Around 600,000 cable modems manufactured by Arris are thought to be affected by a “backdoor-within-a-backdoor”, according to a security researcher.
According to Bernardo Rodrigues, a vulnerability tester with Brazil's Globo TV network, the flaw was unearthed when he found an undocumented library within three Arris cable modems that works as a backdoor, allowing privileged logins using a custom password.
He said that a search using Shodan, a search engine that scours the internet for devices attached to it, revealed that as many as 600,000 devices could be affected. TG862A, TG860A, and DG860A modems are all affected.
The backdoor was discovered in the concealed administrative shell that controls the cable modems. The backdoor account can be used to remotely enable Telnet and SSH through the HTTP administrative interface, or through custom SNMP MIBs.
“This ARRIS password of the day is a remote backdoor known since 2009 and still intact. The default seed is MPSJKMDHAI and many ISPs won't bother changing it at all,” said Rodrigues.
While analysing the backdoor library and shells, the researcher found code on the authentication check that hinted at a backdoor within a backdoor. The backdoor password is based on the last five digits of the modem's serial number.
“You get a full busybox shell when you log on the Telnet/SSH session using these passwords,” he said. Rodrigues added that Arris asked him not to reveal details about the password generation algorithm, but warned that this would do little to deter hackers.
“I'm pretty sure bad guys had been exploiting flaws on these devices for some time (just search for ARRIS DNS on Twitter, for example),” he warned.
“A broader view on firmware is not only beneficial, but necessary to discover new vulnerabilities and backdoors, correlating different device families and showing how vulnerabilities reappear across different products.”
Rodrigues said that the cable modem maker was slow to give feedback on the flaws he reported and it was only posting to CERT/CC that helped bring the issue to its attention.
In a statement released to the media, Arris said that it was “aware of the recently reported password vulnerability”.
“The risk related to this vulnerability is low, and we are unaware of any exploit related to it. However, we take these issues very seriously and review them with the highest priority. Our team has been working around the clock on modem updates that address this reported vulnerability.”
A spokeswoman for Arris told SCMagazineUK.com that the issue doesn't affect modems in the UK.
Gavin Reid, VP of threat intelligence at Lancope, told SC that backdoors in software are always a bad idea.
“They are especially bad when the software or device is connected directly to the internet, and even worse when the device itself is what you use to connect to the internet. This backdoor could allow you to fully access the device to change configuration and anything else the device configuration supports. A fix would be a firmware update that removed the backdoor but would have to be pushed by the ISP or self-initiated by the end-user,” he said.
Cris Thomas, strategist at Tenable Network Security, told SC that he would call this a flaw as the library was added to the router's firmware on purpose by the manufacturer. “This is more like a feature, just a very insecure one.”
“An attacker could use this 'feature' to create themselves their own account on the router and then monitor all the traffic that flows through it including email and websites visited. An attacker could also use this 'feature' to launch attacks against others or make the router join a botnet to send spam or other bad things,” said Thomas.
“The only thing the consumer can do is hope such flaws get found and patched by the manufacturer. This is why it is so important to make sure that your router has the latest firmware available. People often update their operating system or applications but forget to update their routers or other hardware.”
Paco Hope, principal security evangelist at Cigital, told SC that the problem with backdoors, generally, is that they often allow more than just the intended people in, “especially when they're this badly designed”.
“Compare this backdoor to the backdoors in cryptography that legislators in the US and UK are contemplating and you'll see why most technologists oppose them,” he said. “The Arris router backdoor would allow the worst of all possible activities: monitoring or rerouting someone's internet communications. Hackers could install malicious code of their own choosing (for example, rewriting the firmware of the modem itself) and do it silently with no visible indicator to the end user.”
Hope added that such backdoors typically trigger a lot of outrage because there is literally nothing end users can do to protect themselves from vendors who code sloppy backdoors.
“This device, by definition, sits at the edge of the network facing the Internet with a horribly insecure backdoor coded into it. The backdoor is invisible to the device's owner, undocumented, and cannot be disabled.”