Modems used primarily by AT&T U-Verse customers suffer from a number of critical security vulnerabilities that make the devices easy for hackers to attack remotely, security researchers discovered.

The flaws, discovered by security researcher Joseph Hutchins, affect modems manufactured by Arris, a telecommunications equipment manufacturing company that provides devices to internet providers around the world, including AT&T.

Two models of modems at risk are the Arris NVG589 and NVG599 running the firmware version 9.2.2—though some of the issues discovered by Hutchins affect AT&T routers regardless of original equipment manufacturer (OEM), meaning even devices made by a manufacturer other than Arris are at risk.

One of the primary vulnerabilities putting the devices at risk is a set of hardcoded administrative credentials that allow anyone with the login to gain “root” or full remote access, essentially allowing an attacker to take full control over the modem.

Because the username and password are hardcoded and publicly disclosed, anyone could connect to an affected modem and enter the login information to gain access to the modem’s shell menu. From there, the attacker can view and change information about the Wi-Fi network, including routing traffic to malicious sites and servers.

With access to the shell, a threat actor could also inject other attacks into the modem that could put users at risk. For example, an attacker could inject advertisements into unencrypted web traffic to generate revenue or trick the user into clicking a malicious ad.

The vulnerabilities also put the modems at risk of being hijacked for other malicious tasks. A threat actor could use remote access to the modem to utilize the device as part of a botnet, in which hundreds or thousands of compromised devices are used to direct traffic at a single source to overwhelm it.

While it’s not clear what is responsible for the bugs appearing in the latest update, Hutchins wrote that the vulnerabilities are the result of "pure carelessness." He did note that at least some of the vulnerabilities were introduced after the routers were delivered to the internet provider, suggesting AT&T may have added its own customized code for customer support that caused the issue.

"Some of the problems discussed here affect most AT&T U-verse modems regardless of the OEM, while others seem to be OEM specific," Hutchins wrote. "So it is not easy to tell who is responsible for this situation. It could be either, or more likely, it could be both."

There are a number of fixes that can help users mitigate the vulnerabilities and keep their modem and online activity safe, which Hutchins lays out in a step-by-step fashion on his blog.

The patches to the security holes are relatively simple, though with an estimated 138,000 modems active with the vulnerabilities, there are plenty of people who will need to apply the fixes to remain safe from potential exploits.

AT&T did not immediately respond to a request for comment.