0-Day Vulnerability Exposes Thousands Of AT&T Broadband Customers To Attack
from the whoops-a-daisy dept
AT&T and hardware manufacturer Arris are being accused of leaving millions of broadband subscribers open to attack. A new report by security researcher Joseph Hutchins highlights how five flaws were discovered in Arris routers used by AT&T and numerous other ISPs around the world. Hutchins notes that some of the flaws may have been introduced after they were delivered to AT&T, since ISPs traditionally modify hardware for use on their network post sale. But many of the flaws were courtesy of the all-too-common tendency to ship hardware with hardcoded credentials and SSH enabled by default:
“It was found that the latest firmware update (9.2.2h0d83) for the NVG589 and NVG599 modems enabled SSH and contained hardcoded credentials which can be used to gain access to the modem?s ?cshell? client over SSH. The cshell is a limited menu driven shell which is capable of viewing/changing the WiFi SSID/password, modifying the network setup, re-flashing the firmware from a file served by any tftp server on the Internet, and even controlling what appears to be a kernel module whose sole purpose seems to be to inject advertisements into the user?s unencrypted web traffic.”
Nearly 140,000 devices are impacted, and the Arris NVG589 and NVG599 modems are used by AT&T to power its VDSL broadband (formerly U-verse) service. The vulnerabilities not only open up subscribers to attack, but hardcoded credentials are also to thank for the rise in historically massive DDoS attacks as malware targets such devices for use in botnets. In addition to hard-coded credentials (which you’d think any sensible hardware vendor would steer well clear of at this point), Hutchins notes the devices suffer from default https server credentials, command injection vulnerabilities, and a a firewall bypass on port 49152.
AT&T is refusing to comment and Arris tells ThreatPost it’s looking into the flaws. Whichever party is to blame, Hutchins noted that the vulnerability was a result of “pure carelessness” at the companies:
“Regardless of why, when, or even who introduced these vulnerabilities, it is the responsibility of the ISP to ensure that their network and equipment are providing a safe environment for their end users. This, sadly, is not currently the case. The first vulnerability found was caused pure carelessness, if not intentional all together. Furthermore, it is hard to believe that no one is already exploiting this vulnerability at the detriment of innocents.”
At a recent Defcon, hackers demonstrated how they were able to break into around half of thirty different commercially-available residential broadband routers without too much elbow grease. Why does this continue to be such a problem? Security experts like Bruce Schneier have repeatedly noted how the same flimsy security we enjoy mocking in the internet of broken things space is all too present in residential broadband router market, thanks in large part to nobody in the supply chain having the financial incentive to do much about it:
“Typically, these systems are powered by specialized computer chips made by companies such as Broadcom, Qualcomm, and Marvell. These chips are cheap, and the profit margins slim. Aside from price, the way the manufacturers differentiate themselves from each other is by features and bandwidth. They typically put a version of the Linux operating system onto the chips, as well as a bunch of other open-source and proprietary components and drivers. They do as little engineering as possible before shipping, and there?s little incentive to update their ?board support package? until absolutely necessary.
The system manufacturers ? usually original device manufacturers (ODMs) who often don’t get their brand name on the finished product ? choose a chip based on price and features, and then build a router, server, or whatever. They don’t do a lot of engineering, either. The brand-name company on the box may add a user interface and maybe some new features, make sure everything works, and they’re done, too.”
After that, everybody in the cycle is too focused on making money on the next product or chipset to do the legwork required to keep the hardware or software in these devices updated or secure. This is at the heart of IOT dysfunction, but the problem goes notably deeper than just your easily hacked smart thermostat. Fair or not, the onus then gets put in the lap of the broadband ISP — since they field the support calls once a customer gets hacked. But swapping out the hardware or troubleshooting existing gear erodes profit margins as well — at companies that already cut customer support corners to an often comical degree.
As script-kiddie oriented malware kits make attacking these vulnerabilities easier than ever, the problem nobody seems to want to fix is going to only get worse. And while some might incorrectly call it hyperbole, that’s why Schneier and many other security researchers have been warning for years that there’s dumpster fire just over the horizon that could result in a notable loss of human lives. It’s a future everybody in the space can pretty clearly see, but few are willing to spend the money to avoid.
Filed Under: 0-day, hardcoded password, home broadband, routers, security, vulnerability
Companies: at&t
Comments on “0-Day Vulnerability Exposes Thousands Of AT&T Broadband Customers To Attack”
Write malware to brick these routers forcing AT&T to replace them? There was some activity like that recently targeting the devices that were vulnerable to that Mirai software. I’m kind of split about such ‘vigilante’ style but if neither the government nor the companies will take steps to secure the devices and the users can’t really do much about it other than try to avoid companies that do sloppy security then what’s left to do?
Re: Re:
Good luck with that. AT&T never replaces routers with new ones, unless you’re a new customer. So old customers would be up a creek.
Re: Re: Re:
Not to prop up AT&T unnecessarily, but my router has been replaced every single time I’ve had a service call for the last couple years. Like, 3 calls, 3 newer versions installed.
