600,000 Arris Cable Modems Have Double Back Doors


Pub Member / Supporter
Original poster
Dec 3, 2003

A Brazilian security researcher claims that he has uncovered not one, but two backdoors in some Arris cable modems (TG862A, TG862G, DG860A). According to this blog post by Bernardo Rodrigues, the double backdoor impacts around 600,000 Arris cable modems, in use by some of the world's largest ISPs including Comcast, Time Warner Cable, Charter and Cox.

The firmware of these modems shipped with an undocumented "libarris_password.so" library, which acted as a backdoor by allowing privileged account logins with a different custom password for each day of the year.

This ARRIS password of the day is a remote backdoor known since 2009 and still intact. The default seed is MPSJKMDHAI and many ISPs won't bother changing it at all, he notes.

But while analyzing the backdoor library and the restricted shells, Rodrigues says he found a bit of interesting code on the authentication check that suggested a backdoor within a backdoor, one that is based on the final five digits from the modem's serial number.

In short, Rodrigues notes that there are multiple backdoors allowing full remote access to ARRIS cable modems, and an access key that is generated based on the cable modem's serial number. He says he was asked by Arris not to disclose the password-generating algorithm, but doubts that's going to do much to deter or slow down would-be attackers.

"I'm pretty sure bad guys had been exploiting flaws on these devices for some time (just search for ARRIS DNS on Twitter, for example)," said Rodrigues.

tags: hardware · security · privacy · networking
