
SharknAT&To: Vulnerabilities in AT&T U-verse modems - dankohn1
https://www.nomotion.net/blog/sharknatto/
======
kogepathic
I think at a certain point someone needs to be held criminally liable for
situations such as this one.

A VW engineer is likely going to jail over dieselgate.

We have already seen that such insecure internet connected devices can be
easily and quickly assembled into a botnet. The operators of such a network
can direct the attacks at healthcare institutions, national infrastructure,
and other safety critical systems.

At some point, there have to be stricter consequences for companies than simply
a fine. C-levels won't start paying attention to security until there's the
real possibility that their ass will end up in jail for this kind of
insecurity.

~~~
QUFB
What laws would you propose to eliminate insecure software?

~~~
marcoperaza
Bruce Schneier has speculated about creating mandatory legal liability for
software vendors and service providers. Liability regimes are a major reason
why physical products are so safe.

[https://www.schneier.com/essays/archives/2003/11/liability_c...](https://www.schneier.com/essays/archives/2003/11/liability_changes_ev.html)

~~~
ryandrake
Say goodbye to open source, then, unless he proposes a special carve-out for
it.

~~~
marcoperaza
He has some commentary on this as well:
[https://www.schneier.com/blog/archives/2008/07/software_liab...](https://www.schneier.com/blog/archives/2008/07/software_liabil.html)

In summary, there wouldn't be liability for open source developers because
there is no business contract. But if you run a website with open source
software, _you_ of course would still be liable for anything that happens to
your customers' data. So you would probably want to buy that same open source
software from someone (e.g. Red Hat), who would also be liable.

~~~
smsm42
Which means hosting/supporting open source would quickly become not worth it
for any major company representing a large target for opportunistic lawyers.
When you make millions from a product, you can afford a team of lawyers
setting up contracts just right and fighting liability trolls. When you make
zero profit, you cut the losses. Such a law would spell a very quick end to any
corporate support of free and open source software, for liability reasons.
There's a reason why all such software is accompanied with "NO WARRANTY"
texts, and enforcing liability will make the corporate world run from it.
Nobody wants to be sued because they use OpenSSL and there was a vulnerability
there, and that's exactly what would happen with any commercial vendor using
OpenSSL if liability laws were introduced. It doesn't matter that the company
didn't write OpenSSL - as soon as they use it, they are on the hook. IBM was
sued not because they made Linux, but because they used it and had tons of
money. And I do not see any business model that could allow companies to
charge enough to cover such liabilities. Maybe for established powerhouses
like Linux or for corporate foundational projects like Chrome and Darwin, but
not for any lesser projects and surely not for any starting-up open source
with unclear revenue potential. It won't kill all open source, but it would
severely hurt the ecosystem and turn it into two worlds - pure hobbyist
geekery which nobody with money would touch, and formally open-source projects
with strict corporate governance that have no ecosystem beyond the founding
corporation.

One of the worst ideas I've heard lately, and I am genuinely baffled how a
person as smart and experienced as Schneier could support it.

~~~
marcoperaza
I'm not sure you're envisioning the same thing I am. You would only be liable
for something that you sell or otherwise make money from. You would be free to
publish software, open source or not, without incurring liability as long as
you don't make money from it. Whoever then uses that software for a commercial
product would be incurring the full liability, and would not be able to turn
around and sue up the chain.

The currently widespread practice of trusting sensitive user data to open
source code without an audit (either internally or via a third-party, e.g. Red
Hat) is horrifying and incredibly negligent.

~~~
smsm42
> You would only be liable for something that you sell or otherwise make money
> from

If your business includes software in any meaningful function, you are making
money from it. Any competent lawyer would be able to successfully argue that.
Charging money for a license is not the only way, otherwise everybody would
just switch to charging for "consultancy service", which coincidentally
provides free software license, and avoid any liability.

> You would be free to publish software, open source or not, without incurring
> liability as long as you don't make money from it.

You as a private person would be. That's my point - that would be the only way
to do open source; any corporate support of open source projects would imply
full liability, which would be impossible for a product the company gets no
revenue from. It would be much harder for a business to justify supporting an
open source project when liability costs are added to the equation.

> The currently widespread practice of trusting sensitive user data to open
> source code without an audit (either internally or via a third-party, e.g.
> Red Hat) is horrifying

Audits cost money. Tons of money. And they don't guarantee anything - bugs in
OpenSSL have not been discovered for years despite thousands of people using
the code, poring over it and billions depending on it. There's no magic in
"audit" that allows code to be bug-free after it - if there were such a magical
procedure people would already be using it, but there's no indication anybody
has invented an "audit" procedure that allows one to eliminate all bugs. Existing
flawed procedures are already being used - every company that produces
software that I ever heard about uses them - and they are not enough. So what
would happen is drastically raising the costs (to the point where having a
website would no longer be affordable to an average person) while not
significantly improving security.

~~~
ktRolster
_Audits cost money. Tons of money. And they don't guarantee anything - bugs
in OpenSSL have not been discovered for years despite thousands of people
using the code, poring over it and billions depending on it._

Any reasonable audit of OpenSSL would have said, "Don't use it."

~~~
smsm42
And instead use... what? Let's say you are creating a company that needs a
website to sell stuff. On that website, you need a TLS implementation, to
process user data & credit cards. After an expensive security audit that consumed
most of what your angel investors can give you, you decide that anything based
on OpenSSL can't be safely used. Now what?

~~~
colejohnson66
Forks of OpenSSL. After Heartbleed, dozens of forks were made. One I think is
really promising is LibreSSL which is managed by the same people who work on
OpenBSD.

~~~
smsm42
So, the premise there is "we couldn't find the bugs by the whole community in
twenty years, but if we split the community into a dozen independent projects
which do not cooperate, surely then we'll find the bugs that eluded us for two
decades". Right.

------
userbinator
It's always annoyed me that ISPs seem to like giving customers these horribly
overcomplex modems as well as other "value-added features" like "inject
advertisements into the user's unencrypted web traffic" --- especially since
customers are already paying them for the service.

My vision for an ideal modem is more like a dumb Ethernet to coax/fiber/etc.
adapter, and is otherwise as unobtrusive as possible. Ditto for an ideal ISP:
just sell access to the raw, unfiltered Internet, and nothing else.

~~~
josteink
> My vision for an ideal modem is more like a dumb Ethernet to coax/fiber/etc.
> adapter

You'd like Europe then.

You know where we have competing ISPs and this is the standard.

~~~
hedora
In fairness, comcast (big US ISP) allows you to buy your own cable modem.
However, they are terrible for multiple other reasons that would not fly in
Europe (data caps, lobbying to resell browsing history, opaque pricing
schemes, etc)

~~~
amluto
By which you mean that Comcast will let you buy an approved device which (I
believe) they fully control by design.

~~~
posguy
Pretty much. Cable modem hacking is extremely uncommon and even an owned modem
is out of your control. Look at all the Intel PUMA cable modems with
bufferbloat issues where the cable ISP refuses to update said modem to fix the
software bug causing bufferbloat.

------
sp00ls
Not nearly as large as ATT U-Verse but I found a similar vulnerability in the
modem I was provided from a rural DSL provider a few years ago.

It all started when I called to get the admin credentials so that I could open
a port. They refused, stating that they use the same PW on all of them so they
couldn't provide it to me.

After a day or 2 I found a vulnerability in the WebUI that dumped the password
to my browser. Did a shodan scan and found hundreds of these modems connected
to the internet. What they said was true, that password worked on the 2-3 I
tried just out of curiosity.

I tried reporting my findings to them but they didn't seem to care. So I just
changed the password on the one provided to me and let it be.

Now I live elsewhere and use my own purchased modem/firewall/wap. Can't trust
ISPs to care about your security.

~~~
jlgaddis
Unfortunately, on Uverse you are required to use the ATT-provided CPE (due to
802.1X authentication).

~~~
Spivak
Nah, all you have to do is redirect 802.1X traffic to their device and you can
use whatever device you want.

I have my EdgeRouter performing this function currently.

~~~
wil421
How much bandwidth do you lose? I have AT&T fiber and I want as close to 1Gb
as I can. Someone else I saw online did something similar with an
EdgeRouter and he lost a ton of speed.

~~~
Spivak
So there are two ways to add your own equipment. I don't know what method the
person you're talking about used.

The first you can put the modem in 'DMZ Plus' mode which is the closest you'll
get to a bridge mode. This is where you'll lose bandwidth but it's easier to
set up.

The second, which I recommend, is to connect your router to the ONT directly,
and use their modem as a client on your network. You have to set up some rules
to hook up the 802.1X traffic but otherwise the att modem is no longer in the
picture. _I_ haven't lost any bandwidth and I can't imagine that att's
provided cheapo box would be faster than an EdgeRouter.

~~~
chrissnell
The DMZ Plus mode doesn't really kill much bandwidth. I get pretty close to 1
Gbit through it. Maybe 960-980 Mbit. Good enough for me. The real problem with
the DMZ Plus mode is that it basically sets up a NAT to your router and the
state table of the modem is somewhat limited. I've never had any problems but
supposedly it might choke if you have tons of open connections.

~~~
wil421
DMZ plus mode is nowhere near bringing your own hardware and plugging it
into the ONT. Everything still has to go through the AT&T gateway.

Comcast will let you bring your own modem and plug it into the coaxial. I've
heard google fiber will let you bring your own stuff.

DMZ plus is much different than setting up an EdgeRouter to forward the
authentication to the gateway. You are in much more control of your network if
you don't use DMZ plus.

------
matt_wulfeck
Here[1] is an 802.1x proxy you can use to hide your incredibly vulnerable
residential gateway behind a firewall of your choosing. It allows the EAP
packets to pass through.

I honestly knew this was going to be a problem when I first port-scanned my
residential gateway and saw exposed who-knows-what ports, but for symmetrical
1Gb internet for $79.99 a month what can you do?

[1]
[https://github.com/ShadwDrgn/eap_proxy/blob/master/eap_proxy...](https://github.com/ShadwDrgn/eap_proxy/blob/master/eap_proxy.py)
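
Added example, not from this thread and not code from the eap_proxy project linked above: a toy version of the relay decision that both Spivak's "set up some rules to hook up the 802.1X traffic" setup and a standalone EAP proxy have to make. Frames with EtherType 0x888E (EAPOL) are parsed and relayed between the ONT-facing port and the port where the ISP gateway now hangs as a client; everything else is left to the router's ordinary forwarding, and EAPOL arriving from any MAC other than the gateway's is not relayed. The interface names `eth0`/`eth1` and all MAC addresses are constructed, and the frames are built in memory so it runs offline.

```python
"""Toy 802.1X (EAPOL) pass-through filter (added example, constructed data)."""
import struct
from dataclasses import dataclass
from typing import Optional

ETHERTYPE_EAPOL = 0x888E
PAE_GROUP_ADDR = bytes.fromhex("0180c2000003")  # 802.1X multicast destination

EAPOL_TYPES = {0: "EAP-Packet", 1: "EAPOL-Start", 2: "EAPOL-Logoff", 3: "EAPOL-Key"}
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}

# Constructed topology: eth0 faces the ONT, eth1 faces the ISP gateway (RG).
ONT_IF = "eth0"
RG_IF = "eth1"
RG_MAC = bytes.fromhex("001122334455")  # constructed gateway MAC, not a real one


@dataclass
class Eapol:
    dst: bytes
    src: bytes
    version: int
    eapol_type: str
    eap_code: Optional[str] = None
    eap_id: Optional[int] = None
    eap_type: Optional[int] = None


def parse_eapol(frame: bytes) -> Optional[Eapol]:
    """Decode the EAPOL header (and the EAP header when present).

    Returns None for non-802.1X frames and for frames whose EAPOL length
    field claims more body than was actually received."""
    if len(frame) < 18:
        return None
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != ETHERTYPE_EAPOL:
        return None
    version, ptype, length = struct.unpack("!BBH", frame[14:18])
    body = frame[18:18 + length]
    if len(body) < length:
        return None  # truncated: never relay a frame we could not fully check
    pkt = Eapol(dst, src, version, EAPOL_TYPES.get(ptype, f"type-{ptype}"))
    if ptype == 0 and length >= 4:
        code, ident, eap_len = struct.unpack("!BBH", body[:4])
        pkt.eap_code = EAP_CODES.get(code, f"code-{code}")
        pkt.eap_id = ident
        # Request/Response carry a one-byte EAP type after the 4-byte header.
        if code in (1, 2) and eap_len >= 5 and len(body) >= 5:
            pkt.eap_type = body[4]
    return pkt


def egress_for(frame: bytes, ingress: str) -> Optional[str]:
    """Pick the port a frame is relayed to, or None to leave it alone.

    EAPOL from the ONT side goes to the gateway port; EAPOL from the gateway's
    own MAC goes back to the ONT. Non-EAPOL traffic returns None (the router
    forwards it normally), and EAPOL from an unexpected MAC or port also
    returns None so a stray device on the LAN cannot talk to the ISP's
    authenticator through the relay."""
    pkt = parse_eapol(frame)
    if pkt is None:
        return None
    if ingress == ONT_IF:
        return RG_IF
    if ingress == RG_IF and pkt.src == RG_MAC:
        return ONT_IF
    return None


def build_eap_request_identity(src: bytes, ident: int = 1) -> bytes:
    """Constructed sample frame: EAP Request/Identity as an authenticator sends it."""
    eap = struct.pack("!BBHB", 1, ident, 5, 1)  # code=Request, length=5, type=Identity
    eapol = struct.pack("!BBH", 1, 0, len(eap)) + eap  # version 1, EAP-Packet
    return PAE_GROUP_ADDR + src + struct.pack("!H", ETHERTYPE_EAPOL) + eapol


if __name__ == "__main__":
    ont_mac = bytes.fromhex("aabbccddeeff")  # constructed
    sample = build_eap_request_identity(ont_mac)
    print(parse_eapol(sample), "->", egress_for(sample, ONT_IF))
```

In a real deployment the two functions sit behind raw sockets bound to the two interfaces (or behind bridge filter rules that match EtherType 0x888E), which is the part the linked proxies implement; the filtering rule here is the piece worth getting right, since relaying EAPOL from any source would hand the ISP-side authentication to whatever plugs into the gateway's port.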

~~~
nmjohn
I had the exact same thought after port scanning my own uverse gigapower
connection - so seeing real exploits actually be found on it is not surprising
in the slightest to me.

Though instead of going with the 802.1x proxy approach, it's also possible to
spoof the mac address of the RG with your router and swap it in place after
802.1x authentication has occurred. (You have to swap without the link to the
ONT going down however, the easiest way to do so being a switch with VLAN
support. You put the RG and ONT on one vlan, and then once the connection is
up, you swap your router in place of the RG.)

Then you can unplug the RG and put it in your closet (until you have a power
outage and have to do it again, which is the main drawback to this approach.
However since AT&T provides a UPS for the ONT, if you have a UPS for your
router you should be good there too.)

------
saagarjha
> a kernel module whose sole purpose seems to be to inject advertisements into
> the user’s unencrypted web traffic

Ugh…why is this even a thing? Like who thought it would be okay to add this
"feature" to a modem, let alone at the kernel level where it would be
difficult to disable and easier to be compromised?

------
js2
I have AT&T Gigapower with a Pace 5268AC, so not one of the modems discussed
here.

I don't use its wifi and I have it configured for pass-thru mode. When I got
service early this year, I briefly investigated bypassing it entirely. It
turns out you need the modem to periodically respond to authentication packets
from the AT&T network. But with some ingenuity, you can hang the router off an
extra port on your own router and use it only for authentication purposes:

[http://www.dslreports.com/forum/r29903721-AT-T-Residential-G...](http://www.dslreports.com/forum/r29903721-AT-T-Residential-Gateway-Bypass-True-bridge-mode~start=480)

I eventually decided not to do this because it's somewhat brittle and I didn't
otherwise have any issues with the Pace. Its performance is fine.

But, given this disclosure, I'm going to revisit my decision. First, it seems
like it's just a matter of time before the Pace has a similar security issue.
Second, that kernel module for injecting HTTP advertisements. Just the idea of
it bothers me.

~~~
js2
Update: I've moved the 5268AC behind my EdgeRouter Lite. I wasn't happy with
any of the 802.1x proxies other folks wrote and/or they weren't working for me
and/or I just wanted to write it in Python, so I wrote my own:

[https://github.com/jaysoffian/eap_proxy](https://github.com/jaysoffian/eap_proxy)

------
hedora
What really ticks me off about this is that for FTTN access around here, you
_have_ to use their crappy routers. This is true even if you go through a
third party like sonic.net.

Worse, their routers seem to do something to defeat attempts at two-level NAT
setups.

I thought one of the network neutrality principles said you couldn't
discriminate against compatible network hardware. Too bad Pai is in now.

~~~
mikeash
This is one reason why I really like FiOS. I get ethernet straight into the
house. Sometimes you get coax instead, but you can use a MoCA adapter to
convert it to ethernet. _And_ their provided modem is actually pretty decent!
I had planned to bypass it when I signed up for the service, but after using
it for a bit I decided to just keep it in place.

------
matt_wulfeck
Can someone please use this to lift the EAP certificate so that any individual
can authenticate _themselves_ with AT&T instead of having to put the gateway
in the very entrance to the home network?

------
chrissnell
I have AT&T U-verse (Gigabit fiber product) at home and I believe that I am
not vulnerable to public Internet attacks because I've configured my modem in
pass-through mode. The AT&T pass-through is pretty weak and is really only a
1:1 NAT, not a bridge, but as far as I can tell, the modem does not answer to
the Internet when configured in this mode.

------
fluxsauce
This is a shocking and overly broad title.

I have Sonic Fusion, which includes a Pace 5268AC modem which is provided by
AT&T U-verse and I cannot replicate the issue.

The title should be "Some AT&T U-verse modems..."

~~~
jsoo1
I have the 5268AC modem and I just did a quick nmap -PU. Open ports from that
are 80, 8443, and 49152.

~~~
relaxitup
80, 8443 not open on the external IP, are they? Hopefully only internal, unless
you're OK with that.

------
ronnier
1. SSH exposed to the Internet; superuser account with hardcoded
username/password.

2. Default credentials "caserver" https server NVG599

3. Command Injection "caserver" https server NVG599

4. Information disclosure/hardcoded credentials

5. Firewall bypass no authentication

------
fishywang
So since Sonic was highly reviewed and hyped here (San Jose), I checked them
out/tried to switch to them. For my address the only option from them was the
one on AT&T's IP network. For that service, I must use the modem they (AT&T)
give me. There's a modem rental fee, and there's a router feature that I cannot
turn off. That's the dealbreaker for me so I stopped trying. I'm glad that I
didn't go that route, and I hope Sonic could do better here.

~~~
brianpan
Sonic uses AT&T's networks but provides their own service on those networks.
The modem is not an AT&T modem and it's not the one in the article.

~~~
fishywang
But still, there's a router feature on that modem that I cannot turn off, so I
cannot bring my own router (unless I want to do double-NAT), and there is
still very likely some hardcoded remote access password.

------
JL2010
I can't seem to find any information on how or if this was disclosed to AT&T.
Does anyone know how the blogger proceeded here?

~~~
rwbhn
Comments at the bottom indicate it was not pre-disclosed.

------
chx
This is why, if I can, I get bridge mode on the ISP provided device and put in
an OpenWRT router. I am still on 802.11n but who cares, most of my devices are
not 802.11ac either.

I want to know what runs on my router, damnit! It's my biggest vulnerability
if done wrong and one of the more important security features of the home
network if done right.

------
FiveSquared
Well I have AT&T and the hack worked for me! Words could not express the
feelings of terror that I have right now.

~~~
wu_tang_chris
> Words could not express the feelings of terror that I have right now.

have you tried the word "hyperbolic" ?

~~~
yjftsjthsd-h
I disagree; it is totally reasonable to be terrified when the device at the
heart of your network has an internet-facing root exploit that you can't patch.

------
doctorshady
This wouldn't be the first time I've heard of some AT&T-specific
vulnerabilities on a router:
[https://www.soldierx.com/bbs/201704/voip-router-hacking](https://www.soldierx.com/bbs/201704/voip-router-hacking)

------
relaxitup
Has anyone with this modem in the wild actually confirmed this update was
pushed to them and, if so, is ssh listening on their public IP? So far in the
article comments (haven't looked through HN comments yet), those having this
modem have verified that ssh is not listening.

------
caryhartline
Another way around this is to just request a modern modem. I recognize that
modem as an older model and, especially if it is having hardware problems, you
can just call up AT&T and ask for their newer model (not sure if it is still
the newest) 5268ACFXN.

~~~
monochromatic
You sure the new model isn't similarly vulnerable?

------
ryanmarsh
I just installed a Ubiquiti UniFi Security Gateway and AP behind my Uverse
modem and turned everything off including the radios. Thank God. I'm sure I
could still be MITM'd so I'm running all traffic to a VPN now.

------
dqv
I am _not_ joking when I ask this question: will this open me up to potential
CFAA charges if I run the commands to check if I'm vulnerable and run the
self-mitigation commands?

------
mlosapio
This is terrifying

------
feelin_googley
In a world where users should have control over their own computers, it is the
customer who should have SSH access, not AT&T. But as you all know, most times
the customer does not own the modem. One well-known workaround is for the
customer to use their own modem or to use their own router as a gateway to the
modem. But does this really give the user more control over the modem/router?

These user-owned modems/routers usually do not encourage SSH access by the
user, if they even provide it. Instead they promote a "web interface".
_Indirect control_ of the settings. Better than SSH? That is for you to
decide.

The "market" seems to love the "web interface". But this is often the easiest
vector for successful attacks. Less control, and less safety. Is the tradeoff
still worth it? That is for you to decide.

[https://threatpost.com/vulnerability-disclosed-in-ubquiti-ne...](https://threatpost.com/vulnerability-disclosed-in-ubquiti-networks-admin-interface/124392/)

[https://www.sec-consult.com/fxdata/seccons/prod/temedia/advi...](https://www.sec-consult.com/fxdata/seccons/prod/temedia/advisories_txt/20170316-0_Ubiquiti_Networks_authenticated_command_injection_v10.txt)

[http://www.securityweek.com/worm-infects-many-ubiquiti-devic...](http://www.securityweek.com/worm-infects-many-ubiquiti-devices-old-vulnerability)

Relying on "Keep up to date with patches" or "Enable updates" as a strategy to
improve the safety of a product that was _unsafe to begin with_ is a bit of
cognitive dissonance given that its safety was deemed "good enough" for the
renter/purchaser at the time of rental/purchase. To achieve a safer product
requires not only manufacturers to set new priorities but consumers as
well.

How important is that "web interface"? More important than safety? And why not
configure using SSH instead? Whatever the reasons, tradeoffs have
consequences re: safety.

------
CodeWriter23
I applaud Hutchins' choice to use full disclosure instead. Let that be a
lesson to all Big Corps: there are White Hats out there who won't be bullied
by your "Responsible disclosure" propaganda. The writing is on the walls, Big
Corps, take responsibility and secure your gear by design or be pilloried.

~~~
ocdtrekkie
At the end of the day, it's pretty unlikely AT&T will suffer any significant
losses for this, but there's a decent chance some consumers will.

~~~
CodeWriter23
Every codependent has some excuse for enabling their abuser.

