The ARRIS TG852G is a DOCSIS 3.0 cable modem/router that’s being deployed en masse by Time Warner and Comcast. If you’re a customer with this hardware, then you may be saddened to find that your service provider won’t give you a login to configure the box. This talk will walk you through two different methods to gain access to the device by exploiting weakly implemented authentication mechanisms on it. You’ll see how a three-year-old documented “feature” designed to keep customers out can quickly become a provider’s worst security nightmare. The talk will also go a step further and show you how aggregating some publicly available datasets would allow an attacker to use the vulnerability to quickly and effectively build an army of thousands of routers.