600,000 Arris Cable Modems Have Double Back Doors

A Brazilian security researcher claims that he has uncovered not one, but two backdoors in some Arris cable modems (TG862A, TG862G, DG860A). According to this blog post by Bernardo Rodrigues, the double backdoor impacts around 600,000 Arris cable modems, in use by some of the world's largest ISPs including Comcast, Time Warner Cable, Charter and Cox.

The firmware of these modems shipped with an undocumented "libarris_password.so" library, which acted as a backdoor by allowing privileged account logins with a different custom password for each day of the year.

This ARRIS password of the day is a remote backdoor known since 2009 and still intact. The default seed is MPSJKMDHAI and many ISPs won't bother changing it at all, he notes (Comcast tells us they don't use the default, so Comcast users shouldn't be at risk).

But while analyzing the backdoor library and the restricted shells, Rodrigues says he found a a bit of interesting code on the authentication check that suggested a backdoor within a backdoor, one that is based on the final five digits from the modem’s serial number.

In short, Rodrigues notes that there's multiple backdoors allowing full remote access to ARRIS Cable modems, and an access key that is generated based on the Cable modem's serial number. He says he was asked by Arris not to disclose the password generating algorithm, but doubts that's going to do much to deter or slow down would-be attackers.

"I'm pretty sure bad guys had been exploiting flaws on these devices for some time (just search for ARRIS DNS on Twitter, for example)," said Rodrigues.

quote: We are aware of the recently reported password vulnerability. The risk related to this vulnerability is low, and we are unaware of any exploit related to it. However, we take these issues very seriously and review them with the highest priority. Our team has been working around the clock on modem updates that address this reported vulnerability."

: Arris released this statement on the matter: