Millions of Arris cable modems vulnerable to denial-of-service flaw

Updated: The flaw lets an attacker cut off an entire network from the internet until the owner calls their provider to restore it.

Millions of cable modems are said to vulnerable to a flaw that can leave users cut off from the internet -- just by someone clicking on a trick link.

How many millions of cable modems is unclear.

Security researcher David Longenecker, who discovered the vulnerabilities, said the widely-used Arris Surfboard SB6141 cable modem, used in millions of US households, mishandles user authentication and cross-site requests.

The vulnerabilities can allow an attacker with access to the network to remotely reset the device, which wipes out the internet provider's settings and causing a denial-of-service attack. Every person and device on the network will permanently lose access to the internet until the modem owner contacts their internet provider.

Longenecker cited a 135 million cable modem figure based on Arris' sales and shipment data. Arris said that figure was misleading and the flaw represented a subset of that total. Arris later said it had shipped 175 million Surfboard modems.

What's unclear is how many modems will be shipped with this flaw in the future and whether cable providers will update the firmware. There's a bit of a herding the cable modem issue going on.

Longenecker released the "exploit" link after Arris stopped responding to emails he sent as part of the responsible disclosure process. He said there is no practical fix for the flaw.

Millions of Comcast, Time Warner Cable, and Charter customers (and more) were shipped one of these modems when they first subscribed.

The flaw is so easy to exploit that anyone on an affected network can be tricked into clicking on a specially crafted web page or email.

The flaw goes back at least eight years earlier prior to Arris' acquisition of Motorola's networking unit, according to a CERT vulnerability note dated April 2008.

"The simplest solution would be a firmware update such that the web [user interface] requires a username and password before allowing disruptive actions such as rebooting or resetting the modem, and that validates that a request originated from the application and not from an external source," he said.

Arris said that it recently addressed the access issue with a firmware update.

"We are in the process of working with our Service Provider customers to make this release available to subscribers," said the spokesperson. "There is no risk of access to any user data and we are unaware of any exploits."

"We take product performance very seriously. We work actively with security organizations and our service provider customers to quickly resolve any potential vulnerabilities to protect the subscribers who use our devices," the spokesperson added.

Updated with details from Arris and corrected throughout the story that the Surfboard device is a modem, not a router. We've also changed the headline based on shifting numbers and debate over shipments, actively used modems and potential impact.