Now I’m wondering if keeping the older ones wouldn’t have been safer… security thru obscurity as it were.
Re: Re: Re:att
Wrong, I have been an ATT Uverse customer for a long time and in the course of those years have had my router replaced when it goes on the blink. No problems, and the service is quick.
Re: Re:
Most gateways, most of the time, are vulnerable (if lacking additional kernel modules of pure evil). Lists are kept at various websites, frequently noting how the code vulnerabilities are simply never patched. And sometimes explain how to run an exploit with almost no additional tools besides a general purpose OS.
Buy your own modem and router. $100 to $200 upfront for everything, but it actually pays for itself over time by avoiding equipment rental fees. Not to mention the huge difference in quality. The worst router I’ve ever owned was given to me by comcast. At this point, ISP issued hardware is not only crappy, it’s dangerous.
Re: Re:
That would be great as well, but AT&T wants people to use their proprietary equipment regardless. Just found out about this awhile back when I was looking into getting another router. I’d have to bridge it to AT&T’s which I’d rather not do.
Re: Re: Re:
That kernal module for injecting advertising into your HTTP connections might have something to do with that.
Re: Re: Re:
I don’t know about bridging, but I have two routers. The ISP supplied one connects to the Internet and has WiFi disabled and the firewall turned on. My router, Tomato based and running my VPN, is the only connection to the ISP router, via Ethernet cable. Everything else connects to the Tomato router either via Ethernet cable or a 65 letter based password to a WiFi connection. Some outside devices are unable to connect via WiFi simply because the password field won’t hold 65 characters.
I do not know if there is anything in AT&T’s router that would prevent this arrangement.
Re: Re: Re:
"Wants" or forces? I don’t normally care what AT&T wants. If they’re forcing it, how?
Re: Re: Re: Re:
They force it because their router (or residential gateway as they call it) is required to authenticate with their servers (via 802.1x) in order for the service to work. Take they RG out, no internet.
Tons of posts on the internet of people just trying to get the thing into a proper bridge mode, let alone bypass around it.
I would absolutely love to through the damn thing in the trash, but doing so would mean I’d have no internet. and at the moment – I’m 400ft too far away to get the cable company to bring anything out.
Vulnerability Exposes Thousands Of AT&T Broadband Customers To Attack
…aside from the usual attacks by AT&T (on your wallet and on your sanity)?
it’s not a vulnerability, it’s a back door, sanctioned and authorized by the CIA/FBI/NSA/etc.
probbably….more than likely?
Re: Re:
More likely is the cheap chinese firmware with no motivation to make secure.
Re: Re:
It’s not a “backdoor” it’s “nerding (not so)harder”.
and i’ll bet that it was nothing to do with AT&T! it was the fault of the customers!
My Pace modem – Pace is now part of Arris – looks identical to the NVG589. I suspect the number of models affected by this will quietly be expanded.
And yet...
…there are still hopelessly ignorant people who think that driverless vehicles can be secured.
Re: And yet...
There’s a difference between “we didn’t give a shit about properly securing this” and “This can’t be secured”.
Re: Re: And yet...
this right here.
can be vs won’t be
Re: And yet...
I feel you…..But let me add my 2 cents. I used to work at the UBER Advanced Technology Group in Pittsburgh, actually operating the self driving cars. They recognized the risk involved. That’s why they hired Charlie Miller, yes, THE Charlie Miller. First off, NO WIFI ANYWHERE, everything is hardwired. Wanna upload new software, gotta go back to the garage and plug into an isolated network. Encryption everywhere. They used fiber optic cables everywhere they could, more so because its faster, but fiber is a little more secure than copper. Also, 2FA on EVERYTHING. Run software, Update software, view logs, even accessing my email, all of it 2FA. They made security part of the culture. I won’t say these cars are impossible to hack, but they made it pretty damn hard.
Re: Re: And yet...
It doesn’t matter who they hired.
Eventually, profit will win out over security. Corners will be cut. Expediency will be chosen. Budgets will be reduced. Compromises will be made.
Each one, by itself, will mean little. But in the aggregate, they will erode the overall security posture. The cautionary words of the security engineers will be overwritten by the balance sheets of the accountants.
It’s not a question of if. It’s only a question of when.
Re: Re: And yet...
“They recognized the risk involved.”
Ah… no, they do not recognize the risk involved.
Recognition requires that certain steps be taken.
It’s like saying that a person “recognized” the risk involved while still climbing a cliff without proper safety gear. Their actions clearly proof that they did not recognized shit. Like most others they just think they can escape fate until it bites enough people in the ass to the point that we get tired of the idiots and start creating laws.
Humans, the key ingredient in all those fuck-ups you read about on the news and in meme’s.
Re: Re: Re: And yet...
Exactly so. IF they recognized the risks involved, and they most certainly don’t, then they would not have the arrogance to attempt something that is quite clearly beyond our collective, current capabilities. Not just a little bit beyond — a reasonable step for smart, diligent people to take — but hopelessly beyond.
