Arris said it's aware of a backdoor vulnerability in its cable modems, but that the security risk is "low."
"Security is a top priority at Arris," said a company statement. "When it comes to our network and customer premises equipment products, we work actively with security organizations and our service provider customers to identify and quickly resolve any potential vulnerabilities to protect the consumers who use our devices. We are aware of the recently reported password vulnerability. The risk related to this vulnerability is low, and we are unaware of any exploit related to it. However, we take these issues very seriously and review them with the highest priority. Our team has been working around the clock on modem updates that address this reported vulnerability."
Arris released its statement after a Brazilian security analyst said he documented multiple backdoors allowing remote access to Arris cable modems.
"While researching on the subject, I found a previously undisclosed backdoor on Arris cable modems, affecting many of their devices including TG862A, TG862G, DG860A," said Bernardo Rodrigues on his personal blog. "As of this writing, Shodan [search engine] searches indicate that the backdoor affects over 600.000 externally accessible hosts and the vendor did not state whether it's going to fix it yet."
Arris is a leading manufacturer of cable modems, selling its devices to Comcast (NASDAQ: CMCSA), Time Warner Cable (NYSE: TWC), Charter Communications (NASDAQ: CHTR) and Cox Communications.
Rodrigues said he reported his findings to the Software Engineering Institute at Carnegie Mellon University and to Arris. But he said he didn't get too much feedback from the vendor. He did comply with Arris' request not to publish the password-generating algorithm for the backdoor.
"I'm pretty sure bad guys had been exploiting flaws on these devices for some time (just search for Arris DNS on Twitter, for example)," he said.