Far too often we spend a great deal of time protecting our own networks and forget that ISP-managed equipment is a target as well.
Arris, which manufactures modems for the bulk of the North American internet service providers offering DSL and cable internet, is the most recent target of security researchers, who identified five gaping holes in the firmware running on Arris modems, three of which are hardcoded backdoor accounts.
Security experts from Nomotion Labs found that the vulnerabilities open up a whole new wave of risk to consumers and businesses: an attacker could use any of the three hardcoded backdoor accounts to take over the device with elevated (root) privileges and install new firmware, ensnaring the modem as yet another node in any of the many worldwide botnets.
AT&T, the largest ISP using the affected Arris models, was found to be at fault as well, having added two additional vulnerabilities on top of the three hardcoded backdoors Arris introduced into its firmware.
Researchers said the flaws affect NVG589 and NVG599 modems, both of which are discontinued products and no longer appear to be publicly available through Arris’ website. Based on Censys and Shodan data, it’s believed that at least 220,000 modems still in use today carry these vulnerabilities.
Below is a list of all of the flaws the researchers discovered:
Modems come with SSH enabled by default and exposed to external connections. Attackers could use the default “remotessh/5SaP9I26” username and password combination to authenticate to any modem with root access, meaning an attacker can do ANYTHING they want once connected to the device. It’s also worth noting that researchers believe only 15,000 Arris modems exposed this backdoor, meaning ISPs or OEMs have blocked external SSH access to most devices.
Arris modems come with a built-in web server that runs the internal admin panel; it can be authenticated to via port 49955 with the username tech and no password.
The built-in web server is also vulnerable to command injection flaws that allow attackers to run shell commands in the context of the web server, which is a high level of privilege given that the server is used to manage the device through the web panel.
Nomotion estimates that over 220,000 devices are vulnerable to this flaw, and it can be exploited even without using one of the hardcoded backdoors: all the attacker needs is a malformed network request sent to the modem’s port 49955.
It’s probably worth noting that ISPs could easily filter this port and stop exploitation of this bug.
Attackers can use the “bdctest/bdctest” username and password to authenticate to the device via port 61001. Exploiting this flaw requires the attacker to know the device’s serial number, which makes it much harder to exploit but still a viable attack vector.
A well-crafted HTTP request sent to port 49152 allows attackers to bypass the modem’s internal firewall and open a TCP proxy connection to the device. This vulnerability is especially scary because it allows the attacker to exploit the other four vulnerabilities even if the user thought they had secured their router by enabling the on-device firewall. Exploiting it simply requires the modem’s public IP address, which can easily be obtained with services like Shodan, Censys, or ZoomEye.
Every single AT&T modem has been found to have port 49152 open and responding.
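As an added illustration (not code from the article or from Nomotion), the following Python script triages iptables-style firewall log lines and reports which external sources attempted TCP connections to the four ports the article associates with these flaws; the log format, the "WAN-IN:" prefix and all addresses are constructed.

```python
import ipaddress
import re
from collections import defaultdict

# Ports the article ties to each flaw (descriptions paraphrase the list above)
ARRIS_FLAW_PORTS = {
    22: "SSH with hardcoded remotessh account",
    49955: "web admin panel (tech, no password) and command injection",
    61001: "bdctest/bdctest account",
    49152: "firewall bypass and TCP proxy",
}
# RFC 1918 ranges; any other source is treated as external for this check
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample lines in iptables LOG style (the "WAN-IN:" prefix is assumed)
SAMPLE_LOG = """\
Aug 31 10:01:02 gw kernel: WAN-IN: IN=eth0 OUT= SRC=203.0.113.9 DST=198.51.100.7 PROTO=TCP SPT=51234 DPT=49152 WINDOW=1024 RES=0x00 SYN URGP=0
Aug 31 10:01:05 gw kernel: WAN-IN: IN=eth0 OUT= SRC=203.0.113.9 DST=198.51.100.7 PROTO=TCP SPT=51235 DPT=49955 WINDOW=1024 RES=0x00 SYN URGP=0
Aug 31 10:02:11 gw kernel: WAN-IN: IN=eth0 OUT= SRC=192.168.1.20 DST=198.51.100.7 PROTO=TCP SPT=40000 DPT=49955 WINDOW=1024 RES=0x00 SYN URGP=0
Aug 31 10:03:40 gw kernel: WAN-IN: IN=eth0 OUT= SRC=198.51.100.200 DST=198.51.100.7 PROTO=UDP SPT=53 DPT=61001 LEN=40
Aug 31 10:04:00 gw kernel: WAN-IN: IN=eth0 OUT= SRC=203.0.113.44 DST=198.51.100.7 PROTO=TCP SPT=6000 DPT=443 WINDOW=1024 RES=0x00 SYN URGP=0
Aug 31 10:05:13 gw kernel: WAN-IN: IN=eth0 OUT= SRC=203.0.113.44 DST=198.51.100.7 PROTO=TCP SPT=6001 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0
"""
LINE_RE = re.compile(r"SRC=(?P<src>[\d.]+) DST=(?P<dst>[\d.]+) PROTO=(?P<proto>\w+) SPT=\d+ DPT=(?P<dpt>\d+)(?P<rest>.*)$")

def parse_line(line):
    """Return (src, dst, proto, dport, is_syn) or None if the line is not a firewall log entry."""
    m = LINE_RE.search(line)
    if not m:
        return None
    return m["src"], m["dst"], m["proto"], int(m["dpt"]), "SYN" in m["rest"].split()

def is_rfc1918(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)

def flag_arris_probes(log_text):
    """Map each external source IP to the sorted list of flaw ports it sent TCP SYNs to."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        src, _dst, proto, dport, is_syn = parsed
        # Keep only external TCP connection attempts aimed at the flaw ports
        if proto != "TCP" or not is_syn or dport not in ARRIS_FLAW_PORTS or is_rfc1918(src):
            continue
        hits[src].add(dport)
    return {src: sorted(ports) for src, ports in hits.items()}
```

Running `flag_arris_probes(SAMPLE_LOG)` on the constructed log flags the two external sources that probed ports 49152, 49955 and 22, while the internal client, the UDP packet and the port 443 attempt are ignored.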
Nomotion has provided a fix for closing these holes; no official response or word from ISPs or Arris has been made.