Trivially exploitable vulnerabilities have been discovered in several Arris home modems, routers and gateways distributed to consumers and small businesses through AT&T’s U-verse service.
It’s unknown yet whether the firmware vulnerabilities were introduced by the OEM or the ISP since AT&T seems to have access to Arris firmware and can customize code on the devices before they’re sent to customers, researchers at security consultancy Nomotion told Threatpost. The researchers uncovered support interfaces easily accessible over SSH, and hidden services exposing the devices to remote and local attacks.
