
ARRIS Cable Modem Has a Backdoor in the Backdoor - geococcyxc
https://w00tsec.blogspot.com/2015/11/arris-cable-modem-has-backdoor-in.html
======
rspeer
> After a thoughtful analysis, the marketing committee advised w00tsec members
> to write a Keygen. In order to write a Keygen, we need a leet ascii art and
> a cool chiptune.

Something old, something new. Of course exploits and chiptunes have always
gone together like bread and butter. But now exploits need marketing
committees too.

~~~
a1k0n
Not a bad chiptune either: [http://www.a1k0n.net/code/jsxm/#Ghidorah_-_Toilet_story_5.xm](http://www.a1k0n.net/code/jsxm/#Ghidorah_-_Toilet_story_5.xm)

~~~
throwaway7767
Watched on YouTube, since I didn't have a FastTracker player handy:
[https://www.youtube.com/watch?v=Syc2NnPNnZs](https://www.youtube.com/watch?v=Syc2NnPNnZs)

Listening to that put me in a good mood :)

------
paulannesley
Hah I love this in the arris_backdoor.py output:

    > Bypassing EULA...
    > EULA served over HTTP
    > MiTMing EULA to include permissive clauses...
    > EULA bypassed using technique [1]

~~~
ericfrederich
Good catch... That is hysterical

------
arca_vorago
You know what really grinds my gears? The fact that on my newish Surfboard
modem, when I looked around for a new firmware version, lo and behold,
apparently Arris/Motorola refuse to release the firmware to the consumer/owner
of the device, and say that it is the ISP's responsibility to update firmware!

No it's not, it's my hardware! I understand the docsis 3.0 spec says
otherwise, but I disagree with it. So I call my ISP (Suddenlink), and lo and
behold, they say it's not supported and therefore won't update my firmware.

Now I find out it's probably backdoored!

You know, when the NSA and everyone else start talking about cybersecurity, I
don't fucking believe a word of it anymore, because if they were really
concerned about security, they would be pushing for open source firmware
modems, and would be letting these companies know about the vulns and pushing
them to close them. Instead they sit on the 0-days like a treasure trove of
new weapons.

~~~
bluedino
It's not any different than wireless companies and cell phones - they will use
the reason of not controlling the firmware causing connection issues with
their proprietary networks

~~~
arca_vorago
Which is such a bullshit reason... but you are correct, unfortunately.

------
smcl
It's a tiny bit funny that a cable modem called "arris" has a backdoor:
[http://www.cockneyrhymingslang.co.uk/slang/aris](http://www.cockneyrhymingslang.co.uk/slang/aris)

~~~
contingencies
Haha, we discovered that one playing scrabble last night. What are the
chances?

------
tomschlick
Does this affect their Surfboard line? Specifically the SB6141? It's probably
the most popular modem for people who don't wanna rent one from their
provider.

~~~
scott_karana
I know the Surfboards originated from Motorola, so there's a faint hope that
they're okay...

~~~
tomschlick
I bought mine from Target 3 months ago and it still looks like it is running
Motorola firmware even though it has an Arris logo stamped on the front of the
device.

[https://s3.amazonaws.com/tomschlick-screenshots/BGYfaCbLVEsB...](https://s3.amazonaws.com/tomschlick-screenshots/BGYfaCbLVEsBh.png)

~~~
Washuu
Yep, they still run Motorola firmware.

I discovered a few months ago Comcast is able to push firmware updates to
customer owned modems without permission. So even if the backdoor is not
present now there is no way to trust it will never be pushed to the devices.

~~~
tomschlick
That's worrisome. I knew they could ping for info/reboot it but had no idea
they had write access to the device.

~~~
wmf
Cable modems are based on a pre-Carterphone philosophy that the modem is an
extension of the ISP and is completely owned (and 0wned), configured, updated,
etc. by the ISP. They let you buy your own, but that doesn't change the
protocol.

------
drmpeg
I returned my Arris TG862 because you can't really shut off the WiFi. Even
though Comcast assured me that the public hotspot was disabled, I could see
(with my SDR receiver) that it was still transmitting on channel 1.

[http://www.w6rz.net/comcastwifi.png](http://www.w6rz.net/comcastwifi.png)

~~~
userbinator
"transmitting" as in actually sending data, or just the radio left on, set by
default to the lowest channel, and transmitting an otherwise useless carrier
wave?

~~~
drmpeg
Transmitting with a blank SSID apparently. It just adds to the congestion on
2.4 GHz for no reason. For myself, it interferes with my wireless development
activities. See this thread on the Comcast forum where folks are seeing all
sorts of bad behavior.

[http://forums.xfinity.com/t5/Home-Networking-Router-WiFi/Xfi...](http://forums.xfinity.com/t5/Home-Networking-Router-WiFi/Xfinity-HotSpot-FAQs/td-p/2307497)

------
nine_k
What kind of access should a cable company have to your cable modem? Should it
at all?

I mean, your ISP does not need any access to your edge router if the ISP gives
you a standard Ethernet socket. How standardized are cable interfaces? What
kind of custom setup may they legitimately need to work in a particular cable
network?

~~~
superuser2
The cable modem is telco infrastructure that happens to be in your house. The
boundary between telco and customer networks (called the "demarc") is between
the cable modem and your router. It's entirely theirs to administer, same
as the vault down the street.

A comment I posted about this a few years ago:
[https://news.ycombinator.com/item?id=6998650](https://news.ycombinator.com/item?id=6998650)

~~~
jwn
It's not quite that simple. In some cases it's telco infrastructure that's
owned by the customer. In that case I'd say the demarc is likely to be somewhere
_inside_ the modem, which is sort of nonsensical.

~~~
superuser2
When you own the modem, you're free to disconnect it from the cable company's
network and do something else with it, but administrative access is still a
condition of service from your ISP as long as you continue to contract with
them for internet access on it.

------
AndyMcConachie
Is this a cable modem or a router? My definition of cable modem doesn't
include an IP address.

These POCs never include enough information for me. For instance, is this
exploitable from the external interface, or only internal?

~~~
PhantomGremlin
_Is this a cable modem or a router?_

Reminds me of the inane SNL sketch, whose catchphrase was: "New Shimmer is
both a floor wax and a dessert topping!"

My Arris (nee Motorola) SB6141 is a bridge and a router. It's actually very
nicely done.

When the modem can't access the cable infrastructure, it turns itself into a
DHCP server and hands out IP addresses in the range 192.168.100.xx. This is
useful for people at home whose configurations are such that their home
networks won't work properly without some sort of DHCP server provided by the
ISP.

Once the modem can talk to the ISP, it turns itself into a bridge. The IP
addresses the modem previously issued were valid for 30 seconds, so there will
shortly be a new DHCPREQUEST which the modem bridges out to the ISP. From then
on, the modem is transparent to IP traffic (but see below).

_My definition of cable modem doesn't include an IP address._

This is highly useful. Once the modem has switched to being a bridge, it still
responds to 192.168.100.1. There's all sorts of useful information there. E.g.
DOCSIS status, Channel IDs, received Signal to Noise ratio, transmit Power
Level, etc. There's even a nice (but short) log of the modem's interaction
with the cable infrastructure.

The modem is outside my firewall, so I don't really worry about it much. It's
like anything else on the Internet as far as my home network is concerned.

However, I do currently allow access to 192.168.100.1 (normally I block
outbound RFC 1918 addresses). That is a potential problem should some rogue
program on my network attempt to exploit a modem vulnerability. Maybe I'll
just block all those addresses and only enable them in the firewall when I
want to check the modem status.

~~~
voltagex_
> normally I block outbound RFC 1918 addresses

I'm assuming LAN traffic still works in this case.

> That is a potential problem should some rogue program on my network attempt
> to exploit a modem vulnerability. Maybe I'll just block all those addresses
> and only enable them in the firewall when I want to check the modem status.

I've been looking at scraping my modem interface for info and then blocking
all but one PC from accessing the admin interface

~~~
uxp
> I'm assuming LAN traffic still works in this case.

Blocking outbound RFC 1918 addresses is a fairly common firewall configuration
to prevent any LAN traffic from leaking out into the internet due to weird or
misconfigured NAT rules, etc. It doesn't prevent that traffic from traversing
the LAN, just if it might try and escape the WAN.
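
The policy the two comments above describe (drop RFC 1918 destinations at the WAN edge so NAT leaks never reach the internet, but let one designated machine reach the modem's status address) is modelled below as an added example written for this thread; it is not code from the linked article or from any firewall product. The LAN subnet, the interface names and the admin host address are assumptions; the modem status address 192.168.100.1 is the one mentioned in the thread.

```python
"""Egress policy model: drop RFC 1918 destinations leaving the WAN side, except
for one admin host reaching the modem's status address.

Added example for this thread; the LAN subnet, interface names and the admin
host are assumptions, not details from the article.
"""
import ipaddress

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
LAN_NET = ipaddress.ip_network("192.168.1.0/24")       # assumed home LAN
MODEM_STATUS = ipaddress.ip_address("192.168.100.1")   # modem status page (from the thread)
ADMIN_HOST = ipaddress.ip_address("192.168.1.10")      # assumed: the one PC allowed to reach it
WAN_IF, LAN_IF = "wan", "lan"                          # assumed interface names


def is_rfc1918(addr) -> bool:
    """True if addr (str or ip_address object) lies in one of the private ranges."""
    if isinstance(addr, str):
        addr = ipaddress.ip_address(addr)
    return any(addr in net for net in RFC1918)


def egress_decision(src: str, dst: str, out_iface: str) -> str:
    """Decide what a forwarding router does with a packet from src to dst that is
    about to leave on out_iface. Returns 'ALLOW' or 'DROP'."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if out_iface == LAN_IF:
        # Traffic staying inside the LAN is not touched by the WAN egress filter.
        return "ALLOW"
    if out_iface != WAN_IF:
        return "DROP"  # unknown interface: fail closed
    if dst_ip == MODEM_STATUS:
        # The modem answers on a private address on the WAN side; only the
        # designated admin host may talk to it, everything else is dropped.
        return "ALLOW" if src_ip == ADMIN_HOST else "DROP"
    if is_rfc1918(dst_ip):
        # A private destination leaving the WAN is either a NAT misconfiguration
        # leak or a LAN host probing the ISP side; it is never useful on the internet.
        return "DROP"
    return "ALLOW"


def to_nft_rules() -> list:
    """Render the same policy as nftables forward-chain rules (first match wins)."""
    rfc = ", ".join(str(n) for n in RFC1918)
    return [
        f'oifname "{WAN_IF}" ip saddr {ADMIN_HOST} ip daddr {MODEM_STATUS} accept',
        f'oifname "{WAN_IF}" ip daddr {{ {rfc} }} drop',
        f'oifname "{WAN_IF}" accept',
    ]


def audit(flows) -> list:
    """Evaluate (src, dst, out_iface) flows; useful for checking the policy
    against captured traffic before deploying it."""
    return [(s, d, i, egress_decision(s, d, i)) for s, d, i in flows]


if __name__ == "__main__":
    # Constructed sample flows, not captured traffic.
    sample = [
        ("192.168.1.10", "192.168.100.1", "wan"),  # admin PC checking modem status -> ALLOW
        ("192.168.1.20", "192.168.100.1", "wan"),  # any other LAN host -> DROP
        ("192.168.1.20", "10.1.2.3", "wan"),       # leaked private destination -> DROP
        ("192.168.1.20", "192.168.1.30", "lan"),   # ordinary LAN traffic -> ALLOW
        ("192.168.1.20", "93.184.216.34", "wan"),  # ordinary internet traffic -> ALLOW
    ]
    for row in audit(sample):
        print(*row)
    print("\n".join(to_nft_rules()))
```

The rule order matters: the admin-host exception must come before the blanket RFC 1918 drop, which is why `to_nft_rules()` emits it first.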

~~~
voltagex_
Ah right, that's done by my ISP at the first hop.

------
nickjj
A few years ago people on my ISP were ranting and raving about getting an
Arris cable modem because it was one of the newer DOCSIS 3 modems.

I wonder if the TM822 model is classified as "ARRIS SOHO-grade" because that's
what the article mentions as having the backdoor.

~~~
noobermin
I have WOW internet, and their provided modem was an Arris modem. It was a
piece of garbage, so I bought a Netgear modem, sent the Arris back, and got
$10 savings on my internet bill (for renting the crap modem). I'm even happier
about that choice now. And yes, my new modem is DOCSIS 3.

~~~
nickjj
Was it the same model?

The TM822 has been pretty good to me. It maxes out at my ISP's reported speeds
(30/5), no packet loss, low single digit latency and since it's hooked up to a
UPS it hasn't been power cycled or rebooted in almost a year.

~~~
noobermin
Darn, it's been more than half a year, so I don't remember the model name. I
just recall it was Arris and the webpage manager thing had similar graphics
and look to the one in the article (although they probably all have that).

Nonetheless, regardless if it is the same model as they tested, this
demonstrates that I really shouldn't trust anything from Arris now.

------
MertsA
At least it appears to be based on the serial number. Only using the last 5 is
still pretty bad though but plenty of cable modems treat the serial number as
privileged information. It's already a password essentially for SNMP access
provided that your ISP hasn't blocked access to it.

~~~
esseye
It is exactly as privileged as going to the website
[http://192.168.100.1](http://192.168.100.1) and clicking HW/FW versions,
which proudly displays the complete serial for you. There is no authentication
of any sort and it is not encrypted at any point.

------
ErikRogneby
Wasn't there a project a while back where someone was building a open source
modem/router from the ground up? A kick starter or something?

~~~
imglorp
Since you need a DOCSIS modem box and a router, I would suggest people put a
router box you fully control behind your ISP's DOCSIS brick, and just assume
the latter is compromised continuously.

I use pfsense on a usb stick in a little box with 2 ethernets.

~~~
Igglyboo
What is a DOCSIS modem and why can't an open source one be built? Also, how
does putting your router behind your DOCSIS modem help?

Genuinely curious, don't know much about networking.

~~~
Spooky23
The cable companies need to be able to push firmware and settings to maintain
the network and avoid abuse. So they have certification standards and you need
to pay to play.

For example, with DOCSIS 2 modems, you could spoof the MAC address and make
some config changes and get anonymous internet access at the highest service
tier.

~~~
plonh
Why does cable company need special powers that my DSL provider does not need?

~~~
Spooky23
It's a completely shared infrastructure from the demarc in your home to the
local cable node. It's not very secure and pretty trivial to abuse. Remember
this was an infrastructure originally implemented to distribute TV signal.

Because of that TV heritage and the way they grew (on a town by town franchise
basis), cable networks were usually a patchwork of really shitty networks up
until fairly recently. My (limited) understanding is that on relatively modern
cable systems, there is fiber connectivity to the local nodes, and then coax
from that device to the homes in the area.

DSL is a switched network of sorts, and provisioning happens on the switch in
the CO. Ditto for fiber.

------
peterwwillis
Seems like this only affects the LAN interface. Since most people aren't
trying to break into your computer just to break into your cable modem, this
shouldn't be considered a high priority exploit.

Malware changing the DNS server on your router's DHCP server could be bad for
you. But even though malware on your desktop attacking your network is bad,
what's worse is _there's malware on your desktop_.

~~~
rogerbinns
Just because you can't think of a useful use by the bad guys, doesn't mean they
can't :-) It is also quite possible the bad guys have figured out how to
exploit this using regular Javascript - ie you don't need malware in your LAN,
just Javascript in a browser.

~~~
peterwwillis
Assuming you could exploit the browser's JS to submit such a request (I
thought I remembered seeing a security feature of modern browsers to prevent
this?) and assuming the web interface requires no authentication, you would
only be able to enable WAN HTTP access. The telnet and ssh still appear to be
LAN-only. And you still need the serial number to generate a password (does
the web interface even show that?). I don't see a viable drive-by attack
vector other than malware.

 _edit_ It does look like telnet can be accessed via WAN, which is pretty bad.

~~~
rogerbinns
There is a same origin policy and CORS. Sometimes cross site stuff is supposed
to work (JSONP). In some cases the request is made to the non-origin site, and
the response is then blocked based on returned headers. That however doesn't
stop the request's side effects. A few years ago there were a round of hacks
against many home routers doing this, exploiting vulnerabilities in their web
admin interfaces. I stand by my first sentence in my first comment.

~~~
amjo324
Yes, this class of web vulnerability is called Cross-Site Request Forgery or
CSRF ([https://www.owasp.org/index.php/Cross-Site_Request_Forgery_%...](https://www.owasp.org/index.php/Cross-Site_Request_Forgery_%28CSRF%29)). The Same Origin Policy (SOP) prevents one
domain from receiving the HTTP responses for requests it sends to other
domains. As you suggest however, the request itself can sometimes be enough to
cause adverse side effects on the target server (that may be beneficial to an
attacker).

It continues to be a common security issue among web applications and is why
all sensitive actions should be protected with unique anti-CSRF tokens (most
good development frameworks provide support for this).

If you need to relax SOP restrictions between sites you control, the modern
and recommended way is via Cross Origin Resource Sharing or CORS
([https://developer.mozilla.org/en-US/docs/Web/HTTP/Access_con...](https://developer.mozilla.org/en-US/docs/Web/HTTP/Access_control_CORS)).
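
The anti-CSRF token defence described above, as an added example written for this thread (not code from the linked article, the w00tsec tool, or any device firmware): a handler for a state-changing admin action that first rejects requests whose Origin/Referer is not the device's own admin origin, then requires a per-session synchronizer token that only the server's own forms contain. The session store, the admin origin string and the "apply settings" endpoint are assumptions.

```python
"""Anti-CSRF check for a state-changing admin endpoint (synchronizer token pattern).

Added example for this thread; the session store, the admin origin and the
"apply settings" endpoint are assumptions, not code from the article.
"""
import hmac
import secrets
from dataclasses import dataclass, field

# Origin of the device's own admin pages (assumed; used only as a comparison string).
ADMIN_ORIGIN = "http://192.168.100.1"


@dataclass
class Session:
    session_id: str
    # One unpredictable token per session; it is embedded in every form the
    # server renders and must be echoed back on every state-changing request.
    csrf_token: str = field(default_factory=lambda: secrets.token_urlsafe(32))


@dataclass
class Request:
    """Minimal stand-in for an HTTP request (constructed for the example)."""
    method: str
    headers: dict
    form: dict
    cookies: dict


SESSIONS = {}


def new_session() -> Session:
    sess = Session(session_id=secrets.token_urlsafe(16))
    SESSIONS[sess.session_id] = sess
    return sess


def render_hidden_token(sess: Session) -> str:
    """What the server puts into its own HTML forms; SOP keeps a foreign page
    from ever reading this value."""
    return f'<input type="hidden" name="csrf_token" value="{sess.csrf_token}">'


def origin_allowed(headers: dict, allowed: str) -> bool:
    """First line of defence: a cross-site POST from a modern browser carries an
    Origin header naming the other site, so accept only our own origin."""
    origin = headers.get("Origin") or headers.get("Referer")
    if origin is None:
        return False  # strict: no Origin/Referer at all is treated as cross-site
    return origin == allowed or origin.startswith(allowed + "/")


def handle_apply_settings(req: Request) -> tuple:
    """Return (HTTP status, message) for a request that changes device settings."""
    if req.method != "POST":
        return 405, "state changes require POST"
    sess = SESSIONS.get(req.cookies.get("session", ""))
    if sess is None:
        return 401, "no valid session"
    if not origin_allowed(req.headers, ADMIN_ORIGIN):
        return 403, "cross-site request refused by origin check"
    supplied = req.form.get("csrf_token", "")
    # Constant-time comparison so the token cannot be recovered byte by byte.
    if not hmac.compare_digest(supplied.encode(), sess.csrf_token.encode()):
        return 403, "missing or invalid anti-CSRF token"
    return 200, f"setting {req.form.get('setting')!r} applied"


def demo() -> dict:
    """The three cases that matter: a legitimate form submission, a forged
    cross-site POST (the browser attaches the victim's session cookie by itself,
    but the foreign page never saw the token), and a same-origin POST without it."""
    sess = new_session()
    cookie = {"session": sess.session_id}
    legit = Request("POST", {"Origin": ADMIN_ORIGIN},
                    {"setting": "dhcp_lease", "csrf_token": sess.csrf_token}, cookie)
    forged = Request("POST", {"Origin": "http://other-site.example"},
                     {"setting": "dhcp_lease"}, cookie)
    no_token = Request("POST", {"Origin": ADMIN_ORIGIN}, {"setting": "dhcp_lease"}, cookie)
    return {
        "legit": handle_apply_settings(legit)[0],
        "forged": handle_apply_settings(forged)[0],
        "no_token": handle_apply_settings(no_token)[0],
    }


if __name__ == "__main__":
    print(demo())  # {'legit': 200, 'forged': 403, 'no_token': 403}
```

The two checks are deliberately independent: the origin check alone fails for clients that strip Referer and send no Origin, and the token alone is undone by any page on the device that leaks it, so both are applied before the setting is touched.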

------
thefastlane
from a security standpoint, any recommendations for cable modem hardware
and/or firmware?

~~~
anExcitedBeast
Don't trust them. Add a system you control between the device and your
internal network. If you're just worried about your traffic privacy and not
just internal resources, establish an end-to-end encrypted tunnel from that
jump system to a network or VPN provider you trust.

Edit: excuse me, I misread your question. I thought you were asking for best
practice. I don't have a specific hardware recommendation (because I
don't trust them :) )

------
ck2
Can't most ISPs replace the firmware on demand on most Docsis 3.0 modems ?

This means they could manipulate it at any time.

~~~
moftz
Encrypt everything between your computer and the server you're connecting to,
ideally use a VPN. The ISP already owns the lines anyway, 0wning the modem
doesn't really make much more of a difference. The reasoning behind being able
to push new firmware to a modem from the ISP is automatic configuration and to
stop abuse on the network although I'd rather configure things myself.

------
iamthepieman
I have an Arris modem. Is there a way to mitigate this risk short of buying a
new modem?

~~~
throwaway2048
no, as the nature of it forces it to be on your network edge.

~~~
mhurron
Wouldn't putting the Arris modem in bridging mode mitigate it? It should no
longer be accessible via an outside IP at that point.

~~~
throwaway2048
it almost certainly still has an externally accessible ip at that point for
management purposes. (bridge 2 interfaces, add a virtual interface to the
bridge)

~~~
mhurron
I don't believe management from the CableCo is done over IP and the other
management end requires being plugged into the LAN port.

~~~
throwaway2048
as the article states, scans found WAN accessible modem UIs

~~~
mhurron
Yes, but by default a modem from your ISP is acting as a NAT device routing to
a private IP space. By default, it has an externally available IP address and
will answer on that or those addresses.

Many can, however, be configured as a bridge, which turns the device into just
a converter between physical mediums. You now need another device to route and
act as your gateway. In that setup you shouldn't be able to find it with an IP
connection scan, because it doesn't have one.

~~~
simoncion
> Yes, but by default a modem from your ISP is acting as a NAT device routing
> to a private IP space.

Not in my experience. The default modem provided by both Comcast and Knology
(who is -I guess- now WOW!) is (or was, in the case of Knology) a bridge
device that requires you to provide your own router. You have to ask for a
modem that's also a router to get something that's not a bridge.

That doesn't mean that the modem doesn't have an IP address, mind. AIUI, on
Comcast's network the _modem_ gets an IPv6 address so that they can do network
management stuff to it.

------
maximilianburke
I'm surprised this hasn't yet been branded the "ARRIS-Hole".

------
Neolo
Hi. I own Arris TG862G, TWC pushed their firmware on it, it seems much older
than discussed here.

Firmware Name: TS070563C_032913_MODEL_862_GW_TW_SIP_PC20 Firmware Build Time:
Fri Mar 29 2013

I got a permanent password to advanced page/technician. But I don't have URL
[http://192.168.100.1/cgi-bin/tech_support_cgi](http://192.168.100.1/cgi-bin/tech_support_cgi), it's 404 and as a result I don't know how to enable
SSH. Can anyone help with this old firmware?

~~~
df_cryptostorm
I also have a TG862G, but from Xfinity (a Comcast company). The default admin
page is @ [http://192.168.100.1/](http://192.168.100.1/) &
[http://10.0.0.1/](http://10.0.0.1/), but neither of them have a /cgi-bin/tech_support_cgi.

However, I discovered this page:
[http://10.0.0.1/wireless_network_configuration-1.php](http://10.0.0.1/wireless_network_configuration-1.php)
(probably also exists on 192.168.100.1) which looks like a secret wifi config
page that has more advanced options than the normal wifi config page @
[http://10.0.0.1/wireless_network_configuration.php](http://10.0.0.1/wireless_network_configuration.php)
(I found the wireless_network_configuration-1.php file by viewing the source
of a few pages on 10.0.0.1, it was hiding in some HTML comments).

On the normal wifi config page, you can only edit the settings for your
"Private" wifi hotspot, but on this -1.php page you can also edit the two
"Public" hotspots: "xfinitywifi", and one that (on mine) looked like:
"XHS-A6B18523". Since you can edit these two "Public" ones, you can also
view the stored WPA key for XHS ("xfinitywifi" has no key).

Once I grabbed the XHS-* key and connected to it, I received a 172.16.12.100
IP (a subnet I've never seen on the other access point). On this one the
gateway IP was 172.16.12.1. Nmap shows these ports on that gw IP: 443 = NET-DK
1.0 (ssl) 5001 = Arris/1.0 UPnP/1.0 miniupnpd/1.0 (Status: 501 Not
Implemented) 8080 = (SIP end point; Status: 501 Not Implemented) and same as
the above for ports 8081 & 8888 & 5540.

All of those SIP ports were just HTTP servers that looked exactly like the
customer version you see on [http://10.0.0.1/](http://10.0.0.1/) , except that
my admin pass didn't work on it (tried the defaults too, plus some guesses).

When I went to [https://172.16.12.1/](https://172.16.12.1/) it redirected me
to /cgi-bin/status_cgi, which contains a link to /cgi-bin/tech_support (which
redirects to /cgi-bin/adv_pwd_cgi).

So maybe you could try all of that to see if your TG862G works the same :-)

P.S. I tried the password of the day thing but the seed must be different on
this one, and the SNMP thing doesn't exist on any of these webservers.

~~~
Neolo
Thank you for the reply, but I don't have xfinity firmware anymore, cause TWC
wiped it out and wrote their own. It seems I don't have
wireless_network_configuration.php pages anywhere and it doesn't broadcast
wi-fi at all (I actually can't enable it, there is a bug or something, it just
shuts down), so I can't try that subnet either. This is frustrating, cause I
do have a password to /cgi-bin/adv_pwd_cgi but I can't find the SSH/Telnet
options to enable.

------
ars
When I try [http://192.168.100.1/cgi-bin/tech_support_cgi](http://192.168.100.1/cgi-bin/tech_support_cgi) on an
Arris modem it says:

    NET-DK/1.0 Error: 401 Unauthorized

~~~
merlincorey
Yes, that's demonstrated in the video. You have to login on another page
before that page will work.

~~~
jesalg
That login page doesn't exist on mine: [http://192.168.100.1/cgi-bin/adv_pwd_cgi](http://192.168.100.1/cgi-bin/adv_pwd_cgi)

    NET-DK/1.0 Error: 404 Not Found

------
Demoneeri
Can they access the mainframe?

------
annacollins
That's really great.

------
reviseddamage
yo dawg...

