I don't understand how so many internet connected device's manufacturers don't even think to check if they have an open ports, especially an open SSH port. Or is it that they just don't care? I can't tell anymore.
And until we have liability laws written to hold them accountable for not maintaining the security of their products this will continue to be the case.
A lot of these things are done for "support" reasons.
For example, someone I know works for one of the big cable internet providers. To paraphrase him: What they can do to your modem remotely is terrifying.
I know for one thing, My modem is an Arris SBG6580. For some reason, it seems that I don't have the ability as an individual to update/change/modify my own hardware. This is hardware I purchased outright, instead of leased telcom hardware, yet the only way it will ever be updated/patched is if my ISP pushes an update through (I believe) DOCSIS commands.
Of course, when all the individual companies created different backdoors for support, and now are all purchasing each other, it's likely many of the backdoors get forgotten or ignored.
I managed to root my 589 awhile back pretty easy by just using a crafted http post request. I run my modem in IP passthrough mode (like DMZ), and as far as I can tell, most of the open ports are not there that the article mentions (at least not on the WAN side)
I did something similar to a modem supplied by Cox to enable bridge mode a few years ago. It required going to one of the modem settings pages, using browser tools to uncomment some html in the source of one of the forms, and then just submitting the form.
I'd love to be able to get the certificates out of my Arris router to be able to use my own. I have a 5268AC and want the public IP on my own router instead of theirs. You can come really close to getting it in "bridged mode", but not completely.
> "There’s no way people are not exploiting this in the wild"
Hard to disagree there.
Does it really usually take 2 months for something like this to get disclosed? Seems like anyone bored enough to run a SYN scan on one of these would find the vulnerable services instantly.
13 comments
[ 5.2 ms ] story [ 45.1 ms ] threadThey don't care about their own crap, much less yours.
For example, someone I know works for one of the big cable internet providers. To paraphrase him: What they can do to your modem remotely is terrifying.
I know for one thing, My modem is an Arris SBG6580. For some reason, it seems that I don't have the ability as an individual to update/change/modify my own hardware. This is hardware I purchased outright, instead of leased telcom hardware, yet the only way it will ever be updated/patched is if my ISP pushes an update through (I believe) DOCSIS commands.
Of course, when all the individual companies created different backdoors for support, and now are all purchasing each other, it's likely many of the backdoors get forgotten or ignored.
One use case is for ATT Fiber users to get the 802.1x certificate from the router, and use your own router instead (RouterOS etc.).
I managed to root my 589 awhile back pretty easy by just using a crafted http post request. I run my modem in IP passthrough mode (like DMZ), and as far as I can tell, most of the open ports are not there that the article mentions (at least not on the WAN side)
Hard to disagree there.
Does it really usually take 2 months for something like this to get disclosed? Seems like anyone bored enough to run a SYN scan on one of these would find the vulnerable services instantly.