A simple and easily exploitable vulnerability has been uncovered in one of the most popular and widely used cable modems, the Arris SURFboard SB6141, which is used in millions of US households.
Security researcher David Longenecker discovered a loophole that leaves these modems vulnerable to unauthenticated reboot attacks. He also released his "exploit" after Arris (formerly Motorola) stopped responding to him despite his responsible disclosure.
The bug is quite silly: no username or password protection.
Arris does not set up any password authentication on the modem's user interface, so anyone on the local network can access the administration web interface at 192.168.100.1 without entering a username and password.
This lets a local attacker use 'Restart Cable Modem' on the 'Configuration' page of the administrative interface at https://192.168.100.1/. That amounts to a Denial of Service (DoS) attack.
Bingo! Clicking 'Restart Cable Modem' takes the victim's modem offline for 2 to 3 minutes, and every device on that network loses access to the Internet.
Three minutes without Internet connectivity is bearable, but the same administrative panel also offers an option to factory reset the modem, i.e. wipe out its configuration and settings.
If an attacker triggers this option, your modem will go offline for 30 minutes, as the re-configuration process can take as long as an hour to complete. Sometimes you even need to call your Internet Service Provider (ISP) to reactivate the modem.
How Can the DoS Attack Be Performed Remotely?
Longenecker revealed that an attacker can also reset your modem remotely, because the application doesn't verify whether a reboot or reset command comes from its own UI or from an external source.
This remote attack is a Cross-Site Request Forgery (CSRF): the attacker uses social engineering to trick the user into opening a specially crafted web page or email.
For example, a web page containing an <img src="https://malicious_url/"> tag could call any of the following URLs:
- https://192.168.100.1/reset.htm (for restart)
- https://192.168.100.1/cmConfigData.htm?BUTTON_INPUT1=Reset+All+Defaults (for factory reset)
"Did you know that a web browser does not care whether an 'image' file is really an image?" Longenecker explains. "Causing a modem to reboot is as simple as including an 'image' in any other web page you might happen to open."
"Of course, it is not a real image, but the web browser does not know that until it requests the file from the modem IP address – which of course causes the modem to reboot."
Are the Flaws Easy to Patch?
These flaws are easily patchable; it would only require Arris to create a firmware update such that:
- The UI requires authentication (username and password) before allowing someone to reboot or reset the modem.
- The UI validates that a request originated from the application and not from an external source.
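The two fixes above, written out as the request-authorization check a modem's web UI could apply before honoring /reset.htm or /cmConfigData.htm. This is an added illustration, not Arris firmware or Longenecker's code; the session store, the cookie name "session", the "csrf_token" form field and the login routine are assumptions made for the demo.

```python
import hmac
import secrets
from urllib.parse import urlsplit

# Constructed values: the modem's own origin and the two endpoints the article names.
MODEM_ORIGIN = "https://192.168.100.1"
STATE_CHANGING = {"/reset.htm", "/cmConfigData.htm"}

# Hypothetical server-side session store: session id -> that session's CSRF token.
SESSIONS = {}

def new_session():
    """Simulate a successful login: issue a session id and a random CSRF token."""
    sid = secrets.token_urlsafe(16)
    SESSIONS[sid] = secrets.token_urlsafe(32)
    return sid, SESSIONS[sid]

def parse_cookie(header):
    """Split a Cookie header into a dict (minimal parser, enough for the demo)."""
    return dict(kv.strip().split("=", 1) for kv in header.split(";") if "=" in kv)

def authorize_state_change(method, url, headers, form):
    """Decide whether a request may reboot or factory-reset the modem.

    Returns (allowed, reason). Two checks implement the fixes listed above:
      1. authentication: the request must carry a valid session cookie;
      2. origin validation: state changes must be POSTs whose Origin header is
         the modem's own and whose form carries the session's CSRF token.
    """
    if urlsplit(url).path not in STATE_CHANGING:
        return True, "not a state-changing endpoint"
    if method.upper() != "POST":
        # An <img src=...> fetch is always a GET, so it can never change state.
        return False, "state change requires POST"
    sid = parse_cookie(headers.get("Cookie", "")).get("session")
    if sid not in SESSIONS:
        return False, "no authenticated session"
    if headers.get("Origin") != MODEM_ORIGIN:
        return False, "cross-origin request"
    if not hmac.compare_digest(form.get("csrf_token", ""), SESSIONS[sid]):
        return False, "missing or wrong CSRF token"
    return True, "ok"

if __name__ == "__main__":
    # The article's img-tag request: a bare GET with no session and no token.
    print(authorize_state_change("GET", MODEM_ORIGIN + "/reset.htm", {}, {}))
    sid, token = new_session()
    legit = {"Cookie": "session=" + sid, "Origin": MODEM_ORIGIN}
    print(authorize_state_change("POST", MODEM_ORIGIN + "/reset.htm", legit, {"csrf_token": token}))
```

The img-tag request fails at the first check because it is a GET; even a forged POST from another site fails the Origin and token checks, since the attacker's page cannot read the victim's CSRF token.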
The bad news is that there's no practical fix users can apply on their own. Since cable modems are not consumer-upgradable, even if Arris releases a fix, you would need to wait for your ISP to approve the update and push it to you.
Arris has recently addressed the flaws with a firmware update.
"We are in the process of working with our Service Provider customers to make this release available to subscribers," said the company's spokesperson.
"There is no risk of access to any user data, and we are unaware of any exploits. As a point of reference, the 135 million number is not an accurate representation of the units impacted. This issue affects a subset of the ARRIS SURFboard devices."