Double Backdoor Exposed In Arris Cable Modems

Status
Not open for further replies.
As above, I'm glad my SB6141 isn't on that list. This is pretty negligent on the part of ARRIS; however, at least there are some good-natured and intelligent people out there to catch things like this and elicit change.
 
Is there anything that can be done, in the meantime, for those of us with one of these modems? I have no money to replace a cable modem, and I doubt TWC will issue me a new one because this one isn't secure.
 
I am an engineer for a US top ten cable company, and we were given access to the firmware fix for this issue before this article was even posted. The amount of fear mongering in this post is disappointing. Arris came to us and told us themselves and then had the new firmware sent to us two days after. There will be some needed testing of the firmware, but the article is completely wrong about saying Arris hasn't acknowledged or worked to fix this.
 


I sincerely hope you're right. I don't like having a security issue outside of my control. It's one thing to tighten down one's own security holes, and quite another to wait while the necessary steps are carried out well above one's own head. You say that you work for a top ten cable company in the U.S., so do you think this article, as it gets posted elsewhere across the internet, will force your company (and others as well) to move up the release date on this patch?
 


There are many steps that can be taken to mitigate the risk, which most cable companies do in the first place. We block all traffic to the cable modem itself unless it sources from a network we specify. You can't exploit a modem you can't connect to. With that said, public knowledge of the threat makes us move up our timeline as much as we can, but that doesn't mean deploying a firmware load we aren't certain won't break our service to customers. This is a concerning exploit, but I think the article overstated the risk to customers.
 


> There are many steps that can be taken to mitigate the risk, which most cable companies do in the first place. We block all traffic to the cable modem itself unless it sources from a network we specify. You can't exploit a modem you can't connect to. With that said, public knowledge of the threat makes us move up our timeline as much as we can, but that doesn't mean deploying a firmware load we aren't certain won't break our service to customers. This is a concerning exploit, but I think the article overstated the risk to customers.

With this one line, "but that doesn't mean deploying a firmware load we aren't certain won't break our service to customers," and the service we have come to expect in the US, I have to doubt the legitimacy of your claim. I'm just remembering the week+ at the end of our stint with DirecTV where everything was broken and they told us to pound sand until they learned we had options.
 
> Is there anything that can be done, in the meantime, for those of us with one of these modems? I have no money to replace a cable modem, and I doubt TWC will issue me a new one because this one isn't secure.
Your modem itself shouldn't be directly accessible from WAN IPs. So the main risk is from someone on your LAN or if you're targeted with a very complex CSRF attack. If your LAN is secure, then you just need to avoid going to untrusted sites.
 


I really don't care if you believe me or not, I'm not looking to argue with anonymous people on the internet. I simply felt it was important to educate people properly, as opposed to this article which was written to promote fear and panic. You obviously have chosen to go the route of fear and panic, and that's your decision. To the rest of the people who read this, maybe they won't be as pessimistic and closed minded, and my information will help alleviate the overblown fear the author appears to want to create.
 
They might not have a choice as to whether to replace these modems or not. At the very least, Arris should release updated firmware that permanently removes the backdoors now that they are known to be insecure.
My question is "Why put backdoors in this hardware in the first place?" and if the answer is "Because the government told us to!" the government needs a kick up the keister.
 
> I am an engineer for a US top ten cable company, and we were given access to the firmware fix for this issue before this article was even posted. The amount of fear mongering in this post is disappointing. Arris came to us and told us themselves and then had the new firmware sent to us two days after. There will be some needed testing of the firmware, but the article is completely wrong about saying Arris hasn't acknowledged or worked to fix this.

According to the researcher, Arris hasn't replied to him about any fix. Why wouldn't Arris do that, if he's the one that told the company about it?

> As of this writing, Shodan searches indicate that the backdoor affects over 600,000 externally accessible hosts and the vendor did not state whether it's going to fix it yet.
 


I don't know why they haven't, or if that's factual information. That's the reason I chose to respond: because of the misinformation this article is spreading. Whether or not the hacker received a comment back from Arris, whether or not he's being honest about that, or whether the author of this article took the liberty to add that, I can't speak to. What I can speak to is that we have the firmware fix, and we're looking to deploy it once we can certify the firmware. We are by no means a high priority on Arris' list, so if we have it, all the top US cable providers have it.
 


Thank you for your professional opinion on the subject. That's good to know. Still, I'll feel better once they patch this particular hole, especially now that it's all over the place.



Good! I don't deal with networking very much. I'm much more comfortable with hardware and software. Thanks for the reply. :)
 


Pretty much all systems already have built-in firewalls. The issue here is that they can take control of your modem, not your machine. That means they're in a position to sniff all of your Internet traffic, launch MitM attacks, disable your internet connection, use your internet connection to launch DDoS attacks, etc.
 