Several ARRIS SURFboard broadband cable modem models suffer from cross-site request forgery (CSRF) vulnerability that allows an attacker to reboot them without authentication.
The issue was discovered in ARRIS (formerly Motorola) SURFboard 6141 broadband cable modems running under firmware released by Time Warner Cable. The modem’s LAN-side web interface, which can be accessed by typing a fixed IP address, does not require authentication and is susceptible to the CSRF flaw through which the modem can be rebooted with a single click.
SURFboard 6141 is one of the most popular ARRIS modems to date, but the exact number of sold devices isn’t know at the moment. While the modem’s product page said last week that the company distributed 135 million units, the mention has since been removed.
However, with other models affected as well, including SURFboard 5100 and 6121, millions of units could indeed be affected. The SURFboard 5100 model was discovered to include the same vulnerability eight years ago, when they were sold under Motorola’s brand, while the issue with SURFboard 6121 devices was reported last year.
The main issue with the newer model is the fact that diagnostic data is accessible by simply browsing to 192.168.100.1 from the local network, with no login required. The UI includes other functions as well, including one to reset the modem to factory settings, and another to reboot it, an operation that takes around 3 minutes to complete, David Longenecker, the researcher who discovered the bugs, says.
Basically, anyone that can connect to the local network can access the UI and reboot the modem. The big issue is that the modem can also be reset to factory settings from the same interface, a process that could take more than 30 minutes to complete, and which might even require the user to call the ISP to initiate reactivation.
In addition to these issues, these modems are plagued by said CSRF flaw, which can be exploited to reboot them when the user clicks a link. The problem is that the application does not verify whether the reboot command was issued from the administration UI, a flaw that goes hand in hand with the lack of authentication.
The researcher even came up with a proof of concept website, http://RebootMyModem.net, where users can “test” their modems. One thing they should keep in mind when accessing the site, however, is that it might reboot the device and deny them access to the Internet for around three minutes.
What should also be noted is that all these issues affect the consumer-oriented, LAN-side administrative interface, and not the ISP-oriented, WAN-side one. The researcher managed to demonstrate all flaws on a SURFboard 6141 modem running firmware SB_KOMODO-1.0.6.14-SCM01-NOSH, deployed to Time Warner Cable customers, but other models and other ISPs may have the same design flaw.
The issue can be supposedly resolved via a firmware update that would add username and password requirement to the UI when performing reboot requests or other disruptive actions such as resetting the device. Furthermore, it would also need to validate that requests are originating from within the application and not from external sources.
While this seems simple enough in theory, there’s a catch, as cable modems are not always consumer-upgradable. What this means is that ARRIS needs to provide the ISP with the update, which in turn applies the firmware and configuration to these modems, even if they are consumer-owned devices.
The researcher says he contacted ARRIS to report the issue in January, but that the company only informed him that the email was forwarded to the security team, without offering any additional updates or details on their plans on the matter. However, after the public disclosure, ARRIS reportedly said that it was working with ISPs to push a firmware update to users.