AT&T U-Verse, which used to be what they called their triple-play Internet-phone-TV package and is now just their TV package, has about 4 million customers. Compared to AT&T DirecTV, that is small, but still substantial.
Some part of that customer base uses Arris modems – maybe 150,000. Those modems have serious security holes that are likely being exploited in the wild by bad guys (and spies) today.
For one of the bugs, a recent update turned on Secure Shell (SSH), a remote access protocol that AT&T likely uses for support. SSH is not inherently bad, but it is horrible if you package it with a hard-coded, universal userid of remotessh and a hard-coded password of 5SaP9126. It doesn’t take an expert hacker to understand that if I can log into your Internet router from anywhere in the world and do things like look at your WiFi password (or change it), modify the network configuration or replace the modem’s software completely, that could be a problem. These bugs affect the NVG589 and NVG599 models only.
There is also a way to bypass the firewall of the modem by accessing the modem on port 49152. This security hole may affect every AT&T U-Verse customer.
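As an added example (not from the original post, AT&T or Arris), this short script checks whether your own gateway answers on the two TCP ports named above, 22 for SSH and 49152, and whether an SSH banner comes back. The function names and port labels are this example's own, and it only tests reachability.

```python
"""Check whether your own gateway answers on the TCP ports named in the post."""
import socket
import sys

# Port numbers come from the post; the labels are this example's wording.
PORTS = {22: "SSH remote access", 49152: "service reachable past the firewall"}


def probe(host, port, timeout=3.0):
    """Return (is_open, banner); banner is the first line the service sends, if any."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.settimeout(timeout)
            try:
                data = s.recv(256)
            except OSError:
                data = b""  # port is open, but the service waits for the client
            banner = data.split(b"\n", 1)[0].strip().decode("ascii", "replace")
            return True, banner
    except OSError:
        return False, ""  # refused, filtered or unreachable


def check_gateway(host, ports=PORTS, timeout=3.0):
    """Probe each port; return {port: {"open": bool, "ssh": bool, "banner": str}}."""
    report = {}
    for port in ports:
        is_open, banner = probe(host, port, timeout)
        # An SSH server identifies itself with a line that starts with "SSH-".
        report[port] = {"open": is_open, "ssh": banner.startswith("SSH-"),
                        "banner": banner}
    return report


if __name__ == "__main__":
    # Pass your own public IP address and run this from outside your home
    # network (a phone hotspot, for example) to see what the Internet sees.
    if len(sys.argv) != 2:
        sys.exit("usage: check_gateway.py <your-own-public-ip>")
    for port, result in check_gateway(sys.argv[1]).items():
        state = "OPEN" if result["open"] else "closed or filtered"
        print(f"{port:>5}  {PORTS[port]}: {state}  {result['banner']}")
```

If either port shows as open from outside, that is the concrete detail to bring to AT&T support.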
AT&T and Arris say that they are “investigating” the issues and until they are done investigating, they are not going to say anything.
In the meantime AT&T U-Verse customers are supposed to hang out and hope that no one has hacked their network.
From AT&T’s standpoint, they are not legally required to do anything unless non-public personal information has been exposed. They could make the case that they are not aware of any data being exposed. These two sentences are not legally at odds with each other. If you are a customer, that is not much comfort.
These bugs were publicly announced over a month ago. As far as we know, AT&T has not patched them. Assuming some customer or customers are exploited, this has the possibility of being an Equifax-class event for AT&T.
If you are an AT&T U-Verse customer, you need to start asking a lot of questions. Like NOW!
Information for this post came from Threatpost and other sources.