
posted by martyb on Wednesday September 06 2017, @07:01AM
from the Somthing's-Amiss^W-Arris dept.

Submitted via IRC for SoyCow1937

Security researchers have found five gaping holes in the firmware running on Arris modems, three of which are hardcoded backdoor accounts.

An attacker could use any of these three accounts to access and take over the device with elevated privileges — even root — install new firmware, and ensnare the modem in a larger botnet.

The vulnerabilities came to light after a review of the Arris firmware carried out by experts from Nomotion Labs.

According to Nomotion, the flaws are found both in the standard Arris firmware and in the extra code added on top by OEMs. In their research, experts looked at an Arris modem installed on the network of AT&T.

Researchers said the flaws affect NVG589 and NVG599 modems. Both models aren't available through the Arris website and appear to be discontinued products. Based on Censys and Shodan data, researchers believe there are at least 220,000 of these vulnerable modems connected online.

[...] For owners of said devices, Nomotion has published basic self-mitigation instructions that device owners and ISPs can use to block access to the backdoors and fix some of the flaws. The self-mitigations are available at the end of the Nomotion report.

Source: https://www.bleepingcomputer.com/news/security/three-hardcoded-backdoor-accounts-discovered-in-arris-modems/


  • (Score: 5, Insightful) by melikamp on Wednesday September 06 2017, @03:57PM (2 children)

    by melikamp (1886) on Wednesday September 06 2017, @03:57PM (#564174) Journal

    It is entirely safe to assume that every single bit of nonfree software running on any of your systems is compromised in the worst possible way, allowing the vendor, its affiliates, and various law enforcement agencies full access under certain conditions. The safety of this assumption is confirmed for a zillionth time with TFA. Here we have a hardware vendor who willfully hardcoded backdoors into a network appliance. Calling these "security holes" is like calling the anthropogenic global heating a "climate change". The year is 2017, the net is some 40 years old, and the state of the security research removes all hope that this was done by accident or even via negligence. These 3 backdoors are plainly acts of malice on the part of the vendor, so the next question is: what is going to happen? The vendor didn't just break into devices, like $ONY did with its infamous rootkit; the vendor willfully designed and sold the devices pre-broken-into, in a glaring breach of trust with the clients. This is like selling video recording equipment which secretly transmits video back to vendor. A half-assed apology may well come out, but I wouldn't hold my breath. But just as was the case with Juniper firewalls, there will be no investigation, internal or external, no one will get fined, and no one will get canned. From the point of view of the law enforcement, which is currently addicted to spying, everything is hunky-dory, even better than usual.

    Note that punishing companies for inserting backdoors will not work. They will continue to develop and insert backdoors, but they will do so in a plausibly deniable manner, and they will hide them better. If a backdoor can be hidden for a couple of years, and no one gets in trouble when it's found out, then every nonfree module is guaranteed to have one, it's just good business. The only way to prevent the bulk of this kind of abuse from happening is to discriminate against nonfree software in law, via basic consumer-protection mechanisms, similar to how we treat dangerous amusement drugs such as tobacco. Don't make nonfree software completely illegal, but regulate and tax it so tightly that it only survives in niches, and is not essential in any way to the society.

  • (Score: 2) by gidds on Thursday September 07 2017, @08:05AM (1 child)

    by gidds (589) on Thursday September 07 2017, @08:05AM (#564468)

    These 3 backdoors are plainly acts of malice on the part of the vendor

    Personally, I prefer to apply Hanlon's razor [wikipedia.org].  If you don't think something like this could be down to simple stupidity, terminal cluelessness, or neolithic incompetence, then you have a much higher opinion of corporate intelligence than I do!

    Of course, the end result is the same either way.  This company deserves to be ridiculed, censored, and much worse for this, regardless of the internal processes (or lack thereof) which led to it.

    In fact, hasn't the time come for legal safeguards?  After all, we* have regulations covering food safety, fire safety, electrical safety, and many other things that ordinary people can't reasonably check for themselves.  And network access is well on the way to becoming just as much of a necessity as clean water and electrical power.  Shouldn't companies releasing such appallingly unsafe products be subject to some sort of regulation too, with monetary and even company-existence penalties?

    (* I'm in the UK, though I gather that even the US has some rudimentary regulation…)

    --
    [sig redacted]
    • (Score: 2) by melikamp on Thursday September 07 2017, @02:19PM

      by melikamp (1886) on Thursday September 07 2017, @02:19PM (#564571) Journal

      Shouldn't companies releasing such appallingly unsafe products be subject to some sort of regulation too, with monetary and even company-existence penalties?

      Perhaps, but one has to be careful to draw the line in the right place. All non-free (and close-sourced) software products are extremely dangerous and unsafe. The temptation to conceal malicious functions is too great, and plausible deniability is one buffer overflow away. An intentional remote zero-day exploit may well go undetected by security hackers forever, even after some agency starts utilizing it.

      Keeping this in mind, the most effective approach, IMHO, is to discriminate against non-free software wholesale, as if it's all bad. I am sure that a combination of these measures will work great: (1) forced transition and ban from government services, infrastructure, education, and healthcare (2) mandatory package/website labeling (3) very hefty tax on each sale/transmission/service, even when the transactions themselves are gratis, as they often are these days, since money is now made by exploiting addicts.