Security researcher discovers Arris cable modem backdoor-in-a-backdoor

By Shawn Knight · 14 replies
Nov 21, 2015
  1. A Brazilian security researcher preparing to discuss cable modem security at an upcoming conference has discovered a second backdoor inside a number of Arris cable modems.

    As Bernardo Rodrigues explains on his blog, some Arris cable modems contain an undocumented library that serves as a backdoor, allowing privileged logins that use a different password for each day of the year. This is nothing new: this particular remote backdoor has been known since 2009.

    While analyzing this backdoor, Rodrigues said he found some interesting code on the authentication check. It’s here that he found the second backdoor – yes, a backdoor inside a backdoor.

    The known backdoor can be used to enable Telnet and SSH remotely via a hidden HTTP administrative interface or via custom SNMP MIBs. The second backdoor is based on the last five digits of the modem's serial number. Exploiting the second backdoor launches a full BusyBox shell, which grants a user or attacker even more capabilities.

    At the time Rodrigues wrote the blog post, Shodan searches revealed more than 600,000 affected modems in the wild. Vulnerable cable modem models include the TG862A, TG862G and DG860A. And believe it or not, Arris modems have a third backdoor, as outlined on the ConsoleCowboys blog.

    The security researcher said he went public with the backdoor after reporting it and waiting more than 65 days without a fix.


  2. cliffordcooley

    cliffordcooley TS Guardian Fighter Posts: 9,405   +3,417

    That sounds about right.

    The Arris DG860A was the latest modem issued to us by the local cable company. Why am I not surprised that a cable company would issue a modem riddled with backdoors?
  3. Skidmarksdeluxe

    Skidmarksdeluxe TS Evangelist Posts: 8,647   +3,268

    But Arris is different, they have red carpets leading to the backdoors.
    cliffordcooley and Julio Franco like this.
  4. Skidmarksdeluxe

    Skidmarksdeluxe TS Evangelist Posts: 8,647   +3,268

    The solution seems pretty simple, don't buy an Arris modem then.
  5. Per Hansson

    Per Hansson TS Server Guru Posts: 1,952   +203

    Backdoors based on the movie Inception :D
    yRaz and Julio Franco like this.
  6. tonylukac

    tonylukac TS Evangelist Posts: 1,366   +67

    What are they doing if they need to change the password every day?
  7. drjekelmrhyde

    drjekelmrhyde TS Addict Posts: 246   +59

    Not that simple. They own PACE and Motorola. Comcast and AT&T (maybe others) use them for STBs, gateways and modems.
  8. drjekelmrhyde

    drjekelmrhyde TS Addict Posts: 246   +59

    In 2014 they held 25% of the market in North America, which might go up since AT&T just got DirecTV.
  9. Skidmarksdeluxe

    Skidmarksdeluxe TS Evangelist Posts: 8,647   +3,268

    I never knew that. Tbh this is the first time I've ever heard of them.
  10. Emexrulsier

    Emexrulsier TS Evangelist Posts: 567   +66

    I deffo know my cable modem (Netgear) has a backdoor (with Virgin Media), because in the past I have logged faults and the tech support on the end of the phone has queried my port forwarding, DHCP settings and NAT settings before, all sorts of things you can only see if logged into the router. They can also perform reboots, firmware updates and reset admin passwords. A few times I have had trouble logging in, only to find the password has changed from my one back to the word "changeme". When I log in the router still has all my settings etc, it's just this password that has changed.
  11. Camikazi

    Camikazi TS Evangelist Posts: 923   +283

    All cable modems have that, it is used so the cable company can upload firmware and troubleshoot it from their side. This is also why I have a normal modem and have my own router which they cannot access or mess with at all.
  12. JW0914

    JW0914 TS Member Posts: 16   +8

    Clarification, all cable/modem router combinations that are issued by the ISP have that. This is why it's a bad idea to use a modem/router combination from an ISP, or if one must be used, to put a managed router in front of it on a different subnet, with UPnP turned off, preferably one that's able to run OpenWRT or DD-WRT.
  13. JW0914

    JW0914 TS Member Posts: 16   +8

    **in back of it, not front**

    Should look like: Modem[/router combo] -> personal router -> LAN
  14. Camikazi

    Camikazi TS Evangelist Posts: 923   +283

    All modems actually, even just a normal modem only device can be accessed remotely by the cable company that is how they send firmware updates and troubleshoot it from their centers. It is part of a remote management protocol that is built-in to pretty much every modem called TR-069.
  15. cliffordcooley

    cliffordcooley TS Guardian Fighter Posts: 9,405   +3,417

    Thanks for the info. :)
