Security Vulnerabilities in AT&T Routers

They’re actually Arris routers, sold or given away by AT&T. There are several security vulnerabilities, some of them very serious. They can be fixed, but because these are routers it takes some skill. We don’t know how many routers are affected, and estimates range from thousands to 138,000.

Among the vulnerabilities are hardcoded credentials, which can allow “root” remote access to an affected device, giving an attacker full control over the router. An attacker can connect to an affected router and log-in with a publicly-disclosed username and password, granting access to the modem’s menu-driven shell. An attacker can view and change the Wi-Fi router name and password, and alter the network’s setup, such as rerouting internet traffic to a malicious server.

The shell also allows the attacker to control a module that’s dedicated to injecting advertisements into unencrypted web traffic, a common tactic used by internet providers and other web companies. Hutchins said that there was “no clear evidence” to suggest the module was running but noted that it was still vulnerable, allowing an attacker to inject their own money-making ad campaigns or malware.

I have written about router vulnerabilities, and why the economics of their production makes them inevitable.

Tags: , , ,

Posted on September 6, 2017 at 6:55 AM28 Comments

Comments

matteo September 6, 2017 7:35 AM

is it legal for any reason to use man in the middle to inject any kind of data in a website?
here on italy no single isp does it; but maybe it’s only because we have third world internet service (data from netindex when it was free for all).

has anyone tryied to contact EFF or set up a lawsuit?
i don’t find acceptable.

i know also some airports does that (seen on twitter) they were adding their logo as watermark down left.

Chain modems for Critically Secure Network September 6, 2017 10:42 AM

First AT&T is huge deep packet eavesdropping partner with the NSA dating back to 2005. They have every subscribers Internet/cable history dating back to the 1980s. They have thousands contracts with law-enforcement agencies, No need for search warrants. Americans are so clueless and lazy to care.
Republicans recently gave them the right to legally snoop, sell personal data and insert advertisements.

Survival of the Fittest
In America no one else cares about you: its everyman for himself. Hackers are expected and long overdue. Never use ANY part or feature of an ISP router Chain your router behind theirs! Never let an AT&T technician into your home/ Do you want 100mbs half-duplex speed?

Solution:
Using a client VPN is NOT good enough as the hackers still have access to devices on your home network. Incidentally standard routers now track and sell your data too.
For example Linksys customers are forced to agree to the very intrusive terms-of-service JUST to configure their just purchased router. Customers must identify themselves by creating an on-line cloud account.

What to Do?
The solution is to use open source software like DD-WRT, a Linux based OS to encrypt with AES 256bit.
Now ALL traffic from your household is encrypted just before it reaches the crap untrusted AT&T modem. The DD-WRT has essential two firewalls to stop corporations and hackers. Now you no why Google is heavily into routers.

I use a Linksys DD-WRT 1200AC dual core CPU modem. The new modem is reprogrammed off-line to a PC connected with an Ethernet cable BEFORE its ever used.
Now the less trusted wireless traffic can be isolated from the hard-wired network. Then the virtual wireless network devices can be isolated from each other.
Done!

Of course if you install MS (windows 10) or Google (Chrome) software they will probe and sell your data just like the hackers.
I also have a wireless remote to instantly power-off the NSA backdoored AT&T modem (during external threats or at night)

neill September 6, 2017 10:45 AM

‘ … or given away by att …’

you get what you pay for, that is the problem.

sad that folks want more and more cheap or free toys, instead of learning to live with less but better products!

albert September 6, 2017 11:55 AM

The latest Pace modem/routers from AT&T allow -anyone- with access to the network to view -all- router information, except the hardcoded default passwords (an oversight, no doubt:)

An access code is required to change anything, but once you’re inside….

. .. . .. — ….

keiner September 6, 2017 12:38 PM

@Chain…

“The solution is to use open source software like DD-WRT, a Linux based OS to encrypt with AES 256bit.
Now ALL traffic from your household is encrypted just before it reaches the crap untrusted AT&T modem.”

Eeehm, on the other side of your modem is your provider. Normally your DNS requests are completely unencrypted, so everybody knows each and every website you visit. As metadata is better than data, your lost even at this early stage.

But using free router/firewall firmware/OS (OPNsense.org on the hardware of your choice) is better than nothing.

Dirk Praet September 6, 2017 1:01 PM

@ keiner, @ Chain thingie

Normally your DNS requests are completely unencrypted, so everybody knows each and every website you visit.

You can mitigate that with DNSCrypt proxy. It’s also available for routers. OpenWRT has a wiki page on using DNSCrypt on OpenWRT. And since you should assume that any ISP provided router is compromised by definition, it is good practice to put another one you entirely control yourself between the darn thing and your own network.

