Modems distributed by AT&T vulnerable (opens in new tab)

(threatpost.com)

20 pointscrgt8y ago12 comments

12 comments

11 comments · 4 top-level

laken8y ago· 4 in thread

I don't understand how so many internet connected device's manufacturers don't even think to check if they have an open ports, especially an open SSH port. Or is it that they just don't care? I can't tell anymore.

mrguyorama8y ago

A lot of these things are done for "support" reasons.

For example, someone I know works for one of the big cable internet providers. To paraphrase him: What they can do to your modem remotely is terrifying.

I know for one thing, My modem is an Arris SBG6580. For some reason, it seems that I don't have the ability as an individual to update/change/modify my own hardware. This is hardware I purchased outright, instead of leased telcom hardware, yet the only way it will ever be updated/patched is if my ISP pushes an update through (I believe) DOCSIS commands.

Of course, when all the individual companies created different backdoors for support, and now are all purchasing each other, it's likely many of the backdoors get forgotten or ignored.

closeparen8y ago

Which is why businesses typically run their own "edge" firewall gear between their own networks and ISP customer-premise equipment.

1 more reply

monocasa8y ago

Try and probe a big ISP switch sometime. They're generally running an ancient unpatched Linux and SSH with known vulnerabilities.

They don't care about their own crap, much less yours.

X86BSD8y ago

And until we have liability laws written to hold them accountable for not maintaining the security of their products this will continue to be the case.

yegle8y ago· 3 in thread

I'm very interested to get a copy of the said vulnerable firmware to poke around. How can I get one?

One use case is for ATT Fiber users to get the 802.1x certificate from the router, and use your own router instead (RouterOS etc.).

esaym8y ago

Here you go: http://tinyurl.com/yatdzfsu

I managed to root my 589 awhile back pretty easy by just using a crafted http post request. I run my modem in IP passthrough mode (like DMZ), and as far as I can tell, most of the open ports are not there that the article mentions (at least not on the WAN side)

schraitle8y ago

I did something similar to a modem supplied by Cox to enable bridge mode a few years ago. It required going to one of the modem settings pages, using browser tools to uncomment some html in the source of one of the forms, and then just submitting the form.

jlgaddis8y ago

I'd love to be able to get the certificates out of my Arris router to be able to use my own. I have a 5268AC and want the public IP on my own router instead of theirs. You can come really close to getting it in "bridged mode", but not completely.

anonova8y ago

Another popular and flawed modem Arris released into the wild is the SB6190. You can easily DoS it: https://www.dslreports.com/shownews/Puma-6-Flaw-Lets-Attacke...

sjbase8y ago

> "There’s no way people are not exploiting this in the wild"

Hard to disagree there.

Does it really usually take 2 months for something like this to get disclosed? Seems like anyone bored enough to run a SYN scan on one of these would find the vulnerable services instantly.

j / k navigate · click thread line to collapse