0-Day Vulnerability Exposes Thousands Of AT&T Broadband Customers To Attack

from the whoops-a-daisy dept

AT&T and hardware manufacturer Arris are being accused of leaving millions of broadband subscribers open to attack. A new report by security researcher Joseph Hutchins highlights how five flaws were discovered in Arris routers used by AT&T and numerous other ISPs around the world. Hutchins notes that some of the flaws may have been introduced after they were delivered to AT&T, since ISPs traditionally modify hardware for use on their network post sale. But many of the flaws were courtesy of the all-too-common tendency to ship hardware with hardcoded credentials and SSH enabled by default:

"It was found that the latest firmware update (9.2.2h0d83) for the NVG589 and NVG599 modems enabled SSH and contained hardcoded credentials which can be used to gain access to the modem’s “cshell” client over SSH. The cshell is a limited menu driven shell which is capable of viewing/changing the WiFi SSID/password, modifying the network setup, re-flashing the firmware from a file served by any tftp server on the Internet, and even controlling what appears to be a kernel module whose sole purpose seems to be to inject advertisements into the user’s unencrypted web traffic."

Nearly 140,000 devices are impacted, and the Arris NVG589 and NVG599 modems are used by AT&T to power its VDSL broadband (formerly U-verse) service. The vulnerabilities not only open up subscribers to attack, but hardcoded credentials are also to thank for the rise in historically massive DDoS attacks as malware targets such devices for use in botnets. In addition to hard-coded credentials (which you'd think any sensible hardware vendor would steer well clear of at this point), Hutchins notes the devices suffer from default https server credentials, command injection vulnerabilities, and a a firewall bypass on port 49152.

AT&T is refusing to comment and Arris tells ThreatPost it's looking into the flaws. Whichever party is to blame, Hutchins noted that the vulnerability was a result of "pure carelessness" at the companies:

"Regardless of why, when, or even who introduced these vulnerabilities, it is the responsibility of the ISP to ensure that their network and equipment are providing a safe environment for their end users. This, sadly, is not currently the case. The first vulnerability found was caused pure carelessness, if not intentional all together. Furthermore, it is hard to believe that no one is already exploiting this vulnerability at the detriment of innocents."

At a recent Defcon, hackers demonstrated how they were able to break into around half of thirty different commercially-available residential broadband routers without too much elbow grease. Why does this continue to be such a problem? Security experts like Bruce Schneier have repeatedly noted how the same flimsy security we enjoy mocking in the internet of broken things space is all too present in residential broadband router market, thanks in large part to nobody in the supply chain having the financial incentive to do much about it:

"Typically, these systems are powered by specialized computer chips made by companies such as Broadcom, Qualcomm, and Marvell. These chips are cheap, and the profit margins slim. Aside from price, the way the manufacturers differentiate themselves from each other is by features and bandwidth. They typically put a version of the Linux operating system onto the chips, as well as a bunch of other open-source and proprietary components and drivers. They do as little engineering as possible before shipping, and there’s little incentive to update their “board support package” until absolutely necessary.

The system manufacturers – usually original device manufacturers (ODMs) who often don't get their brand name on the finished product – choose a chip based on price and features, and then build a router, server, or whatever. They don't do a lot of engineering, either. The brand-name company on the box may add a user interface and maybe some new features, make sure everything works, and they're done, too."

After that, everybody in the cycle is too focused on making money on the next product or chipset to do the legwork required to keep the hardware or software in these devices updated or secure. This is at the heart of IOT dysfunction, but the problem goes notably deeper than just your easily hacked smart thermostat. Fair or not, the onus then gets put in the lap of the broadband ISP -- since they field the support calls once a customer gets hacked. But swapping out the hardware or troubleshooting existing gear erodes profit margins as well -- at companies that already cut customer support corners to an often comical degree.

As script-kiddie oriented malware kits make attacking these vulnerabilities easier than ever, the problem nobody seems to want to fix is going to only get worse. And while some might incorrectly call it hyperbole, that's why Schneier and many other security researchers have been warning for years that there's dumpster fire just over the horizon that could result in a notable loss of human lives. It's a future everybody in the space can pretty clearly see, but few are willing to spend the money to avoid.

