The Stack Archive

600,000 Arris cable modems have ‘backdoors in backdoors’, researcher claims

Fri 20 Nov 2015

600,000 Arris cable modems could be affected by a “backdoor-within-a-backdoor”, according to a security researcher.

Bernardo Rodrigues, a vulnerability tester with Brazil’s Globo TV network, posted that he discovered the undocumented library within three Arris cable modems. However, a search on Shodan, the search engine for internet-connected devices, found that 600,000 modems were in fact affected.

While researching the subject, Rodrigues found a previously undisclosed backdoor on Arris cable modems. After extending the search through Shodan, Rodrigues claims that more than 600,000 externally accessible hosts are affected by the backdoor. The initial backdoor-admin password was disclosed as far back as 2009 and is based on a known seed.

Restricted shells

The backdoor was found in the hidden administrative shell that can control the cable modems. The backdoor account can be used to remotely enable Telnet and SSH through the hidden HTTP administrative interface, or through custom SNMP MIBs.

Rodrigues explains that the default password for the SSH user ‘root’ is ‘arris’. When the Telnet session is accessed, the system spawns the ‘mini_cli’ shell, which requests the backdoor password. After logging in with the password of the day, the user is redirected to a restricted technician shell.

During analysis of the backdoor library and the restricted shells, Rodrigues found that a backdoor had been put in the backdoor. Rodrigues says that the undocumented backdoor password is based on the final five digits of the modem’s serial number. Logging in over Telnet/SSH with these passwords results in a full busybox shell.


Rodrigues concludes that he is “pretty sure” that these flaws on the devices have been exploited for some time. He says that “A broader view on firmwares is not only beneficial, but necessary to discover new vulnerabilities and backdoors, correlating different device families and showing how vulnerabilities reappear across different products.”

