November 19, 2017
(beginning compilation) x
January 13, 2018 (stopped back to add screenshot) x
Preface: On a fluke, I found the following writ *(credit to the author,
the name of which is contained below **and this IS for educational
At the bottom of this writ is a statement by someone unknown to me. IT
IS EXACTLY WHAT MY VIDEOS SHOW ON YOUTUBE AND THE VIDEOS ARE PROPERLY
DATED WITH MORE TO COME.
YOU HAVE BEEN WARNED (NOW WHAT YOU DO WITH THIS INFORMATION IS BETWEEN
YOU AND YOUR GOD). end of story
Irrefutable Video Evidence is forthcoming. Here's where I was at in
reference to this topic a mere 5 days ago:
Router flaws put AT&T customers at hacking risk
The bugs are easy to exploit, but can be easily mitigated.
By Zack Whittaker for Zero Day | September 4, 2017 -- 13:23 GMT (06:23
PDT) | Topic: Security
Thousands of routers, many of which belong to AT&T U-verse
customers, can be easily and remotely hacked through several critical
Five flaws were found in common consumer Arris routers used by AT&T
customers and other internet providers around the world. The flaws were
detailed in a blog post by Joseph Hutchins, who described some of them
as being the result of "pure carelessness."
The report said Arris NVG589 and NVG599 modems with the latest 9.2.2
firmware are affected, but it's not clear who's responsible for the
Hutchins said that some of the flaws may have been introduced after the
routers were delivered to the internet provider, which often adds
customized code for remote interactions, such as customer support and
"Some of the problems discussed here affect most AT&T U-verse
modems regardless of the OEM, while others seem to be OEM specific,"
said Hutchins. "So it is not easy to tell who is responsible for this
situation. It could be either, or more likely, it could be both."
Among the vulnerabilities are hardcoded credentials, which can allow
"root" remote access to an affected device, giving an attacker full
control over the router. An attacker can connect to an affected router
and log in with a publicly disclosed username and password, granting
access to the modem's menu-driven shell. An attacker can view and
change the Wi-Fi router name and password, and alter the network's
setup, such as rerouting internet traffic to a malicious server.
The shell also allows the attacker to control a module that's dedicated
to injecting advertisements into unencrypted web traffic, a common
tactic used by internet providers and other web companies. Hutchins
said that there was "no clear evidence" to suggest the module was
running but noted that it was still vulnerable, allowing an attacker to
inject their own money-making ad campaigns or malware.
Buggy routers don't always lead to unauthorized network access, but can
instead be hijacked as part of botnet operations, like Mirai, which
when powered up can target and throw websites and services offline.
Rapid7 reported the vulnerability as an 8/10, on the higher end of the
It's not known exactly how many devices are affected, however.
One estimation said as many as 138,000 routers are vulnerable to
attackers, according to a tweet by Victor Gevers, chairman of the GDI
Foundation, a Dutch non-profit organization dedicated to internet
security. The numbers are more nuanced, he explained, and the
vulnerabilities are not limited to the hardcoded credentials flaw.
Another bug affects "every single" Arris-built AT&T U-verse device,
according to Hutchins, putting potentially millions of customers at
An attacker can bypass the firewall on the device by brute-forcing the
half-completed MAC address on the device. Hutchins said that he
believes the bug allows AT&T staff to connect to an AT&T-issued
television digital recorder on the same network, but the implementation
went "terribly wrong."
He said that this "most widespread vulnerability" has the easiest fix.
Hutchins has published several self-mitigation methods on the blog.
Hutchins said it was "hard to believe" that the flaws are not being
A spokesperson for Arris said the company wouldn't comment on specifics
as it was "currently verifying" the report. "We can confirm ARRIS is
conducting a full investigation in parallel and will quickly take any
required actions to protect the subscribers who use our devices," the
AT&T did not respond to a request for comment outside business
hours. (Monday is a US national holiday.) We'll update if that changes.
Alert: AT&T customers with Arris modems at risk of remote hacking,
claim infosec bods
Just the usual procession of firmware vulnerabilities
By Richard Chirgwin 1 Sep 2017 at 02:01
Infosec consulting firm Nomotion has reported vulnerabilities in Arris
broadband modems which it says are trivial to exploit and could
affect nearly 140,000 devices.
The report claims the modems carry hard-coded credentials, serious
since a firmware update turned on SSH by default. That would let a
remote attacker access the modem's cshell service and take a leisurely
walk through most of the devices' controls and levers.
“The username for this access is remotessh and the password is
5SaP9I26”, Nomotion states.
The shell's capabilities include “viewing/changing the WiFi
SSID/password, modifying the network setup, re-flashing the firmware
from a file served by any tftp server on the Internet” and there's also
access to a kernel module “whose sole purpose seems to be to inject
advertisements into the user’s unencrypted web traffic.”
That last isn't in use in the modem, Nomotion's Joseph Hutchins writes,
but the code is present and vulnerable.
The modems in question are the Arris NVG589 and NVG599, which Nomotion
notes are provided as standard customer premises equipment for AT&T
The bugs could have been added by AT&T, the report says, since
while “examining the firmware, it seems apparent that AT&T
engineers have the authority and ability to add and customize code
running on these devices, which they then provide to the consumer (as
The cshell runs as root, which means any other possible exploit is also
trivial to exploit. For example, he provides a demonstration of a
command injection using its ping functionality.
Other vulnerabilities Hutchins says he's found in the modems include:
- Default https server credentials: Hutchins isn't sure why there's an
https server running on port 49955, but it's there, and user “tech”
with no password can access it;
- Command injection: the same https server (named “caserver”) accepts
commands to upload a firmware image; rifle through its internal
databases; and send configuration commands with requests to a set_data
command;
- More information disclosure and hard-coded credentials: a service on
port 61001 leaks device information under the right conditions,
including another set of credentials, “bdctest/bdctest”; and
- A firewall bypass on port 49152.
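The two articles above describe the same exposure from the defender's side: a handful of service ports (SSH with the "remotessh" account, the "caserver" https service on 49955, the disclosure service on 61001, the firewall bypass on 49152) reachable from the WAN, and a few hard-coded account names. The following Python script is an added example, not code from the page, from Nomotion or from Arris. It runs a simple triage over firewall/router-style log lines to flag WAN-originated connections to those ports and any login using one of the disclosed account names. The log line format, the WAN address 198.51.100.9 and every source address are constructed for this example; the port-to-description mapping and the account names are taken from the coverage above.

```python
"""Triage router/firewall log lines for the Arris NVG589/NVG599 indicators
named in the reporting above.

Constructed, defender-side example: the log format is invented for this
script; the ports and account names come from the articles.
"""
import ipaddress
import re
from dataclasses import dataclass

# Service ports named in the coverage, with the page's description of each.
WATCHED_PORTS = {
    22: "ssh / cshell (hard-coded remotessh account)",
    49955: "caserver https (user 'tech', no password; command injection)",
    61001: "information disclosure service (bdctest/bdctest)",
    49152: "firewall bypass",
}

# Account names the reporting says are hard-coded into the firmware.
HARDCODED_USERS = {"remotessh", "tech", "bdctest"}

# Only these ranges count as LAN-side; anything else is treated as WAN.
LAN_NETWORKS = [
    ipaddress.ip_network(n)
    for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")
]

# Hypothetical log formats (constructed for this example).
CONN_RE = re.compile(
    r"CONN src=(?P<src>[\d.]+):\d+ dst=(?P<dst>[\d.]+):(?P<dport>\d+)"
)
LOGIN_RE = re.compile(
    r"LOGIN user=(?P<user>\S+) src=(?P<src>[\d.]+) result=(?P<result>\w+)"
)


@dataclass(frozen=True)
class Finding:
    line_no: int
    kind: str
    detail: str


def is_external(ip: str) -> bool:
    """True when the source address is outside the LAN ranges above."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in LAN_NETWORKS)


def analyze(lines):
    """Return one Finding per log line that matches an indicator."""
    findings = []
    for n, line in enumerate(lines, start=1):
        m = CONN_RE.search(line)
        if m:
            dport = int(m.group("dport"))
            # A WAN-side hit on a watched port means the service is exposed.
            if dport in WATCHED_PORTS and is_external(m.group("src")):
                findings.append(Finding(
                    n, "exposed-service",
                    f"{m.group('src')} -> port {dport}: {WATCHED_PORTS[dport]}"))
            continue
        m = LOGIN_RE.search(line)
        if m and m.group("user") in HARDCODED_USERS:
            # Any use of a hard-coded account is worth a ticket; a success
            # is an incident.
            kind = ("hardcoded-login-success" if m.group("result") == "ok"
                    else "hardcoded-login-attempt")
            findings.append(Finding(
                n, kind, f"user {m.group('user')} from {m.group('src')}"))
    return findings


# Constructed sample input; 198.51.100.9 stands in for the modem's WAN IP.
SAMPLE_LOG = """\
CONN src=192.168.1.20:51234 dst=192.168.1.254:22
CONN src=203.0.113.7:40000 dst=198.51.100.9:22
LOGIN user=remotessh src=203.0.113.7 result=ok
CONN src=203.0.113.8:40001 dst=198.51.100.9:49955
CONN src=203.0.113.9:40002 dst=198.51.100.9:443
LOGIN user=admin src=192.168.1.20 result=ok
LOGIN user=bdctest src=203.0.113.10 result=fail
""".splitlines()

if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f"line {f.line_no}: {f.kind}: {f.detail}")
```

Run against the constructed sample it reports four findings: the WAN-side SSH and caserver connections, the successful "remotessh" login, and the failed "bdctest" attempt; the LAN-side SSH session, the port 443 connection and the "admin" login are left alone. The LAN ranges are listed explicitly rather than via `ip_address(...).is_private` because Python also treats the documentation ranges used in the sample (203.0.113.0/24, 198.51.100.0/24) as private.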