One of the most popular posts on TechBlog is a June 2014 item on how to use your own modem and router with Comcast’s service, rather than the combo unit the cable company typically rents to its residential customers. In it, I recommended the Arris Motorola SurfBoard SB6141 as the cable modem to use. And if you’ve taken my advice and bought that modem, there’s something you should know.
Security researcher David Longenecker has discovered a flaw in that particular model that could cause a denial of service for its users. In other words, an evildoer could use it to prevent an SB6141 user from getting out to the Internet.
According to Longenecker, the SB6141 allows a user to access Web-based administration screens by going to 192.168.100.1 in a browser. No login or password is required to access it. If you’ve got one of these modems, give it a try. You may see something like this:
Included within this interface is the ability to reset the modem. A user can be tricked into clicking on a simple link that will reboot the SB6141, and you can see a proof of concept here. Note that if you have one of these modems with this flaw, and you click the link, your modem WILL reboot.
Normally, you’d have to be sitting at a computer on the same network as the modem to trigger a reboot. But the link above takes advantage of the fact that you can mask a local Web page address as an image file. As Longenecker describes it:
Did you know that a web browser doesn’t really care whether an “image” file is really an image? Causing a modem to reboot is as simple as including an “image” in any other webpage you might happen to open – which is exactly the approach taken on the RebootMyModem.net proof of concept:
<img src=”http://192.168.100.1/reset.htm”>Of course it’s not a real image, but the web browser doesn’t know that until it requests the file from the modem IP address – which of course causes the modem to reboot. Imagine creating an advertisement with that line of code, and submitting it to a widely-used ad network…
One other thing to note: A similar approach can be used to reset the modem to its factory settings. It would then take a while to reconnect as the modem negotiates with the cable network. In some cases, you may have to contact the provider in order to get the SB6141 reauthenticated.
How widespread is this issue? Arris claims this is the most popular cable modem in the world, and it’s been bought by consumers as as well deployed by cable providers. It’s in common use on Time Warner’s network. It’s not clear if it has been deployed by Comcast in the Houston area, but it has been used by Comcast in other markets in the past. Currently, Comcast in Houston has been using a combination modem/router that is also made by Arris. The manufacturer says only a “subset” of its 135 million SB6141 modems in production are vulnerable to this issue, but it’s not clear what that means in terms of real numbers.
The company has released a patch for the flaw, but it’s not a simple matter of an SB6141 owner downloading the fix and applying it. Cable modems aren’t upgradeable by users, and any firmware updates must be handled through the Internet provider. Arris says it’s in the process of getting the patch out to ISPs.
I’ve emailed the local Comcast PR person and asked if the company plans to update its customers’ SB6141 modems. I’ll let you know if I hear back.
In the meantime, the product recommendation site The Wirecutter – which also recommends the SB6141 – has a workaround that can prevent someone on your local network from resetting the modem. It requires that you change some settings in your router to block access to the 192.168.0.1 address. Check your router’s documentation – available at the support area of its manufacturer’s website – to see how to do that.
[Spotted at ZDNet.]
Exclusive Car Review at www.automoview.com