A Brazilian security researcher preparing to discuss cable modem security at an upcoming conference has discovered a second backdoor inside a number of Arris cable modems.

As Bernardo Rodrigues explains on his blog, some Arris cable modems contain an undocumented library (libarris_password.so) that serves as a backdoor, allowing privileged logins that use a different password for each day of the year. This is nothing new, as this particular remote backdoor has been known since 2009.

While analyzing this backdoor, Rodrigues said he found some interesting code in the authentication check. It’s here that he found the second backdoor – yes, a backdoor inside a backdoor.

The known backdoor can be used to enable Telnet and SSH remotely via a hidden HTTP administrative interface or via custom SNMP MIBs. The second backdoor is based on the last five digits of the modem’s serial number. Exploiting the second backdoor launches a full BusyBox shell, which grants a user or attacker even more capabilities.

At the time Rodrigues wrote the blog post, Shodan searches revealed more than 600,000 affected modems in the wild. Vulnerable cable modem models include the TG862A, TG862G and DG860A. And believe it or not, Arris modems have a third backdoor, as outlined on the ConsoleCowboys blog.

The security researcher said he went public with the backdoor after reporting it and waiting more than 65 days without a fix.