0-Day Vulnerability Exposes Thousands Of AT&T Broadband Customers To Attack

from the whoops-a-daisy dept

AT&T and hardware manufacturer Arris are being accused of leaving millions of broadband subscribers open to attack. A new report by security researcher Joseph Hutchins highlights how five flaws were discovered in Arris routers used by AT&T and numerous other ISPs around the world. Hutchins notes that some of the flaws may have been introduced after they were delivered to AT&T, since ISPs traditionally modify hardware for use on their network post sale. But many of the flaws were courtesy of the all-too-common tendency to ship hardware with hardcoded credentials and SSH enabled by default:

“It was found that the latest firmware update (9.2.2h0d83) for the NVG589 and NVG599 modems enabled SSH and contained hardcoded credentials which can be used to gain access to the modem’s ‘cshell’ client over SSH. The cshell is a limited menu driven shell which is capable of viewing/changing the WiFi SSID/password, modifying the network setup, re-flashing the firmware from a file served by any tftp server on the Internet, and even controlling what appears to be a kernel module whose sole purpose seems to be to inject advertisements into the user’s unencrypted web traffic.”

Nearly 140,000 devices are impacted, and the Arris NVG589 and NVG599 modems are used by AT&T to power its VDSL broadband (formerly U-verse) service. The vulnerabilities not only open up subscribers to attack, but hardcoded credentials are also to thank for the rise in historically massive DDoS attacks as malware targets such devices for use in botnets. In addition to hard-coded credentials (which you’d think any sensible hardware vendor would steer well clear of at this point), Hutchins notes the devices suffer from default https server credentials, command injection vulnerabilities, and a firewall bypass on port 49152.

AT&T is refusing to comment and Arris tells ThreatPost it’s looking into the flaws. Whichever party is to blame, Hutchins noted that the vulnerability was a result of “pure carelessness” at the companies:

“Regardless of why, when, or even who introduced these vulnerabilities, it is the responsibility of the ISP to ensure that their network and equipment are providing a safe environment for their end users. This, sadly, is not currently the case. The first vulnerability found was caused by pure carelessness, if not intentional altogether. Furthermore, it is hard to believe that no one is already exploiting this vulnerability at the detriment of innocents.”

At a recent Defcon, hackers demonstrated how they were able to break into around half of thirty different commercially-available residential broadband routers without too much elbow grease. Why does this continue to be such a problem? Security experts like Bruce Schneier have repeatedly noted how the same flimsy security we enjoy mocking in the internet of broken things space is all too present in the residential broadband router market, thanks in large part to nobody in the supply chain having the financial incentive to do much about it:

“Typically, these systems are powered by specialized computer chips made by companies such as Broadcom, Qualcomm, and Marvell. These chips are cheap, and the profit margins slim. Aside from price, the way the manufacturers differentiate themselves from each other is by features and bandwidth. They typically put a version of the Linux operating system onto the chips, as well as a bunch of other open-source and proprietary components and drivers. They do as little engineering as possible before shipping, and there’s little incentive to update their ‘board support package’ until absolutely necessary.

The system manufacturers, usually original device manufacturers (ODMs) who often don’t get their brand name on the finished product, choose a chip based on price and features, and then build a router, server, or whatever. They don’t do a lot of engineering, either. The brand-name company on the box may add a user interface and maybe some new features, make sure everything works, and they’re done, too.”

After that, everybody in the cycle is too focused on making money on the next product or chipset to do the legwork required to keep the hardware or software in these devices updated or secure. This is at the heart of IOT dysfunction, but the problem goes notably deeper than just your easily hacked smart thermostat. Fair or not, the onus then gets put in the lap of the broadband ISP — since they field the support calls once a customer gets hacked. But swapping out the hardware or troubleshooting existing gear erodes profit margins as well — at companies that already cut customer support corners to an often comical degree.

