600,000 Arris Cable Modems Have 'Backdoors In Backdoors,' Researcher Claims (thestack.com)
An anonymous reader writes: A security researcher using Shodan to probe Arris cable modems for vulnerabilities has found that 600,000 of the company's modems not only have a backdoor, but that the backdoor itself has an extra backdoor. Brazilian vulnerability tester Bernardo Rodrigues posted that he found undocumented libraries in three models, initially leading to a backdoor that uses an admin password disclosed back in 2009. Brazilian researcher Bernardo Rodrigues notes that the secondary backdoor has a password derived in part from the final five digits from the modem's serial number. However, the default 'root' password for the affected models remains 'arris.'
Lovely (Score:3)
You can bet NSA has been exploiting this one for years.
Re: (Score:1)
Time to get a customer-owned modem!
Like what? Motorola? Arris owns Motorola's cable modem business.
Re: (Score:2)
I have a DLink docsis 3.0 cable modem I bought for $65 on sale about a year ago. Before that I was renting one from Comcast for $5 a month. Next month the DLink will have paid for itself, and anything after that will be gravy.
It's been working fine so far, haven't noticed anything different from the Motorola one that I was renting.
Re: (Score:2)
If you read the article you'll see that they note D-Link puts backdoors into their stuff too.
The example was router firmware that let you bypass http authentication by specifying a certain user agent.
This was "legitimately" used by binaries/scripts on the device to change settings for things like dynamic DNS because it was apparently easier to query the http server to change settings than to rewrite it...
Also included was a proof of concept shell code execution (via buffer overflow of the http server iirc.)
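The user-agent bypass described in the comment above, as an added example that is not code from the article or from D-Link: a constructed Python sketch of the anti-pattern (a client-chosen header short-circuits authentication) beside a hardened check in which the device's own helper scripts must connect from loopback and present a per-boot token rather than a spoofable User-Agent. The header names, user agent and credentials are assumptions for the demo.

```python
import base64
import hmac
import secrets

# Constructed sample credentials and internal user agent (not real device values).
ADMIN_USER = "admin"
ADMIN_PASSWORD = "example-admin-password"
INTERNAL_UA = "InternalConfigTool/1.0"  # hypothetical UA sent by on-device scripts


def basic_header(user, password):
    """Build an HTTP Basic Authorization header value for a request."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def parse_basic_auth(headers):
    """Return (user, password) from a Basic Authorization header, or None if absent/malformed."""
    value = headers.get("Authorization", "")
    if not value.startswith("Basic "):
        return None
    try:
        decoded = base64.b64decode(value[6:], validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    user, sep, password = decoded.partition(":")
    return (user, password) if sep else None


def credentials_valid(creds):
    """Constant-time comparison so a wrong guess does not leak how many bytes matched."""
    if creds is None:
        return False
    user, password = creds
    return hmac.compare_digest(user.encode(), ADMIN_USER.encode()) and \
        hmac.compare_digest(password.encode(), ADMIN_PASSWORD.encode())


def vulnerable_is_authorized(headers):
    """Anti-pattern: anyone who sends the magic User-Agent skips authentication entirely."""
    if headers.get("User-Agent") == INTERNAL_UA:
        return True
    return credentials_valid(parse_basic_auth(headers))


def new_internal_token():
    """Per-boot secret handed only to on-device scripts (generated, never derived from a serial)."""
    return secrets.token_hex(16)


def hardened_is_authorized(headers, peer_is_loopback, internal_token):
    """Internal callers must be on loopback AND know the per-boot token; others need real credentials."""
    presented = headers.get("X-Internal-Token", "")
    if peer_is_loopback and hmac.compare_digest(presented.encode(), internal_token.encode()):
        return True
    return credentials_valid(parse_basic_auth(headers))
```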
Re: (Score:2)
I have a Zoom 5341 8x4 DOCSIS 3 modem. Paying a monthly fee for the ISP provided modem is utterly stupid, unless you also get phone service from them and they refuse to allow you to use a third party modem for that (like my ISP)...
Re: (Score:2)
Get a magicJack GO for your phone.
$35 a year, and you just plug it in your phone jack and network jack. As a bonus, you can ring your smartphone at the same time.
I love mine.
Re: (Score:2)
I don't have VoIP service through my ISP -- I just used them as an example as why someone might not be able to provide their own DOCSIS device.
For my phone needs, I have Google Voice (this number is given to people I don't know / companies I don't fully trust) and my cell phone (a handful of friends and my family have this number). :)
Re: (Score:3, Insightful)
Ehm.. a backdoor doesn't program itself and then ends up in firmware because of a 'programming mistake', or because 'corners were cut'. For whatever reason it was done, a backdoor has to be intentionally put there.
That automatically turns "incompetent" into "malicious". Unless the end-user was informed of the presence of said backdoor and the reason(s) for its existence, and was okay with that. Which of course is never the case.
Re:Nothing to see here... (Score:5, Funny)
Ehm.. a backdoor doesn't program itself and then ends up in firmware because of a 'programming mistake', or because 'corners were cut'.
Oh, I don't know...one time I tried to program "Hello world" and accidentally coded a medical billing system with an accounts receivable dashboard.
Yo Dawg (Score:4, Funny)
"I heard you like backdoors, so I put a backdoor in your backdoor" ... yeah, I can see why someone hasn't posted this yet.
Re: (Score:2)
You forgot to include a picture [handyman-30319.com].
VPN router? (Score:2)
Will a VPN ready router with OpenVPN help after the telco hardware?
Spend another few $ per month to try and secure your computer from the 'provided' hardware.
This is why everyone needs good crypto. Even the hardware has extra ways in.
Not that surprised (Score:5, Interesting)
Someone did want to allow the player to pair over wifi automatically to the gateway by having the WPA2-PSK be derived from the device ID. I tried to stress what a terrible idea that was but those were people in a different division who didn't need to listen to me.
Re: (Score:2)
Unless you're updating the libraries years after deployment, including the kernel, you can guarantee there are exploits available.
And even if you've updated the libraries and kernel, you can still be assured that exploits are available, though perhaps not available to common script-kiddies.
Re: (Score:2)
The kernel, not so much. They use Broadcom chips and Broadcom isn't exactly the best at supporting Linux. You have to use one of their kernels since they don't upstream anything and they don't update the kernels themselves.
Re: (Score:2)
Good point, even knowing the password for the advanced interface what is the worst that you could do to it? It doesn't let you access any network data or personal details. So you could probably get an idea of how much data I use and a few technical details on the quality of my connection and maybe be able to access my IP address (which you already have if you're seeing the interface). I suppose if you were really nefarious you could probably cause my device to reboot a few times if you wanted to be persisten
Re: (Score:2)
I'm guessing the DVR was coded to be more secure over the fear that someone may be able to copy the saved entertainment off the DVR and use it.
Probably nothing more scary for providers than free shareable movies and TV shows.
don't trust the router! (Score:2)
This is why you don't trust the mixed "cable modem" devices as anything but a cable modem. Many of them also include firewall, DHCP, and wifi features. Unfortunately, the extra "features" help make them more vulnerable to this kind of remote maintenance access password abuse.
Hahahahaha (Score:2)
This is simply hilarious.
The backdoors are so widespread that there is not much space left for useful software.
Fuck Backdoors.
Obvious (Score:3)
Hint: 'Arris in England has the same meaning as Azz in USA.
Cockney Rhyming Slang (Score:2)
It must be said... (Score:2)
Arris Cable Modems Have 'Backdoors In Backdoors,' Researcher Claims
This is exactly like saying Donald Trump has an asshole.
Link to actual authors article (Score:2)
The article in the summary doesn't list which modems are affected as I have an Arris modem myself, but looks to be the TG862A, TG862G, and DG860A.
Also notable that a quick glance of reviews on Amazon says there is no end user support for these, they are always ISP controlled.
I'd assume all of them (Score:2)
The article in the summary doesn't list which modems are affected as I have an Arris modem myself, but looks to be the TG862A, TG862G, and DG860A.
Well actually what they say is "affecting many of their devices including TG862A, TG862G, DG860A" so technically all one can say is that those models are definitely affected, but my reading is that others may be affected as well. Does anyone know of a comprehensive list of every known backdoored Arris model? And yeah, I know, the safe and likely correct answer is "probably all of them."
One of only XFinity/Comcast Accepted (Score:2)
Had to buy one of these, one of the only models I could replace my Xfinity rented box with (providing telephone as well as internet). As I understand, it was originally produced for Comcast / Xfinity, or at least Comcast still has a lot of confused technicians who think this Arris was made only for Comcast and can't be purchased... I had to go through 3 techs to get them to hook it up. I wonder if the backdoor of the router was designed in for Comcast, which I can imagine has thought of justifications (
Motorola Modems? (Score:2)
I purchased a Motorola modem three years ago. Arris acquired Motorola's modem business, but I do not know when. How can I tell if my modem is affected?
Affected models (Score:2)
"While researching on the subject, I found a previously undisclosed backdoor on ARRIS cable modems, affecting many of their devices including TG862A, TG862G, DG860A."
Double Negative (Score:1)