AT&T Uverse Modems Found To Have Several Serious Security Vulnerabilities (threatpost.com)
dustman81 writes: AT&T Uverse modems were found to have several serious vulnerabilities, including a superuser account with a hardcoded username/password exposed to the internet via SSH, an HTTP server with little authentication that allows command injection, and an internet-exposed service that exposes internal clients to external attacks. Information security consulting and software development firm Nomotion reports the findings in their blog: "It was found that the latest firmware update (9.2.2h0d83) for the NVG589 and NVG599 modems enabled SSH and contained hardcoded credentials which can be used to gain access to the modem's 'cshell' client over SSH. The cshell is a limited menu driven shell which is capable of viewing/changing the WiFi SSID/password, modifying the network setup, re-flashing the firmware from a file served by any tftp server on the internet, and even controlling what appears to be a kernel module whose sole purpose seems to be to inject advertisements into the user's unencrypted web traffic. Although no clear evidence was found suggesting that this module is actually being used currently, it is present, and vulnerable. Aside from the most dangerous items listed above, the cshell application is also capable of many other privileged actions. The username for this access is remotessh and the password is 5SaP9I26." The report continues to detail the other vulnerabilities: Default credentials 'caserver' https server NVG599; Command injection 'caserver' https server NVG599; Information disclosure/hardcoded credentials; and Firewall bypass no authentication.
Further reading: FierceTelecom; The Register
Trust Issues (Score:1)
Re:Trust Issues (Score:5, Interesting)
And these companies are supposed to be trusted with actually securing the data that we provide them?
No, that's incorrect. A big part of their business is providing private data to security services: see Lawful Interception (LI) https://en.wikipedia.org/wiki/... [wikipedia.org]
They are coerced by government agencies to do this. And just about every government passes laws requiring that ISPs and Telcos implement components that allow the security services to "just drop in" whenever they want. Usually, the government agencies are supposed to obtain warrants before tapping and sipping up someone's data, but these days . . . who's checking warrants any more . . . ?
I worked on an ISP platform for a major telco in Europe, and it was interesting to see their LI system. Even the ISP operators themselves are not able to determine who and when the government is tapping. This is done so the "enemies" can't smuggle in mole operators into the ISPs who could alert their friends outside not to talk too loud on the line.
Someone just found one of these hidden features for "special" users in AT&T.
That's all.
They need true bridge mode!! (Score:5, Insightful)
They need true bridge mode!!
Re: (Score:3)
Their older DSL modems used to operate purely as a modem if you connected using PPPoE. I don't know whether that is still an option. Of course then you have to provide your own firewall, NAT, and DHCP.
Re: (Score:2)
Of course then you have to provide your own firewall, NAT, and DHCP.
You don't have to. Firewall and NAT is generally a good idea, but DHCP is just a convenience - static IPs work well too, and for IPv6, you can also auto-assign IP addresses on the host side without DHCP.
Re: (Score:2)
You can put them in bridge mode, but that doesn't change much. They are still capable of "remote management".
War driving made easy. (Score:2, Funny)
Get an AT&T UVerse coverage map and go a driving in those areas.
Just think of all the kitty porn you can get!
Tera and tera bytes of "I has Cheezburgers!"
I Thought The Whole AT&T Network (Score:2)
was a back door.
comcast business forces you to rent there hardware (Score:2)
comcast business (static ip) forces you to rent there hardware.
ATT forces you to rent there hardware.
We need to ban ISPs from forcing you to rent there hardware or force them to just give out a dumb open all e-net handoff.
Re: (Score:2, Funny)
Instead, they should force you to rent here hardware.
That makes a lot more sense.
Re: comcast business forces you to rent there hard (Score:5, Informative)
The last I checked I could buy my own modem and use it on my Comcast service to avoid the rental fees. They even publish a list of approved modems.
Home
https://mydeviceinfo.xfinity.c... [xfinity.com]
Business
https://business.comcast.com/h... [comcast.com]
Re: (Score:2)
They even publish a list of approved modems.
Only way to make the legit approved list is if they also contain officially backdoored hard/firmware?
Re: (Score:1)
You can use any modem you want on Comcast and flash it with anything you desire. The list of "approved" modems basically makes it easier for the masses to get one that is "known to work", and removes the "what version of the DOCSIS standard does this one support" research from the process. At the end of the day you get a modem, you tell Comcast its MAC address, and then you're off to the races. Frequently Comcast doesn't even want their old modem back...
Re: (Score:3)
If you have static ip with comcast then you must rent.
Too bad the comcast cable tv sucks and they have that download cap on their internet.
Re: (Score:2)
Not true for AT&T. Your modems have to be able to talk to their modems, you can't buy a compatible one at Fry's. I'd buy my own if I could.
Re: (Score:2)
What about AT&T? Not all ISPs will let you. :P
Re: (Score:2)
God forbid you put in your own routers.