Hide this

Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.

Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.

While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.

–The Techdirt Team

Filed Under: 0-day, hardcoded password, home broadband, routers, security, vulnerability
Companies: at&t


Reader Comments

Subscribe: RSS

View by: Time | Thread


  1. icon
    Ninja (profile), 13 Sep 2017 @ 6:05am

    Write malware to brick these routers forcing AT&T to replace them? There was some activity like that recently targeting the devices that were vulnerable to that Mirai software. I'm kind of split about such 'vigilante' style but if neither the government nor the companies will take steps to secure the devices and the users can't really do much about it other than try to avoid companies that do sloppy security then what's left to do?

    link to this | view in thread ]

  2. identicon
    Anonymous Coward, 13 Sep 2017 @ 6:57am

    Buy your own modem and router. $100 to $200 upfront for everything, but it actually pays for itself over time by avoiding equipment rental fees. Not to mention the huge difference in quality. The worst router I've ever owned was given to me by comcast. At this point, ISP issued hardware is not only crappy, it's dangerous.

    link to this | view in thread ]

  3. icon
    ThaumaTechnician (profile), 13 Sep 2017 @ 6:58am

    Vulnerability Exposes Thousands Of AT&T Broadband Customers To Attack

    ...aside from the usual attacks by AT&T (on your wallet and on your sanity)?

    link to this | view in thread ]

  4. icon
    Ryunosuke (profile), 13 Sep 2017 @ 7:16am

    it's not a vulnerability, it's a back door, sanctioned and authorized by the CIA/FBI/NSA/etc.

    probbably....more than likely?

    link to this | view in thread ]

  5. identicon
    Anonymous Coward, 13 Sep 2017 @ 7:21am

    Re:

    More likely is the cheap chinese firmware with no motivation to make secure.

    link to this | view in thread ]

  6. identicon
    Anonymous Coward, 13 Sep 2017 @ 7:32am

    and i'll bet that it was nothing to do with AT&T! it was the fault of the customers!

    link to this | view in thread ]

  7. icon
    Roger Strong (profile), 13 Sep 2017 @ 7:43am

    My Pace modem - Pace is now part of Arris - looks identical to the NVG589. I suspect the number of models affected by this will quietly be expanded.

    link to this | view in thread ]

  8. identicon
    Anonymous Coward, 13 Sep 2017 @ 7:47am

    And yet...

    ...there are still hopelessly ignorant people who think that driverless vehicles can be secured.

    link to this | view in thread ]

  9. identicon
    Anonymous Coward, 13 Sep 2017 @ 7:52am

    VDSL?

    HA HA, I don't know if it's still true but you used to be able to get a pretty decent VDSL modem on ebay for about 20 buck since they suck for line length was gonna offer 17 meg service to highrises with them with a friend of mine back in 2003-4 since the equipment was dirt cheap and we found a decent way to back haul on the cheap to.. didn't happen for various reasons but U-verse it like the 100+ a month service? we where looking at around 40 and there was debate over we should offer at around 20, geez even new modems back then where only in 100 ish dollar range what a joke

    link to this | view in thread ]

  10. identicon
    Anonymous Coward, 13 Sep 2017 @ 8:04am

    Re: And yet...

    There's a difference between "we didn't give a shit about properly securing this" and "This can't be secured".

    link to this | view in thread ]

  11. identicon
    Anonymous Coward, 13 Sep 2017 @ 8:16am

    blah blah blah

    Look, here is how this is going to go down.

    As a consumer we will not accept responsibility for knowingly buying products from businesses that are complicit in the theft of my privacy. We will instead beg a lying thieving politician to carry that burden for us and then blame them when something goes wrong.

    We totally expect a bunch of people we don't know to put our interests ahead of their own.

    Cause this has been working so far!

    link to this | view in thread ]

  12. identicon
    Anonymous Coward, 13 Sep 2017 @ 8:19am

    Re: And yet...