As script-kiddie oriented malware kits make attacking these vulnerabilities easier than ever, the problem nobody seems to want to fix is only going to get worse. And while some might incorrectly call it hyperbole, that’s why Schneier and many other security researchers have been warning for years that there’s a dumpster fire just over the horizon that could result in a notable loss of human lives. It’s a future everybody in the space can pretty clearly see, but few are willing to spend the money to avoid.

Companies: at&t


Comments on “0-Day Vulnerability Exposes Thousands Of AT&T Broadband Customers To Attack”

Ninja (profile) says:

Write malware to brick these routers forcing AT&T to replace them? There was some activity like that recently targeting the devices that were vulnerable to that Mirai software. I’m kind of split about such ‘vigilante’ style but if neither the government nor the companies will take steps to secure the devices and the users can’t really do much about it other than try to avoid companies that do sloppy security then what’s left to do?

Anonymous Coward says:

Buy your own modem and router. $100 to $200 upfront for everything, but it actually pays for itself over time by avoiding equipment rental fees. Not to mention the huge difference in quality. The worst router I’ve ever owned was given to me by Comcast. At this point, ISP issued hardware is not only crappy, it’s dangerous.

Anonymous Anonymous Coward (profile) says:

Re: Re: Re:

I don’t know about bridging, but I have two routers. The ISP supplied one connects to the Internet and has WiFi disabled and the firewall turned on. My router, Tomato based and running my VPN, is the only connection to the ISP router, via Ethernet cable. Everything else connects to the Tomato router either via Ethernet cable or a 65 letter based password to a WiFi connection. Some outside devices are unable to connect via WiFi simply because the password field won’t hold 65 characters.

I do not know if there is anything in AT&T’s router that would prevent this arrangement.

Anonymous Coward says:

Re: Re: Re: Re:

They force it because their router (or residential gateway as they call it) is required to authenticate with their servers (via 802.1x) in order for the service to work. Take the RG out, no internet.

Tons of posts on the internet of people just trying to get the thing into a proper bridge mode, let alone bypass around it.

I would absolutely love to throw the damn thing in the trash, but doing so would mean I’d have no internet. And at the moment – I’m 400ft too far away to get the cable company to bring anything out.

Anonymous Coward says:

Re: And yet...

I feel you…..But let me add my 2 cents. I used to work at the UBER Advanced Technology Group in Pittsburgh, actually operating the self driving cars. They recognized the risk involved. That’s why they hired Charlie Miller, yes, THE Charlie Miller. First off, NO WIFI ANYWHERE, everything is hardwired. Wanna upload new software, gotta go back to the garage and plug into an isolated network. Encryption everywhere. They used fiber optic cables everywhere they could, more so because it’s faster, but fiber is a little more secure than copper. Also, 2FA on EVERYTHING. Run software, Update software, view logs, even accessing my email, all of it 2FA. They made security part of the culture. I won’t say these cars are impossible to hack, but they made it pretty damn hard.

Anonymous Coward says:

Re: Re: And yet...

It doesn’t matter who they hired.

Eventually, profit will win out over security. Corners will be cut. Expediency will be chosen. Budgets will be reduced. Compromises will be made.

Each one, by itself, will mean little. But in the aggregate, they will erode the overall security posture. The cautionary words of the security engineers will be overwritten by the balance sheets of the accountants.

It’s not a question of if. It’s only a question of when.

Anonymous Coward says:

Re: Re: And yet...

“They recognized the risk involved.”

Ah… no, they do not recognize the risk involved.

Recognition requires that certain steps be taken.

It’s like saying that a person “recognized” the risk involved while still climbing a cliff without proper safety gear. Their actions clearly prove that they did not recognize shit. Like most others they just think they can escape fate until it bites enough people in the ass to the point that we get tired of the idiots and start creating laws.

Humans, the key ingredient in all those fuck-ups you read about on the news and in memes.

Anonymous Coward says:

Re: Re: Re: And yet...

