Researcher Claims AT&T Modems Have Nasty 0-Day Vulnerability

A security research firm claims they have discovered that most AT&T U-verse modems have security flaws allowing attackers to remotely access the modem and devices on your network -- bypassing any firewall settings configured on the modem. Some of these flaws appear to have been accidentally introduced by AT&T, notes security consulting and software development firm Nomotion, which slams both Arris and AT&T for their failure to close “gaping security holes” impacting potentially hundreds of thousands of users.

The firm's full blog post offers significantly more detail.

“It is uncertain whether these gaping security holes were introduced by Arris (the OEM) or if these problems were added after delivery to the ISP (AT&T U-verse). From examining the firmware, it seems apparent that AT&T engineers have the authority and ability to add and customize code running on these devices, which they then provide to the consumer (as they should),” wrote Nomotion's Joseph Hutchins.

Hard-coded credentials and SSH turned on by default allows a remote attacker to access the modem's cshell service, from there giving them access to most device configuration systems. Technically-saavy users can hack their modem to mitigate the flaws, but doing so requires making unauthorized configuration changes to the device AT&T probably won't approve of.

“Some of the problems discussed here affect most AT&T U-verse modems regardless of the OEM, while others seem to be OEM specific. So it is not easy to tell who is responsible for this situation. It could be either, or more likely, it could be both,” Hutchins wrote. “Regardless of why, when, or even who introduced these vulnerabilities, it is the responsibility of the ISP to ensure that their network and equipment are providing a safe environment for their end users. This, sadly, is not currently the case.”

AT&T has yet to comment on the report. Arris told Kaspersky Labs' Threat Post that “until this is complete, we cannot comment on its details. We can confirm Arris is conducting a full investigation in parallel and will quickly take any required actions to protect the subscribers who use our devices.”