
Arris modems and routers contain a major security vulnerability


Updated at 2:55 PM ET with a comment from Arris.

If you are using an Arris or Motorola broadband modem, router or gateway provided by AT&T, you had better check your network hardware's configuration.

(Image credit: Arris/Motorola NVG599 Typical Wiring Setup. Credit: AT&T)

Texas-based information security company Nomotion has discovered five serious security flaws that can allow hackers to take control of your network, insert advertisements into the websites you view and even directly attack devices on your network. The company calls the flaws “SharknAT & To,” which should conjure up images of flying sharks for thirsty Syfy channel followers.

“Prepare to be freaked out,” read the Nomotion blog post on SharknAT late last week.

At least one of these flaws appears to affect every Arris or Motorola network device that AT&T offers to home and small business users. The most serious flaw affects only the NVG599 and NVG589 VDSL gateways that provide “triple play” phone, Internet and TV access.

(Arris acquired Motorola’s home networking division a few years ago, and several models may bear the brand name of either company. These flaws don’t appear to affect the Surfboard line of cable modems that Arris markets directly to consumers, but we’ve asked for clarification.)

What you have to do now

You can fix all these flaws yourself, although some of them require technical knowledge and software tools. Fortunately, the more prevalent bug is the easiest to fix, and we’ll show you how. For the rest, please refer to the Nomotion blog posts.

Our requests for comment to both Arris and AT&T went unanswered, but Arris told the tech-news site Threatpost that it is conducting a full investigation and could not comment further.

Every Arris network device (a modem, a router, or a gateway, which combines a modem and a router) supplied by AT&T and tested by Nomotion contains a covert firewall bypass on port 49152.

Access is granted by presenting the device’s known MAC address together with a three-byte secret code, which an attacker’s computer could brute-force in a matter of minutes. (Anything that can connect to the Internet has at least one unique MAC address.)

“There is a fatal flaw in this implementation,” Nomotion said in its blog post.

The firewall bypass, which Nomotion refers to as Vulnerability 5, will likely be put to use by AT&T support technicians. It gives the attacker direct access to all devices on a home or small business network.

If you are familiar with IoT vulnerabilities, you will know that many smart home devices have little or no protection against attacks coming from within the local network. Combining Vulnerability 5 with known IoT vulnerabilities may lead to attacks on smart TVs, thermostats, door locks, refrigerators and so on.

To fix this bug, Nomotion recommends browsing to the IP address on a desktop web browser while connected to the local network. (Warning: Nomotion warns that “if you choose to continue, you do so at your own risk.”)

On this web page, you will see the network device configuration interface. Select the NAT/Gaming tab, scroll down and click the Custom Services button.

You will see form fields to enter information in. In the Service name field, enter a name of your choice – “Bypass” might be a good name. Enter “49152” in both global port range fields. For Base Host Port, enter “1”. Make sure to switch the protocol to TCP/IP. Then click the “Add” button.

On the next page, make sure that your new service is listed under Services, and select it. Then select any of your existing devices under Required by Device. That should kill the problem with accessing port 49152.

The most severe defect of the five affects the Arris/Motorola NVG599 and NVG589 gateways running firmware version 9.2.2h0d83. This firmware update added SSH (secure shell) access with hard-coded credentials: the admin name “remotessh” and the password “5SaP9I26”.

Anyone using these credentials can remotely install new firmware, change the network name and password, change network settings, or even inject ads. Fortunately, Nomotion said that only about 15,000 devices worldwide appear to be at risk.

“It’s hard to believe that no one really is taking advantage of this vulnerability at the expense of innocent people,” the Nomotion blog said.

If you have one of these two models, and it’s running this firmware (check the admin interface mentioned in the previous bug fix), you have a bit of command line typing to do. Please refer to Vulnerability 1 in the Self Mitigation section of the Nomotion blog post.

Vulnerabilities 2 and 3 affect the web server feature of the NVG599 model. It turns out that anyone can get administrative access by connecting to port 49955 with the username “tech” and no password. Apparently about 220,000 devices have been affected, per Nomotion.

Vulnerability 4 appears to affect all Arris/Motorola home/small business network devices distributed by AT&T, according to Nomotion. It gives the attacker the MAC addresses of all the devices on the internal network, as well as the Wi-Fi password, but the attacker needs to know the serial number of the specific router, modem, or gateway being attacked. As such, the risk of exploitation is low.

To fix Vulnerabilities 2 through 4, the user will need to use Burp Suite (Free) or a similar web security tool. You will need the first, second, or third defect to be able to repair the fourth defect. Instructions are provided in the Self Mitigation section of the Nomotion blog post.
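
To confirm that the port-related fixes described above took effect, the following added example (not code from Nomotion, Arris or AT&T) probes the two TCP ports this article names, 49152 and 49955, on a gateway you administer and reports which still accept connections. The function names are this example's own, and the result only reflects reachability from the network position where the script runs.

```python
import socket

# Ports named in the article, mapped to the Nomotion finding they belong to.
SHARKNAT_PORTS = {
    49152: "Vulnerability 5: firewall bypass",
    49955: "Vulnerabilities 2 and 3: NVG599 web server",
}


def probe(host, port, timeout=2.0):
    """Return 'open', 'closed' or 'filtered' for one TCP port."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"          # something completed the TCP handshake
    except ConnectionRefusedError:
        return "closed"            # host answered with a reset
    except OSError:
        return "filtered"          # timeout, unreachable, or silently dropped


def audit(host, ports=SHARKNAT_PORTS, timeout=2.0):
    """Probe each port and return {port: (state, finding)}."""
    return {p: (probe(host, p, timeout), name) for p, name in ports.items()}


def exposed(report):
    """Ports that accepted a connection and still need the mitigation."""
    return sorted(p for p, (state, _) in report.items() if state == "open")


if __name__ == "__main__":
    import sys
    target = sys.argv[1]           # address of a gateway you administer
    report = audit(target)
    for port, (state, finding) in sorted(report.items()):
        print(f"{target}:{port:<6} {state:<9} {finding}")
    if exposed(report):
        print("Still reachable:", exposed(report))
```

Run it once before and once after applying the fix so the two reports can be compared.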

Update: Arris responded to Tom’s Guide’s query with this statement: “We are currently investigating the details of the Nomotion Security Report. Until this is complete, we cannot comment on its details. We can confirm that ARRIS is conducting a full investigation in parallel and will quickly take any actions needed to protect subscribers using our devices.”
