A security researcher in Brazil has discovered a ‘backdoor within a backdoor’ vulnerability present in Arris cable modems that can potentially grant an attacker the ability to tinker with and rewrite the modem’s firmware.

A security research and vulnerability tester with Brazil’s national TV network Globo has discovered a flaw that affects over half a million cable modems. The modems are manufactured by Arris and contain a ‘vulnerability within a vulnerability,’ according to the searcher.

The flaw was discovered by the vulnerability tester when he discovered an undocumented library present within three Arris cable modems that works as a backdoor to then allow ‘privileged logins’ through the means of a custom password.

According to SCMagazine, the researcher discovered that the search using Shodan – a search engine that looks for all devices attached to it while scanning the internet revealed as many as 600,000 devices affected by the vulnerability. Modem models include:

TG862A

TG860A

DG860A

A concealed administrative shell that controls the cable modem was found to be housing the backdoor. Bernardo Rodrigues, the security researcher who uncovered the vulnerability discovered the backdoor account to remotely enable Telnet and SSH through the HTTP-based administrative interface.

As it turns out, the Arris ‘password of the day’ happens to be a remote backdoor that was discovered in 2009 and still exists to this day. Bernardo also discovered a backdoor within a backdoor due to the type of code used for the authentication check. Remarkably, the backdoor password is simply based on the modem’s serial number. Specifically, the last five numbers of the modem’s serial number.

“You get a full busybox shell when you log on the Telnet/SSH session using these passwords,” Rodrigues said, while adding that Arris requested him not to reveal details about the modem’s password generation algorithm. Not that it would matter, according to Rodrigues.

He stated:

I’m pretty sure bad guys had been exploiting flaws on these devices for some time.

A broader view on firmware is not only beneficial but necessary to discover new vulnerabilities and backdoors, correlating different device families and showing how vulnerabilities reappear across different product.