Millions of Cable Modems Vulnerable to Easy Attack

[UPDATED 2:50 pm ET with comment from Arris.]

Sometimes even critically acclaimed products ship with annoying flaws, and such is the case with one of the most popular cable modems out there. Thanks to an apparent lack of security on the Arris SURFboard SB6141 modem, which until recently was also sold by Motorola, 135 million units out in the wild are vulnerable to a simple attack that could cut off internet access until you call your cable company to restore it.

Photo Credit: Jeremy Lips/Tom's GuidePhoto Credit: Jeremy Lips/Tom's Guide

Once an attacker — which could be your neighbor's kid has accessed the modem's hard-coded administrative interface at http://192.168.100.1/, he or she can click the Restart Cable Modem button on the Configuration page to disable it for 2 to 3 minutes.

To be really cruel, the attacker could instead click the Reset All Defaults option, which restores the modem back to factory settings and wipes out any specialized firmware installed by the internet service provider (ISP). After that, the device's owner would need to call the ISP's technical-support line to get a fix. 

Blogger David Longenecker broke this news last Friday (April 1), and while he contacted Arris before they published the news, the company apparently has yet to push out a fix. We've contacted Arris for comment and will update this story when the company responds.

MORE: Your Router's Security Stinks: Here's How to Fix It

The SB6141 model is vulnerable because there is no username or password required to access its administrative controls from the local network. All someone has to do its open the private IP address http://192.168.100.1 in any web browser, and a detailed set of options appears. Because that IP address is hard-coded into each of these 135 million units, it's easy for pranksters or hackers to cause trouble once they hop onto the Wi-Fi networks at cafes, restaurants, hotels or their friends' houses.

There's another way attackers could shut down the SB6141, and it doesn't require local network access. Instead, it involves tricking a local network user to click a malicious link.

For example, an email could contain a link that it claims to offer pirated TV shows or software, but instead directs users to the address http://192.168.100.1[/]reset.htm. Clicking that link would reset the router, taking the user offline for hours while he or she tries to get help from an ISP customer-support representative.

The SB6141 SURFboard modem is a Tom's Guide Top Pick, although, of course, we didn't know about this vulnerability at the time. We're not the only site to lavish praise on this modem, as it's also The WireCutter's top pick. This particular model is compatible with most of the major cable-company ISPs in the United States, and, as such, is bought by many customers who don't want to pay monthly modem-rental fees.

Arris probably could create a firmware update that requires a username and password for a reboot or reset, but getting that patch to users might  prove difficult. Cable-modem firmware updates usually must be pushed down by an ISP to send down an update, and we're not sure how many cable ISPs would be willing to do so for customer-owned devices.

UPDATE: "We are in the process of working with our Service Provider customers to make this release available to subscribers," read an Arris statement that was provided to Tom's Guide via email. "There is no risk of access to any user data and we are unaware of any exploits.

"As a point of reference, the 135 million number is not an accurate representation of the units impacted," the statement said. "This issue affects a subset of the ARRIS SURFboard devices."

Upon further discussion, an Arris representative told us that despite the implication on the product page for the SB6141 that 135 million units of that specific model had been distributed, that figure instead represented the total number of all Arris product units sold over the past 15 years.

The number of modems affected by this particular issue was said to be less than 10 percent of the 135 million figure, which has been removed from the SB6141 product page.

Create a new thread in the Off-Topic / General Discussion forum about this subject
This thread is closed for comments
3 comments
    Your comment
  • tisha
    Really!?! And here I am calling tech support and they say no its your comcast line. So I was about to pay comcast to come out and troubleshoot. Just to be on the safe side I went and changed my router just in case and bought a brand new one which I now hate. Thanks Arris.
    0
  • tisha
    And my internet still doesn't work.
    0
  • Christopher1
    Arris should really be hammered for this. No username and password on a device is just moronic in this day and age.
    0