AT&T, Arris blasted by cybersecurity firm as ‘careless’ with U-verse modem vulnerability

In a scathing post on its blog, information security consulting and software development firm Nomotion blasted both modem vendor Arris and U-verse operator AT&T for opening “gaping security holes” in potentially hundreds of thousands of customer devices.

“It is uncertain whether these gaping security holes were introduced by Arris (the OEM) or if these problems were added after delivery to the ISP (AT&T U-verse). From examining the firmware, it seems apparent that AT&T engineers have the authority and ability to add and customize code running on these devices, which they then provide to the consumer (as they should),” wrote Nomotion's Joseph Hutchins on the firm’s blog.

As noted by The Register, the vulnerabilities discovered by Nomotion could affect up to 140,000 of Arris’ NVG589 and NVG599 modems.

“Some of the problems discussed here affect most AT&T U-verse modems regardless of the OEM, while others seem to be OEM specific. So it is not easy to tell who is responsible for this situation. It could be either, or more likely, it could be both,” Hutchins wrote. “Regardless of why, when, or even who introduced these vulnerabilities, it is the responsibility of the ISP to ensure that their network and equipment are providing a safe environment for their end users. This, sadly, is not currently the case.”

Arris told Kaspersky Labs’ Threatpost that the company is looking into the situation. “Until this is complete, we cannot comment on its details. We can confirm Arris is conducting a full investigation in parallel and will quickly take any required actions to protect the subscribers who use our devices.”

Representatives from AT&T did not immediately respond to questions from FierceTelecom about the situation. AT&T is the nation’s third-largest internet service provider with roughly 14 million customers.

In its detailed post on the security vulnerabilities of the Arris modems for AT&T’s U-verse, Nomotion reported that software on the devices would allow remote hackers to access the devices over SSH.

“There’s no way people are not exploiting this in the wild,” Hutchins told Threatpost. “It’s so trivial, we just didn’t see any point in going through the process of disclosure to the vendor and the waiting period because we just can’t see anyone not using this in the wild.”

This isn’t the first report of modems open to hacking. A Brazilian security analyst in 2015 documented multiple backdoors allowing remote access to Arris cable modems. Also in 2015, Carnegie Mellon University researchers revealed that DSL routers from Asus, Digicom, Philippine Long Distance Telephone (PLDT) and ZTE could be affected by a security vulnerability. And Arris in 2016 said it would address a separate vulnerability in its SurfBoard 6141 DOCSIS 3.0 modems with a firmware update. Also in 2016, a report pointed out how a number of Netgear router models had been affected by a new vulnerability that could allow hackers to take over the devices.

Moreover, internet service providers like AT&T have also suffered various cyberattacks and intrusions. For example, last year internet provider Dyn suffered a noteworthy distributed denial of service cyberattack.