13 comments

[ 5.2 ms ] story [ 45.1 ms ] thread
I don't understand how so many internet connected device's manufacturers don't even think to check if they have an open ports, especially an open SSH port. Or is it that they just don't care? I can't tell anymore.
Try and probe a big ISP switch sometime. They're generally running an ancient unpatched Linux and SSH with known vulnerabilities.

They don't care about their own crap, much less yours.

And until we have liability laws written to hold them accountable for not maintaining the security of their products this will continue to be the case.
(comment deleted)
A lot of these things are done for "support" reasons.

For example, someone I know works for one of the big cable internet providers. To paraphrase him: What they can do to your modem remotely is terrifying.

I know for one thing, My modem is an Arris SBG6580. For some reason, it seems that I don't have the ability as an individual to update/change/modify my own hardware. This is hardware I purchased outright, instead of leased telcom hardware, yet the only way it will ever be updated/patched is if my ISP pushes an update through (I believe) DOCSIS commands.

Of course, when all the individual companies created different backdoors for support, and now are all purchasing each other, it's likely many of the backdoors get forgotten or ignored.

Which is why businesses typically run their own "edge" firewall gear between their own networks and ISP customer-premise equipment.
I wish I didn't have to run thousands of dollars worth of tech just to be in control of MY own hardware that I purchased outright
I'm very interested to get a copy of the said vulnerable firmware to poke around. How can I get one?

One use case is for ATT Fiber users to get the 802.1x certificate from the router, and use your own router instead (RouterOS etc.).

Here you go: http://tinyurl.com/yatdzfsu

I managed to root my 589 awhile back pretty easy by just using a crafted http post request. I run my modem in IP passthrough mode (like DMZ), and as far as I can tell, most of the open ports are not there that the article mentions (at least not on the WAN side)

I did something similar to a modem supplied by Cox to enable bridge mode a few years ago. It required going to one of the modem settings pages, using browser tools to uncomment some html in the source of one of the forms, and then just submitting the form.
I'd love to be able to get the certificates out of my Arris router to be able to use my own. I have a 5268AC and want the public IP on my own router instead of theirs. You can come really close to getting it in "bridged mode", but not completely.
> "There’s no way people are not exploiting this in the wild"

Hard to disagree there.

Does it really usually take 2 months for something like this to get disclosed? Seems like anyone bored enough to run a SYN scan on one of these would find the vulnerable services instantly.