Backdoor In A Backdoor Discovered By Brazilian Security Researcher in ARRIS Modems

ARRIS TG 860


Bernardo Rodrigues, a Brazilian security researcher preparing to give a talk on cable modem security at the Nullbyte Security Conference, has discovered a previously undisclosed backdoor within a backdoor that is present on some ARRIS cable modems. The backdoor affects many models, including the TG862A, TG862G and DG860A. According to Bernardo, a search on Shodan, the world's first search engine for interconnected devices (Internet of Things), reveals over 600,000 affected devices.


ARRIS TG 860

ARRIS TG 862


Does your modem look like either of the two above? If so, read on, as you might be affected by the newly discovered security flaw.

The Backdoor In A Nutshell

The ARRIS Password of the Day is a backdoor that has been known since 2009 on many of ARRIS' small office/home office cable modems. It uses a seed provided by your Internet Service Provider to generate a "password of the day", which allows technicians to view and change your network settings remotely through a restricted technician's shell.

While analyzing how the earlier backdoor works, Bernardo discovered some interesting code in the authentication logic: it gives you a full BusyBox shell when you log on to the Telnet/SSH session with the last 5 digits of your modem's serial number instead of the "password of the day". In other words, this is a backdoor within a backdoor. What makes it more disconcerting than the earlier Password of the Day backdoor is that it gives attackers even more tools to access the modem, sniff packets and launch a sophisticated attack on your network.

What Now?

Bernardo, the security researcher, went public with this backdoor within a backdoor 65 days after reporting it, having waited to no avail for a fix. If you want a more detailed understanding of how the backdoors work, we encourage you to read his very informative blog post, which includes some screenshots of the backdoor at work.

The obvious question many people have is whether changing your modem is a good solution. Given how firmware/software updates are delivered and the nature of remote diagnosis tools, we wouldn't be surprised if similar backdoors exist on other modems as well. The best thing you can do is to be aware and stay informed about if and when the modem companies / ISPs patch these obvious security flaws. Pressuring them via social media to get it fixed might help too.

One additional step you can take if you're planning to buy a new modem, router or gateway is to check with customer support (especially if it's an ARRIS) whether such a security loophole is present on the model you're intending to buy. It might not be perfect, but hey, at least you tried.