
Popular Motorola/Arris SurfBoard Cable Modems Have Annoying Security Flaw

Phillip Dampier April 11, 2016 Consumer News 1 Comment

If you own or lease a Motorola/Arris SurfBoard 5100, 6121, or 6141 cable modem, security researchers have uncovered an annoying vulnerability that could expose you to a denial of service attack.

David Longenecker first discovered the flaw with the world’s most popular cable modem — the SB-6141, a highly recommended DOCSIS 3 model. The firmware does not password protect access to the cable modem’s configuration menu, accessible by visiting 192.168.100.1 in a web browser.

In addition to technical information about the modem and the cable system’s current cable broadband configuration, there are two user accessible reset buttons, one to reboot the modem and another to reset it to its original factory settings. Rebooting the modem will disrupt your Internet connection for under a minute, but doing a factory reset could bring the modem offline until someone reaches the cable company to request the modem be reauthorized. An individual with nefarious intent can repeatedly reset the modem, bringing the user offline again and again.

SB6141 is a DOCSIS 3 modem

The Houston Chronicle explains how this could become a widespread problem:

Included within this interface is the ability to reset the modem. A user can be tricked into clicking on a simple link that will reboot the SB6141, and you can see a proof of concept here. Note that if you have one of these modems with this flaw, and you click the link, your modem WILL reboot.

Normally, you’d have to be sitting at a computer on the same network as the modem to trigger a reboot. But the link above takes advantage of the fact that you can mask a local Web page address as an image file. As Longenecker describes it:

Did you know that a web browser doesn’t really care whether an “image” file is really an image? Causing a modem to reboot is as simple as including an “image” in any other webpage you might happen to open – which is exactly the approach taken on the RebootMyModem.net proof of concept:

<img src="http://192.168.100.1/reset.htm">

Of course it’s not a real image, but the web browser doesn’t know that until it requests the file from the modem IP address – which of course causes the modem to reboot. Imagine creating an advertisement with that line of code, and submitting it to a widely-used ad network…

Advanced users can go into their router’s configuration page and block access to the IP address 192.168.100.1 (the modem’s configuration page) for anyone inside their network. That step prevents you or anyone else on your network from accidentally clicking a link that tricks your modem into rebooting. But most users will probably wait until Arris has distributed firmware updates that cable operators will eventually apply to correct this vulnerability. The upgrade will occur in the background and most users will never notice it.
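The technique quoted above depends on a page element that the browser fetches automatically from a local address. As an added example (not from the original article or from Longenecker), this Python check shows how an ad network or web filter could flag such markup before serving it; the tag list, function names and sample HTML are assumptions constructed for illustration.

```python
from html.parser import HTMLParser
from ipaddress import ip_address
from urllib.parse import urlsplit

# Tag/attribute pairs a browser fetches on page load, with no click needed.
AUTO_FETCH = {
    "img": ("src",), "script": ("src",), "iframe": ("src",), "embed": ("src",),
    "link": ("href",), "video": ("src", "poster"), "audio": ("src",),
    "source": ("src",), "object": ("data",),
}

def is_internal_host(host):
    """True for literal IPs in private, loopback or link-local ranges."""
    try:
        addr = ip_address(host)
    except ValueError:
        return host.lower() == "localhost"  # other hostnames are not resolved
    return addr.is_private or addr.is_loopback or addr.is_link_local

class InternalFetchFinder(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []  # (tag, attribute, url)

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name not in AUTO_FETCH.get(tag, ()) or not value:
                continue
            try:
                host = urlsplit(value.strip()).hostname
            except ValueError:  # malformed URL, e.g. unbalanced IPv6 bracket
                continue
            if host and is_internal_host(host):
                self.findings.append((tag, name, value.strip()))

def find_internal_fetches(markup):
    finder = InternalFetchFinder()
    finder.feed(markup)
    finder.close()
    return finder.findings

# Constructed sample: a normal banner, the <img> from the article, a plain link.
SAMPLE = """
<img src="https://cdn.example.com/banner.png" alt="banner">
<img src="http://192.168.100.1/reset.htm" width="1" height="1">
<a href="http://192.168.100.1/">modem status page</a>
"""

if __name__ == "__main__":
    for tag, attr, url in find_internal_fetches(SAMPLE):
        print(f"flag: <{tag} {attr}> auto-fetches internal address {url}")
```

The check only matches literal IP addresses and `localhost`; a hostname that resolves to an internal address would need to be resolved at filter time to be caught.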

Simple Website Flaw Discovered by 18-Year Old Exposed Personal Data of Millions of Charter Customers

Phillip Dampier May 20, 2015 Charter Spectrum, Consumer News

A security flaw exposed the personal data of millions of Charter Communications customers nationwide, including payment details, account holders’ names and addresses, and specifics about the equipment used to receive Charter service.

Eric Taylor, 18, discovered the simple website flaw which could be exploited to expose private account information with the use of a simple header modification using a browser plug-in.

The flaw was similar to one discovered recently in Verizon’s online customer service portal. But Taylor claims Charter’s vulnerabilities exposed “way way way more” private customer information.

Fast Company, which first published the story about the security breach, notified Charter in advance of publishing the story, allowing the company to close the breach within hours before it became widely known.

Charter immediately downplayed the security risks involved.

“The vast majority of Charter customers use a version of the site on which this security vulnerability was not an issue,” a company spokesperson explained, noting the number of customers affected was less than one million. The company is auditing its systems, he said, and has so far “seen no evidence of any password or data hacks.” The exposed data did not include credit card numbers.

Taylor and other security researchers believe the flaw was more serious than Charter was willing to admit.

“In theory, anyone with minor programming skills could code an automated program that scans every Charter IP and returns the customers billing info,” Taylor explained. Because ISPs like Charter distribute Internet services through blocks of IP addresses, an ambitious hacker could have incrementally added the number 1 to the end of a targeted address and seen a different Charter customer’s account details each time.

“Personal information leakage as a result of such a vulnerability opens customers up to being attacked on other services such as email providers, cellular providers, and work-related functions with many untold consequences,” said Hector “Sabu” Monsegur, a former black hat hacker and security consultant.

Sen. Schumer Warns Your Internet Enabled Smart TV May Be Spying on You

Sen. Schumer

That new Internet-enabled television in your living room may be allowing virtual Peeping Toms to watch and listen to you because manufacturers never bothered with adequate security measures to keep unwanted guests out.

Sen. Charles Schumer (D-N.Y.) is calling on major television manufacturers to create a uniform security standard to stop the hacking before it becomes widespread.

A security research group recently highlighted security flaws in so-called “smart” TVs that make it simple for anyone to hack the television’s internal microphone and embedded camera originally designed for video chatting. The security group warned that almost anyone could begin eavesdropping within minutes of identifying a vulnerable television — most lacking any significant security measures to prevent unauthorized video spying.

“You expect to watch TV, but you don’t want the TV watching you,” said Schumer. “Many of these smart televisions are vulnerable to hackers who can spy on you while you’re watching television in your living room. Our computers have access to firewalls and other security blocks but these televisions do not and that’s why manufacturers should do everything possible to create a standard of security in their internet-connected products.”

The security vulnerability exists because many modern “smart” TVs are now connected to the Internet. To enhance the social experience, many of these televisions are equipped with microphones and unobtrusive video cameras similar to those found in a laptop. But many consumers do not realize these devices could allow anyone on the outside to activate the camera and microphone unbeknownst to the owner and quietly watch and listen in on what is happening inside a home.

Particularly vulnerable

Samsung televisions starting with the 2012 model year were called particularly vulnerable to hacking. Researchers found they could not only access cameras and microphones, they could also tap into the television’s web browser, steal user accounts and passwords, and redirect consumers to hacked websites designed to capture personal information including credit card numbers and bank account information.

Some manufacturers have not taken responsibility for the security flaws, suggesting worried consumers put black electrical tape over the camera or unplug the TV when not in use. Samsung has issued patches for many of the affected devices and promises more changes in future models.

Schumer called current measures inadequate and said they too often leave the burden solely on consumers. He wants an industry security standard implemented that includes a firewall and other security measures that keep unwanted visitors out without forcing consumers to disable features they paid to have on their television.

[flv width=”368″ height=”228″]http://www.phillipdampier.com/video/WTEN Albany Schumer Says TV Could Be Watching You 8-4-13.mp4[/flv]

Your Internet enabled television set may be vulnerable to hacking. WTEN in Albany reports Sen. Schumer wants manufacturers to create a uniform security standard to keep unwelcome visitors out of your living room. (2 minutes)