Chairman Mao September 6, 2017 4:27 PM

Just another example of an orgy of copulating Wolves and Sheepdogs.

Psychopaths can’t help themselves.

If anyone wants a solution, I’ll publish one. Break out your PayPal account info for access.

Dirk Praet September 6, 2017 4:36 PM

@ keiner

In principle, yes

Cr*p. Here’s the right link. I use Unbound in conjunction with DNSCrypt on all my *BSD machines. There are a couple of decent guidelines out there for folks with a minimum of Google Fu.

Sancho_P September 6, 2017 5:20 PM

I think @Bruce’s linked article from 2014 is a cheap (MSM) song for big business and surveillance.

Automated updates? Calling for remote access to my property? A central database at the vendor with my devices and versions?

Also, there are too many bad examples of vicious updates even with dumb peripherals (e.g. HP, FTDI, [1] ), let alone Win and Mac OS, and broken HW/SW, so people are right to be afraid of updates.

Contrary, the capability to have (automated) updates is part of the problem, not the solution (“let’s sell that crap now, we may update it later”).

At the core of the problem there are secrecy and the lack of liability, both cast into law.
Corruption (= monopoly) is the end of capitalism, finally leading to disaster.

No, you don’t have to be a technician (“embedded”) or economist (“market”), morals and common sense would do.

[1] Also see linked article at https://www.schneier.com/blog/archives/2017/09/bioluminescent_.html#c6759790

Chairman Mao September 6, 2017 5:26 PM

@Sancho_P

No, you don’t have to be a technician (“embedded”) or economist (“market”), morals and common sense would do.

Psychopaths don’t have either of those qualities. They are intraspecies predators.

In a word, Criminals. By birth. Incurable.

SnarkSide September 6, 2017 7:48 PM

Maybe it should be illegal to connect a remotely managed device with default login info to the internet. In the physical world we call such things an attractive nuisance and the owner is responsible for mitigation.

VS September 6, 2017 8:54 PM

The problem is that the average customer is not well versed in this matter to demand what the customer needs. Try solving that!

Avoiding DNS Leaks with VPN September 6, 2017 9:07 PM

Ideally, when you’re using a VPN, it’s your VPN’s DNS servers translating these IP addresses into domain names, rather than your original ISP…

Preventing a DNS leak altogether is a little trickier. It helps if you’re subscribed to a VPN with DNS leak protection, like PrivateInternetAccess. To quote PIA directly, “We use our own private DNS servers for your DNS queries while on the VPN. After connecting we set your operating system’s DNS servers to 209.222.18.222 and 209.222.18.218. When using a DNS Leak testing site you should expect to see your DNS requests originate from the IP of the VPN gateway you are connected to.
If you change your DNS servers manually or if for some other reason they are changed this does not necessarily mean your DNS is leaking. Even if you use different DNS servers the queries will still be routed through the VPN connection and will be anonymous. ”

How can you fix this on your DD-WRT router? You can manually enter DNS servers to ensure no DNS leak occurs in your network.

DD-WRT routers has this essential feature to never use your ISP DNS server.

Bottom line: AT&T ISP never sees anything except gibberish. They are an expensive but dumb conduit. Don’t trust ANY ‘smart’ device.

Suggestion: Do an study on the staggering amount of electricity these always-on eavesdropping devices consume. The smart home is an energy pig, yet Silicon Valley projects a bogus green image. Yet no public descussion.
Everything is a lie from these hoodwinking people.

https://www.flashrouters.com/blog/2014/08/01/how-to-prevent-a-dns-leak/

Iggy September 6, 2017 9:52 PM

@Randal, ditto. Problem is, I own an Arris, only because it is the successor to Motorola, which Surfboard modems were (are) dependable work horses that well outlast their software. I, too, will not permit company owned equipment inside my house. They are collecting and monetizing my usage data without compensation far too much as it is.

@Chairman Mao, psychopaths manage to cloak their criminal proclivities such that it forces them to find a society accepted outlet for their evil energies. Such as take up building major corporations, hoard enough cash to indulge their true wishes while paying handsomely to keep it undetected or whitewashed.

@Schneier and All Here, what is your take on the increasing trend in checkpoint Charlie “customer service” at online retailers? The whole “you must verify your account” before they’ll tell me why my order is delayed, though I’ve already given the off-shore power tripping officious martinet the order number and my name, is driving me back to street stores. At least there, if I pay cash, I don’t get interrogated for the free data they want to sell without giving me a cut.

