AT&T Uverse Modems Found To Have Several Serious Security Vulnerabilities

dustman81 writes: AT&T Uverse modems were found to have several serious vulnerabilities, including a superuser account with hardcoded username/password exposed to the internet via SSH, a HTTP server with little authentication which allows command injection, and an internet exposed service which exposes internal clients to external attacks. Information security consulting and software development firm Nomotion reports the findings in their blog: "It was found that the latest firmware update (9.2.2h0d83) for the NVG589 and NVG599 modems enabled SSH and contained hardcoded credentials which can be used to gain access to the modem's 'cshell' client over SSH. The cshell is a limited menu driven shell which is capable of viewing/changing the WiFi SSID/password, modifying the network setup, re-flashing the firmware from a file served by any tftp server on the internet, and even controlling what appears to be a kernel module whose sole purpose seems to be to inject advertisements into the user's unencrypted web traffic. Although no clear evidence was found suggesting that this module is actually being used currently, it is present, and vulnerable. Aside from the most dangerous items listed above, the cshell application is also capable of many other privileged actions. The username for this access is remotessh and the password is 5SaP9I26." The report continues to detail the other vulnerabilities: Default credentials 'caserver' https server NVG599; Command injection 'caserver' https server NVG599; Information disclosure/hardcoded credentials; and Firewall bypass no authentication.

Further reading: FierceTelecom; The Register

Trust Issues

[Fragholio]

And these companies are supposed to be trusted with actually securing the data that we provide them? I often wonder how non-IT people handle these business practices.

Re:Trust Issues

[PolygamousRanchKid]

And these companies are supposed to be trusted with actually securing the data that we provide them?

No, that's incorrect. A big part of their business is providing private data to security services: see Lawful Interception (LI) https://en.wikipedia.org/wiki/... [wikipedia.org]

They are coerced by government agencies to do this. And just about every government passes laws requiring that ISPs and Telcos implement components that allow the security services to "just drop in" whenever they want. Usually, the government agencies are supposed to obtain warrants before tapping and sipping up someone's data, but these days . . . who's checking warrants any more . . . ?

I worked on an ISP platform for a major telco in Europe, and it was interesting to see their LI system. Even the ISP operators themselves are not able to determine who and when the government is tapping. This is done so the "enemies" can't smuggle in mole operators into the ISPs who could alert their friends outside not to talk too loud on the line.

Someone just found one of these hidden features for "special" users in AT&T.

That's all.

They need true bridge mode!!

[Joe_Dragon]

They need true bridge mode!!

Re:

[jmcharry]

Their older DSL modems used to operate purely as a modem if you connected using PPPoE. I don't know whether that is still an option. Of course then you have to provide your own firewall, NAT, and DHCP.

Re:

[starblazer]

Supposedly there's a certificate on the modem which is needed for authentication preventing true bridge mode. I don't know how true it is because I've swapped out modems before for friends and I've never had an issue where a modem hasn't come back online provided the circuit is still active.

Re:

[arth1]

Of course then you have to provide your own firewall, NAT, and DHCP.

You don't have to. Firewall and NAT is generally a good idea, but DHCP is just a convenience - static IPs work well too, and for IPv6, you can also auto-assign IP addresses on the host side without DHCP.

Re:

[aaarrrgggh]

You can put them in bridge mode, but that doesn't change much. They are still capable of "remote management".

War driving made easy.

[Anonymous Coward]

Get an AT&T UVerse coverage map and go a driving in those areas.

Just think of all the kitty porn you can get!

Tera and tera bytes of "I has Cheezburgers!"

I Thought The Whole AT&T Network

[zenlessyank]

was a back door.

comcast business forces you to rent there hardware

[Joe_Dragon]

comcast business (static ip) forces you to rent there hardware.

ATT forces you to rent there hardware.

We need to ban ISP's from forcing you to rent there hardware or force them to just give out an dumb open all e-net handoff.

Re:

[Anonymous Coward]

Instead, they should force you to rent here hardware.

That makes a lot more sense.

Re: comcast business forces you to rent there hard

[mprindle]

The last I checked I could buy my own modem and use it on my Comcast service to avoid the rental fees. They even publish a list of approved modems.

Home
https://mydeviceinfo.xfinity.c... [xfinity.com]
Business
https://business.comcast.com/h... [comcast.com]

Re:

[Dunbal]

They even publish a list of approved modems.

Only way to make the legit approved list is if they also contain officially backdoored hard/firmware?

Re:

[Anonymous Coward]

You can use any modem you want on Comcast and flash it with anything you desire. The list of "approved" modems basically makes it easier for the masses to get one that is "known to work", and removes the "what version of the DOCSIS standard does this one support" research from the process. At the end of the day you get a modem, you tell Comcast its MAC address, and then you're off to the races. Frequently Comcast doesn't even want their old modem back...

Re:

[Joe_Dragon]

If you have static ip with comcast then just must rent.

To bad the comcast cable tv sucks and they have that download cap on there internet.

Re:

[pnutjam]

I have a 1TB cap, which is sufficient with 4 kids using ipads to watch videos such.

Re:

[Spamalope]

He means you must rent if you have a static IP. In my case they added a rental fee after the fact, told me I could buy a device then wouldn't activate it once I'd bought it.

Re:

[Darinbob]

Not true for AT&T. Your modems have to be able to talk to their modems, you can't buy a compatible one at Fry's. I'd buy my own if I could.

Re:

[antdude]

What about AT&T? Not all ISPs will let you. :P

Re:

[pnutjam]

Not with Uverse, their IPtv won't work with your own equipment and there is no bridge mode. The best you an do is DMZ, or there is a router behind router option that puts in the necessary route for another subnet, theoretically, if never worked for me.

