0-Day Vulnerability Exposes Thousands Of AT&T Broadband Customers To Attack
from the whoops-a-daisy dept
AT&T and hardware manufacturer Arris are being accused of leaving a large population of broadband subscribers (nearly 140,000 devices, by the researcher's count) open to attack. A new report by security researcher Joseph Hutchins details five flaws in Arris gateways used by AT&T and numerous other ISPs around the world. Hutchins notes that some of the flaws may have been introduced after the devices were delivered to AT&T, since ISPs routinely customize firmware for use on their own networks after purchase. But the most serious flaw stems from the all-too-common practice of shipping hardware with hardcoded credentials and SSH enabled by default:
"It was found that the latest firmware update (9.2.2h0d83) for the NVG589 and NVG599 modems enabled SSH and contained hardcoded credentials which can be used to gain access to the modem’s “cshell” client over SSH. The cshell is a limited menu driven shell which is capable of viewing/changing the WiFi SSID/password, modifying the network setup, re-flashing the firmware from a file served by any tftp server on the Internet, and even controlling what appears to be a kernel module whose sole purpose seems to be to inject advertisements into the user’s unencrypted web traffic."
Nearly 140,000 devices are affected; the Arris NVG589 and NVG599 gateways are the hardware AT&T uses for its VDSL broadband (formerly U-verse) service. The vulnerabilities do not just expose individual subscribers: hardcoded credentials are also a major driver of the historically massive DDoS attacks of recent years, because botnet malware targets exactly this class of device. In addition to the hardcoded SSH credentials (which you'd think any sensible hardware vendor would steer well clear of by now), Hutchins notes the devices suffer from default credentials on the HTTPS administration server, command injection vulnerabilities, and a firewall bypass on port 49152.
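The two defects the article leads with, a usable password hash baked into the image and an SSH daemon started unconditionally at boot, are both visible in an extracted firmware root filesystem before the device ever ships. The script below is an added example (not code from Hutchins' report, Arris or AT&T) of how to audit for them; it assumes a rootfs already extracted into a directory (for instance with binwalk) and builds a small constructed sample tree, with a made-up account name and a fake hash, so it runs offline.

```python
"""Audit an extracted embedded-Linux rootfs for baked-in credentials and
an SSH daemon launched at boot.  Added example; the sample tree is
constructed here and is not real Arris/AT&T firmware content."""
import os
import re
import tempfile

# Where credentials and boot-time service launches usually live (assumption
# about typical BusyBox/embedded layouts, not a statement about any vendor).
PASSWD_FILES = ("etc/passwd", "etc/shadow")
INIT_DIRS = ("etc/init.d", "etc/rc.d")
# Password fields that are NOT a usable hash: empty, locked, or deferred to shadow.
NOT_A_HASH = {"", "*", "!", "!!", "x"}
SSH_DAEMONS = re.compile(r"\b(dropbear|sshd)\b")


def hashed_accounts(path):
    """Return (user, hash) pairs whose password field is a real hash,
    i.e. a credential that every unit shipped with this image shares."""
    found = []
    with open(path, encoding="utf-8", errors="replace") as fh:
        for line in fh:
            parts = line.rstrip("\n").split(":")
            if len(parts) < 2:
                continue
            user, pw = parts[0], parts[1]
            if pw not in NOT_A_HASH:
                found.append((user, pw))
    return found


def ssh_started_at_boot(rootfs):
    """Return (script, line) for every non-comment init-script line that
    launches an SSH daemon.  A hit means SSH is on by default unless the
    surrounding script gates it; that gating is what a reviewer then reads."""
    hits = []
    for d in INIT_DIRS:
        full = os.path.join(rootfs, d)
        if not os.path.isdir(full):
            continue
        for name in sorted(os.listdir(full)):
            p = os.path.join(full, name)
            if not os.path.isfile(p):
                continue
            with open(p, encoding="utf-8", errors="replace") as fh:
                for line in fh:
                    s = line.strip()
                    if s.startswith("#") or not SSH_DAEMONS.search(s):
                        continue
                    hits.append((os.path.join(d, name), s))
    return hits


def audit(rootfs):
    """Combine both checks into one report dict."""
    report = {"credentials": [], "ssh_boot": []}
    for rel in PASSWD_FILES:
        p = os.path.join(rootfs, rel)
        if os.path.isfile(p):
            report["credentials"] += [(rel, u, h) for u, h in hashed_accounts(p)]
    report["ssh_boot"] = ssh_started_at_boot(rootfs)
    return report


def build_sample_rootfs():
    """Constructed sample tree: one locked root, one service account with a
    FAKE md5crypt-style hash, and an init script that starts dropbear."""
    root = tempfile.mkdtemp(prefix="rootfs-")
    os.makedirs(os.path.join(root, "etc", "init.d"))
    with open(os.path.join(root, "etc", "passwd"), "w") as fh:
        fh.write("root:x:0:0:root:/:/bin/sh\n")
        fh.write("svcuser:$1$saltsalt$FAKEFAKEFAKEFAKEFAKEFA:0:0::/:/bin/sh\n")
        fh.write("nobody:*:99:99::/:/bin/false\n")
    with open(os.path.join(root, "etc", "init.d", "S50net"), "w") as fh:
        fh.write("#!/bin/sh\n# bring up WAN\nifup wan0\n/usr/sbin/dropbear -p 22\n")
    return root


if __name__ == "__main__":
    for key, rows in audit(build_sample_rootfs()).items():
        print(key, rows)
```

The passwd check deliberately treats `x` as "not a hash" so that a correctly configured image (hashes only in a root-readable shadow file) produces no finding from passwd alone; the shadow file is scanned separately. A hit from either function is a signal to read the surrounding script or account definition, not proof of exploitability on its own.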
AT&T is refusing to comment, and Arris tells ThreatPost it is looking into the flaws. Whichever party is to blame, Hutchins writes that the first vulnerability was the result of "pure carelessness":
"Regardless of why, when, or even who introduced these vulnerabilities, it is the responsibility of the ISP to ensure that their network and equipment are providing a safe environment for their end users. This, sadly, is not currently the case. The first vulnerability found was caused by pure carelessness, if not intentional altogether. Furthermore, it is hard to believe that no one is already exploiting this vulnerability at the detriment of innocents."
At a recent Defcon, hackers demonstrated that they could break into about half of thirty different commercially available residential broadband routers without much elbow grease. Why does this continue to be such a problem? Security experts like Bruce Schneier have repeatedly pointed out that the flimsy security we enjoy mocking in the internet of broken things is just as present in the residential broadband router market, in large part because nobody in the supply chain has a financial incentive to do much about it:
"Typically, these systems are powered by specialized computer chips made by companies such as Broadcom, Qualcomm, and Marvell. These chips are cheap, and the profit margins slim. Aside from price, the way the manufacturers differentiate themselves from each other is by features and bandwidth. They typically put a version of the Linux operating system onto the chips, as well as a bunch of other open-source and proprietary components and drivers. They do as little engineering as possible before shipping, and there’s little incentive to update their “board support package” until absolutely necessary.
The system manufacturers – usually original device manufacturers (ODMs) who often don't get their brand name on the finished product – choose a chip based on price and features, and then build a router, server, or whatever. They don't do a lot of engineering, either. The brand-name company on the box may add a user interface and maybe some new features, make sure everything works, and they're done, too."
After that, everybody in the chain is too focused on making money on the next product or chipset to do the legwork required to keep the hardware or software in these devices updated or secure. This is at the heart of IoT dysfunction, but the problem goes well beyond your easily hacked smart thermostat. Fair or not, the onus then lands in the lap of the broadband ISP, since it fields the support calls once a customer gets hacked. But swapping out the hardware or troubleshooting existing gear erodes profit margins too, at companies that already cut customer support corners to an often comical degree.
As script-kiddie oriented malware kits make attacking these vulnerabilities easier than ever, a problem nobody seems to want to fix is only going to get worse. And while some will wrongly call it hyperbole, that's why Schneier and many other security researchers have been warning for years that there's a dumpster fire just over the horizon that could result in a notable loss of human life. It's a future everybody in the space can clearly see, but few are willing to spend the money to avoid.
Filed Under: 0-day, hardcoded password, home broadband, routers, security, vulnerability
Companies: at&t
Reader Comments
The First Word
Vulnerability Exposes Thousands Of AT&T Broadband Customers To Attack
...aside from the usual attacks by AT&T (on your wallet and on your sanity)?
Re: Re:
Now I'm wondering if keeping the older ones wouldn't have been safer... security thru obscurity as it were.
Re: Re:
I do not know if there is anything in AT&T's router that would prevent this arrangement.
Re: Re:
"Wants" or forces? I don't normally care what AT&T wants. If they're forcing it, how?
Re: Re: Re:
Tons of posts on the internet of people just trying to get the thing into a proper bridge mode, let alone bypass it.
I would absolutely love to throw the damn thing in the trash, but doing so would mean I'd have no internet, and at the moment I'm 400ft too far away to get the cable company to bring anything out.
Vulnerability Exposes Thousands Of AT&T Broadband Customers To Attack
probably... more than likely?
Re: Re: And yet...
can be vs won't be
Re: Re: And yet...
Eventually, profit will win out over security. Corners will be cut. Expediency will be chosen. Budgets will be reduced. Compromises will be made.
Each one, by itself, will mean little. But in the aggregate, they will erode the overall security posture. The cautionary words of the security engineers will be overwritten by the balance sheets of the accountants.
It's not a question of if. It's only a question of when.
Re: Re: And yet...
Ah... no, they do not recognize the risk involved.
Recognition requires that certain steps be taken.
It's like saying that a person "recognized" the risk involved while still climbing a cliff without proper safety gear. Their actions clearly prove that they did not recognize shit. Like most others they just think they can escape fate until it bites enough people in the ass to the point that we get tired of the idiots and start creating laws.
Humans, the key ingredient in all those fuck-ups you read about on the news and in memes.
Re: Re: Re: And yet...
Nobody on this planet knows how to secure an autonomous vehicle. Nobody on this planet has even the hint of a rumor of a slim chance of doing so.
Re: Re: Re: And yet...
The price for this hubris is going to be paid in blood. Mark my words. People are going to die, in significant numbers, as a result of the widespread deployment of this technology that NOBODY has the slightest idea how to secure.
blah blah blah
As a consumer we will not accept responsibility for knowingly buying products from businesses that are complicit in the theft of my privacy. We will instead beg a lying thieving politician to carry that burden for us and then blame them when something goes wrong.
We totally expect a bunch of people we don't know to put our interests ahead of their own.
Cause this has been working so far!
Re: Re: blah blah blah
as with the Equifax breach, you were forced without any choice to participate in an invasion of your privacy just to participate in the economy.
unless you are living completely off grid.
Re: Re: Re: Re: blah blah blah
I'm still raising the funds to vacuum-gap my home.
Re: Re: Re: Re: Re: blah blah blah
Just flat out hermetically sealed is what you will need to have to get at least some form of privacy from radical new tech, and that does not count how to take your home off the utility grid when it is practically ILLEGAL to be self sufficient.
SSH exposed to the internet by default? WTF?
But exposing SSH to the Internet by default with hard-coded credentials? How was that ever going to end well? It's all well and good to have SSH and TFTP enabled on the WAN side, but those servers need to Turn the *bleep!* Off before the actual Internet access comes online.
A diagnostic mode that will do all this after performing some action on the user-side (web GUI button, holding down the reset button on the box, whatever) is not exactly ironclad security (vulnerable to social engineering), but would be a reasonable pragmatic way for the provider to remote into the unit, but enabling all this by default was moronic in the extreme.
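The commenter's point is that services like SSH should never be answering on the WAN side once real Internet access is up. The only trustworthy way to know is to probe the gateway's public address from outside the home network (a VPS, or a phone on cellular), because from the LAN side the same ports are expected to answer. Below is an added example (not code from the article, the report or any vendor tool) that checks the three TCP ports the article names: 22 (SSH to the cshell), 443 (the HTTPS admin server) and 49152 (the firewall bypass). The probe function is injectable so the logic runs offline; the default target address is a documentation placeholder, not a real gateway.

```python
"""Probe a gateway's WAN address for the TCP services the report flags.
Added example; run it from OUTSIDE the home network.  TFTP (69/udp) is
also interesting but omitted: a UDP probe gives no reliable open/closed
signal without speaking the protocol."""
import socket

# Ports named in the article and what each one fronts on the gateway.
WATCH_PORTS = {
    22: "ssh (cshell)",
    443: "https admin server",
    49152: "firewall bypass",
}


def tcp_connect(host, port, timeout=3.0):
    """Real probe: True only if a full TCP handshake completes."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def exposed_ports(host, ports=WATCH_PORTS, probe=tcp_connect):
    """Return the subset of `ports` that accept a connection on `host`.
    `probe` is injectable so the logic can be exercised without a network."""
    return {p: desc for p, desc in ports.items() if probe(host, p)}


def verdict(open_ports):
    """One-line human-readable summary of the probe result."""
    if not open_ports:
        return "no watched port reachable from the outside"
    return "EXPOSED: " + ", ".join(
        f"{p}/tcp {d}" for p, d in sorted(open_ports.items())
    )


if __name__ == "__main__":
    import sys
    # 203.0.113.10 is a TEST-NET-3 placeholder (assumption), not a real gateway.
    target = sys.argv[1] if len(sys.argv) > 1 else "203.0.113.10"
    print(verdict(exposed_ports(target)))
```

A completed handshake on 22 or 49152 from the outside is the condition the commenter objects to; a completed handshake on 443 means the admin interface (with its default credentials, per the article) is Internet-facing. A closed port from outside says nothing about the LAN side, where a compromised device on the network could still reach the same services.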
Security Economics Of The Internet Of Things
Bruce Schneier has a good essay on why this mess is the way it is. The problem is that the makers and distributors of these devices have no economic incentive to keep them secure, and their users/buyers don’t know (and don’t care) about the issue.
When you have a market failure on this scale, then it is time for Government regulation.
avoid ISP hardware
https://www.routersecurity.org/ISProuters.php
The vulnerable Arris devices, in this case, are gateways (combination modem and router and telephony), not simple modems.
If you can't avoid ISP hardware, mitigate the risk
While I would prefer to go cable, the network in my area isn't stable enough for my work - I have to be online nearly 24-7.
Thus, I'm stuck with AT&T, who won't support 3rd-party hardware and are now dealing with these issues.
As such, one of the only options to increase your own security is to deploy a small firewall / router (I chose the EdgeRouter X from Ubiquiti) and a whole-house mesh Wi-Fi system that fit my needs.
Now, even though the gateway provided by AT&T is still vulnerable, and is potentially open for abuse by large botnets, at least my home network is locked down and unreachable except via VPN.