    I feel you.....But let me add my 2 cents. I used to work at the UBER Advanced Technology Group in Pittsburgh, actually operating the self driving cars. They recognized the risk involved. That's why they hired Charlie Miller, yes, THE Charlie Miller. First off, NO WIFI ANYWHERE, everything is hardwired. Wanna upload new software, gotta go back to the garage and plug into an isolated network. Encryption everywhere. They used fiber optic cables everywhere they could, more so because its faster, but fiber is a little more secure than copper. Also, 2FA on EVERYTHING. Run software, Update software, view logs, even accessing my email, all of it 2FA. They made security part of the culture. I won't say these cars are impossible to hack, but they made it pretty damn hard.

    link to this | view in thread ]

  13. identicon
    Anonymous Coward, 13 Sep 2017 @ 8:26am

    Re: Re: And yet...

    It doesn't matter who they hired.

    Eventually, profit will win out over security. Corners will be cut. Expediency will be chosen. Budgets will be reduced. Compromises will be made.

    Each one, by itself, will mean little. But in the aggregate, they will erode the overall security posture. The cautionary words of the security engineers will be overwritten by the balance sheets of the accountants.

    It's not a question of if. It's only a question of when.

    link to this | view in thread ]

  14. identicon
    Anonymous Coward, 13 Sep 2017 @ 8:29am

    Re: Re: And yet...

    this right here.

    can be vs won't be

    link to this | view in thread ]

  15. identicon
    Anonymous Coward, 13 Sep 2017 @ 8:34am

    Re: Re: And yet...

    "They recognized the risk involved."

    Ah... no, they do not recognize the risk involved.

    Recognition requires that certain steps be taken.

    It's like saying that a person "recognized" the risk involved while still climbing a cliff without proper safety gear. Their actions clearly proof that they did not recognized shit. Like most others they just think they can escape fate until it bites enough people in the ass to the point that we get tired of the idiots and start creating laws.

    Humans, the key ingredient in all those fuck-ups you read about on the news and in meme's.

    link to this | view in thread ]

  16. identicon
    Anonymous Coward, 13 Sep 2017 @ 8:35am

    Re: blah blah blah

    Name me a big corporation that isn't invading their customers privacy, especially on in the ISP and telecoms sector?

    link to this | view in thread ]

  17. icon
    SirWired (profile), 13 Sep 2017 @ 8:36am

    SSH exposed to the internet by default? WTF?

    I can understand having an SSH server on the thing. And even lazily enabling it by default on the LAN side (that'd never fly in a business product, but is not totally outlandish for a consumer product.)

    But exposing SSH to the Internet by default with hard-coded credentials? How was that ever going to end well? It's all well and good to have SSH and TFTP enabled on the WAN side, but those servers need to Turn the *bleep!* Off before the actual Internet access comes online.

    A diagnostic mode that will do all this after performing some action on the user-side (web GUI button, holding down the reset button on the box, whatever) is not exactly ironclad security (vulnerable to social engineering), but would be a reasonable pragmatic way for the provider to remote into the unit, but enabling all this by default was moronic in the extreme.

    link to this | view in thread ]

  18. identicon
    Anonymous Coward, 13 Sep 2017 @ 8:37am

    Re: Re: blah blah blah

    exactly, now name me a company you are refusing to do business with over it.

    as with the Equifax breach, you were forced without any choice to participate in an invasion of your privacy just to participate in the economy.

    unless you are living completely off grid.

    link to this | view in thread ]

  19. identicon
    E., 13 Sep 2017 @ 8:42am

    Re:

    Good luck with that. AT&T never replaces routers with new ones, unless you're a new customer. So old customers would be up a creek.

    link to this | view in thread ]

  20. identicon
    E., 13 Sep 2017 @ 8:50am

    Re:

    That would be great as well, but AT&T wants people to use their proprietary equipment regardless. Just found out about this awhile back when I was looking into getting another router. I'd have to bridge it to AT&T's which I'd rather not do.

    link to this | view in thread ]

  21. icon
    Ben (profile), 13 Sep 2017 @ 8:56am

    Re: Re: Re: blah blah blah

    If you're living completely off grid, you won't be reading this article or your comments.

    link to this | view in thread ]

  22. icon
    Chris-Mouse (profile), 13 Sep 2017 @ 9:02am

    Re: Re:

    That kernal module for injecting advertising into your HTTP connections might have something to do with that.

    link to this | view in thread ]

  23. icon
    Roger Strong (profile), 13 Sep 2017 @ 9:08am

    Re: Re: Re: Re: blah blah blah

    Patience. There have recent stories about compromising air-gapped computers. About malware and adware using ultrasound to communicate between phones, desktop computers and Amazon Echo type devices.

