AT&T U-Verse modems horrendously insecure

A security blogger at NoMotion recently published a fairly damning and downright scary analysis of the firmware running on AT&T's U-Verse cable modems, primarily from OEM Arris. The findings were so egregious in their scope and magnitude that the normal responsible reporting practices were seen to be too soft, and the vulnerabilities and all their gory details went straight to the public domain. The author noted that in this day and age, with continuing data breaches, widely publicised hacks and identity theft constantly in our faces, a company the size of AT&T has no excuse for leaving its customers completely exposed as it has (whether the culpability lies with AT&T or Arris notwithstanding).

After the initial publication of these findings, security site Rapid7 did some further research to try and get a better handle on the exposure of these vulnerabilities. They found that the exposed devices seemed to be less universal than first thought, and even existed in geographic pockets. They also suggest that these issues appear to be present on devices from other OEMs and ISPs.

We also observed that these issues may not be limited to just one ISP deploying a particular model of Internet router but perhaps a variety of different devices that is complicated by a history of companies, products, and services being bought, sold, OEM’d and customized.
— Rapid7

Putting this info out there will certainly force their hand, and hopefully bring some accountability. Luckily, the vulnerabilities can be largely and quickly mitigated with some simple steps, which are good practice anyway.

AT&T has your pwnership covered

I'm going to summarise the issues discovered, with some context of impact, but all the details can be found at the link above. 

SSH exposed to the internet 

This one is present on the NVG589 and NVG599 modems. Not only is SSH exposed, but it's configured with a hard-coded username and password (which is now public knowledge). The cshell that is opened on connection is limited, but still allows for downloading and flashing the firmware and changing the network configuration. It's also poorly coded and subject to code injection... running as root. Rapid7 found about 8000 exposed devices, with exploit attempts being registered the day after the initial publication.

The implications are simple: Anyone on the internet with your IP address can connect to your modem and get full root access to the box, no questions asked. 

Web service "caserver" running with default credentials

This appears to only be present on the NVG599, but presents a somewhat flaky web server with very simple authentication (now public). The service is running as root and subject to simple command injection attacks. Rapid7 notes finding about 280,000 devices likely to be exposed to this exploit, almost exclusively AT&T in the southern US (largely Texas). No significant exploit attempt activity was noted at the time.

This one provides another way of getting root access to the modem, and gives access to an internal 'SDB' database with a wealth of 'fruitful information'. 

Information disclosure

With the device serial number available through the cshell above, an Arris OUI for the model of the modem (which can be brute forced from a known list), and a hard-coded username/password (now public), an attacker can obtain some useful internal device information. This includes the IP and MAC address of every internal device attached to the router. This one proved difficult for Rapid7 to get a decisive figure on. However, it found about 874,000 devices, again AT&T-focused in the southern United States, with California making an appearance. A large number of 2Wire DSL modems also appeared in this sample. Notably, 2Wire was acquired by Arris a few years ago.

This information plays directly into the next vulnerability, but Rapid7 has not noted any significant exploit attempts as yet. 

Firewall bypass

This one is noted by NoMotion as the most prevalent issue in terms of number of affected devices. They noted it on "every AT&T device so far observed". However, Rapid7 was only able to positively identify about 42,000 devices with this service exposed (out of 8 million candidates).

Basically, there is a listening service on port 49152 that will take a 3-byte prefix (preset and now public), a MAC address and a port number for any device behind the firewall, and allow access to that port. Helpfully, the TCP proxy service will report a failure to respond on the selected port if the MAC address is correct, so once a correct MAC address is found, you can more easily brute force the port number.

Notably, these are largely Frontier Communications customers in Connecticut. In determining why this is different to the other vulnerabilities in terms of location, Rapid7 notes that Frontier acquired AT&T's broadband business in that state 3 years ago. So those Frontier customers running on AT&T hardware basically have no effective firewall to the internet, if their IP address is known by an attacker.


The blog post goes on to provide technical steps to mitigate these issues on the modem; all of them can be bypassed or disabled through various means. The best practice to avoid these issues on any ISP-provided router, though, is to set the device to bridge mode and place your own router between it and your internal network.

Adding heterogeneity is good security practice, and you'll generally get better functionality and control over a dedicated router of your own choosing anyway. This could be a Wifi router like a Netgear Orbi, or a dedicated wired router like a Ubiquiti EdgeRouter X that provides a great deal of functionality for a very affordable price.
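
Once your own router is the edge device, its firewall log shows who is knocking on the ports discussed above. The sketch below is an added example, not code from NoMotion or Rapid7: it counts inbound connection attempts to the SSH port and to port 49152 per source address. It assumes Linux netfilter-style LOG lines, a WAN interface called `eth0` and port 22 for SSH (the write-up gives no port number); the function names and sample log lines are constructed for illustration.

```python
import re
from collections import Counter

# 49152 is the firewall-bypass listener named in the write-up; 22 is an
# assumption (the standard SSH port; the page gives no number).
WATCHED_PORTS = {22: "SSH", 49152: "firewall-bypass listener"}
FIELD_RE = re.compile(r"\b([A-Z]+)=(\S*)")  # KEY=value pairs in a netfilter LOG line

# Constructed sample lines (documentation address ranges), not real traffic.
SAMPLE_LOG = """\
Sep  2 10:01:11 gw kernel: [WAN_LOCAL-default-D]IN=eth0 OUT= MAC=00:00:5e:00:53:01 SRC=203.0.113.7 DST=198.51.100.20 LEN=60 TTL=51 PROTO=TCP SPT=40122 DPT=49152 WINDOW=29200 SYN URGP=0
Sep  2 10:01:12 gw kernel: [WAN_LOCAL-default-D]IN=eth0 OUT= MAC=00:00:5e:00:53:01 SRC=203.0.113.7 DST=198.51.100.20 LEN=60 TTL=51 PROTO=TCP SPT=40123 DPT=49152 WINDOW=29200 SYN URGP=0
Sep  2 10:04:40 gw kernel: [WAN_LOCAL-default-D]IN=eth0 OUT= MAC=00:00:5e:00:53:01 SRC=203.0.113.99 DST=198.51.100.20 LEN=60 TTL=48 PROTO=TCP SPT=51514 DPT=22 WINDOW=65535 SYN URGP=0
Sep  2 10:05:02 gw kernel: [WAN_LOCAL-default-D]IN=eth0 OUT= MAC=00:00:5e:00:53:01 SRC=192.0.2.50 DST=198.51.100.20 LEN=60 TTL=50 PROTO=TCP SPT=33000 DPT=443 WINDOW=29200 SYN URGP=0
Sep  2 10:06:30 gw kernel: [LAN_LOCAL-default-D]IN=eth1 OUT= MAC=00:00:5e:00:53:02 SRC=192.168.1.10 DST=192.168.1.1 LEN=60 TTL=64 PROTO=TCP SPT=50000 DPT=22 WINDOW=64240 SYN URGP=0
Sep  2 10:07:45 gw kernel: [WAN_LOCAL-default-D]IN=eth0 OUT= MAC=00:00:5e:00:53:01 SRC=203.0.113.7 DST=198.51.100.20 LEN=48 TTL=51 PROTO=UDP SPT=5353 DPT=49152 LEN=28
"""


def inbound_probes(log_text, wan_if="eth0"):
    """Count new inbound TCP connection attempts to the watched ports, per source."""
    hits = Counter()
    for line in log_text.splitlines():
        fields = dict(FIELD_RE.findall(line))
        if fields.get("IN") != wan_if or fields.get("PROTO") != "TCP":
            continue  # LAN-side or non-TCP traffic is out of scope
        flags = line.split()
        if "SYN" not in flags or "ACK" in flags:
            continue  # 49152 is also an ephemeral port: skip SYN-ACK replies
        try:
            dport = int(fields["DPT"])
        except (KeyError, ValueError):
            continue  # truncated or malformed line
        if dport in WATCHED_PORTS:
            hits[(dport, fields.get("SRC", "?"))] += 1
    return hits


def report(hits):
    """Render the counts as sorted, human-readable lines."""
    return [f"{src} -> tcp/{port} ({WATCHED_PORTS[port]}): {n} attempt(s)"
            for (port, src), n in sorted(hits.items())]


if __name__ == "__main__":
    print("\n".join(report(inbound_probes(SAMPLE_LOG))))
```

Feed it the real firewall log instead of `SAMPLE_LOG` and pass your actual WAN interface name as `wan_if`.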

Rapid7's results also show that the vulnerabilities are almost exclusively contained within AT&T's network, or devices that came from it. This provides pretty solid evidence as to where the responsibility lies.

We can say with confidence that these vulnerabilities are almost wholly contained in the AT&T U-Verse and associated networks, and not part of the wider Arris ecosystem of hardware. This, in turn, implies that the software was produced or implemented by the ISP, and not natively shipped by the hardware manufacturer.
— Rapid7