In many homes, the router is the gateway to the wide and wild world of the internet. It’s that little gadget you connect your devices to for internet access. It is an essential component in our internet-connected households and businesses.
But much like our computers and other smart appliances, your humble router is exposed to security threats and attacks, and it can have vulnerabilities of its own. Checking it for flaws is vital to keeping your connected home safe.
For millions of AT&T U-verse subscribers, unfortunately, the time to check is now.
Five critical security flaws were discovered on Arris modems/routers commonly used by AT&T U-verse customers. The models involved are the Arris NVG589 and NVG599 with the latest 9.2.2 firmware installed.
In a blog post detailing the security flaws, Joseph Hutchins wrote that it is uncertain whether these flaws were introduced by the manufacturer itself or were inadvertently added later by AT&T.
How so? He said that internet providers like AT&T have the authority to customize the software for the routers they issue before delivering them to the consumer. The custom code is usually used for remote assistance such as customer support and device diagnostics.
But still, according to Hutchins, regardless of how the vulnerabilities were introduced, “it is the responsibility of the ISP to ensure that their network and equipment are providing a safe environment for their end users.”
Exposed superuser account
One vulnerability, in particular, is described as a result of “pure carelessness, if not intentional altogether.”
It was discovered that the latest firmware update for Arris models NVG589 and NVG599 enabled SSH and also publicly exposed the hardcoded username/password combination for a superuser account. An attacker can use these credentials to connect to the router remotely, change network settings and even reroute all internet traffic through a malicious server.
Hutchins said that while this is the least common vulnerability that was discovered, it is still “quite unacceptable” since it puts people at “unnecessary risk of theft & fraud.” He also said that “[it] is hard to believe that no one is already exploiting this vulnerability.”
Case injection flaw
A more critical vulnerability is a “case injection” flaw on the NVG599 modem. This basically allows an attacker to insert advertisements or even malware into unencrypted web traffic. Based on data collected, around 220,000 routers are currently publicly exposed to this flaw.
Brute force attack based on MAC address
The most widespread flaw, the one affecting the highest number of routers, is a firewall bypass that lets an attacker brute force a port on the device simply by getting its MAC address. This flaw can then open an unauthorized connection between the attacker and the target device. According to Hutchins, with this flaw, if someone knows your public IP address, “you are in immediate danger of intrusion.”
The number of affected routers is still unclear, but Hutchins warned that the firewall bypass flaw affects all Arris-built AT&T U-verse routers, which puts millions of customers at risk.
More security flaws
Another vulnerability is an information disclosure flaw, which can supply an attacker with important details about the router. However, according to Hutchins, it requires knowledge of the router’s exact serial number, so it’s not critical right now.
Another flaw involves a secure server of undetermined purpose running on port 49955 of the affected routers. This server apparently uses default credentials for basic authorization (username “tech” with a blank password field), which leaves it highly vulnerable to unauthorized access.
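To see whether your own router is listening on the services described above (SSH and the server on port 49955), a short self-check like the following can help. This is an added example, not code from Hutchins' post or from Arris/AT&T; port 22 for SSH is an assumption (the standard default), and the function names are hypothetical.

```python
import socket
import sys

# Port 49955 is the one named in the article. Port 22 is an ASSUMPTION:
# the article says SSH was enabled but does not give the port number.
SERVICES = {
    22: "SSH (assumed default port)",
    49955: "server using default credentials",
}

def probe(host, port, timeout=2.0):
    """Try one TCP connection and classify the result."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        sock.connect((host, port))
        return "open"          # something accepted the connection
    except ConnectionRefusedError:
        return "closed"        # host answered, nothing is listening
    except socket.timeout:
        return "filtered"      # no answer at all (dropped by a firewall)
    except OSError:
        return "unreachable"   # routing or other network error
    finally:
        sock.close()

def audit(host, services=SERVICES, timeout=2.0):
    """Probe every listed port on your own router."""
    return {port: probe(host, port, timeout) for port in services}

def report(results, services=SERVICES):
    """Turn probe results into one readable line per port."""
    lines = []
    for port, state in sorted(results.items()):
        note = "REVIEW: service is reachable" if state == "open" else "ok"
        lines.append(f"{port}/tcp {state:<11} {services.get(port, '?')}: {note}")
    return lines

if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit("usage: check_router.py <address-of-your-own-router>")
    print("\n".join(report(audit(sys.argv[1]))))
```

Run from inside your home network, an "open" result only shows that the service is listening on the router; whether it is also reachable from the internet has to be checked from a connection outside your network.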
Steps for self-mitigation
Thankfully, Hutchins provided “self-mitigation” steps on how to fix these five flaws right now. Some of the instructions are lengthy and detailed, so I suggest you read the whole blog post for the complete steps.
The most straightforward fix is for the widespread firewall bypass flaw, which anyone with basic router administration skills can do. If you’re an AT&T U-verse subscriber with the affected Arris routers, I suggest that you do the fix as soon as possible.
An Arris spokesperson has reportedly confirmed that the company is now conducting a full investigation and will “quickly take any required actions to protect the subscribers” who use their devices.
If any of these flaws are proven to be as critical as they are described, then we can expect firmware updates for the Arris NVG589 and NVG599 routers soon, so please check for updates as often as you can.