    I'm still raising the funds to vacuum-gap my home.

    link to this | view in thread ]

  24. icon
    Anonymous Anonymous Coward (profile), 13 Sep 2017 @ 9:13am

    Re: Re:

    I don't know about bridging, but I have two routers. The ISP supplied one connects to the Internet and has WiFi disabled and the firewall turned on. My router, Tomato based and running my VPN, is the only connection to the ISP router, via Ethernet cable. Everything else connects to the Tomato router either via Ethernet cable or a 65 letter based password to a WiFi connection. Some outside devices are unable to connect via WiFi simply because the password field won't hold 65 characters.

    I do not know if there is anything in AT&T's router that would prevent this arrangement.

    link to this | view in thread ]

  25. identicon
    Anonymous Coward, 13 Sep 2017 @ 9:38am

    Re: SSH exposed to the internet by default? WTF?

    With Linux tools, it is is easy to use conditional compilation to only enable debugging tools in a debugging build. So this sort of thing is either lazy programming to save a few seconds, or deliberate to allow the ISP to control the routers they pretend to sell to customers. The add injection module makes the latter the most likely reason.

    link to this | view in thread ]

  26. identicon
    Anonymous Coward, 13 Sep 2017 @ 9:58am

    Re: Re: Re: And yet...

    Exactly so. IF they recognized the risks involved, and they most certainly don't, then they would not have the arrogance to attempt something that is quite clearly beyond our collective, current capabilities. Not just a little bit beyond -- a reasonable step for smart, diligent people to take -- but hopelessly beyond.

    Nobody on this planet knows how to secure an autonomous vehicle. Nobody on this planet has even the hint of a rumor of a slim chance of doing so.

    link to this | view in thread ]

  27. identicon
    Anonymous Coward, 13 Sep 2017 @ 10:10am

    Re: Re:

    AT&T wants people to use their proprietary equipment regardless

    "Wants" or forces? I don't normally care what AT&T wants. If they're forcing it, how?

    link to this | view in thread ]

  28. identicon
    Anonymous Coward, 13 Sep 2017 @ 10:12am

    Re: Re: Re: Re: Re: blah blah blah

    vacuum-gap, RF shields, thermal-breaks...

    Just flat out hermetically sealed is what you will need to have to get at least some form of privacy from radical new tech, and that does not count how to take your home of the utility grid when it is practically ILLEGAL to be self sufficient.

    link to this | view in thread ]

  29. identicon
    Anonymous Coward, 13 Sep 2017 @ 10:14am

    Re: Re: And yet...

    A hardwired car is never going to be popular. If they're using GPS, that's wireless, and the civilian version is not secure.

    link to this | view in thread ]

  30. identicon
    Anonymous Coward, 13 Sep 2017 @ 10:20am

    Re: VDSL?

    Lots of areas can't even get VDSL, just ADSL. Those are $25-$40 new, and even VDSL is ~$70 new.

    link to this | view in thread ]

  31. identicon
    Anonymous Coward, 13 Sep 2017 @ 11:52am

    Re: Re:

    Not to prop up AT&T unnecessarily, but my router has been replaced every single time I've had a service call for the last couple years. Like, 3 calls, 3 newer versions installed.

    Now I'm wondering if keeping the older ones wouldn't have been safer... security thru obscurity as it were.

    link to this | view in thread ]

  32. identicon
    Anonymous Coward, 13 Sep 2017 @ 1:36pm

    Re:

    It's not a "backdoor" it's "nerding (not so)harder".

    link to this | view in thread ]

  33. identicon
    Anonymous Coward, 13 Sep 2017 @ 3:15pm

    Re: Re: Re: And yet...

