Bugs in Arris Modems Distributed by AT&T Vulnerable to Trivial Attacks

Trivially exploitable vulnerabilities in several Arris home modems, routers and gateways distributed to consumers and small businesses through AT&T’s U-verse service have been discovered.

Trivially exploitable vulnerabilities have been discovered in several Arris home modems, routers and gateways distributed to consumers and small businesses through AT&T’s U-verse service.

It’s unknown yet whether the firmware vulnerabilities were introduced by the OEM or the ISP since AT&T seems to have access to Arris firmware and can customize code on the devices before they’re sent to customers, researchers at security consultancy Nomotion told Threatpost. The researchers uncovered support interfaces easily accessible over SSH, and hidden services exposing the devices to remote and local attacks.

Nomotion security analyst Joseph Hutchins said his firm elected to publicly disclose the vulnerabilities because of their severity and because of Arris’ history with security issues of this sort. A request for comment from Arris was not returned in time for publication.

An Arris representative told Threatpost the company is verifying the specifics of the Nomotion report.

“Until this is complete, we cannot comment on its details. We can confirm Arris is conducting a full investigation in parallel and will quickly take any required actions to protect the subscribers who use our devices,” Arris said in a statement provided to Threatpost.

“Even as early as February, there was another incident where they had similar security issues and their blatant carelessness has gotten out of hand,” said Nomotion CEO Orlando Padilla. “I think with a little bit of pressure, hopefully they’ll fix things up.”

Nomotion also said in a report published today that ISPs are responsible for ensuring the security of their network and equipment leased or sold to consumers.

The most serious of the five flaws affects the NVG589 and NVG599 modems, firmware update 9.2.2h0d83, which enables SSH by default and also contains hardcoded credentials that afford anyone access to the cshell service on the modem.

Hutchins said cshell is capable of viewing or changing the Wi-Fi SSID or password, modifying network configurations, reflashing firmware from a file served from the internet, or controlling a kernel module that injects ads into unencrypted traffic.

The cshell binary runs as root, meaning that any exploitable command injection or buffer overflow vulnerability will give an attacker root on the device. Nomotion estimates, however, that only 15,000 hosts are vulnerable after a Censys search, a much lower number than the impact posed by some of the other vulnerabilities.

Victimized gateways, meanwhile, can be corralled into a botnet, similar to that used by the Mirai malware to DDoS Dyn and other web-based services last fall. An attacker can also use these bugs to run code on the device to inject ads into traffic, or exploit other vulnerabilities on client devices running on the local network. Hutchins also said that since there’s no certificate pinning, an attacker could force the victim’s browser to accept a certificate from the gateway.

“You have full control of the traffic at that point,” he said.

Nomotion also found default credentials on the NVG599’s caserver HTTPS server running on port 49955, as well as a command injection vulnerability in the same webserver. Hutchins said the server accepts commands that would allow an attacker to upload their own firmware image, and either access or change an internal SDB database configuration. Nomotion estimates from Shodan and Censys searches that around 220,000 devices are vulnerable to this bug alone.

A separate information disclosure vulnerability in a service running on port 61001 would be useful to attackers, but would require them knowing the device serial number in advance in order to make a request.

The final bug affects possibly every AT&T device, all of which have port 49152 open, likely for remote access and support. Nomotion calls it a firewall bypass, and said a predictable three-byte value followed by the MAC address affords an attacker remote access.

“It is believed that the original purpose of this service was to allow AT&T to connect to the AT&T issued DVR devices which reside on the internal LAN. However, it should be painfully obvious by now that there is something terribly wrong with this implementation,” Nomotion wrote in its report. “Added to the severity is the fact that every single AT&T device observed has had this port (49152) open and has responded to probes in the same way.”

Hutchins said the most of the bugs are trivial to exploit.

“There’s no way people are not exploiting this in the wild,” Hutchins said. “It’s so trivial, we just didn’t see any point in going through the process of disclosure to the vendor and the waiting period because we just can’t see anyone not using this in the wild.”

This article was updated on Aug. 31 with a comment from Arris. 

