Charter Spectrum Ubee Modem Remote Reboot Attack
It has been some time now where my Ubee modem provided by Charter Spectrum Business would reset itself out of the blue. This has been a big frustration for me since I work from home and need my internet connection to be able to work. Calling into support; well I have called support many times over a 2 month period about the modem resetting itself multiple times a day. Now I do run a hardware VPN and also use software VPN, so maybe this can cause some drops if the Ubee modem couldn’t handle the streams. Well I took the VPN out of the picture and I still got the same results, so it was not VPN causing this issue. After speaking with charter support the following had been done to help correct the issue:
– New Line from the Node to the house (they had to dig under the drive way)
– New Modem replacement
– New Coax cables in the house (even though I replaced them myself a few years back)
– New Coax ends (which I think is a gimmick and just makes it look like the tech is doing something)
– Coax wall jack replaced
Now It was nice that Charter stepped up and was trying to get my line stable and eat the cost. The techs that come out are very professional and really try to help you. After saying this, the phone techs don’t have much knowledge and if they don’t see anything in the modem logs they can’t help.
What might be the Issue?
Well the other day I got off the phone with Charter business again and they saw the modem resetting from the modem logs; they scheduled another tech to come on sight. Now I told them I would setup a monitoring tool to try and help collect data since it seems Charter doesn’t have any sort of tool to help their techs out.
Before I was to setup my monitoring tool, I ran a port scan on my public IP to see what ports might be opened on my firewall. While running the port scan my modem reset itself. At this point I did not think anything of it. After the modem came back up I ran the port scan again, then once more the modem reset. Well I think I found the issue, every time I port scanned my public IP the modem would reset itself. I called charter back and told them what I found. Of course the tech didn’t believe this and blamed the modem being bad and needed to be replaced.
So after some research online I noticed this has been an issue since 2013 at least and is called “Remote Reboot Attack” this has affected many models of cable modems.
How does this work?
Well for some reason when a port scan sends packets to port 161/UDP which is used for SNMP, the modem takes that as a command to reboot itself. Interesting right? After I dug more into this, I tried running a nmap scan to my public IP and only use port 161. Sure enough the modem reset itself.
nmap -p 161 -T4 iphere
What to do?
After looking into how to fix this, I found that the manufacturers know about this issue and have a firmware to patch this bug, unfortunately I am unable to upgrade the firmware on the Ubee modem since it’s the ISP property. So for now I am looking into purchasing a cable modem to replace this Ubee one, unless charter will update the firmware for me to fix this issue.
Charter tech came out today and I showed him the Remote Reboot Attack. He was shocked and went back into his truck to get another modem. This time is was not an Ubee modem but a Hitron modem. After it was installed and setup we tried the Remote Reboot Attack again, this time the port was closed and the modem rejected the packet. Looks like I am good for now. Thank you Charter.