SURFboard Cable Modems Vulnerable to Remote DoS Exploit
A vulnerability has been discovered in the popular line of Arris (formerly Motorola) SURFboard cable modems. The exploit allows remote attackers to reset the modems, knocking victims offline for up to 30 minutes — it’s a denial of service attack, not one that exposes personal information. The problem could be fixed with a firmware update, but unfortunately, there’s no mechanism that enables users to update their cable modems. Updates must be pushed out by Internet service providers, many of whom update only leased modems, not those owned by customers. If you have one of these modems, talk to your ISP about an update.
I bought a Motorola Surfboard SB6121 DOCSIS 3.0 Cable Modem in mid 2014. I don't understand if this denial of service attack will hit all Motorola or just Arris Motorola. I understand that the Arris is a 3 in 1, and mine is only a modem. I just don't understand why all modems aren't effected and not this one brand. And maybe I don't have to know, but it would be nice to understand why it is only the Arris.
It may affect any recent Motorola or Arris cable modems.
The quickest way to check is to see if you can access your cable modem's administration interface.
Type: 192.168.100.1 into a web browser address bar with a computer or device that is connected to your home network.
If you can see the administration interface without having to log in with a user-name and password, then your modem is at risk.
My understanding is that the administration interface can only be accessed from within the network and not from the outside. So for the attack to work a malicious person has to trick a person into using a link that sends the restart or reset single to the cable modem. It takes about 5 to 10 minutes for a cable modem to reset.
It would take an attacker getting a script that launched every 5 minutes to reset the modem to maintain the denial of service attack
John, I inserted, http://192.168.100.1/index.htm, into the Safari google search and came across a Surfboard Status window. Under Configuration is the RESET button. It works. What I don't understand is how someone can sit outside my firewall and reset MY modem. I can understand if they were controlling my network from some malicious software, but I see no signs of this, nor have I clicked any unknown emailed links to give them access, so how can they command reset the modem, if they aren't in my network? Sorry, I am slow to some things.
They trick you into clicking a link that target that points to the particular URL(s) at http://192.168.100.1. I followed the article links and one says an image tag that has the particular URL as its src, even though that's clearly not an image is sufficient to make it work so you don't have to click anything, just visit the bad page.
Curtis, so simply visiting a previously unvisited website can set-off the reset command implanted in the webpage?
Basically, a malicious person can hide the reset instruction in HTML code, so when a person loads the web page the reset command is sent to the modem.
For example, a normal bit of HTML code to present a picture would look something like:
An attacker would instead use something like :
which would trick your web browser into going to the modem's administration page and pressing the reset button.
Obviously, "secret_reset_code" is not the actual attack method. I do not want people to accidentally click on the real thing.
The danger here is that the modem reset method can be hidden in any website, and the moment a person's web browser comes across it, the modem well be reset, thus knocking a person offline until the modem finishes resetting.
The attack will only work when a person loads or visits that particular web page with the hidden reset code, and it will run each time the page is loaded.
Oops, the comment system stripped out my HTML code examples, which is actually a good security practice.
Let me try again without the HTML tags.
HTML to present a picture would normally look like:
img src="funny_cat_photo.jpg"
and an attacker would replace it with something like:
img src=”192.168.100.1/secret_reset_code”
It's amazing that no one thought of this before. It's really stupid to not lock this interface w a password. Just my two cents.
I totally agree, the hack itself is not really impressive, it is the lack of care and stupidity of the modem manufacturer that is surprising.
Like the article said, if the modem admin page was protected by a username and password, the attack would not work at all.
Worse, when they do eventually add authentication, they will probably ship it with a default username like "admin" and a password of "password", which is just as bad as not having authentication.
You can prevent this attack by configuring your Mac to not allow connections to the modem's ip address.
sudo route add 192.168.100.1 127.0.0.1
This command says data going to the address 192.168.100.1 (the modem's address) should go via 127.0.0.1 as a gateway. But 127.0.0.1, aka localhost, is just your own computer so it doesn't actually go anywhere.
To undo, restart your computer or use this command:
sudo route delete 192.168.100.1
If you want the route added every time the Mac boots, it can be done using a cron job or LaunchDaemon.
A similar command could be used on a highly configurable home router (e.g. one running OpenWRT) to block all traffic to the modem's address instead of expecting each client on your home network to do it.
Rereading your note, I must re-enter the sudo command after any boot, is that correct?
I have looked at LaunchDaemons and do not feel competent to write one. I will gladly pay for a script, etc., rather than replace the modem. Or simply reapply after each boot.
That's right, manually added routes are "forgotten" every time the computer restarts.
Honestly, this vulnerability amounts to nothing more than a prank; you go to a malicious page, your connection goes down for a few minutes, you don't go to that page again. I don't think it's worth installing something just to prevent it.
Brilliant solution! You could also add an entry to /etc/hosts. That might be worth an article…
An entry in /etc/hosts won't work because that's for matching hostnames to ip addresses but in this case there is no hostname, just the "bare" ip address of the cable modem.
I would hope a firewall program like Little Snitch could have a rule to block outgoing traffic to a specific ip (or subnet) but I'm not familiar with its feature set.
I'm afraid this is not possible since Little Snitch works close to the Application Layer on your OS X System. It has no influence on deeper network layers and particularly no influence on your local network outside of the Mac. (I queried LS)
I just got off with TWC and they reset my modem
to pretty much match "theirs". I did offer to disconnect mine and bring it to a TWC service center for them to do it and that seemed to work for me.