Suggested articles


  • Ronkorn on

    So what's the fix?
  • Jennifer on

    I have been contacting AT&T for the last 4 to 5 months I have been through 6 different routers modems and each time that I call I spend in excess of about 3 to 4 hours on the phone with them only for them to tell me repeatedly that"our devices are not hackable and you are safe your information is protected" each time I tell them that this is incorrect and I have proof and video and screenshots of network changes error codes sending me to different browsers other than my protected ones they can get past Lookout installed on my phone they have in fact hacked all of my devices in my home 3 computers which I can't even use any longer my cell phone I've gotten 2 new cell phones and within 2 days of in stalling a brand new modem and getting a brand new phone my systems are hacked. I have repeatedly asked to speak to corporate for upper level technical support to explain to them the issue and show them the evidence I've had Hijacks on my logs which trace back to att! You think they are trying to fivure out the issue by hijacking their own networks!!??? Which i habe a photo of... I've had unknown devices that I have researched Mac adresses showing the Mac adresses are humax routers and Linux routers even cisco router and they absolutely want to hear nothing about it even though I have digital proof of all of it this has absolutely taken over my life for the last 5 to 6 months within the last 4 to 5 months I finally realized what was going on and started researching it heavily taking photographs of logs devices researching night and day taking me away from my job, my family but isn't protecting all of our personal information protecting your family yet I still have to support my family and AT&T has made that incredibly difficult and the lack of care or concern for our privacy to completely deny and deny is not only unethical it's completely negligent they've been giving the information because I was on the phone again for another 3 hours with att representative and I told them about the homeland security report issued 2015 with specific cve numbers to arrow modems to the vendors of these cable modems which had the vulnerabilities except for when I called and and ask them for the CVE numbers of my last 6 modems they told me they didn't even know what a cve number was. so I said well you should call Aries who supplies all of your modems and ask them about this security report concerning vulnerabilities which he did. I told them you probably won't call me back because nobody ever does but to my surprise he actually did contact me back within about an hour and a 1/2 and verified that arris had told him after he explained in detail my situation and my ongoing attempts to try to remedy with AT&T Aires verified that yes in fact those 2 modems the NVG589 and NVG599 were the most vulnerable modems to be hacked by remote and that indeed that was what was going on in my situation however that was all I got from AT&T I was told that I should contact arris myself and tried to remedy the matter???? you think that sense AT&T is the one who has been installing these modems into my home over and over that they would want to take some kind of action when their own representative was told that yes in fact your modems that you're putting in people's homes are being hacked this was on approximately August 3rd 2017 Not only that but there's been other security reports issued recently on September 30th and August 30th from companies outside of AT&T and arris who have detailed the vulnerabilities in these 2 systems. I will supply the links at the bottom of this and isn't it funny that in my specific area over 4 months ago they disconnected my DVR capabilities to my direct tv to the Internet and we have not been able to get any on demand Services we pay for each month and every time I call in to ask when my DVR is gonna be restored they tell me that there is no fix for it and that will give you a $30 credit even though you haven't been able to use your DVR services you pay for for the last at least 4 months!! I could go on and on with more evidence but I will save that for my attorney I have had it!!!!
  • Paul M on

    Is there a firmware update coming soon for the modem/router to fix this vulnerability?
  • Darren on

    As of 3-Oct-2017, my Arris NVG599 has 9.2.2h0d88 Not sure when this was applied, or IF it addresses any vulnerabilities.
  • Jennifer on

    The newest research that I have discovered on this issue is that one of the biggest vunerability is that the modems that they're using do not offer an option for an administrative password so anybody who gets into/onto the network can get into your network settings. Most all modems allow you to install an administrative password in which case you have to get past that first prior to being able to get into network setrings. These particular modems do not have that availability another threat is that they're actually being able to get in through the ports all of the modems have the same port I don't believe a firmware update is going to solve the problem. The hacking on all my devices has gotten so bad that they've hacked my 3rd new phone (I actually believe the problem is related to both Verizon and AT&T there is some link) now somehow they've been able to access remotely most all my devices. I believe by radio signals/airgap all of my other devices when I go onto Google chrome and it states locked secure site with verified certificates some websites Verizon wireless being one of them are popping up Chinese symbols all over the icons and any time I get my phone anywhere close to my computer or ultrasound machine at work or my radio when they're completely off I have a light that's blinking with every syllable that I'm saying.

Subscribe to our newsletter, Threatpost Today!

Get the latest breaking news delivered daily to your inbox.