Exactly so. IF they recognized the risks involved, and they most certainly don’t, then they would not have the arrogance to attempt something that is quite clearly beyond our collective, current capabilities. Not just a little bit beyond — a reasonable step for smart, diligent people to take — but hopelessly beyond.

Nobody on this planet knows how to secure an autonomous vehicle. Nobody on this planet has even the hint of a rumor of a slim chance of doing so.

Anonymous Coward says:

Re: Re: Re: And yet...

And even if it IS hardwired: that means almost nothing in terms of security. Hack the systems it connects to and download the payload into the cars — with an activation time set in the future — and the effect is exactly the same as if the payload was delivered in real time via a wireless connection.

The price for this hubris is going to be paid in blood. Mark my words. People are going to die, in significant numbers, as a result of the widespread deployment of this technology that NOBODY has the slightest idea how to secure.

Anonymous Coward says:


HA HA, I don’t know if it’s still true but you used to be able to get a pretty decent VDSL modem on ebay for about 20 bucks since they suck for line length. Was gonna offer 17 meg service to highrises with them with a friend of mine back in 2003-4 since the equipment was dirt cheap and we found a decent way to back haul on the cheap too.. didn’t happen for various reasons but U-verse is like the 100+ a month service? We were looking at around 40 and there was debate over whether we should offer at around 20, geez even new modems back then were only in the 100 ish dollar range, what a joke

Anonymous Coward says:

blah blah blah

Look, here is how this is going to go down.

As a consumer we will not accept responsibility for knowingly buying products from businesses that are complicit in the theft of my privacy. We will instead beg a lying thieving politician to carry that burden for us and then blame them when something goes wrong.

We totally expect a bunch of people we don’t know to put our interests ahead of their own.

Cause this has been working so far!

SirWired (profile) says:

SSH exposed to the internet by default? WTF?

I can understand having an SSH server on the thing. And even lazily enabling it by default on the LAN side (that’d never fly in a business product, but is not totally outlandish for a consumer product.)

But exposing SSH to the Internet by default with hard-coded credentials? How was that ever going to end well? It’s all well and good to have SSH and TFTP enabled on the WAN side, but those servers need to Turn the *bleep!* Off before the actual Internet access comes online.

A diagnostic mode that will do all this after performing some action on the user-side (web GUI button, holding down the reset button on the box, whatever) is not exactly ironclad security (vulnerable to social engineering), but would be a reasonable pragmatic way for the provider to remote into the unit, but enabling all this by default was moronic in the extreme.

Anonymous Coward says:

Re: SSH exposed to the internet by default? WTF?

With Linux tools, it is easy to use conditional compilation to only enable debugging tools in a debugging build. So this sort of thing is either lazy programming to save a few seconds, or deliberate to allow the ISP to control the routers they pretend to sell to customers. The ad injection module makes the latter the most likely reason.

Lawrence D’Oliveiro says:

Security Economics Of The Internet Of Things

Bruce Schneier has a good essay on why this mess is the way it is. The problem is that the makers and distributors of these devices have no economic incentive to keep them secure, and their users/buyers don’t know (and don’t care) about the issue.

When you have a market failure on this scale, then it is time for Government regulation.

Andy Capp (profile) says:

If you can't avoid ISP hardware, mitigate the risk

I, like many other people, am limited not only in ISP choice, but in the choice of gateways / endpoints / modems supported by the ISP.

While I would prefer to go cable, the network in my area isn’t stable enough for my work – I have to be online nearly 24-7.

Thus, I’m stuck with AT&T, who won’t support 3rd-party hardware and are now dealing with these issues.

As such, one of the only options to increase your own security is to deploy a small firewall / router (I chose the EdgeRouter X from Ubiquiti) and a whole-house mesh Wi-Fi system that fit my needs.

Now, even though the gateway provided by AT&T is still vulnerable, and is potentially open for abuse by large botnets, at least my home network is locked down and unreachable except via VPN.
