Arris Modems and Routers Have Major Security Flaw

Updated 2:55 pm ET with comment from Arris.

If you use an Arris or Motorola broadband modem, router or gateway provided by AT&T, better check your network device's configuration.

An Arris/Motorola NVG599's typical wiring setup. Credit: AT&T

(Image credit: An Arris/Motorola NVG599's typical wiring setup. Credit: AT&T)

Texas-based information-security firm Nomotion has found five serious security flaws that could let hackers take over your network, inject ads into the websites you view and even directly attack devices on your network. The firm is calling the flaws "SharknAT&To", which should conjure up images of flying sharks to avid watchers of the Syfy cable channel.

"Prepare to be horrified," a Nomotion blog posting on SharknAT&To late last week read.

At least one of these flaw seems to affect every Arris or Motorola network device that AT&T gives out to home and small-business users. The most serious flaw affects only the NVG599 and NVG589 VDSL-based gateways that supply "triple play" phone, internet and TV access.

(Arris took over Motorola's home-networking division a few years ago, and many models may bear either company's brand name. These flaws don't seem to affect the Surfboard line of cable modems that Arris markets directly to consumers, but we've asked Nomotion for clarification.) 

What You Need to Do Now

You can fix all these flaws yourself, although some require technical know-how and software tools. Fortunately, the most widespread flaw is the easiest to fix, and we'll show you how. For the rest, please refer to Nomotion's blog posting.

Our requests for comment to both Arris and AT&T were not immediately replied to, but Arris told the Threatpost tech-news blog that it was conducting a full investigation and could not comment further.

MORE: Your Router's Security Stinks: Here's How to Fix It

Every Arris network device — modem, router or gateway device, which combines a modem and router — provided by AT&T that Nomotion tested had a secret firewall bypass on port 49152.

Access was granted by prefacing the device's known MAC address  with a secret three-byte code, which a hacker's computer could brute-force in a matter of minutes. (Anything that can connect to the internet has at least one unique MAC address.)

"There is something terribly wrong with this implementation," said Nomotion in its blog post.

The firewall bypass, which Nomotion refers to as Vulnerability 5, was likely put there for the use of AT&T support technicians. It gives an attacker direct access to all the devices on a home or small-business network.

If you're familiar with the security deficiences of the Internet of Things, you'll know that many smart-home devices have little or no protection against attacks coming from within the local network. Combining Vulnerability 5 with known IoT vulnerabilities could lead to attacks on your smart TV, thermostat, door locks, refrigerator, etc.

To fix this flaw, Nomotion recommends browsing to IP address on a desktop web browser while connected to the local network. (Caveat: Nomotion warns that "if you choose to proceed, you are doing so at your own risk and liability.")

At that web page, you'll see the network device's configuration interface. Select the NAT/Gaming tab, then scroll down and click the Custom Services button.

You'll see form fields in which to enter information. In the Service Name field, enter a name of your choice — "Bypass Block" might be a good one. Enter "49152" into both Global Port Range fields. For Base Host Port, enter "1". Make sure the Protocol is toggled to TCP/IP. Then click the Add button.

On the next page, make sure your new service is listed under Services, and select it. Then select any one of your existing devices under Needed by Device. That should kill the Port 49152 access problem.

The most serious flaw of the five affects the Arris/Motorola NVG599 and NVG589 gateways running firmware version 9.2.2h0d83. That firmware update added SSH (secure shell) access with hardcoded credentials of admin name "remotessh" and password "5SaP9I26".

Anyone using those credentials can remotely flash new firmware, change the network name and password, change the network settings or even inject ads. Fortunately, Nomotion said only about 15,000 devices worldwide seemed to be vulnerable.

"It is hard to believe that no one is already exploiting this vulnerability at the detriment of innocents," said Nomotion's blog post.

If you've got one of those two models, and it's running that firmware (check in the admin interface mentioned in the previous flaw's fix), then you've got a little command-line typing to do. Please refer to Vulnerability 1 in the Self-Mitigation section in Nomotion's blog post.

Vulnerabilities 2 and 3 affect the web-server feature on the NVG599 model. It turns out anyone can get administrative access by hitting port 49955 with the username "tech" and no password. About 220,000 devices seem to be affected, per Nomotion.

Vulnerability 4 seems to affect all Arris/Motorola home/small-business network devices distributed by AT&T, according to Nomotion. It gives the attacker the MAC addresses of all devices on the internal network, plus the Wi-Fi password, but the attacker needs to know the serial number of the specific router, modem or gateway being attacked. As such, the threat of exploitation is low.

To fix Vulnerabilities 2 through 4, the user will need to use Burp Suite (it's free) or a similar web-security tool. You'll need to the first, second or third flaws to be able to fix the fourth one. Instructions are provided under Self-Mitigation on Nomotion's blog post.

UPDATE: Arris responded to Tom's Guide's query with this statement: "We are currently verifying the specifics of the Nomotion security report. Until this is complete, we cannot comment on its details. We can confirm ARRIS is conducting a full investigation in parallel and will quickly take any required actions to protect the subscribers who use our devices."

Paul Wagenseil

Paul Wagenseil is a senior editor at Tom's Guide focused on security and privacy. He has also been a dishwasher, fry cook, long-haul driver, code monkey and video editor. He's been rooting around in the information-security space for more than 15 years at, SecurityNewsDaily, TechNewsDaily and Tom's Guide, has presented talks at the ShmooCon, DerbyCon and BSides Las Vegas hacker conferences, shown up in random TV news spots and even moderated a panel discussion at the CEDIA home-technology conference. You can follow his rants on Twitter at @snd_wagenseil.