I'm not sure I'd trust Arris products at this point. From another blog post in 2014: "It is worth noting that on previous FW revisions the CGI calls did NOT require any authentication and could be called without providing a valid "credential" cookie." http://console-cowboys.blogspot.ca/2014/09/arris-cable-modem...

With mistakes like that, and three layers of backdoors, I'm half expecting discoveries of hardware backdoors next ...

I skimmed trough it so it wasn't clear to me.

But if you ssh and have root access, then you should be able to change the password. As well as edit a startup script to move/delete the backdoor files.

Try it at your own risk.

The whole point of a backdoor is that changing the password is ineffective. And the backdoor isn't a file you can delete, it's just a couple of extra instructions buried in the code - the article made that clear.

no, as the nature of it forces it to be on your network edge.

Wouldn't putting the Arris modem in bridging mode mitigate it? It should no longer be accessible via an outside IP at that point.

it almost certainly still has an externally accessible ip at that point for management purposes. (bridge 2 interfaces, add a virtual interface to the bridge)

I don't believe management from the CableCo is done over IP and the other management end requires being plugged into the LAN port.

Management for the DOCSIS modems is definitely done over IP. It isnt over SSH but via a webapp controller. This webapp is used to push the firmwares which have the speed limits set in them.

I know of a cable co now doing management over v6, but I think there's a non-IP protocol too

as the article states, scans found wan acessible modem uis

Yes, but by default a modem from your ISP is acting as a NAT device routing to a private IP space. By default, it has an externally available IP address and will answer on that or those addresses.

Many can, however, be configured as a bridge, which turns the device into just a converter between physical mediums. You now need another device to route and act as your gateway. In that setup you shouldn't be able to find it with an IP connection scan, because it doesn't have one.

> Yes, but by default a modem from your ISP is acting as a NAT device routing to a private IP space.

Not in my experience. The default modem provided by both Comcast and Knology (who is -I guess- now WOW!) is (or was, in the case of Knology) a bridge device that requires you to provide your own router. You have to ask for a modem that's also a router to get something that's not a bridge.

That doesn't mean that the modem doesn't have an IP address, mind. AIUI, on Comcast's network the modem gets an IPv6 address so that they can do network management stuff to it.

That said, it's possible that your cable company could protect you (and their other customers) at the expense of you possibly losing access to port forward SSH, etc.