Nobody on this planet knows how to secure an autonomous vehicle. Nobody on this planet has even the hint of a rumor of a slim chance of doing so.
Re: Re: And yet...
A hardwired car is never going to be popular. If they’re using GPS, that’s wireless, and the civilian version is not secure.
Re: Re: Re: And yet...
And even if it IS hardwired: that means almost nothing in terms of security. Hack the systems it connects to and download the payload into the cars — with an activation time set in the future — and the effect is exactly the same as if the payload was delivered in real time via a wireless connection.
The price for this hubris is going to be paid in blood. Mark my words. People are going to die, in significant numbers, as a result of the widespread deployment of this technology that NOBODY has the slightest idea how to secure.
VDSL?
HA HA, I don’t know if it’s still true but you used to be able to get a pretty decent VDSL modem on ebay for about 20 buck since they suck for line length was gonna offer 17 meg service to highrises with them with a friend of mine back in 2003-4 since the equipment was dirt cheap and we found a decent way to back haul on the cheap to.. didn’t happen for various reasons but U-verse it like the 100+ a month service? we where looking at around 40 and there was debate over we should offer at around 20, geez even new modems back then where only in 100 ish dollar range what a joke
Re: VDSL?
Lots of areas can’t even get VDSL, just ADSL. Those are $25-$40 new, and even VDSL is ~$70 new.
blah blah blah
Look, here is how this is going to go down.
As a consumer we will not accept responsibility for knowingly buying products from businesses that are complicit in the theft of my privacy. We will instead beg a lying thieving politician to carry that burden for us and then blame them when something goes wrong.
We totally expect a bunch of people we don’t know to put our interests ahead of their own.
Cause this has been working so far!
Re: blah blah blah
Name me a big corporation that isn’t invading their customers privacy, especially on in the ISP and telecoms sector?
Re: Re: blah blah blah
exactly, now name me a company you are refusing to do business with over it.
as with the Equifax breach, you were forced without any choice to participate in an invasion of your privacy just to participate in the economy.
unless you are living completely off grid.
Re: Re: Re: blah blah blah
If you’re living completely off grid, you won’t be reading this article or your comments.
Re: Re: Re:2 blah blah blah
Patience. There have recent stories about compromising air-gapped computers. About malware and adware using ultrasound to communicate between phones, desktop computers and Amazon Echo type devices.
I’m still raising the funds to vacuum-gap my home.
Re: Re: Re:3 blah blah blah
vacuum-gap, RF shields, thermal-breaks…
Just flat out hermetically sealed is what you will need to have to get at least some form of privacy from radical new tech, and that does not count how to take your home of the utility grid when it is practically ILLEGAL to be self sufficient.
SSH exposed to the internet by default? WTF?
I can understand having an SSH server on the thing. And even lazily enabling it by default on the LAN side (that’d never fly in a business product, but is not totally outlandish for a consumer product.)
But exposing SSH to the Internet by default with hard-coded credentials? How was that ever going to end well? It’s all well and good to have SSH and TFTP enabled on the WAN side, but those servers need to Turn the *bleep!* Off before the actual Internet access comes online.
A diagnostic mode that will do all this after performing some action on the user-side (web GUI button, holding down the reset button on the box, whatever) is not exactly ironclad security (vulnerable to social engineering), but would be a reasonable pragmatic way for the provider to remote into the unit, but enabling all this by default was moronic in the extreme.
Re: SSH exposed to the internet by default? WTF?
With Linux tools, it is is easy to use conditional compilation to only enable debugging tools in a debugging build. So this sort of thing is either lazy programming to save a few seconds, or deliberate to allow the ISP to control the routers they pretend to sell to customers. The add injection module makes the latter the most likely reason.
Security Economics Of The Internet Of Things
Bruce Schneier has a good essay on why this mess is the way it is. The problem is that the makers and distributors of these devices have no economic incentive to keep them secure, and their users/buyers don’t know (and don’t care) about the issue.
When you have a market failure on this scale, then it is time for Government regulation.
avoid ISP hardware
I tried to make the case for avoiding all hardware from an ISP here
https://www.routersecurity.org/ISProuters.php
The vulnerable Arris devices, in this case, are gateways (combination modem and router and telephony), not simple modems.
Re: avoid ISP hardware
What good would that do? The devices you can buy are often insecure too.
If you can't avoid ISP hardware, mitigate the risk
I, like many other people are limited not only in ISP choice, but in the choice of gateways / endpoints / modems supported by the ISP.
While I would prefer to go cable, the network in my area isn’t stable enough for my work – I have to be online nearly 24-7.
Thus, I’m stuck with AT&T, who won’t support 3rd-party hardware and are now dealing with these issues.
As such, one of the only options to increase your own security is to deploy a small firewall / router (I chose the EdgeRouter X from Ubiquiti) and a whole-house mesh Wi-Fi system that fit my needs.
Now, even though the gateway provided by AT&T is still vulnerable, and is potentially open for abuse by large botnets, at least my home network is locked down and unreachable except via VPN.