These defects seem to have been inadvertently introduced by AT&T, notes security consulting and software development firm Nomotion, which slams both Arris and AT&T for their failure to close “gaping security holes” affecting probably hundreds of thousands of users.
The firm’s full blog post offers significantly more detail.
“It is unknown whether these gaping security holes were added by Arris (the OEM) or if these obstacles were added after delivery to the ISP (AT&T U-verse). From checking the firmware, it seems clear that AT&T technicians have the authority and capability to add and customize code working on these devices, which they then present to the consumer as they should,” wrote Nomotion’s Joseph Hutchins.
Hard-coded credentials and SSH enabled by default allow a remote intruder to access the modem’s shell service, which in turn gives them access to most device configuration operations. Technically savvy users can hack their modem to mitigate the flaws, but doing so entails making illegal configuration changes to the device that AT&T probably won’t approve of.
“Some of the obstacles discussed here concern most AT&T U-verse modems despite the OEM, while others appear to be OEM specific. So it is not clear to tell who is accountable for this situation. It could be neither, or more likely, it could be both,” Hutchins wrote. “Regardless of why, when, or even who added these vulnerabilities, it is the ability of the ISP to ensure that their network and equipment are providing a safe atmosphere for their end users. This, sadly, is not currently the case.”
AT&T has yet to comment on the report. Arris told Kaspersky Lab’s Threatpost that “until this is finished, we cannot conclude on its details. We can verify Arris is conducting a full investigation in parallel and will immediately take any needed actions to protect the supporters who use our devices.”