Security researcher discovers Arris cable modem backdoor-in-a-backdoor

Shawn Knight


A Brazilian security researcher preparing to discuss cable modem security at an upcoming conference has discovered a second backdoor inside a number of Arris cable modems.

As Bernardo Rodrigues explains on his blog, some Arris cable modems contain an undocumented library (libarris_password.so) that serves as a backdoor, allowing privileged logins that use a different password for each day of the year. This is nothing new, as this particular remote backdoor has been known since 2009.

While analyzing this backdoor, Rodrigues said he found some interesting code in the authentication check. It’s here that he found the second backdoor – yes, a backdoor inside a backdoor.

The known backdoor can be used to enable Telnet and SSH remotely via a hidden HTTP administrative interface or via custom SNMP MIBs. The second backdoor is based on the last five digits of the modem’s serial number. Exploiting the second backdoor launches a full BusyBox shell, which grants a user or attacker even more capabilities.

At the time Rodrigues wrote the blog post, Shodan searches revealed more than 600,000 affected modems in the wild. Vulnerable cable modem models include the TG862A, TG862G and DG860A. And believe it or not, Arris modems have a third backdoor, as outlined on the ConsoleCowboys blog.

The security researcher said he went public with the backdoor after reporting it and waiting more than 65 days without a fix.


 
That sounds about right.

The Arris DG860A was the latest modem issued to us by the local cable company. Why am I not surprised that a cable company would issue a modem riddled with backdoors?
 

I deffo know my cable modem (Netgear) has a backdoor (with Virgin Media), because in the past I have logged faults and the tech support on the end of the phone has queried my port forwarding, DHCP settings and NAT settings before, all sorts of things you can only see if logged into the router. They can also perform reboots, firmware updates and reset admin passwords. A few times I have had trouble logging in, only to find the password has changed from my one back to the word "changeme". When I log in the router still has all my settings etc.; it's just this password that has changed.
 
All cable modems have that; it is used so the cable company can upload firmware and troubleshoot it from their side. This is also why I have a normal modem and have my own router, which they cannot access or mess with at all.
 
Clarification: all cable modem/router combinations that are issued by the ISP have that. This is why it's a bad idea to use a modem/router combination from an ISP, or if one must be used, to put a managed router in front of it on a different subnet, with UPnP turned off, preferably one that's able to run OpenWRT or DD-WRT.
 
**in back of it, not front**

Should look like: Modem[/router combo] -> personal router -> LAN
 
All modems actually; even a modem-only device can be accessed remotely by the cable company. That is how they send firmware updates and troubleshoot it from their centers. It is part of a remote management protocol that is built into pretty much every modem, called TR-069.
 