135 Million Modems Open to Remote Factory Reset – No Password Required

0

Shockingly there are more than 135 Million modems around the world that are vulnerable to a flaw and can be exploited remotely to knock them offline by cutting off the Internet access.
The vulnerability has been uncovered in Arris SURFboard SB6141, that is one of the most popular and widely-used cable modem, used in Millions of US households.
The Security researcher David Longenecker discovered a loophole that made these modems vulnerable to unauthenticated reboot attacks. He also released his “exploit” after Arris (formerly Motorola) stopped responding to him despite a responsible disclosure.
Interestingly the bug was nothing other but a silly one : No Username and Password Protection.
Arris does not provide any password authentication set up on the modem’s user interface, thus allowing any local attacker to access the administration web interface at 192.168.100.1 without the need to enter a username and password.
This issue allows a local attacker to ‘Restart Cable Modem‘ from the ‘Configuration page’ of the administrative interface at http://192.168.100.1/, as shown. This is nothing but a Denial of Service (DoS) attack.
Bingo! By clicking ‘Restart Cable Modem’ manually will disable victim’s modem for 2 to 3 minutes and every device on that network will lose access to the Internet.
However, three minutes of no Internet connectivity is bearable, but the same administrative panel provides an option to Factory Reset the modem as well i.e. wipe out modem’s configuration and settings.
If an attacker clicks this option, your modem will go offline for 30 minutes as re-configuration process takes as long as an hour to complete. Though, sometimes you need to call your Internet Service Provider (ISP) to reactivate the modem.

How to Perform DOS Attack Remotely?

Further David revealed that an attacker can also reset your modem remotely, as the application doesn’t verify whether the reboot or reset the modem command comes from the UI interface or an external source.
This remote attack is known as a Cross-Site Request Forgery (CSRF) attack that allows an attacker to use social engineering techniques to trick users into clicking on a specially crafted web page or email.
For example: A web page including <img src=”http://malicious_url/”>  tag could call any of the following URLs:
  • http://192.168.100.1/reset.htm (for restart)
  • http://192.168.100.1/cmConfigData.htm?BUTTON_INPUT1=Reset+All+Defaults (for factory reset)
“Did you know that a web browser does not care whether an ‘image’ file is really an image?,” Longenecker explains. “Causing a modem to reboot is as simple as including an ‘image’ in any other web page you might happen to open.”

Are the flaws easy to Patch?

However, these flaws are easily patchable that only requires Arris to create a firmware update such that:
  1. The UI requires authentication (username and password) before allowing someone to reboot or reset the modem.
  2. The UI validates that a request originated from the application and not from an external source.
However, the bad news is that there’s no practical fix for the flaws. Since cable modems are not consumer-upgradable, even if Arris releases a fix, you would need to wait for your ISPs to apply the fix and push the update to you.
Arris has recently addressed the flaws with a firmware update.

The company’s spokesperson, “we are in the process of working with our Service Provider customers to make this release available to subscribers”.

“There is no risk of access to any user data, and we are unaware of any exploits. As a point of reference, the 135 million number is not an accurate representation of the units impacted. This issue affects a subset of the ARRIS SURFboard devices.”

 

Leave a Reply