Cable modems sold by two manufacturers expose a wide variety of sensitive information over SNMP, including usernames and passwords, WEP keys and SSIDs. Researchers who discovered the vulnerabilities say they’re trivially exploitable and plan to release Metasploit modules for them later this month.

The broadband modems, manufactured by Netmaster and ARRIS, leak the sensitive information through the exposure of the SNMP community string. That string is a kind of password that is sent in cleartext by clients as a form of authentication. It’s a part of the original SNMP standard, and a pair of security researchers discovered that the ARRIS Touchstone and Netmaster Wireless Cable Modem use the community string and expose the sensitive information.

“By default this device was found exposing critical information via SNMP public community string. According to Shodan over 50,000 of these devices are exposing SNMP to the internet,” Tod Beardsley of Rapid7 wrote in a post explaining the flaws, which were discovered by Deral Heiland and Matthew Kienow.

The same issue applies to both the ARRIS and Netmaster cable modems, and the researchers found that they expose the password, SSID, WPA pre-shared key, WEP keys and, in the case of Netmaster, the username. The two researchers who discovered the vulnerabilities plan to discuss the problems at the DerbyCon conference in late September and release a Metasploit module to exploit them, as well.

The effect of the vulnerability is that a remote, unauthenticated attacker would be able to retrieve the exposed information and presumably gain access to the affected device. The CERT/CC has issued an advisory about the issue in the ARRIS modems.


Comments (3)

  1. Roland

    I would like to know what Xfinity, who deploys this same modem, is doing to correct this. Thousands, if not millions, of subscribers at stake.

  2. tillithz

    Ha, you're just getting around to this in Sept. 2014? You busted the case wide open some 8 years or more later. This has been common knowledge for a lot longer and for a lot more than the two devices you explain above.

  3. thedude

    Everyone and their mother knows about this.
    Everyone in the industry knows this stuff but ISPs don’t want to pay to have secure devices.
    You can bet every hacker/criminal/spook under the sun has exploited internet devices right and left for decades.

    Also take a look at the latest DSL debacle in Brazil, a country also known as “hacker/terrorist/pedo paradise”…
    The level of insecurity in Brazil is insane (much much worse than what was reported by Fabio Assolini).
