More than 135 million modems are said to be vulnerable to a flaw that can leave users cut off from the internet -- just by someone clicking on a trick link.
The vulnerability, found in a modem used in millions of US households, can allow an attacker with access to the network to remotely reset the device, which wipes out the internet provider's settings and causing a denial-of-service attack. Every person and device on the network will permanently lose access to the internet until the modem owner contacts their internet provider.
The problem lies with how a widely-used modem, the Arris Surfboard SB6141, handles authentication and cross-site requests. Arris (formerly Motorola) said that it has sold more than 135 million of the Surfboard SB6141 modems, but an Arris spokesperson disputed that the figure was "not an accurate representation" of the units impacted and that only a "subset" of Surfboard devices were affected. Millions of Comcast, Time Warner Cable, and Charter customers (and more) were shipped one of these modems when they first subscribed.
The flaw is so easy to exploit that anyone on an affected network can be tricked into clicking on a specially crafted web page or email. Security researcher David Longenecker, who found the flaws and posted the write-up on the Full Disclosure list earlier this week, released the "exploit" link after Arris stopped responding to emails he sent as part of the responsible disclosure process.
In fact, the flaw goes back at least eight years earlier prior to Arris' acquisition of Motorola's networking unit, according to a CERT vulnerability note dated April 2008. There's no practical fix for the flaw, according to Longenecker. "The simplest solution would be a firmware update such that the web [user interface] requires a username and password before allowing disruptive actions such as rebooting or resetting the modem, and that validates that a request originated from the application and not from an external source," he said.
Arris said that it recently addressed the access issue with a firmware update. "We are in the process of working with our Service Provider customers to make this release available to subscribers," said the spokesperson. "There is no risk of access to any user data and we are unaware of any exploits." "We take product performance very seriously. We work actively with security organizations and our service provider customers to quickly resolve any potential vulnerabilities to protect the subscribers who use our devices," the spokesperson added.
110 Reykjavik, Iceland