I tire of being the livestock. Zuckerberg and Gates would hotly deny being in the human harvesting business. Of course.

Chairman Mao September 6, 2017 10:18 PM

@Iggy

@Chairman Mao, psychopaths manage to cloak their criminal proclivities such that it forces them to find a society accepted outlet for their evil energies. Such as take up building major corporations, hoard enough cash to indulge their true wishes while paying handsomely to keep it undetected or whitewashed.

Real World Examples:
1) Child sex traffickers pose as “Save the Children” (e.g. orphanages, “DACA”, or even your state’s child welfare office.)

2) Psychiatry (e.g. “Silence of the Lambs” and “Hannibal” (Hannibal the Cannibal) Would you like fava beans with your brains?)

3) Cloud computing (e.g. donate your data to us before hackers/burglars take it)

4) Stock market (e.g. put your money into a pump-and-dump cloud computing company stock)

5) Parking Garages (e.g. Ferris Bueller’s Day Off and his friend’s Ferrari)

6) Child Abusers and Pedophiles (These are VERY “CLOAKED” because they operate within “shooting distance” — e.g. politicians and priests, babysitters, or volunteers in the kiddie care at your local church.)

7) etc.

keiner September 7, 2017 1:03 AM

@Avoid DNS leak

You can specify whichever DNS server you want in your router. If your ISP catches all traffic on port 53 (DNS, unecrypted)it can redirect ALL DNS requests to the server of its choice. See your perimeter firewall as a LAN router for the ISPs network. He can fiddle with all unencrypted traffic (e.g. DNS, nowadays) and MITM all encrypted traffic, if they want to.

DNSsec is the solution, DNSsec via encrypted DNS (TLS) the REAL solution.

Don’t trust any opaque (at best) VPN providers, they are honeypots for surveillance…

Blocked Port 53 September 7, 2017 7:46 AM

DD-WRT does not natively support DNSsec.
However I added block port 53:

Administration-→ Commands → Firewall
iptables -I FORWARD -i br0 -o tun0 -j ACCEPT
iptables -I FORWARD -i tun0 -o br0 -j ACCEPT
iptables -I INPUT -i tun0 -j REJECT
iptables -t nat -A POSTROUTING -o tun0 -j MASQUERADE
iptables -I FORWARD -p tcp –dport 53 -j DROP

https://www.dd-wrt.com/wiki/index.php/Port_Blocking

Notes:
I don’t trust VPN providers – simply from observing who they allow to eavesdrop on their website.

I too do believe many governments secretly fund cheap VPNs.

But unlike Snowden I target to reject Big-Data not the present government. From clearances they (and the Chinese) know EVERYTHING about me. I simply don’t want to be an ignorantly monetized and elect the puppeteers of Silicon Valley for president.
They (Google, Facebook, Microsoft) have already united and convincing feeble minded, addicted, malleable Americans how (ruthlessly) ‘good’ they are. When Big-Data becomes the government (in addition to news sources) all freedoms and liberties will be severely curtailed. They will rate USA citizens just like in China (my smart-phone chimed me 43 times while writing this). Those who resist will be cut-off from living.

ab praeceptis September 7, 2017 9:58 AM

keiner

DNS, ugly problem that, i.a. because it’s not just about sending requests and responses encrypted. It’s also about having signed answers (which is a beast due to the nature/structure of dns) and, of course, about the question who signed and whether that party is authorized to do so.
Another ugly problem is the way dns works practically, namely the issue of authoritative and recursive servers. If one sends an encrypted request to a recursor that system must understand the request, after all. So encrypting that wins you next to nothing; the very party that sells you out today will sell you out again (isp).
Also keep in mind that PK is expensive and would incur major cost to the providers (and btw. open an attack surface). sym. crypto, on the other hand, while still incurring some cost, would be all but mindless practically; to manage keys for each user would be too expensive and require a redesign of critical software and publishing “that’s our sym. key for dns requests” wouldn’t be particularly smart (but, I guess, the way many ISPs would go).
Which would leave us with sending requests to authoritative servers only which in itself opens a barrel of problems and moreover will have major infrastructure parties in riot mode and justifiably so because dns is a major cornerstone of the internet and was designed to be reliable. Gaining security at the expense of reliability though is not an attractive proposition.

Iggy September 7, 2017 10:30 AM

@Chairman Mao, and “Etc” indeed.

Further to my query to anyone with an opinion on the subject, the more I think about it, the less I will bother calling any vendor’s “customer service” 800 # because they are almost always located off-shore and the chances that they are legally on the hook for mismanaging my name and address are nil to less than nil. It would be so them for the vendor to make a deal for a discount with a call center by way of letting them “verify” account info that the vendor doesn’t hand to them but “allows” the call center to demand under pretext–info that is not needed to check the order status when you’ve already given them your name and order #.

