September 11, 2017 | By Joel Odom
According to security research performed by consulting firm Nomotion, modems and routers manufactured by Arris and distributed by AT&T to its U-Verse customers appear to be riddled with serious security vulnerabilities. The flaws, which include a firewall bypass and hard-coded credentials that grant superuser access, allow an attacker to gain complete control over the modem. This leaves the network behind the modem open to attack and the traffic traversing the modem open to inspection and modification. It is unclear whether these flaws were introduced by Arris or by AT&T, but an Arris statement says that the company "is conducting a full investigation in parallel and will quickly take any required actions to protect the subscribers who use [their] devices."
IISP Analyst Joel Odom: "There are many security lessons that we could draw from this story, including some juicy technical tidbits that interest me, yet among the various security lessons that I could comment on, I think the most important thing to learn is a lesson on trust.
The best security systems are systems that are designed with minimal trust. Security professionals expect failures and plan systems to be resilient in the face of failure. Though AT&T was clearly negligent in delivering these weak devices to their customers, a well-designed network would not rely on a single product for security. Security professionals who have commented on this story, including myself, point out that we have layered defenses against attackers. Instead of trusting only my modem for my network security, I have a custom firewall and router behind the modem. I assume no trust between the devices that use my network. I strive to keep each computer or networked thing secure through best practices, and I back up my most important data because I can't trust that my computer won’t someday be compromised, despite layers of defenses.
As news unfolds of the massive Equifax data breach that spilled the personal data of hundreds of millions of consumers, it is interesting to note that Equifax claims to be "a trusted, industry-leading credit reporting agency" and AT&T calls itself "a trusted security partner." We expect this kind of general puffery from companies wanting to sell themselves, but security professionals don't think of trust as binary. Security professionals think in terms of degrees of trust. How much do I trust AT&T to provide a secure modem? How much do I trust my router and firewall to provide the security services that I expect? How much do I trust that my PC has no vulnerabilities that would allow an attacker to take control of my digital life? I assume as little trust as practical for individual systems, companies or products. I don’t even trust my own software not to have security bugs. From this mistrust arises trust, since my layered defenses and recovery mechanisms can provide for assurance and recovery, despite some points of failure."
For further reading
- Nomotion: https://www.nomotion.net/blog/sharknatto/
- Threat Post: https://threatpost.com/bugs-in-arris-modems-distributed-by-att-vulnerable-to-trivial-attacks/127753/