Two Backdoors on Cable Modems

Tuesday, December 1, 2015 @ 03:12 PM gHale

It appears Arris, a cable modem manufacturer, had two backdoors installed in some of its older hardware products, a researcher said.

Bernardo Rodrigues, a Brazilian security researcher, found this particular issue, affecting old models of cable modems sold by Arris (TG862A, TG862G, DG860A).


The Arris cable modems have a backdoor in their firmware, which in turn is affected by another backdoor, Rodrigues said in his blog post.

The first backdoor is activated through a library loaded on the modem and allows logins to a privileged account using a custom password that changes with each day of the year. This backdoor has been known since its discovery in 2009, but it was never fixed.

Anyone who exploits this backdoor can access the modem and enable its SSH or Telnet ports, which in turn give access to a more capable shell session. The user “root” and password “arris” are sufficient to reach this shell.

Rodrigues analyzed this backdoor’s code in more depth and found another backdoor inside it (a backdoor within the backdoor), which launches a BusyBox shell.

BusyBox is a software package that provides a set of UNIX utilities inside a single executable file. It is commonly used on embedded devices whose memory and storage constraints rule out a fuller Linux userland.

Rodrigues found that the password for this hidden BusyBox shell is derived from the device’s serial number. He later created a tool to generate this password automatically.

According to Shodan, over 600,000 such modems are still reachable online. Arris told Rodrigues it planned to issue a fix, but the researcher published his findings after waiting more than 65 days for a patch.