    And even if it IS hardwired: that means almost nothing in terms of security. Hack the systems it connects to and download the payload into the cars -- with an activation time set in the future -- and the effect is exactly the same as if the payload was delivered in real time via a wireless connection.

    The price for this hubris is going to be paid in blood. Mark my words. People are going to die, in significant numbers, as a result of the widespread deployment of this technology that NOBODY has the slightest idea how to secure.

    link to this | view in thread ]

  34. identicon
    Lawrence D’Oliveiro, 13 Sep 2017 @ 3:56pm

    Security Economics Of The Internet Of Things

    Bruce Schneier has a good essay on why this mess is the way it is. The problem is that the makers and distributors of these devices have no economic incentive to keep them secure, and their users/buyers don’t know (and don’t care) about the issue.

    When you have a market failure on this scale, then it is time for Government regulation.

    link to this | view in thread ]

  35. identicon
    Michael Horowitz, 13 Sep 2017 @ 7:40pm

    avoid ISP hardware

    I tried to make the case for avoiding all hardware from an ISP here

    https://www.routersecurity.org/ISProuters.php

    The vulnerable Arris devices, in this case, are gateways (combination modem and router and telephony), not simple modems.

    link to this | view in thread ]

  36. identicon
    Lawrence D’Oliveiro, 13 Sep 2017 @ 7:52pm

    Re: avoid ISP hardware

    What good would that do? The devices you can buy are often insecure too.

    link to this | view in thread ]

  37. icon
    orbitalinsertion (profile), 13 Sep 2017 @ 8:18pm

    Re:

    Most gateways, most of the time, are vulnerable (if lacking additional kernel modules of pure evil). Lists are kept at various websites, frequently noting how the code vulnerabilities are simply never patched. And sometimes explain how to run an exploit with almost no additional tools besides a general purpose OS.

    link to this | view in thread ]

  38. icon
    Andy Capp (profile), 14 Sep 2017 @ 9:01am

    If you can't avoid ISP hardware, mitigate the risk

    I, like many other people are limited not only in ISP choice, but in the choice of gateways / endpoints / modems supported by the ISP.

    While I would prefer to go cable, the network in my area isn't stable enough for my work - I have to be online nearly 24-7.

    Thus, I'm stuck with AT&T, who won't support 3rd-party hardware and are now dealing with these issues.

    As such, one of the only options to increase your own security is to deploy a small firewall / router (I chose the EdgeRouter X from Ubiquiti) and a whole-house mesh Wi-Fi system that fit my needs.

    Now, even though the gateway provided by AT&T is still vulnerable, and is potentially open for abuse by large botnets, at least my home network is locked down and unreachable except via VPN.

    link to this | view in thread ]

  39. identicon
    patrick, 14 Sep 2017 @ 3:19pm

    Re: Re:att

    Wrong, I have been an ATT Uverse customer for a long time and in the course of those years have had my router replaced when it goes on the blink. No problems, and the service is quick.

    link to this | view in thread ]

  40. identicon
    Anonymous Coward, 14 Sep 2017 @ 6:31pm

    Re: Re: Re:

    They force it because their router (or residential gateway as they call it) is required to authenticate with their servers (via 802.1x) in order for the service to work. Take they RG out, no internet.

    Tons of posts on the internet of people just trying to get the thing into a proper bridge mode, let alone bypass around it.

    I would absolutely love to through the damn thing in the trash, but doing so would mean I'd have no internet. and at the moment - I'm 400ft too far away to get the cable company to bring anything out.

    link to this | view in thread ]


Follow Techdirt
Essential Reading
Techdirt Deals
Report this ad  |  Hide Techdirt ads
Techdirt Insider Discord

The latest chatter on the Techdirt Insider Discord channel...

Loading...
Recent Stories

This site, like most other sites on the web, uses cookies. For more information, see our privacy policy. Got it
Close

Email This

This feature is only available to registered users. Register or sign in to use it.