Internet security isn’t just about your devices, but also what connects your devices to the internet.

Here at Webroot we have seen an influx of customers having problems with ads popping up on their devices while SecureAnywhere is reporting a clean scan. They report seeing multiple ads, some pornographic in nature, while connected to their home network—and only that network. Our advanced malware technicians have found that the DNS settings have been changed on the modem router and were causing these ads.

Getting a router from an ISP (Internet Service Provider) comes with several benefits and security risks. For benefits, the ISP technicians are trained on how to set up and support the modem, as well as being able to log into remotely using a backdoor they have set up to assist customers. This is not a setting you, as a user, can change or turn off.

Arris Cable modems are used by many major ISPs (Time Warner Cable, Comcast, Cox Communications, etc.) for this purpose. They are designed so a technician can login and help set up the router remotely for their customers. The backdoor they use has a password generated for it every day by a publically available algorithm (http://tylerwatt12.com/potd/) or—even worse—it’s a hardcoded password. This is not your default username/password, but a backdoor created by the manufacturer.

Once hackers/non-support technicians have access to the router through the technician’s backdoor, they can change the DNS settings to show ads on any device connected to the router. Because all traffic is being routed through the DNS server, your information can be compromised. Router settings can also be changed to allow for telnet access later if they want to get back in for any reason.

There are several ways they can infect your router, but it is usually done remotely by scouring IP addresses and seeing of the username/password of the day set by the algorithm works. Once they have access to the router, they are free to change the DNS settings as they wish.

How can you tell if you have this kind of infection?

If there are devices on your network receiving ads while only connected to that network—not seeing ads when on other networks (such as at a coffee shop or at the office)—and your antivirus software is reporting no threats, this could indicate the router has been accessed by someone outside your ISP’s company.

What can you do to protect your self?

By buying your own router, there will be no backdoor for ISP technicians. The routers you buy tend to last longer and have better configurations (port forwarding, encryption, SSID). However, you will have to set it up yourself, as major ISPs will not support modems that they do not provide.

Securing cable modems is more difficult than other embedded devices as, in most cases, you cannot choose your own device/firmware, and software updates are almost entirely controlled by your ISP. Below is an incomplete list of suspicious routers. You can also contact your ISP and ask them to address this exploit and provide a firmware update OR provide a non-vulnerable modem. 

• Arris CM820A
• Arris DG860
• Arris DG950A
• Arris TM501A
• Arris TM602A
• Arris TM602B
• Arris TM722G
• Arris TM802G
• Arris TM822G
• Arris TG862
• Arris TG862A
• Arris WBM760A

Sources:

• http://www.forbes.com/sites/andygreenberg/2012/07/13/researchers-say-time-warner-cable-and-comcast-distribute-wifi-routers-lacking-the-most-rudimentary-security/
• https://www.kb.cert.org/vuls/id/419568
• http://www.theregister.co.uk/2015/11/20/arris_modem_backdoor/
• https://w00tsec.blogspot.com/2015/11/arris-cable-modem-has-backdoor-in.html
• https://github.com/borfast/arrispwgen

About the Author

Blog Staff

The Webroot blog offers expert insights and analysis into the latest cybersecurity trends. Whether you’re a home or business user, we’re dedicated to giving you the awareness and knowledge needed to stay ahead of today’s cyber threats.