35,000 ARRIS cable modems at risk from firmware dumper bot

Hackers have exploited a back door in more than 35,000 ARRIS modems, making off with firmware and certificates, according to security researcher Bernardo Rodrigues. ARRIS makes cable modems and associated home networking kit. It recently shipped a patch to address a 2015 zero-day which at the time of disclosure impacted 600,000 …

  1. Anonymous Coward

    Affected models? Link to a fix? Bueller? Bueller?

    Which ARRIS devices were affected? Without such a list, how are we to know if this affects us?

    Are there any fixes we can apply? If so then where are the links to them so that we might apply them?

    Without telling us which models are getting hacked & how to stop the hackers, all you've done is post a Chicken Little style "The sky is falling!" bit of fear mongering.

  2. Anonymous Coward

    VM Superhub 3

    these are ARRIS TG2492S/CE

    Are these vulnerable? Who knows.

    Not holding my breath for a statement from VM

    1. BenR

      Re: VM Superhub 3

      Very glad you came here to say this, as I was about to ask the very same thing.

  3. Anonymous IV

    Compulsory pun

    May I be the first to say that they don't know their ARRIS from their elbow?

    And to repeat a statement I lifted from a much-earlier comment:

    "Virgin Media SuperHub:

    Warning! Device might be at least 80% less super than advertised..."

  4. Anonymous South African Coward

    'ere, 'arris it lovely?

    More vulnerable devices.

    Smoothwall/IPCop/pfSense should be able to negate that 'orrible 'ole then?

    1. Crazy Operations Guy

      Nope, the attack happens on the outside edge, before it ever gets to your firewall. The modem is listening for ssh packets coming from the ISP (so that they can configure your router). So even if both you and the ISP have firewalls blocking all ssh traffic you are still vulnerable if anyone on your loop is infected.

      The SSH channel will also work even if the modem doesn't have an IP address; it will still respond to ssh packets addressed to the modem's MAC address and port 22.

  5. phuzz

    "Rodrigues cooked up a keygen, complete with a chiptune"

    Nice to see someone is still kicking it oldschool :)

    Remember (s)kiddies, your crackz ain't leet unless they have their own soundtrack.

  6. John Smith 19

    IoT developers. You are *all* in the software business.

    Some of you know this. Others of you ignore it.

    But when enough customers realize their data is being pimped out by your devices you're toast.

  7. kotaKat

    Except this is exceptionally easy to patch both doors:

    1: Change the SSH password in the modem provisioning config (it should be an option). You've just closed the door, but if you want to be safer...

    2: Change the default Password of the Day seed used for configuration. This is another setting that can be provisioned -- Time Warner sure as hell does it because I can't log in with my backdoor tech credentials anymore with the default Arris PWoD seed.

    1. Crazy Operations Guy

      Easy, but won't happen anytime soon. All ISPs will do is block both modems if it's cloned, then wait until the real customer calls in to complain (in which case, they'll dispatch a tech and charge the customer a replacement fee for the new modem and an additional fee for the tech to come out to troubleshoot, despite the ISP knowing exactly what was wrong).

      They have no incentive to stop malware from spreading across their networks, in fact they tend to profit from it (more traffic means the customer is more likely to go over their data cap, and can thus charge them far more).

      I've attached an SDR to a coax-tap that sits right in front of my modem and am pushing it through some software to decode the signal so I can pipe the packets to tcpdump and record them (with filters to strip out my own packets, of course). So far, I've not seen a single patch come down from my ISP even though the modem's firmware is wildly out of date (the sticker on the flash chip shows that the software version was released in late 2013 and the modem continually reports that software version when the CMTS requests modem info).

  8. x 7

    so this one could bite you in the arris

  9. Leedos

    This has the potential for stealing cable internet.

    With root access to the cable modem, it may be possible to clone another modem on your cable network by changing the MAC address and config files. Also possible to change your speed to the highest available, or change from residential to business level service, or set the modem to use a VoIP profile to prioritize your traffic. I have the sense that's why hackers are getting in and locking others out. It sounds like a digital land grab.

  10. Gene Cash

    El Reg review

    Soooo, how about El Reg discussing some small network stuff, like cable modems and 4-port switches/firewalls. Probably not much to review, but maybe a list with pros/cons.

    I'm getting rid of the ISP provided crap I'm renting, but looking on NewEgg doesn't really tell me anything about the kit, other than some of the spotty reviews.

    1. Down not across

      Re: El Reg review

      Soooo, how about El Reg discussing some small network stuff, like cable modems and 4-port switches/firewalls. Probably not much to review, but maybe a list with pros/cons.

      SNB is not too bad for quick comparison between products. I've found it handy on a few occasions to narrow down the shortlist.

  11. hayzoos

    "Internet-of-things botnets are becoming a thing: manufacturers have to start building secure and reliable products, ISPs need to start shipping updated devices and firmware, and the final user has to keep his home devices patched and secured," Rodrigues says.

    My ISP does not allow me to keep my cable modem updated, nor change any configuration parameters. So my ISP must do this, even though I own the device.

    I better not be charged for their screw-up and lack of patching.
