Why Crypto Backdoors Don’t Work – Arris Modems
Apparently, in 2009 the developers at Arris, a manufacturer of cable modems for many cable providers, added a backdoor. They managed to keep it secret for a few years, but some details were leaked a couple of years ago. Now it is out in the open.
At least for several models of the Arris modems, there is a backdoor login. The backdoor relies on a publicly known algorithm. The attacker would need to be familiar with the algorithm, a seed key and the date. The firmware, based on this data, generates a unique password every day. The default seed key is MPSJKMDHAI and most, but not all, cable companies do not change it. But even for those that do, all you need is a sample of their modem to look at the code and see what they changed it to.
In theory, the access granted by this login is limited, but when you log in (via SSH or Telnet, which you can turn on remotely with this account), it asks you for a second password. That password is the last 5 digits of the serial number of the box. At that point, you are an admin for the modem. A backdoor inside a backdoor!
This is in addition to other security vulnerabilities not related to the backdoor.
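The post's core technical point is that the seed sits in the firmware as a plain string, so anyone with a modem in hand can read it back out. As an added example (not code from this post or from Arris), here is the kind of check a defender auditing a firmware image would run before trusting a "secret" seed: pull the printable strings out of the image the way the `strings` utility does, flag any that exactly match a known default seed, and flag seed-looking uppercase runs that are not on the known list. The firmware bytes below are constructed for the demo; the only real value in them is the default seed the post names.

```python
import re

# Constructed sample "firmware image": binary noise around a few printable
# strings. The seed string is the default named in the post; nothing else
# here comes from a real Arris image.
SAMPLE_FIRMWARE = (
    b"\x7fELF\x01\x01\x01\x00" + b"\x00" * 8
    + b"login: \x00"
    + b"\x13\x37\xde\xad"
    + b"MPSJKMDHAI\x00"
    + b"\xbe\xef\x00"
    + b"Password of the day\x00"
    + b"\x00\xff" * 4
)

# Default seed named in the post. A real audit would extend this set with
# whatever the operator believes it changed the seed to.
KNOWN_DEFAULT_SEEDS = {"MPSJKMDHAI"}


def extract_strings(blob: bytes, min_len: int = 6):
    """Return (offset, text) for every run of printable ASCII at least
    min_len bytes long: the same thing the 'strings' utility does."""
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [(m.start(), m.group().decode("ascii")) for m in pattern.finditer(blob)]


def find_known_defaults(blob: bytes, known=frozenset(KNOWN_DEFAULT_SEEDS), min_len: int = 6):
    """Strings in the image that are exactly a known default seed.
    A hit means the vendor default was never changed."""
    return [(off, s) for off, s in extract_strings(blob, min_len) if s in known]


def find_seed_like(blob: bytes, min_len: int = 8, max_len: int = 12):
    """Heuristic (an assumption of this example, not an Arris rule): a
    hard-coded seed tends to be a short, all-uppercase, letters-only run.
    Flag those so a changed seed still shows up for manual review."""
    return [
        (off, s)
        for off, s in extract_strings(blob, min_len)
        if len(s) <= max_len and s.isalpha() and s.isupper()
    ]


def audit(blob: bytes):
    """Summarise both checks as one report dictionary."""
    return {
        "known_defaults": find_known_defaults(blob),
        "seed_like": find_seed_like(blob),
    }


if __name__ == "__main__":
    for kind, hits in audit(SAMPLE_FIRMWARE).items():
        for off, s in hits:
            print(f"{kind}: {s!r} at offset 0x{off:x}")
```

The point of running both checks is that swapping the default seed for a different fixed string, as the post says a few cable companies do, only moves the string; it does not stop it from being recovered from the image, which is why `find_seed_like` still reports it.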
The point of this – besides the fact that there are at least half a million modems that are relatively easy to attack, and for which there is no fix other than to unplug your modem – is that the idea of a secret backdoor that the FBI and Congress critters keep asking for is good, as long as you keep the secret “secret”. Which is impossible. Especially when an attacker can look at the code and see the backdoor. It may take a while, but the secret will come out.
We see this time and time again. If you can insert a backdoor, hackers can find it. That is a fact. And, of course, facts are, well, inconvenient.
So as this discussion continues, people should consider that time and time again backdoors don’t work.
To quote Peter, Paul and Mary – When will we ever learn, when will we ever learn?
Oh yeah, and if you have an Arris cable modem you probably want to replace it – now.
Information for this post came from Threatpost.