Arris Cable Modem Hack


Security researcher David Longenecker explains that the SB6141 model Arris (formerly Motorola) SURFboard modem, one of the most popular cable modems in the world with up to 13.5 million currently in production, is vulnerable to unauthenticated reboot attacks due to two flaws. Attackers can exploit the flaws in the ARRIS SURFboard cable modems to remotely knock out the device, leaving more than 135 million devices open to attacks. The security expert David Longenecker reported security vulnerabilities affecting the popular broadband cable SURFboard modems produced by ARRIS (formerly Motorola).


A couple of months ago, some friends invited me to give a talk at NullByte Security Conference. I started to study some (embedded device) junk hacking hot topics and decided to talk about cable modem security. Braden Thomas keynoted at Infiltrate 2015, discussing Practical Attacks on DOCSIS, so, yeah, cable modem hacking is still mainstream.

On November 21st I was in Salvador speaking on 'Hacking cable modems: The Later Years'. It's not a talk about theft of service and getting free Internet access. I'll focus on the security of the cable modems, the technology used to manage them, how the data is protected and how the ISPs upgrade the firmware. Spoiler Alert: everything's really, really bad.

Securing cable modems is more difficult than other embedded devices because, in most cases, you can’t choose your own device/firmware and software updates are almost entirely controlled by your ISP.

While researching the subject, I found a previously undisclosed backdoor on ARRIS cable modems, affecting many of their devices including TG862A, TG862G, DG860A. As of this writing, Shodan searches indicate that the backdoor affects over 600.000 externally accessible hosts, and the vendor has not yet stated whether it's going to fix it.

ARRIS Backdoors

ARRIS SOHO-grade cable modems contain an undocumented library (libarris_password.so) that acts as a backdoor, allowing privileged logins using a custom password.

The following files load the backdoor library on ARRIS TG862A Firmware TS0705125D_031115_MODEL_862_GW (released in 2015):

/usr/sbin/arris_init
/usr/sbin/dimclient
/usr/sbin/docsis_mac_manager
/usr/sbin/ggncs
/usr/sbin/gw_api
/usr/sbin/mini_cli
/usr/sbin/pacm_snmp_agent
/usr/sbin/snmp_agent_cm
/usr/www/cgi-bin/adv_pwd_cgi
/usr/www/cgi-bin/tech_support_cgi
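
A way to audit an unpacked firmware image for the same condition, as an added example (not code from the original post): it walks an extracted root filesystem and reports every ELF file that contains the library name, along with its word size and byte order. The sample directory tree and stub files are constructed for the demonstration, and unpacking the vendor image is assumed to have been done already.

```python
import os
import tempfile

BACKDOOR_LIB = b"libarris_password.so"   # library name taken from the article
ELF_MAGIC = b"\x7fELF"

def describe_elf(header):
    """Return (bits, endianness) from the ELF identification bytes."""
    bits = {1: 32, 2: 64}.get(header[4], 0)
    endian = {1: "little", 2: "big"}.get(header[5], "unknown")
    return bits, endian

def find_backdoor_loaders(rootfs):
    """Walk an extracted firmware root and list ELF files naming the library."""
    hits = []
    for dirpath, _dirs, files in os.walk(rootfs):
        for name in files:
            path = os.path.join(dirpath, name)
            if os.path.islink(path) or not os.path.isfile(path):
                continue  # symlinked applets would only repeat their target
            with open(path, "rb") as fh:
                data = fh.read()
            if data[:4] != ELF_MAGIC or len(data) < 6:
                continue  # scripts and text files that mention the name are ignored
            if BACKDOOR_LIB in data:
                rel = "/" + os.path.relpath(path, rootfs).replace(os.sep, "/")
                hits.append((rel,) + describe_elf(data))
    return sorted(hits)

def build_sample_rootfs(base):
    """Constructed stand-in for an unpacked image: fake ELF stubs, not real firmware."""
    elf_be32 = ELF_MAGIC + b"\x01\x02\x01" + b"\x00" * 9   # ELFCLASS32, big-endian
    samples = {
        "usr/sbin/mini_cli": elf_be32 + b"\x00libc.so.0\x00" + BACKDOOR_LIB + b"\x00",
        "usr/sbin/other_daemon": elf_be32 + b"\x00libc.so.0\x00",
        "etc/notes.txt": b"mentions libarris_password.so but is not an ELF file\n",
    }
    for rel, blob in samples.items():
        full = os.path.join(base, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(blob)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_rootfs(tmp)
        for path, bits, endian in find_backdoor_loaders(tmp):
            print(f"{path}: ELF{bits} {endian}-endian references {BACKDOOR_LIB.decode()}")
```

Run against a real extracted image, the output can be compared with the file list above to see whether a given firmware version still ships binaries linked to the library.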

ARRIS password of the day is a remote backdoor known since 2009. It uses a DES-encoded seed (set by the ISP using the arrisCmDoc30AccessClientSeed MIB) to generate a daily backdoor password. The default seed is MPSJKMDHAI and guess what - many ISPs won't bother changing it at all.
The backdoor account can be used to enable Telnet and SSH remotely via the hidden HTTP Administrative interface 'http://192.168.100.1/cgi-bin/tech_support_cgi' or via custom SNMP MIBs.

The default password for the SSH user 'root' is 'arris'. When you access the telnet session or authenticate over SSH, the system spawns the 'mini_cli' shell asking for the backdoor password.

When you log in using the password of the day, you are redirected to a restricted technician shell ('/usr/sbin/cli').

Restricted shells are ;restricted

In order to understand how the backdoor works, I built a Puma5 toolchain (ARMEB) and cross-compiled some useful tools like strace, tcpdump and gdbserver. I hosted them on my Github, get them here:
- https://github.com/bmaia/cross-utils/tree/master/armeb

While analyzing the backdoor library and the restricted shells, I found some interesting code in the authentication check:


Yes, they put a backdoor in the backdoor (Joel from Dlink is sure to be envious). The undocumented backdoor password is based on the last five digits from the modem's serial number. You get a full busybox shell when you log on the Telnet/SSH session using these passwords.

The vendor asked not to disclose details about the password generation algorithm. I'm really relieved knowing that those awful guys from Metasploit won't be able to reverse this in a timely manner.

Vulnerability, Disclosure and Marketing

Of course, we need a logo so the media can report about this with fancy graphs and vendors can distribute customized t-shirts at Blackhat.

What I like most about lcamtuf is how visionary he is. While people were still writing dumb fuzzers, he wrote AFL and performed a detailed technical analysis of Qualys' GHOST. Based on his analysis, I hired a couple of marketing specialists to find out the best way to disclose the ARRIS backdoor.

What do we have here?
- Multiple backdoors allowing full remote access to ARRIS Cable modems
- An access key that is generated based on the Cable modem's serial number
After a thoughtful analysis, the marketing committee advised w00tsec members to write a Keygen. In order to write a Keygen, we need a leet ascii art and a cool chiptune. The chosen font was ROYAFNT1.TDF, from the legendary artist Roy/SAC, and the chiptune is Toilet Story 5, by Ghidorah.

Read more on w00tsec blog.