back to article Popular cable modem vulnerable to remote reboot/reset flaw

Security defence man David Longenecker says millions of users could have their internet connections severed thanks to a flaw in Surfboard SB6141 modems. The soon-to-be-patched cross-site request forgery flaw allows attackers to cut off users from the internet until their modem renegotiates with the ISP and reconfigures itself …

  1. Anonymous Coward
    Anonymous Coward

    The modem is always the weak link, and invariably you can't just install openWRT because the cable/DSL chipset is some closed-source broadcom thing.

  2. Nate Amsden Silver badge

    more people

    With too much time on their hands.

    To the prev poster this is for modems. Can't re flash them normally. My modem(motorolla) is not the model listed but am sure ia affected. It is basically a layer 2 bridge with a management ip (on a different subnet than my internal subnet but still reachable). My "router " is a soekris box running openbsd.

    Though there are probably routers with the same or similar code on them.

    1. Tom Samplonius

      Re: more people

      "My modem(motorolla) is not the model listed but am sure ia affected."

      Unlikely. Arris and Motorola are bitter competitors in the cable modem market, so it is unlikely they share any code. And over the years, Arris has some weird ideas about security: Google "arris password of the day".

      The issue with password of the day, is that some providers have not changed the seed. And even they have, the seed and the password of the day are too short.

      1. Adam 52 Silver badge

        Re: more people

        From the researcher's blog post:

        "ARRIS (which purchased Motorola's broadband modem business in 2014)"

      2. joebob2000

        Re: more people

        Um lol. Motorola sold their cable modem unit to Arris and Motorola were the ones who made the original SB6141 so yes, Motorola-made modems are affected because Motorola made the code that's vulnerable. That being said it's a silly exploit since 99% of ISPs dont require any intervention during a factory reset.

    2. DougS Silver badge

      Re: more people

      What do you mean "can't reflash them normally". Look up TR-069, even if you change the password your ISP can still get in. I know how to block it in my DSL modem via a hidden TR-069 config page but have chosen not to - even though the modem is like 8 years old I still get several new firmware versions delivered by my ISP each year - presumably to protect against exploits like this that haven't been made public.

      1. joebob2000

        Re: more people

        Modems like the SB6141 (and others affected, the SB6121) don't let the user set a password and they dont let the user change the firmware. They literally only let the user do a soft reset or a factory reset. The ISP decides what firmware runs on the modem, even if it's customer-provided.

      2. Tom Samplonius

        Re: more people

        "Look up TR-069".

        TR-69 is a xDSL only. Cable modems don't do TR-069. But I think the original poster meant that he/she couldn't reflash his/her own modem as per the "normal" (for him/her) process.

        The normal process is that ISPs should be updating their crap.

  3. Anonymous Coward
    Unhappy

    Annoying

    I love clicking on random links to see if they'll screw my connection up. Unfortunately it takes me to a Google login page. Ah well. No fun today.

  4. Adam 52 Silver badge

    "Personal information is not exposed in the attacks ... logs"

    Sort of depends on what's in the logs I'd have thought.

  5. John Brown (no body) Silver badge
    Black Helicopters

    Strangely...

    My cable modem rebooted as I was middle clicking the stories on The Reg front page into new tabs ready for reading. It started with Europe's biggest radiotelescope in fast-burst-finding upgrade and all the subsequent pages.

    It's a VM Superhub in modem only mode so it's more likely a VM issue than anything else. Or is it?

    Considering the page it first happened on, it might be aliens! On the other hand, it was only El Reg pages. BBC and Google were ok. It's not the first time I've noticed this happen either.

    I'm off to buy some tinfoil.

    1. Old Handle

      Re: Strangely...

      Are you by any chance using some kind of software that pre-fetches pages? If so I guess it's conceivable it automatically visited RebootMyModem.net for you.

  6. PNGuinn Silver badge
    Trollface

    w10 auto update?

    So the w10 update didn't work out so well?

    Driver problems?

  7. Someone_Somewhere

    Arris

    An appropriate name - given that their customers have been kicked right up it.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2019