The damn routers seem to forget the DMZ and port forwarding settings every 6 months or so, I'm not sure if AT&T was resetting things, or the hardware just sucked.
Just had a client who's router forgot all the port forw
Re:comcast business forces you to rent there hardw (Score:5, Interesting)
As a good techie /. nerd I always buy my own modems and routers. Comcast, as much as I hate them, do allow third party approved modems. I bought a Motorola Surfboard. It is not DOCSIS 3.0 and I get concerned texts every now and then but it works fine so no reason to change.
So even with an unapproved older modem it will still work. Maybe I can't download at 200 Mb/s but at 100 Mb/s it works fine.
Re:comcast business forces you to rent there hardw (Score:5, Interesting)
COX just broke DOCSIS below 3.0, had to change modems.
I'd really wanted to use a DOCSIS HWIC module for my Cisco router, but COX specifically said that module would not be supported on their network, and then with the 3.0+ requirement, the 2.1-capable unit isn't supported anyway.
Really wish that Google Fiber hadn't stalled. There's a dark fiber trunk line running through the neighborhood around 200' from my house, and Google was in the habit of buying dark fiber wherever they could.
Re: (Score:3)
They claimed they did and sent me scary texts and emails 6 months ago. My system still works and they left me alone. 2.1 is fully compatible and they won't disconnect your access.
Re: (Score:2)
Service kept dropping out. Didn't have to pay for my modem anyway since we have the home telephone line, so they supplied the modem with the VOIP capability.
Arrest the board (Score:2)
The entire board of directors should be rotting in jail for allowing foreign agents to infiltrate US computer systems. Traitors and incompetent assholes, every single one.
Re: (Score:3)
The entire board of directors should be rotting in jail for allowing foreign agents to infiltrate US computer systems.
I'd rather have foreign agents being able to access my systems than native agents. The foreign agents have far less power to use the data in a way that's harmful to me or my interests.
Giving native agencies access, on the other hand, is deeply scary, for a multitude of reasons, including democracy. It's we the people who are supposed to be their bosses, not feudal lords and kings telling them what to do to whom.
AT&T is a multibillion $ company (Score:1)
There's only one explanation for such disgusting, juvenile engineering: Malevolence, not incompetence.
Well fucking Doh!!! (Score:1)
Look it, most/all consumer grade equipment has built-in back-doors, by the various security services, get used to it.
Actual test to verify? (Score:5, Interesting)
Upload custom firmware.... is an opportunity (Score:2)
The ASUS Merlin project [lostrealm.ca] created custom firmware for ASUS routers, maybe this is a limited opportunity to create custom firmware for the AT&T modems that can increase security and add features.
Pass on the freebie modems... (Score:2)
Re: (Score:2)
I am sorry but I don't believe you. After all, you need at least an enterprise class modem [slashdot.org] to do the kind of work you do.
Re: (Score:2)
Unfortunately, Uverse AT&T won't let you provide your own router, you can just put yours behind theirs, and it ain't a real pass through either.
Responsible reporting... (Score:2)
Is not giving out the actual login details, unless the offender has not fixed the problem in many months, not days. Even then it is rather inconsiderate to those that are stuck with the hardware. I have no respect for such 'researchers'.
Re: (Score:1)
One problem; ATT U-Verse staff updates the modems remotely, automatically, and without notice or recourse.
Wonder if they pushed equiv onto android phones? (Score:2)
"It was found that the latest firmware update (9.2.2h0d83) for the NVG589 and NVG599 modems enabled SSH and contained hardcoded credentials which can be used to gain access to the modem's 'cshell' client over SSH. ... [how to escalate this into full access ...]
The latest update pushed to the modems opened this hole. Hmmm...
AT&T just pushed a couple updates to my Android phone a few weeks back. Like a complete version jump on the Android OS, followed by a tweak update a week or two later.
I wonder if t
They're also slow AF (Score:2)
I can't believe AT&T are such cheap bastards that they're still shipping Wi-Fi 802.11g routers to their customers.
So, this is the birthplace of Unix. (Score:1)
"inject advertisements"? !!!! (Score:2)
a kernel module whose sole purpose seems to be to inject advertisements into the user's unencrypted web traffic.
Wow. That's a heck of a sleeper statement. I wonder whether Google already knew this?
The ability to inject advertisements into HTTP traffic would be a minor tweak away from replacing advertisements that are already there. This could render the metrics from advertisement giants like Google worthless for HTTP traffic and become a large threat to their business model - even more so perhaps than ad blockers.
I wonder if this is part of what is in Google's thoughts in their push for HTTPS. Perhaps it isn't about
Re: (Score:1)
Yea, even better, when you try to look up a hostname and get no DNS response, the router forwards your HTTP request directly to itself. (this causes some very interesting conflicts with Slashdot's annoying auto-refresh redirects)
HAH (Score:1)