridge mode might have unexpected results wrt your tv and/or telephone usage. If you don't use AT&T for tv or landline phone, then there should be few problems. If you have tv or phone service, be prepared to have to do some fairly serious work.

      2 1 Reply
      1. Anonymous Coward
        Reply Icon
        Anonymous Coward

        Re: This is why you configure modems for RFC1483 bridging

        Putting the 589 in bridge mode and putting your own router behind it is exactly what I was talking about. Did you not read what I wrote?

        1 0 Reply
      2. Gene Cash Silver badge
        Reply Icon

        Re: This is why you configure modems for RFC1483 bridging

        Had fun poking an AT&T door-to-door salesman who was just insisting I **HAD** to get their new fiber at double my current price for less mb/sec.

        First, he kept quoting the 6-mos promo price, so I kept prodding until he finally grudgingly told me the standard price, at which point I told him my current deal.

        Then he insisted AT&T fiber was much better, so I told him "I'd have Google fiber, if you people weren't suing them specifically to stop it" and he argued about that, so I told him "google the at&t one-touch-make-ready lawsuit" and he shut up.

        Then I told him "well $CURRENT_ISP lets me use my own cable modem & router/firewall, and AT&T won't..."

        Dude started foaming at the mouth so hard, his partner with him left to wait in the truck.

        I have not had a salesman scream at me like that in a long time. Felt good.

        3 0 Reply
      3. swschrad
        Reply Icon

        gaping holes for remote ATT service, no doubt

        as in "upgrade firmware," "let me check your credentials," and "your printer is jamming the network, try turning it off and see if you can surf."

        0 0 Reply
  2. David Roberts
    Flame

    Firewall bypass?

    This looks like the usual development software with all the hooks for a lazy developer still in place.

    Quite a few back doors left in.

    0 0 Reply
  3. Jamesit

    " – and there's also access to a kernel module “whose sole purpose seems to be to inject advertisements into the user’s unencrypted web traffic.”"

    Arris can fcuk right off injecting ads into any traffic should not be permitted.

    I hope my digital phone terminal isn't vulnerable.

    1 0 Reply
    1. Samizdata
      Reply Icon

      Some of the article's vulnerabilities seem a little questionable. I am still testing to see the open web server. Nope. External port scan shows 49955 is closed and unresponsive. Also, that kernal module for injection has never shown up on my end.

      0 0 Reply
  4. Anonymous Coward
    Anonymous Coward

    AT&T - the retail arm of the NSA

    Making America grate again

    5 0 Reply
    1. Fatman
      Reply Icon
      Joke

      Re: AT&T - the retail arm of the NSA

      <quote>Making America grate again</quote>

      I see what you did there!

      1 0 Reply
  5. scaryface

    AT&T has a reputation of particularly embarassing security holes in their routers. Let's just say this isn't a new occurrence: https://www.soldierx.com/bbs/201704/voip-router-hacking .

    0 0 Reply
  6. Anonymous Coward
    Terminator

    Just the usual procession of firmware vulnerabilities?

    I don't think so, these kind of accidental backdoors are happening to many times to be mistakes. I would suspect all consumer grade hardware comes with such features.

    0 0 Reply
  7. jelabarre59

    suXfinity

    I wonder if my Arris modem from Crapcast has the same vulnerabilities. Granted, it's set to bridged mode (since their management software for the router/wifi functionality is absolute shiite) and I have my own Linksys as router (someday I'll upgrade the firmware on it to DD-WRT). If it weren't that I have VoIP on suXfinity I could use my OWN cable modem.

    0 0 Reply
  8. Samizdata
    Thumb Down

    Also, port 49152 seems closed to external scanning. I am thinking the company was doing research with outdated kit.

    0 0 Reply

POST COMMENT House rules

Not a member of The Register? Create a new account here.

Forgotten password ?

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like