Cambion.

The vendor, in this case, Best Buy, can wiggle out from under their craven collusion by putting it again, back on the customer, by letting slip from their straight faced oily lips: “We didn’t give them your name and address, you did.”

Incubus on meth.

keiner September 7, 2017 11:33 AM

@ab prae

Agree, no real solution in sight. But have to have an eye on the problems 😉

@block53

Blocking port 53 helps exactly what? I have that block, too, cause my router does the DNS. But there the problems start…

The Duck of Url September 7, 2017 9:09 PM

“In the physical world we call such things an attractive nuisance and the owner is responsible for mitigation.”

You really think that’s the best fix? EXACTLY THE WAY IT IS NOW, just not enforced.

The ONLY way to fix this is to mandate that default passwords CAN NOT BE USED.
They need a 1-time pad = a router sticker password. Guard it with your device’s life.

Putting out hundreds of thousands of easily compromised devices with essentially ZERO SECURITY by default, which IS what a default password IS, OUGHT TO BE punishable by a per-device fine like anyone peddling faulty defective products would face.

tts September 8, 2017 4:13 PM

From the NSA on securing your Home Network (pdf)
https://www.nsa.gov/resources/everyone/digital-media-center/video-audio/information-assurance/assets/files/best-practices-for-keeping-your-home-network-transcript.pdf

“TITLE: NETWORK RECOMMENDATIONS]
[sub-Title: 1. Home Network Design]
Narrator: The Internet Service Provider, or ISP, may provide a cable modem with routing and wireless capabilities as part of the consumer contract. To maximize the home user’s
administration control over the routing and wireless device, deploy a separate personally-owned routing device that connects to the ISP provided router or cable modem.
[graphic: Typical SOHO Configuration graphic]
Narrator: Figure 1 depicts a typical home network configuration that provides the home user with the network infrastructure to support multiple systems as well as wireless networking and IP telephony services.

[TITLE: NETWORK RECOMMENDATIONS]
[sub-Title: 2. ImplementWPA2 on Wireless Network]
Narrator: The wireless network should be protected using Wi-Fi Protected Access 2, or WPA2, instead of Wired Equivalent Privacy, or WEP. Using current technology, WEP encryption can be broken in minutes if not seconds by an attacker, which afterwards allows the attacker to view all traffic passed on the wireless network. It is important to note that older client systems and access points may not support WPA2 and will require a software or hardware upgrade. When researching for suitable replacement devices, ensure that the device is WPA2-Personal certified.

[TITLE: NETWORK RECOMMENDATIONS]
[sub-Title: 3. Limit Administration to Internal Network]
Narrator: Administration of home networking devices should be from the internal-facing network. When given the option, external remote administration should be disabled for network devices. Disabling remote administration prevents an attacker from changing and possibly compromising the home network.

[TITLE: NETWORK RECOMMENDATIONS]
[sub-Title: 4. Implement an Alternate DNS Provider] Narrator: The Domain Name Servers, or DNS, provided by the ISP typically don’t provide enhanced security services such as the blocking and blacklisting of dangerous and infected web sites. Consider using
either open source or commercial DNS providers to enhance web browsing security.

[TITLE: NETWORK RECOMMENDATIONS]
[sub-Title: 5. Implement Strong Passwords on all Network Devices]
Narrator: In addition to a strong and complex password on the wireless ac
cess point, a strong password needs to be implemented on any network device that can be managed via a web interface. For instance, many network printers on the market today can be managed via a web interface to configure services, determine job status, and enable features such as email alerts and logging.”

Questions- How about:

1) set ipv6 to link local on router
2) use double nat vs. put isp router in bridge or passthrough mode
search passthrough mode for potential problem devic arounds in AT&T Arris routers in https://www.nomotion.net/blog/sharknatto/
3) use Google or OpenDNS DNS servers on the router
4) ignore ISP router overall, leave-as, maybe turn off wi-fi on it or use ISP wi-fi for a guest network.
5) assume the router isn’t going to be flashed with non-oem firmware
6) use DNSCrypt on individual devices on an optional basis https://dnscrypt.org/
7) don’t log anything or log what
8) anything else for small business or home users

Winston Smith September 8, 2017 10:10 PM

“DD-WRT does not natively support DNSsec.”

Shibby Tomato open source router firmware supports DNSsec natively. Easy to implement. Specify manually if you wish, too.

Change log: http://tomato.groov.pl/?page_id=78

I’d also recommend pfSense or its equivalent: https://www.pfsense.org/

Agreed that no one should trust the ISP or their hardware. These corps are ‘on the take’ with the new “data analytics” business model. Public doesn’t care = more of the same for the foreseeable future.

tts September 10, 2017 2:10 PM

@Sancho_P wrote

“Automated updates? Calling for remote access to my property? A central database at the vendor with my devices and versions?

Also, there are too many bad examples of vicious updates even with dumb peripherals (e.g. HP, FTDI, [1] ), let alone Win and Mac OS, and broken HW/SW, so people are right to be afraid of updates.”

One reason I have used Apple Routers is that they have periodic security updates. I tend not to have automatic updates for the routers turned on, but usually update the router firmware manually when there is a a Apple security update announcement. In addition, the Apple Routers have been relatively hassle free (for example, periodically unplugging them and the ISP routers for 30 seconds, or more).

Does anybody know for a fact that Apple security updates have been interdicted, forged, etc., or if governments have forced malware Apple security updates upon Apple customers (through NSLs, secret laws, etc.) in the U.S. or other countries?

Regardless the TP-Link AC1750 or Archer C7 router may have gotten good reviews and I think Clive Robinson may have mentioned TP-Link previously and in regard to litigation with the FCC involving open firmware.
https://www.newegg.com/Product/Product.aspx?Item=N82E16833704177
https://www.nytimes.com/interactive/2015/10/07/technology/personaltech/wirecutter-best-routers.html
https://arstechnica.com/information-technology/2016/08/fcc-forces-tp-link-to-support-open-source-firmware-on-routers/
https://www.pcmag.com/review/352074/tp-link-archer-c7-ac1750-wireless-dual-band-gigabit-router

Finally, mesh wifi has gotten a lot of buzz. Does anyone have thoughts regarding pros and cons or things to consider regarding things like eero or “mesh” wifi or opensource alternatives in general for a single building up to shared community wifi for up to a fifty acre residential community in the U.S.
https://finance.yahoo.com/news/david-pogue-eero-google-wifi-luma-netgear-orbi-linksys-velop-plume-amplifi-hd-214811424.html
https://arstechnica.com/gadgets/2016/12/review-comparing-google-wifi-to-other-mesh-networking-heavyweights/
https://en.wikipedia.org/wiki/Mesh_networking
https://en.wikipedia.org/wiki/Wireless_mesh_network

Chris December 29, 2019 8:47 AM

Not exactly related to this AT&T router problem perse, but since i just learned a couple of new badwords due to mDNS and AVAHI in Linux, I happened to have it in fresh memory, since at least some AT&T routers forwards .local zone in their DNS forwarders, why would they do that ? is another story ? perhaps just a bug

http://wiki.networksecuritytoolkit.org/index.php/NST_Avahi_(mDNS)_FAQ

/Who let this AVAHI nonsense in in the firstplace is beyond me allthough
i get it that people have better things to do than learn networking ?
but in linux? why? and totally impossible toget rid of since this gordian
knot is twined to everything it almost seems as if everything needs AVAHI all of a sudden, like meh, really annoyed abt it infact

…enouff said

Clive Robinson December 29, 2019 4:21 PM

@ Chris,

Who let this AVAHI nonsense in in the firstplace is beyond me

Apple is the root cause… AVAHIA is designed to be compatible with their “Bonjour” “Service Discovery Protocol”[1] which was designed to make any Mac plug and play into other networks. So you could have your home network configured one way and the office network another. Plug your laptop in or connect your smart device and it automatically configures all sorts of services such as network printing, storage and other service resources etc.

Like all Service Discovery Protocols it has some security implications, thus some would rather not have it on their network at all. It’s a while since I looked at it and in effect said “not on my doorstop” because I could see it was going to be way more work and trouble than I had need of to get any benifit (YMMV especially if you are an education facility or large distributed corporate).

However Debian and other Linux systems built upon it now have AVAHIA built in as standard and Red Hat appears to be doing the same. As you note disabling and removing AVAHIA can be quite a bit of non obvious work. And unless you are “nomadic in the work place” where there are lots of sepetate networks it is probably not a lot of point setting it up in the first place (though some obviously think it’s “sliced bread” and “a better mousetrap” combined).

[1] If you want to know more look-up DNS Service Discovery (DNS-SD RFC 6763) over Multicast DNS (mDNS RFC 6762).

Leave a comment

Login

Allowed HTML <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre> Markdown Extra syntax via https://michelf.ca/projects/php-markdown/extra/

Sidebar photo of Bruce Schneier by Joe MacInnis.