Bernardo Rodrigues, a Brazilian security researcher, said that he uncovered not one, but two backdoors in some Arris cable modems (TG862A, TG862G, DG860A). Over 600,000 cable customers are affected by this, and according to Rodrigues, the vendor hasn't committed to fixing the software flaws yet. Arris cable modems are used by some of the largest U.S. ISPs, including Comcast, Time Warner Cable, Charter and Cox.
The firmware of the cable modems in question came with an undocumented "libarris_password.so" library that acted as a backdoor by allowing privileged account logins with a different custom password for each day of the year. This backdoor actually dates to 2009, but Arris never fixed it.
When users or attackers exploit this backdoor, they can access the modem through SSH or Telnet ports over a hidden HTTP administrative interface. The default password for the SSH user "root" is "arris." When SSH or Telnet sessions were created, the system launched a "mini_cli" shell that asked for the backdoor's password.
While the researcher was analyzing the backdoor, he discovered that there was another backdoor inside the first backdoor. This second backdoor could be accessed through SSH/Telnet by using the last five digits of the modem's serial number as its password. Once accessed, a full busybox session is opened, giving the attackers even more capabilities.
Rodrigues was asked by the vendor not to disclose the password generating algorithm, but he didn't think this will do much to slow down attackers, considering the extent of the vulnerabilities in these Arris cable modems.
"I'm pretty sure bad guys had been exploiting flaws on these devices for some time (just search for ARRIS DNS on Twitter, for example)," said Rodrigues.
Rodrigues reported the vulnerabilities to the CERT/CC, a major center for addressing Internet security problems that's funded by the U.S. federal government, which has a policy of waiting 45 days before software bugs are disclosed to the public. The researcher and CERT/CC have already waited more than 65 days for Arris to fix the problem, but that hasn't happened yet, which is why the researcher is now making it all public.
Rodrigues believes that if modem software can't be open sourced so everyone could audit the software in their modems, as Vint Cert and others recently suggested, then researchers should at least be allowed to reverse-engineer modem firmware. This way, white hat security experts could find and help fix more security issues in our modems without being potentially liable to lawsuits against them by the modem companies who don't want their vulnerabilities exposed.
Lucian Armasu joined Tom’s Hardware in early 2014. He writes news stories on mobile, chipsets, security, privacy, and anything else that might be of interest to him from the technology world. Outside of Tom’s Hardware, he dreams of becoming an entrepreneur.