AT&T Uverse Modems Reportedly Are Riddled Like Swiss Cheese With Security Holes
Because there clearly haven't been enough ISP router vulnerabilities popping up this past year, another one helps usher in the new month. This one is being dubbed "SharknAT&To" (because every vulnerability needs a catchy name!), a portmanteau involving the cult classic in the making, Sharknado, and the leading internet service provider, AT&T.
SharknAT&To was outed by security researcher J Hutchins, whose team discovered a handful of vulnerabilities on AT&T's U-verse modems. At this point, it's not clear just how many devices are affected, but if you are a U-verse subscriber and are equipped with an Arris modem, you may want to be on alert. In particular, confirmed affected models include the NVG589 and NVG599.
While some security researchers decide to alert the affected vendors ahead of the public, Hutchins took a more carefree approach, releasing everything needed to exploit the vulnerability on your own. At this point, we haven't been able to find many signs of third-party confirmations, but there has been at least one person who backs up the claim.
If you want to see if you have a vulnerable modem, you need to try connecting to it through SSH (PuTTY is a good option for Windows users), presumably with the default port of 22. Hutchins says that the username is 'remotessh' and the password is '5SaP9I26'. Beyond that, you can also run a port scan on your home IP address from another internet service that's not AT&T (you could install an app and use your mobile connection, in the worst case) to see if any of the exploitable services are running on the modem.
Example of logging in with Arris NVG589's hard-coded root account
According to Hutchins, logging in via the aforementioned account will automatically grant root access, meaning that absolutely anything someone wants to reconfigure on your modem is going to be made a lot easier - no privilege escalation bug needed.
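The outside-in check suggested above, as an added example (not from the original article or from Hutchins' write-up): it tests whether a TCP port on your own public IP answers and, if it does, reads the SSH identification string without attempting a login. Port 22 is the article's presumed default; the function names and the placeholder address are assumptions, and the script is meant to be run from a network other than your AT&T connection.

```python
import socket
import sys

def read_ssh_banner(sock, max_lines=10):
    """Return the SSH identification string (RFC 4253, section 4.2), or None.
    Servers may send other lines first, so skip anything not starting 'SSH-'."""
    buf = b""
    try:
        while buf.count(b"\n") < max_lines and len(buf) < 4096:
            chunk = sock.recv(256)
            if not chunk:
                break
            buf += chunk
            for line in buf.split(b"\n")[:-1]:  # complete lines only
                if line.startswith(b"SSH-"):
                    return line.rstrip(b"\r").decode("ascii", "replace")
    except OSError:  # read timeout or reset: port is open but not speaking SSH
        pass
    return None

def check_port(host, port=22, timeout=3.0):
    """Classify one TCP port as open / closed / filtered. No login is attempted."""
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except ConnectionRefusedError:
        return {"port": port, "state": "closed", "banner": None}
    except OSError:  # timed out or unreachable: dropped by a firewall or NAT
        return {"port": port, "state": "filtered", "banner": None}
    with sock:
        sock.settimeout(timeout)
        banner = read_ssh_banner(sock)
    return {"port": port, "state": "open", "banner": banner}

def exposed_ssh(host, ports=(22,), timeout=3.0):
    """Return only the ports that answered with an SSH identification string."""
    results = [check_port(host, p, timeout) for p in ports]
    return [r for r in results if r["state"] == "open" and r["banner"]]

if __name__ == "__main__":
    # Pass your own public IP; 203.0.113.10 is a documentation placeholder.
    target = sys.argv[1] if len(sys.argv) > 1 else "203.0.113.10"
    hits = exposed_ssh(target)
    if hits:
        for r in hits:
            print(f"{target}:{r['port']} reachable from outside: {r['banner']}")
    else:
        print(f"{target}: no SSH service answered on the checked ports")
```

A "filtered" or "closed" result on port 22 from an outside network means the SSH service is not reachable from the internet on that port; it says nothing about other services on the modem.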
At this point in time, very little information is known on this issue outside of the original blog post (which is quite detailed), but the issue is too severe to ignore, so if you're a U-verse customer, it'd be worth doing a little investigative work. Based on the comments at the source (found below), if you're using your U-verse modem in a passthrough configuration, you're more than likely not vulnerable to this exploit. A simple fix for a potentially disastrous vulnerability.
As of the time of writing, it doesn't appear that either AT&T or Arris has acknowledged this bug.