Attackers can authenticate on port 49955 with the username "tech" and an empty password. Backdoor #2Īrris modems come with a built-in web server that runs its internal admin panel. Researchers said they only identified around 15,000 Arris modems featuring this backdoor, meaning ISPs or OEMs most likely blocked external SSH access to most devices. Attackers could use the default "remotessh/5SaP9I26" username and password combo to authenticate on any modem with root access - this means an attacker can do whatever he wants on the device. Modems come with SSH enabled by default and exposed to external connections. Based on Censys and Shodan data, researchers believe there are at least 220,000 of these vulnerable modems connected online.īelow is a summary of all the flaws researchers discovered: Backdoor #1 Both models aren't available through the Arris website and appear to be discontinued products. Researchers said the flaws affect NVG589 and NVG599 modems. In their research, experts looked at an Arris modem installed on the network of AT&T. The vulnerabilities came to light after a review of the Arris firmware carried out by experts from Nomotion Labs.Īccording to Nomotion, the flaws are found in both the standard Arris firmware, but also in the extra code added on top by OEMs. Security researchers have found five gaping holes in the firmware running on Arris modems, three of which are hardcoded backdoor accounts.Īn attacker could use any of these three accounts to access and take over the device with elevated privileges - even root - install new firmware, and ensnare the modem in a larger botnet.
0 kommentar(er)
