Arris / Arris-variant DSL/Fiber router critical vulnerability exposure
derekabdine.com
I read this and _instantly_ wonder if it's viable for certificate extraction to bypass the god-awful NAT system in AT&T's equipment, a-la pfatt: https://github.com/MonkWho/pfatt
Edit: Ah yes, this is covered in the section "Obtaining the certificate via reboot & exploitation"
Sadly my hardware appears to be patched.
You can downgrade the firmware and extract the certs: https://www.dupuis.xyz/bgw210-700-root-and-certs/
However, AT&T added another layer of authentication in mid-2021 that precludes the use of third-party hardware. I don't think that part has been cracked yet.
You don't need the 802.1x certificate, it's never actually been needed: https://www.dslreports.com/forum/r33442912-AT-T-Fiber-Bye-by...
That's a very interesting thread. Looks like things haven't been figured out to the point of prescriptive directions, but thank you very much for bringing it to my attention. Will keep my eyes on it.
>It is possible to recover the WiFi access code and SSID, remote administration password, SIP credentials (if VoIP is supported), ISP CWMP/TR-069 endpoint URLs and their username and password as well as other sensitive information, although some parts may require more complicated techniques or computing resources that may not be available to all attackers. Network-based unauthenticated exploitation is most severe if the router’s web services (such as the administration portal) are exposed to the Internet, though it can also be exploited on the LAN.
Just a few weeks ago I got another Arris S33 modem for a client using cable; it's fairly well regarded. While this vulnerability doesn't list those, to me this further highlights how it can be valuable to separate out networking components vs all-in-one. The modem is purely a modem and talks only to the ISP. The router is a SuperMicro system running OPNsense, which then goes out to TP-Link Omada (or UniFi at another older site) gear for switching and WiFi. There is a network control VLAN as well as an admin VLAN accessible only via WireGuard, which is the only way to get to the modem's admin page from the LAN. Controllers are self-hosted, with network control VLANs at multiple sites again routed via WG to the controller.
While there are other advantages as well in terms of being able to replace parts piecemeal for less, better coverage, etc., it's also nice in that a vuln in one thing doesn't necessarily mean everything else instantly collapses, and it's easier to have multiple layers. The router is still a chokepoint, but fully open source and standard hardware at least mean a lot of extra eyes and tools can be applied to it, and one is never at some vendor's mercy for firmware updates. Modem compromise wouldn't affect the LAN beyond potentially messing with WAN access, which would be noticeable fairly quickly. Default LAN users can't easily touch any of the infrastructure either. All while being transparently usable with internet of shit stuff that people want to utilize. Full zero-trust or a virtual overlay network might be better yet, but starts to run into the same legacy issues that hound so much of the industry, particularly for non-tech SoHo/SMB. While it's unfortunate how riddled with issues a lot of ISP devices have tended to be, it's pretty nice what reasonably priced powerful options exist for anyone with networking now across a huge range of skill levels. It could be much better still, but it's not nothing.
Arris DOCSIS modems probably still have a lot of Motorola DNA in them since Arris's 2012 acquisition of Motorola Home.
I have a box somewhere with near-identical Motorola/Arris surfboards other than the logo and color.
I just dug an old sb6141 out of a parts bin and hit it with the POCs. Got 400s despite it running an http server of some sort, so not sure how broadly this affects the modem lines. Would definitely be nice to have more comprehensive info on what is affected.
>Arris DOCSIS modems probably still have a lot of Motorola DNA in them since Arris's 2012 acquisition of Motorola Home.
I would assume so, but cable modems are such an obvious major target that I'd be very surprised if they didn't check as well, so the absence is notable. There may be some divergence due to them not being AIO devices, or requirements from the cable companies over the last decade. Or of course it could be that it's still not publicly disclosed, but that'd be a bit surprising too, since I'd expect any attackers to immediately go check every single other Arris product right away on seeing this.
At any rate, though, while it's something I'll now be keeping an eye on, I'm still satisfied that the modems are fairly well walled off too. It's a wild world out there, and incidents like this are nice to point to when management asks if it's worth the bit of extra trouble to have even some minimal separation. Just the performance benefits of having WAPs ideally positioned for wireless vs dictated by where the WAN link comes in is of course helpful as well; there are some real performance and coverage deliverables that everyone can feel in day to day usage that come from separating out functionality as well. But efforts to go after network infrastructure itself are certainly ongoing too; it's a good compromise target both directly and in terms of pivoting to everything else. From a public good standpoint, router botnets are also a real hassle to the rest of the planet since they're used for a range of other bad activities.
Since you've operated both, what's your opinion on the Ubiquiti vs the TP-Link Omada and why did you switch?
I've done something similar with a Mikrotik CRS-309 as a router and some Ubiquiti U6 Meshes. The fiber ISP here leaves it to the owner to buy their own hardware to connect to an Icotera in bridge mode. I believe it allows the ISP to reduce their operating costs since there's no need to support a complex all in one router / switch / AP. Anything beyond the bridge is the user's responsibility.
>Since you've operated both, what's your opinion on the Ubiquiti vs the TP-Link Omada and why did you switch?
Not sure if you'll see this but I'll give it a shot, and I haven't entirely switched yet, I've just been starting the process. You can do a quick search for "xoa unifi" here and switch to comments to see a bunch of history, but in short I was a huge fan of Ubiquiti and, while never huge, did end up installing a few hundred pieces of their gear across a number of sites. But due to very bad leadership the company has become a dumpster fire of development, which became impossible to ignore maybe 3-4 years ago, and since then the trajectory has continued relentlessly with the kind of sickening momentum that we've all seen so often before and is yet so hard to stop. The old forums are dead and the community has degraded in turn; there's a lot of textbook bikeshedding, changing around the UI and constantly churning shiny graphs and more hardware, while all sorts of bugs and basic reliability issues fester. Really basic critical features left sitting for years. There is no sort of feature or issue tracker. I don't want to repeat everything because it's been such a saga and depressing waste of potential, but the writing has been on the wall for UniFi for a good long while (their PtP/PtMP gear is still viable in many situations, though serious issues have cropped up there too in some lines). On the other hand, with a sort of grim irony, one of the core promises of UniFi has been proved by this very situation: by enabling full self-hosting and fairly decent isolation and decoupling of functionality, even the company behind it descending hasn't torched things, and has allowed a more graceful off ramp. I was able to switch all my routing/gateway functionality to OPNsense, giving another few years for the far less problematic switching/wifi. The gear could all be run with a management VLAN routed to the controller via WireGuard tunnels, which meant not having to have anything exposed to the general web or even regular LAN users, significantly reducing my concerns about its insecurity.
So while I'm sorry it actually became necessary, I definitely feel vindicated about being concerned about subscriptions or cloud lock-in. If this same thing was happening with that it'd be a lot worse.
TP-Link Omada is effectively a UniFi clone, and I mean that in the relatively nice sense. They also offer a centralized controller that you can self-host. I think it's clear who they're gunning after a bit. And it is in many respects rougher, being relatively new. The physical design of the hardware is a lot worse, which does indeed matter. The product lines are confusing despite having far less old junk. It doesn't have certain cool useful niche hardware. Their build system clearly needs work; the Linux release of a given version sometimes randomly lags a while behind the Windows version for no clear reason. Etc. Even so, the trajectory is very much better. They've made more improvements and added more important functionality in a year than Ubiquiti has in 4. The networks are more reliable and less quirky so far. TP-Link just this year added PPSK capability, which is super useful for networks with a lot of BYOD, including all the massive numbers of electronics that don't support WPA-Enterprise, or even those that do but have miserable onboarding without some paid solution. People hacked together a proof of concept of that on UniFi over 3 years ago, which Ubiquiti then never bothered with since.
Again, I haven't "switched" entirely yet, except in terms of 100% of routing moving to OPNsense from USGs over the last few years, which I've been very happy with. I did one small scale Omada replacement and was satisfied, and just finished a much larger replacement which I'm going to kick the tires on for a while before ripping out the rest of my UniFi gear and moving on for good. So I'm not at the point of strongly recommending it to anyone yet. And it's worth noting too that we're on the verge of seeing WiFi 7 kit start to roll out, and that is an unusually big deal, since it'll probably be the place where we're really going to see 6 GHz uptake (6E ended up being a bit of a placeholder there). We may never see another big new chunk of spectrum like that released again. So there is good reason to see how that transition is handled over the next 6-9 months anyway.
But with all those caveats I'm still much more bullish on Omada now in the "self-hosted centrally controlled no-dependency switching/wifi network stack" category, and happy there is even direct competition for UniFi at all. The concept is solid and the potential was huge; the execution has just been abysmal for a while, is all :(. I'd love it if they changed course still, but at this point I don't think that can happen unless the company goes through some major challenges. If you don't actually care about avoiding cloud dependencies, more control, or larger scaling/running a herd and the like, though, there are other good options to look at like Aruba Instant-On or even various mesh choices; Amazon's Eero offers surprisingly strong performance for the price, for example. Lots of stuff is at least better than what most ISPs offer :).
> Not sure if you'll see this but I'll give it a shot
Thank you :)
The Wikipedia page on Ubiquiti also paints a bleak picture of the company; GPL violations, vulnerabilities, etc. I admit I bought 2 U6 Meshes on account of them passing the wife acceptance test, and so far they've been good (some minor "Multicast Enhancement" issues aside). I haven't been interested in their router / gateway offerings since I think there's better out there with a better bang for buck. But it's promising hearing about TP-Link's efforts and I'll certainly give them another look if I need more Wi-Fi gear.
How do companies like Arris keep getting work?
I have an ISP supplied Arris Cable Modem (luckily not vulnerable) and it is dreadful. The UI is shonky, looking at the HTML & CSS underlying it is enough to make you weep, outdated JS libraries, and - seemingly - no software updates.
I could just about understand if it was stable and gave good WiFi - but the ISP's forums are full of people complaining about it.
All I can assume is that Arris is £1 cheaper than the next model, and the ISP has decided that dealing with customer complaints is cheaper than a higher CapEx.
For Frontier / Ziply users using an NVG448 - it's also affected.
This modem is the last released DSL modem that Ziply seems to be supporting :c
I wish Ziply would officially support more modern DSL modems like the hardware that is in the C4000BG, that modem is able to make marginal DSL circuits perform so much better.
Test Typedream comment
Pardon me for ignoring the implied "please ignore", but I'm very curious what "typedream" refers to? The only references I can find online are to a website builder platform, but the name sounds like it could represent a client app or maybe even a keyboard?
Hey there,
Yes please ignore the comment!
Also, yes, it's a website builder! this comment was to test a notification tool that I'm using right now to notify whenever a new mention of "Typedream" shows up on HackerNews!
Routers should not contain http servers, nor any other connection-oriented server that can accept. Just stop doing this.
How are the users going to manage the router without it? They just need to do it securely, and have better ways to auto update.
By inverting the direction of control, such that the network device initiates connections to canonical addresses to receive their initial configurations.
By canonical addresses are you referring to dns that can be spoofed or IP addresses that can be rerouted?
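One way to make the "device initiates the connection" model survive the DNS-spoofing and IP-rerouting concern raised above is to have the device trust a pinned public key rather than the address it reached: whatever endpoint answers, the configuration it returns must carry a valid signature and a version newer than what is installed, so a spoofed name or rerouted route yields a rejected manifest, not a compromised router. The following Go program is an added example written for this thread, not code from any router vendor or from the article under discussion; the manifest format, the `/config/<serial>` path, the serial numbers and the in-process `httptest` provisioning server are all hypothetical.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// Manifest is the hypothetical configuration document a device pulls.
// Serial binds it to one device; Version makes replay/rollback detectable.
type Manifest struct {
	Serial  string `json:"serial"`
	Version uint64 `json:"version"`
	Config  string `json:"config"`
}

// SignedManifest carries the raw manifest bytes plus a detached Ed25519 signature.
type SignedManifest struct {
	Manifest []byte `json:"manifest"`
	Sig      []byte `json:"sig"`
}

// SignManifest is the provisioning-server side: sign the exact bytes the device will verify.
func SignManifest(priv ed25519.PrivateKey, m Manifest) (SignedManifest, error) {
	b, err := json.Marshal(m)
	if err != nil {
		return SignedManifest{}, err
	}
	return SignedManifest{Manifest: b, Sig: ed25519.Sign(priv, b)}, nil
}

// VerifyManifest is the device side. It checks the signature against the pinned
// key BEFORE parsing, then binds the manifest to this serial and requires a
// strictly newer version so a captured older manifest cannot be replayed.
func VerifyManifest(pub ed25519.PublicKey, sm SignedManifest, serial string, lastVersion uint64) (*Manifest, error) {
	if len(sm.Sig) != ed25519.SignatureSize || !ed25519.Verify(pub, sm.Manifest, sm.Sig) {
		return nil, errors.New("manifest signature invalid: endpoint is not the provisioning authority")
	}
	var m Manifest
	if err := json.Unmarshal(sm.Manifest, &m); err != nil {
		return nil, err
	}
	if m.Serial != serial {
		return nil, errors.New("manifest was issued for a different device")
	}
	if m.Version <= lastVersion {
		return nil, errors.New("manifest version not newer than installed (replay or rollback)")
	}
	return &m, nil
}

// PullConfig is the only network activity the device performs: an outbound GET.
// The device never listens, so there is no admin HTTP server to exploit.
func PullConfig(baseURL string, pub ed25519.PublicKey, serial string, lastVersion uint64) (*Manifest, error) {
	resp, err := http.Get(baseURL + "/config/" + serial)
	if err != nil {
		return nil, err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return nil, fmt.Errorf("provisioning server returned HTTP %d", resp.StatusCode)
	}
	var sm SignedManifest
	if err := json.NewDecoder(resp.Body).Decode(&sm); err != nil {
		return nil, err
	}
	return VerifyManifest(pub, sm, serial, lastVersion)
}

// NewProvisioningServer stands in for the "canonical address" with an in-process
// HTTP server; an attacker who spoofs DNS can run one of these, but not sign with our key.
func NewProvisioningServer(store map[string]SignedManifest) *httptest.Server {
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		sm, ok := store[strings.TrimPrefix(r.URL.Path, "/config/")]
		if !ok {
			http.NotFound(w, r)
			return
		}
		_ = json.NewEncoder(w).Encode(sm)
	}))
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // pub is what the device would pin at manufacture
	const serial = "HYPOTHETICAL-0001"
	good, _ := SignManifest(priv, Manifest{Serial: serial, Version: 2, Config: "wan=dhcp lan=192.168.1.0/24"})
	srv := NewProvisioningServer(map[string]SignedManifest{serial: good})
	defer srv.Close()
	m, err := PullConfig(srv.URL, pub, serial, 1)
	fmt.Println("genuine server:", m, err)

	// Spoofed endpoint: valid JSON, valid Ed25519 signature, but under the attacker's key.
	_, evilPriv, _ := ed25519.GenerateKey(rand.Reader)
	evil, _ := SignManifest(evilPriv, Manifest{Serial: serial, Version: 9, Config: "dns=attacker"})
	evilSrv := NewProvisioningServer(map[string]SignedManifest{serial: evil})
	defer evilSrv.Close()
	_, err = PullConfig(evilSrv.URL, pub, serial, 1)
	fmt.Println("spoofed server:", err)
}
```

The address the device dials is deliberately untrusted here: transport security (TLS with a pinned CA) would add confidentiality, but the authorization decision rests on the offline signature and the version counter, which is what stops a rerouted or spoofed endpoint from pushing configuration. A real design would also persist the last accepted version across reboots, since the rollback check is only as good as that stored value.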
A nice idea in theory, I'd love to manage networks devices using some open standard. However, I can already see what would happen if this were to become reality:
"You wish to configure your router? For your safety, you can only configure our VaporWare™ SecuRouter with our dedicated Windows 11 or phone app. Do note that any ad or tracking blockers might interfere with our super privacy preserving app (trust us, really!).
Only Android, iOS, and Windows 11 are supported. App does not work without Internet connectivity. Android devices require Google Play services. Jailbreak and root access will trigger our SecuRouter Secure Data Protection mechanism and disable access from your IP address. Privacy agreements and terms and conditions apply. Product may not be sold in areas covered by the GDPR."
In fact, I've had to deal with routers that required me to log in through the ISP website rather than locally because of "security".
You can make up whatever fallacious slippery slope arguments you care to invent, but such routers already exist and they are the best, most secure routers you can buy.
Those routers you can get now are only for dumb residential nonces, and routers for anything heavier duty than that all have at least a console connection available, even if they have a cloud management component.
May I ask what are those routers?
He's probably talking about Nest, Eero, AirPort (RIP), etc.
Yeah... https://support.google.com/googlenest/answer/11257354?hl=en
I understand that it's already insecure but seriously?
Name another 7-year-old home wifi access point that still gets manufacturer software updates. The contemporaneous Asus RT-N66U stopped getting new releases years ago and in all likelihood contains a bunch of vestigial vulnerabilities. OnHub got scores of software updates over its life and the only time they had a CVE it was patched and pushed to all hardware globally in less than 24 hours. I don't see how this model of control is not clearly superior.
A Cisco 8200 would probably be what he wants.
A serial port? Or perhaps these days, a USB one.
Bluetooth and a smartphone. I am being facetious. Please for the love of God do not start doing this!
Monolithic network appliances, computers, endpoints, etc are fundamentally designed without a security-first posture.
There's nothing conceptually wrong with a modem that also contains a NAT firewall/router/switch/(WAP). But in practice, even examining the hardware architecture of a consumer-grade router reveals fundamental design flaws in terms of the monolithic nature of the hardware architecture. Thus, using separate appliances for modem, router, switch, etc., that are physically separated, is still a good idea.
Of course, once you pick apart the shortcomings of a global TCP/IP network itself, it's clear that a single pipe connected directly to the internet is also a horrible idea, security-wise. I have been asking myself of late: "Self, if we were to design the internet from scratch and from security-first principles, how would it look?" Doing so requires detaching entirely from the existing mess we've created. Actually building a new security-first internet with backwards-compatibility would be an enormous increase in complexity, and would put into question the viability of the security of trillions in investment into entrenched global-scale infrastructure. Thus, any attempts to solve this problem -- essentially boiling the ocean(s) -- are likely to remain (literally) a (multi-)pipe dream.
However, I am hopeful that new initiatives to build out 'hyperscale' and 'edge' clouds will present a genuine opportunity to realize the dream of a secure internet, secure networking, secure devices.
>from scratch
You do realize that this is already a red flag, right? In 99% cases the decision to start from scratch when you already have something well established is a mistake.
SOP: Build "from scratch" as a superset on the existing legacy.