The security expert David Longenecker reported security vulnerabilities affecting the popular broadband cable SURFboard modems produced by the ARRIS (formerly Motorola). The ARRIS SB6141 model is available for sale for around $70 US, it is able to support over 150 megabit speeds and works with all almost every US Internet provider.
Attackers can exploit the flaws in the ARRIS SURFboard modems to remotely knock out the device for a period of time that could reach 30 minutes, more than 135 million devices are at risk.
The attackers can rebooting the SURFboard modems remotely without authentication due to the presence of cross-site request forgery vulnerability.
“Rebooting one remotely is so easy, it doesn’t even require a password.” states Longenecker in a blog post. “Certain SURFboard modems have an unauthenticated cross site request forgery flaw. The modems have a static IP address that is not consumer-changeable, and the web UI does not require authentication – no username or password is required to access the administration web interface.”
An unauthenticated attacker can access the user interface of the cable modems. A local attacker can access the administration web interface (192.168.100.1) without being authenticated.
“With access to a local network, it is a trivial matter to reboot the modem serving that network, causing a denial of service while the modem reboots. Granted the modem only takes about 3 minutes to reboot, but for those three minutes, Internet access is offline. Additionally, activity sensitive to network outages (long downloads or remote desktop sessions, for example) may abort. 192.168.100.1/reset.htm” added the expert.
This means that a local attacker is able to restart the device, same result is possible to obtain if he uses a social engineering trick to convince the victim into clicking the following link:
This reset of the cable modems is a time-consuming process that can take as long as a half hour and that in some cases could need the support of the internet service provider (ISP) to restore the normal operation.
Longenecker discovered a second flaw, a cross site request forgery (CSRF), in the SURFboard modems that could be abused by attackers to launch the above command without using the device user interface.
“In this case, the intended design is for a user to access the SURFboard administration interface, and then click a link to execute a reboot. The application though does not verify that the command was issued from the administration UI. When an application does not verify that a command was issued from within the application, the possibility of CSRF exists.”
“Did you know that a web browser doesn’t really care whether an “image” file is really an image? Causing a modem to reboot is as simple as including an “image” in any other webpage you might happen to open – which is exactly the approach taken on the RebootMyModem.net proof of concept:
Of course it’s not a real image, but the web browser doesn’t know that until it requests the file from the modem IP address – which of course causes the modem to reboot. Imagine creating an advertisement with that line of code, and submitting it to a widely-used ad network…”
The good news is that the vulnerabilities are easy to patch, the vendor just needs to issue a firmware update that implements an authentication mechanism for the reboot and reset of the cable modems, and implement a mechanism to prevent CSRF attacks.
The bad news is that cable modems could not be upgraded by the end-user, instead the patches have to be distributed by ISP once it is available … and we all know the problems related to patch management processes.
“ARRIS recently addressed the reported GUI access issue with a firmware update. We are in the process of working with our Service Provider customers to make this release available to subscribers. There is no risk of access to any user data, and we are unaware of any exploits. “
“According to the experts of the company, the active population of modems impacted by the issue is less than 10 percent of the initially reported 135M number”
(Security Affairs – Arris cable modems, hacking)