I read this and _instantly_ wonder if it's viable for certificate extraction to bypass the god-awful NAT system in AT&T's equipment, a-la pfatt: https://github.com/MonkWho/pfatt
Edit: Ah yes, this is covered in the section "Obtaining the certificate via reboot & exploitation"
However, AT&T added another layer of authentication in mid-2021 that precludes the use of third-party hardware. I don't think that part has been cracked yet.
>It is possible to recover the WiFi access code and SSID, remote administration password, SIP credentials (if VoIP is supported), ISP CWMP/TR-069 endpoint URLs and their username and password as well as other sensitive information, although some parts may require more complicated techniques or computing resources that may not be available to all attackers. Network-based unauthenticated exploitation is most severe if the router’s web services (such as the administration portal) are exposed to the Internet, though it can also be exploited on the LAN.
I just a few weeks ago got another Arris S33 modem for a client using cable, it's fairly well regarded. While this vulnerability doesn't list those, to me this further highlights how it can be valuable to separate out networking components vs all-in-one. The modem is purely a modem and talks only to the ISP. The router is a SuperMicro system running OPNsense, which then goes out to TP-Link Omada (or UniFi at another older site) gear for switching and WiFi. There is a network control VLAN as well as admin VLAN accessible only via WireGuard, which is the only way to get to the modem's admin page from the LAN. Controllers are self-hosted with network control VLANs at multiple sites again routed via WG to the controller.
While there are other advantages as well in terms of being able to replace parts piecemeal for less, better coverage etc, it's also nice in terms of vulns in one thing doesn't necessarily mean everything else instantly collapses, and it's easier to have multiple layers. The router is still a chokepoint, but full open source and standard hardware at least mean a lot of extra eyes and tools can be applied to it and one is never at some vendor's mercy for firmware updates. Modem compromise wouldn't affect the LAN beyond potentially messing with WAN access which would be noticeable fairly quickly. Default LAN users can't easily touch any of the infrastructure either. All while being transparently usable with internet of shit stuff that people want to utilize. Full zero-trust or a virtual overlay network might be better yet but starts to run into the same legacy issues that hound so much of the industry particularly for non-tech SoHo/SMB. While it's unfortunate how riddled with issues a lot of ISP devices have tended to be, it's pretty nice what reasonably priced powerful options exist for anyone with networking now across a huge range of skill levels. It could be much better still but it's not nothing.
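As an added illustration (not xoa's actual configuration and not part of the thread), this is a hand-written pf.conf expressing the segmentation described above on the OPNsense box: default LAN users get Internet only, the modem's management address is reachable solely from WireGuard peers on the admin VLAN, and the network-control VLAN is unreachable from the LAN. OPNsense normally generates these rules from its GUI; interface names, addresses and the modem management IP are constructed assumptions, and outbound NAT toward the modem's management address is assumed to be configured separately.

```pf
# Constructed example policy (not from the thread). Names/addresses are assumed.
wan_if      = "igb0"             # toward the bridged cable modem
lan_if      = "igb1"             # default user LAN (untagged)
wg_if       = "wg0"              # WireGuard tunnel carrying the admin VLAN
modem_admin = "192.168.100.1"    # modem management address (assumed)
admin_net   = "10.200.0.0/24"    # WireGuard peer addresses (constructed)
ctrl_net    = "10.201.0.0/24"    # network-control VLAN: controller <-> switches/APs

set block-policy drop
set skip on lo0
scrub in all

# Default deny; everything below is an explicit, logged exception.
block log all

# Default LAN users: no path to the modem or to either infrastructure VLAN.
# 'quick' makes this block final even though later pass rules would otherwise
# win under pf's last-match semantics.
block in quick log on $lan_if from $lan_if:network \
    to { $modem_admin, $admin_net, $ctrl_net }
pass in on $lan_if from $lan_if:network keep state

# The modem's admin page (HTTPS) is reachable only from WireGuard peers.
pass in on $wg_if proto tcp from $admin_net to $modem_admin port 443 keep state

# Admin VLAN may manage the network-control VLAN (controller, switches, APs).
pass in on $wg_if from $admin_net to $ctrl_net keep state

# Everything that survived the input rules may leave toward the WAN.
pass out on $wan_if keep state
```

A modem compromise here can only affect what crosses $wan_if; the blocked attempts from $lan_if:network toward $modem_admin are logged, which gives an early signal if a LAN host starts probing the infrastructure.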
Since you've operated both, what's your opinion on the Ubiquiti vs the TP-Link Omada and why did you switch?
I've done something similar with a Mikrotik CRS-309 as a router and some Ubiquiti U6 Meshes. The fiber ISP here leaves it to the owner to buy their own hardware to connect to an Icotera in bridge mode. I believe it allows the ISP to reduce their operating costs since there's no need to support a complex all-in-one router / switch / AP. Anything beyond the bridge is the user's responsibility.
I have an ISP-supplied Arris Cable Modem (luckily not vulnerable) and it is dreadful. The UI is shonky, looking at the HTML & CSS underlying it is enough to make you weep, outdated JS libraries, and - seemingly - no software updates.
I could just about understand if it was stable and gave good WiFi - but the ISP's forums are full of people complaining about it.
All I can assume is that Arris is £1 cheaper than the next model, and the ISP have decided that dealing with customer complaints is cheaper than a higher CapEx.
This modem is the last released DSL modem that Ziply seems to be supporting :c
I wish Ziply would officially support more modern DSL modems like the hardware that is in the C4000BG, that modem is able to make marginal DSL circuits perform so much better.
Pardon me for ignoring the implied "please ignore", but I'm very curious what "typedream" refers to? The only references I can find online are to a website builder platform, but the name sounds like it could represent a client app or maybe even a keyboard?
Monolithic network appliances, computers, endpoints, etc are fundamentally designed without a security-first posture.
There's nothing conceptually wrong with a modem that also contains a NAT firewall/router/switch/(WAP). But in practice, even examining the hardware architecture of a consumer-grade router reveals fundamental design flaws in terms of the monolithic nature of the hardware architecture. Thus, using separate appliances for modem, router, switch, etc., that are physically separated, is still a good idea.
Of course, once you pick apart the shortcomings of a global TCP/IP network itself, it's clear that a single pipe connected directly to the internet is also a horrible idea, security-wise. I have been asking myself of late: "Self, if we were to design the internet from scratch and from security-first principles, how would it look?" Doing so requires detaching entirely from the existing mess we've created. Actually building a new security-first internet with backwards-compatibility would be an enormous increase in complexity, and would put into question the viability of the security of trillions in investment into entrenched global-scale infrastructure. Thus, any attempts to solve this problem -- essentially boiling the ocean(s) -- is likely to remain (literally) a (multi-)pipe dream.
However, I am hopeful that new initiatives to build out 'hyperscale' and 'edge' clouds will present a genuine opportunity to realize the dream of a secure internet, secure networking, secure devices.
You do realize that this is already a red flag, right? In 99% of cases the decision to start from scratch when you already have something well established is a mistake.
RulerOf|3 years ago
Sadly my hardware appears to be patched.
oasisbob|3 years ago
I have a box somewhere with near-identical Motorola/Arris surfboards other than the logo and color.