Multiple cable modem models from various manufacturers found vulnerable to takeover attacks

Hundreds of millions of cable modems from various manufacturers may be susceptible to a critical vulnerability that can enable attackers to intercept people’s private messages or redirect their internet traffic, new research has found.

Tracked as CVE-2019-19494 and nicknamed Cable Haunt, the vulnerability is estimated to have affected nearly all cable modems in Europe until recently, with many still remaining at risk. How so? The researchers from Denmark-based security consultancy Lyrebirds – who discovered the security hole and detailed their findings in a paper available for download from this dedicated website – put it this way:

“There are an estimated 200 million cable modems in Europe alone. With almost no cable modem tested being secure without a firmware update, the number of modems initially vulnerable in Europe is estimated to be close to this number,” said the company. Some internet service providers (ISPs) were recently notified of the issue and shipped out firmware to address the problem. Either way, it is strongly suspected that there are more vulnerable modems throughout the world.

The ghost in the modem

The flaw resides in reference software that runs the spectrum analyzer tool on chips made by semiconductor company Broadcom. The spectrum analyzer component, which is tasked with pinpointing and debugging problems in modem cable connection, is used by various cable modem manufacturers in their devices’ firmware – hence the apparently vast number of vulnerable modems.

While the spectrum analyzer is exposed to the local network, attackers could still abuse Cable Haunt for remote access from anywhere in the world. The modems were found to be vulnerable to remote code execution through a WebSocket connection, which is initiated after the victim is lured to a booby-trapped website that serves malicious JavaScript code. The ensuing buffer overflow attack provides the threat actors with access to the modem, while browser security mechanisms are successfully bypassed with a DNS rebinding attack.

“The exploit is possible due to lack of protection proper authorization of the websocket client, default credentials and a programming error in the spectrum analyzer. These vulnerabilities can give an attacker full remote control over the entire unit, and all the traffic that flows through it, while being invisible for both the user and ISP and able to ignore remote system updates,” said the researchers.

The possible malicious actions include tampering with DNS settings, replacing modem firmware, corralling devices into a botnet, or conducting remote Man-in-the-Middle (MitM) attacks to intercept private information.

The research team created a proof-of-concept (POC) exploit and tested it successfully against multiple firmware versions on several cable modems from Sagemcom, Netgear, Arris, Compal and Technicolor. A full list of modems and firmware versions that were confirmed to be vulnerable is available on the aforementioned website. Also available is the POC code, which allows users to check whether their particular cable modem may also be susceptible to the threat.

What (else) to do?

The researchers also said that they had notified as many of the largest ISPs and manufacturers as possible, with varying success: “Some of the contacted ISPs have informed us that they have or are rolling out firmware updates; however, we are still missing updates from several, and some have wished not to be listed on this website”. People who have received their cable modem from their ISP will probably need to wait for their provider to ship the update, unless this has happened already.

In the meantime, BankInfoSecurity quoted Broadcom as saying that the company “made the relevant fix to the reference code and this fix was made available to customers in May 2019″.

On a positive note, the researchers said that they’re not aware of actual in-the-wild attacks abusing Cable Haunt. Indeed, the attacks are not trivial to carry out.

14 Jan 2020 – 05:23PM

Leave a comment

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Top
%d bloggers like this: