
SURFboard Cable Modems Vulnerable to Remote DoS Exploit

A vulnerability has been discovered in the popular line of Arris (formerly Motorola) SURFboard cable modems. The exploit allows remote attackers to reset the modems, knocking victims offline for up to 30 minutes — it’s a denial of service attack, not one that exposes personal information. The problem could be fixed with a firmware update, but unfortunately, there’s no mechanism that enables users to update their cable modems. Updates must be pushed out by Internet service providers, many of whom update only leased modems, not those owned by customers. If you have one of these modems, talk to your ISP about an update.


Comments about SURFboard Cable Modems Vulnerable to Remote DoS Exploit

John Robinson (TidBITS Supporter) 2016-04-08 19:10
I bought a Motorola Surfboard SB6121 DOCSIS 3.0 Cable Modem in mid 2014. I don't understand if this denial of service attack will hit all Motorola or just Arris Motorola. I understand that the Arris is a 3 in 1, and mine is only a modem. I just don't understand why all modems aren't affected and not this one brand. And maybe I don't have to know, but it would be nice to understand why it is only the Arris.
John G in Orlando 2016-04-09 22:50
It may affect any recent Motorola or Arris cable modems.
The quickest way to check is to see if you can access your cable modem's administration interface.
Type: 192.168.100.1 into a web browser address bar with a computer or device that is connected to your home network.
If you can see the administration interface without having to log in with a user-name and password, then your modem is at risk.
My understanding is that the administration interface can only be accessed from within the network and not from the outside. So for the attack to work a malicious person has to trick a person into using a link that sends the restart or reset signal to the cable modem. It takes about 5 to 10 minutes for a cable modem to reset.
It would take an attacker getting a script that launched every 5 minutes to reset the modem to maintain the denial of service attack.
John Robinson (TidBITS Supporter) 2016-04-10 14:45
John, I inserted, http://192.168.100.1/index.htm, into the Safari google search and came across a Surfboard Status window. Under Configuration is the RESET button. It works. What I don't understand is how someone can sit outside my firewall and reset MY modem. I can understand if they were controlling my network from some malicious software, but I see no signs of this, nor have I clicked any unknown emailed links to give them access, so how can they command reset the modem, if they aren't in my network? Sorry, I am slow to some things.
Curtis Wilcox (Friend of TidBITS) 2016-04-10 14:50
They trick you into clicking a link that points to the particular URL(s) at http://192.168.100.1. I followed the article links, and one says an image tag that has the particular URL as its src, even though that's clearly not an image, is sufficient to make it work, so you don't have to click anything, just visit the bad page.
John Robinson (TidBITS Supporter) 2016-04-10 14:59
Curtis, so simply visiting a previously unvisited website can set off the reset command implanted in the webpage?
John G in Orlando 2016-04-10 17:32
Basically, a malicious person can hide the reset instruction in HTML code, so when a person loads the web page the reset command is sent to the modem.

For example, a normal bit of HTML code to present a picture would look something like:

An attacker would instead use something like :

which would trick your web browser into going to the modem's administration page and pressing the reset button.
Obviously, "secret_reset_code" is not the actual attack method. I do not want people to accidentally click on the real thing.
The danger here is that the modem reset method can be hidden in any website, and the moment a person's web browser comes across it, the modem will be reset, thus knocking a person offline until the modem finishes resetting.
The attack will only work when a person loads or visits that particular web page with the hidden reset code, and it will run each time the page is loaded.


John G in Orlando 2016-04-10 17:38
Oops, the comment system stripped out my HTML code examples, which is actually a good security practice.

Let me try again without the HTML tags.
HTML to present a picture would normally look like:
img src="funny_cat_photo.jpg"
and an attacker would replace it with something like:
img src="192.168.100.1/secret_reset_code"
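The two comments above describe why a bare image tag is enough: the modem's admin page performs a state change on an unauthenticated GET, and a browser will happily send that GET on behalf of whatever page embedded the tag. The following is an added example, not code from the thread, Arris, or TidBITS. It models the modem's web server as a policy function and contrasts the behaviour described above with a hardened policy that requires a logged-in session, a POST, a same-origin Origin/Referer header, and a CSRF token. The "/reset" path, the cookie and form field names, and the session store are all assumptions; the real reset URL is deliberately not on this page.

```python
"""Why an <img> tag can reset the modem, and what a fixed admin page checks.
Added example; all paths, header and field names are constructed placeholders."""
import hmac
import secrets
from dataclasses import dataclass, field

MODEM_ORIGIN = "http://192.168.100.1"   # address named in the thread
RESET_PATH = "/reset"                   # assumed placeholder, not the real URL


@dataclass
class Request:
    """Minimal model of an HTTP request as the modem's web server sees it."""
    method: str
    path: str
    headers: dict = field(default_factory=dict)
    cookies: dict = field(default_factory=dict)
    form: dict = field(default_factory=dict)


def vulnerable_reset_allowed(req):
    """Behaviour the thread describes: no login, and a plain GET resets the
    device.  Any page the browser renders can issue such a GET (an <img>
    tag is enough), so a third-party page can knock the modem offline."""
    return req.path == RESET_PATH


class AdminSession:
    """Server-side session store: session id -> per-session CSRF token."""
    def __init__(self):
        self._sessions = {}

    def login(self):
        """Hypothetical successful login; returns (session id, CSRF token)."""
        sid = secrets.token_urlsafe(32)
        token = secrets.token_urlsafe(32)
        self._sessions[sid] = token
        return sid, token

    def token_for(self, sid):
        return self._sessions.get(sid)


def _same_origin(headers):
    """Trust Origin when present; fall back to Referer; deny when neither
    shows the request came from the modem's own UI."""
    origin = headers.get("Origin")
    if origin is not None:
        return origin == MODEM_ORIGIN
    return headers.get("Referer", "").startswith(MODEM_ORIGIN + "/")


def hardened_reset_allowed(req, sessions):
    """State change only via POST, from an authenticated session, with a
    CSRF token the embedding page cannot read, and a same-origin header."""
    if req.path != RESET_PATH or req.method != "POST":
        return False                      # an <img> tag can only send GET
    token = sessions.token_for(req.cookies.get("session", ""))
    if token is None:
        return False                      # not logged in
    if not _same_origin(req.headers):
        return False                      # browser says it came from elsewhere
    supplied = req.form.get("csrf_token", "")
    return hmac.compare_digest(supplied, token)   # constant-time compare


def scenarios(sessions):
    """Constructed requests: the img-tag GET from a third-party page, a forged
    cross-site POST (browser attaches the cookie, attacker lacks the token),
    and a legitimate click on the admin UI's own reset button."""
    sid, token = sessions.login()
    return {
        "img": Request("GET", RESET_PATH,
                       headers={"Referer": "http://third-party.example/page.html"},
                       cookies={"session": sid}),
        "forged": Request("POST", RESET_PATH,
                          headers={"Origin": "http://third-party.example"},
                          cookies={"session": sid}, form={"csrf_token": "guess"}),
        "legit": Request("POST", RESET_PATH,
                         headers={"Origin": MODEM_ORIGIN},
                         cookies={"session": sid}, form={"csrf_token": token}),
    }


if __name__ == "__main__":
    store = AdminSession()
    for name, req in scenarios(store).items():
        print(f"{name:7s} vulnerable={vulnerable_reset_allowed(req)} "
              f"hardened={hardened_reset_allowed(req, store)}")
```

The order of the checks matters for the thread's point: the GET/POST and login checks alone already stop the image-tag case, the Origin/Referer check stops a script on another page from posting the form, and the per-session token covers browsers that omit Referer for privacy reasons. Marking the session cookie SameSite=Strict would add a further layer, but it is not modelled here because the policy should not depend on the client honouring it.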
John Robinson (TidBITS Supporter) 2016-04-10 17:59
It's amazing that no one thought of this before. It's really stupid to not lock this interface w a password. Just my two cents.
John G in Orlando 2016-04-10 20:45
I totally agree, the hack itself is not really impressive, it is the lack of care and stupidity of the modem manufacturer that is surprising.
Like the article said, if the modem admin page was protected by a username and password, the attack would not work at all.
Worse, when they do eventually add authentication, they will probably ship it with a default username like "admin" and a password of "password", which is just as bad as not having authentication.
Curtis Wilcox (Friend of TidBITS) 2016-04-10 15:03
You can prevent this attack by configuring your Mac to not allow connections to the modem's ip address.

sudo route add 192.168.100.1 127.0.0.1

This command says data going to the address 192.168.100.1 (the modem's address) should go via 127.0.0.1 as a gateway. But 127.0.0.1, aka localhost, is just your own computer so it doesn't actually go anywhere.

To undo, restart your computer or use this command:

sudo route delete 192.168.100.1

If you want the route added every time the Mac boots, it can be done using a cron job or LaunchDaemon.

A similar command could be used on a highly configurable home router (e.g. one running OpenWRT) to block all traffic to the modem's address instead of expecting each client on your home network to do it.
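Curtis's route above is forgotten at every restart, and he mentions a LaunchDaemon as the way to make it persistent. The script below is an added example, not something posted in the thread, that builds such a LaunchDaemon job with Python's standard plistlib: run without arguments it prints the plist, run as `sudo python3 block_modem_route.py --install` it writes the file to /Library/LaunchDaemons with the root:wheel ownership and 0644 mode launchd requires and loads it. The job label and file name are assumptions; the modem address and the route command are the ones Curtis gave. Because the gateway is loopback, the route can be added at boot before any network interface is up.

```python
"""Generate (and optionally install) a macOS LaunchDaemon that re-adds the
null route for the cable modem's address at every boot.  Added example; the
label and plist file name are assumptions, not from the thread."""
import ipaddress
import os
import plistlib
import subprocess
import sys

MODEM_IP = "192.168.100.1"            # address given in the thread
LABEL = "local.block-modem-route"     # assumed label in launchd's reverse-DNS style
PLIST_PATH = f"/Library/LaunchDaemons/{LABEL}.plist"


def valid_ipv4(addr):
    """True if addr parses as a dotted-quad IPv4 address."""
    try:
        ipaddress.IPv4Address(addr)
        return True
    except ValueError:
        return False


def build_daemon(modem_ip=MODEM_IP):
    """Return the launchd job as a dict.  RunAtLoad makes launchd run the job
    once when it is loaded; for a file in /Library/LaunchDaemons that means
    once per boot.  The command is the one from the thread: route the modem's
    address via 127.0.0.1 so packets to it never leave this Mac."""
    if not valid_ipv4(modem_ip):
        raise ValueError(f"not an IPv4 address: {modem_ip!r}")
    return {
        "Label": LABEL,
        "ProgramArguments": ["/sbin/route", "add", modem_ip, "127.0.0.1"],
        "RunAtLoad": True,
    }


def render_plist(modem_ip=MODEM_IP):
    """Serialise the job to the XML property list launchd reads."""
    return plistlib.dumps(build_daemon(modem_ip), fmt=plistlib.FMT_XML)


def install(path=PLIST_PATH):
    """Write the plist with root:wheel ownership and mode 0644 (launchd
    refuses daemons with looser ownership) and load it.  Needs sudo."""
    with open(path, "wb") as fh:
        fh.write(render_plist())
    os.chown(path, 0, 0)
    os.chmod(path, 0o644)
    subprocess.run(["launchctl", "load", "-w", path], check=True)


if __name__ == "__main__":
    if len(sys.argv) > 1 and sys.argv[1] == "--install":
        install()
    else:
        sys.stdout.write(render_plist().decode())
```

To remove it later, `sudo launchctl unload -w /Library/LaunchDaemons/local.block-modem-route.plist` followed by deleting the file and `sudo route delete 192.168.100.1`, as Curtis describes, returns the Mac to normal.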
John Robinson (TidBITS Supporter) 2016-04-10 18:30
Rereading your note, I must re-enter the sudo command after any boot, is that correct?

I have looked at LaunchDaemons and do not feel competent to write one. I will gladly pay for a script, etc., rather than replace the modem. Or simply reapply after each boot.
Curtis Wilcox (Friend of TidBITS) 2016-04-11 06:02
That's right, manually added routes are "forgotten" every time the computer restarts.

Honestly, this vulnerability amounts to nothing more than a prank; you go to a malicious page, your connection goes down for a few minutes, you don't go to that page again. I don't think it's worth installing something just to prevent it.
Josh Centers (TidBITS Staffer) 2016-04-11 09:32
Brilliant solution! You could also add an entry to /etc/hosts. That might be worth an article…
Curtis Wilcox (Friend of TidBITS) 2016-04-11 11:41
An entry in /etc/hosts won't work because that's for matching hostnames to ip addresses but in this case there is no hostname, just the "bare" ip address of the cable modem.

I would hope a firewall program like Little Snitch could have a rule to block outgoing traffic to a specific ip (or subnet) but I'm not familiar with its feature set.
John Robinson (TidBITS Supporter) 2016-04-12 13:59
I'm afraid this is not possible since Little Snitch works close to the Application Layer on your OS X System. It has no influence on deeper network layers and particularly no influence on your local network outside of the Mac. (I queried LS)
Jean Mosher (TidBITS Supporter) 2016-04-11 10:51
I just got off with TWC and they reset my modem to pretty much match "theirs". I did offer to disconnect mine and bring it to a TWC service center for them to do it and that seemed to work for me.