God forbid you put in you own routes.
The damn routers seem to forget the DMZ and port forwarding settings every 6 months or so, I'm not sure if AT&T was resetting things, or the hardware just sucked.
Just had a client who's router forgot all the port forw

Re:comcast business forces you to rent there hardw

[Billly Gates]

As a good techie /. nerd I always buy my own modems and routers. Comcast as much as I hate them do allow third party approved modems. I bought a Motorola surfboard. It is not Docsys 3.0 and I get concerned texts every now and then but it works fine so no reason to change.

So even with an unapproved older modem it will still work. Maybe I can't download at 200 mb/s but at 100 mb/s it works fine.

Re:comcast business forces you to rent there hardw

[TWX]

COX just broke DOCSIS below 3.0, had to change modems.

I'd really wanted to use a DOCSIS HWIC module for my Cisco router, but COX specifically said that module would not be supported on their network, and then with the 3.0+ requirement, the 2.1-capable unit isn't supported anyway.

Really wish that Google Fiber hadn't stalled. Theres a dark fiber trunk line running through the neighborhood around 200' from my house, and Google was in the habit of buying dark fiber wherever they could.

Re:

[Billly Gates]

They claimed they did and sent me scary texts and emails 6 months ago. My system still works and they left me alone. 2.1 is fully compatible and they won't disconnect your access.

Re:

[TWX]

Service kept dropping out. Didn't have to pay for my modem anyway since we have the home telephone line, so they supplied the model with the VOIP capability.

Arrest the board

[Dog-Cow]

The entire board of directors should be rotting in jail for allowing foreign agents to infiltrate US computer systems. Traitors and incompetent assholes, every single one.

Re:

[arth1]

The entire board of directors should be rotting in jail for allowing foreign agents to infiltrate US computer systems.

I'd rather have foreign agents being able to access my systems than native agents. The foreign agents have far less power to use the data in a way that's harmful to me or my interests.

Giving native agencies access, on the other hand, is deeply scary, for a multitude of reasons, including democracy. It's we the people who are supposed to be their bosses, not feudal lords and kings telling them what to do to whom.

AT&T is a multibillion $ company

[Anonymous Coward]

There's only one explanation for such disgusting, juvenile engineering: Malevolence, not incompetence.

Well fucking Doh!!!

[khz6955]

"AT&T Uverse modems were found to have several serious vulnerabilities, including a superuser account with hardcoded username/password"

Look it, most/all consumer grade equipment has built-in back-doors, by the various security services, get used to it.

Actual test to verify?

[jabberw0k]

Is there an actual test to run to verify whether or not a given device has these vulnerabilities? The listed ports do not seem to be open on the ones I was able to test.

Upload custom firmware.... is an opportunity

[Proudrooster]

The ASUS Merlin project [lostrealm.ca] created custom firmware for ASUS routers, maybe this is a limited opportunity to create custom firmware for the AT&T modems that can increase security and add features.

Pass on the freebie modems...

[__aaclcg7560]

The freebie DSL modems that ATT provided weren't very good. Most would conk out after a year or two. When I started working one day a week from home, I bought a business class modem for $200 and spent several hours understanding the new security features. That one lasted seven years.

Re:

[ls671]

I am sorry but I don't believe you. After all, you need at least an enterprise class modem [slashdot.org] to do the kind of work you do.

Re:

[pnutjam]

I used PfSense on an old computer and got all the enterprise features. later I bought an embedded x86 system.
Unfortunately, Uverse At&T won't let you provide your own router, you can just put yours behind theirs, and it ain't a real pass through either.

Responsible reporting...

[Fly Swatter]

Is not giving out the actual login details, unless the offender has not fixed the problem in many months, not days. Even then it is rather inconsiderate to those that are stuck with the hardware. I have no respect for such 'researchers'.

Re:

[Narcocide]

One problem; ATT U-Verse staff updates the modems remotely, automatically, and without notice or recourse.

Wonder if they pushed equiv onto android phones?

[Ungrounded Lightning]

"It was found that the latest firmware update (9.2.2h0d83) for the NVG589 and NVG599 modems enabled SSH and contained hardcoded credentials which can be used to gain access to the modem's 'cshTell' client over SSH. ... [how to escalate this into full access ...]

The latest update pushed to the modems opened this hole. Hmmm...

AT&T just pushed a couple updates to my Android phone a few weeks back. Like a complete version jump on the Android OS, followed by a tweak update a week or two later.

I wonder if t

They're also slow AF

[jsepeta]

I can't believe AT&T are such cheap bastards that they're still shipping Wi-Fi 802.11g routers to their customers.

So, this is the birthplace of Unix.

[Darkness Of Course]

Funny how ATT never really came to grips with Unix. Beyond licensing and cash intake. They are just as clueless when it comes to user land equipment as anyone else. Even the hacks in China. One does wonder how many of their products have the same user/password combo.

"inject advertisements"? !!!!

[RhettLivingston]

a kernel module whose sole purpose seems to be to inject advertisements into the user's unencrypted web traffic.

Wow. That's a heck of a sleeper statement. I wonder whether Google already knew this?

The ability to inject advertisements into HTTP traffic would be a minor tweak away from replacing advertisements that are already there. This could render the metrics from advertisement giants like Google worthless for HTTP traffic and become a large threat to their business model - even more so perhaps than ad blockers.

I wonder if this is part of what is in Google's thoughts in their push for HTTPS. Perhaps it isn't about

Re:

[Narcocide]

Yea, even better, when you try to look up a hostname and get no DNS response, the router forwards your HTTP request directly to itself. (this causes some very interesting conflicts with Slashdot's annoying auto-refresh redirects)

HAH

[bobmajdakjr]

i had both of these! and they both eventually died lololololol. horray for that.