Popular cable modem vulnerable to remote reboot/reset flaw

Updated Security defence man David Longenecker says millions of users could have their internet connections severed thanks to a flaw in Surfboard SB6141 modems.

The soon-to-be-patched cross-site request forgery flaw allows attackers to cut off users from the internet until their modem renegotiates with the ISP and reconfigures itself. In a worst case scenario, the subscriber would have to contact their internet provider's tech support to get back online.

A victim has to click on a maliciously crafted link to trigger the vulnerability. Surfboard manufacturer Arris disputes that 135 million devices are affected* and says a patch will be distributed to affected users, if internet service providers decide to sling the patch at the cable modems.

"Rebooting one remotely is so easy, it doesn't even require a password," Longenecker says. "It is possible to factory reset the modem with a simple unauthenticated URL.

"This causes a longer outage while the modem renegotiates with the ISP - which can in certain cases even require calling the ISP to initiate the reactivation."

Longenecker says pranksters could place his code into an image and post it as an online advertisement that could stealthily reboot the modems en-masse.

$vendor: "the number you reported as vulnerable is misleading."
$researcher: "Well yeah - actually I underestimated the scope."

— David Longenecker (@dnlongen) April 10, 2016

He said the modem is the company's "number one seller" with more than 135 million units sold*.

He spun up a proof-of-concept website to demonstrate how the modems could be rebooted and borked.

Personal information is not exposed in the attacks and only diagnostic data, logs, and factory reset and reboot functions are exposed. ®

Updated to add

* Here is Arris' page on the SB6141, which enthuses "The SURFboard SB6141 is easy to install so you’ll be surfing in a matter of minutes. With over 135 million sold, it’s easy to see why we’re the market leader!". It contacted the Reg after the publication to say the 135 million number at the end refers to every single modem of every model number that it has sold.

It further said that it had "recently addressed the reported GUI access issue with a firmware update. We are in the process of working with our Service Provider customers to make this release available to subscribers." It added: "There is no risk of access to any user data and we are unaware of any exploits."