Date: 2020-01-10

A team of four Danish security researchers reported a security flaw this week affecting cable modems that use Broadcom chips.

The vulnerability, codenamed Cable Haunt, is estimated to affect 200 million cable modems in Europe alone.

Cable Haunt affects Broadcom spectrum analyzers

The vulnerability affects a standard component of Broadcom chips called a spectrum analyzer. This is a hardware and software component that protects the cable modem against signal spikes and interference via the coaxial cable. The component is often used by internet providers (ISPs) when debugging connection quality.

With most cable modems, access to this component is limited to connections from the internal network.

The research team says the Broadcom chip spectrum analyzer does not protect against DNS rebinding attacks, uses default credentials, and also contains a programming error in the firmware.

Researchers say that by tricking users into accessing a malicious page through their browser, an attacker can use the browser to relay an exploit to the vulnerable component and execute commands on the device.
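One way to spot the DNS rebinding step described above from the defender's side, as an added example that is not from the researchers or the original article: it scans resolver answers for public hostnames that resolve to internal addresses. The log tuple layout, hostnames, addresses and local suffix list are constructed assumptions.

```python
import ipaddress

# Internal ranges a home gateway should never see in an answer for a public name.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918
    "127.0.0.0/8", "169.254.0.0/16",                   # loopback, link-local
    "::1/128", "fc00::/7", "fe80::/10",                # IPv6 equivalents
)]

# Assumption: names under these suffixes are legitimately local.
LOCAL_SUFFIXES = (".home.arpa", ".lan", ".local")

# Constructed sample resolver log: (client, queried name, answer, TTL in seconds).
SAMPLE_ANSWERS = [
    ("192.168.0.23", "news.example.org", "93.184.216.34", 3600),
    ("192.168.0.23", "a1.rebind.example.net", "203.0.113.7", 1),
    ("192.168.0.23", "a1.rebind.example.net", "192.168.100.1", 1),
    ("192.168.0.40", "printer.home.arpa", "192.168.0.50", 300),
    ("192.168.0.40", "cdn.example.com", "198.51.100.9", 60),
]

def is_internal(ip):
    """True if ip falls inside one of INTERNAL_NETS."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)

def find_rebinding(answers):
    """Return one finding per public name answered with an internal address."""
    seen_external = set()
    findings = []
    for client, name, ip, ttl in answers:
        name = name.lower().rstrip(".")
        if name.endswith(LOCAL_SUFFIXES):
            continue
        if not is_internal(ip):
            seen_external.add((client, name))
            continue
        findings.append({
            "client": client, "name": name, "ip": ip, "ttl": ttl,
            # The same client saw this name on a public address earlier.
            "flipped": (client, name) in seen_external,
        })
    return findings

if __name__ == "__main__":
    for finding in find_rebinding(SAMPLE_ANSWERS):
        print(finding)
```

Resolvers that enforce this rule instead of only logging it (for example dnsmasq with `stop-dns-rebind`) drop such answers before the browser ever sees them.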

Using Cable Haunt, an attacker can:

Change the default DNS server

Perform remote man-in-the-middle attacks

Hot-swap code or even the entire firmware

Silently upload, flash, and upgrade firmware

Disable ISP firmware upgrade

Change every configuration file and all settings

Retrieve and set SNMP OID values

Change all associated MAC addresses

Change serial numbers

Enlist the modem in a botnet

Although the research team estimated that the number of vulnerable devices in Europe is around 200 million, they believe that the total number of exploitable devices is impossible to quantify.

“The reason for this is that the vulnerability arose in reference software, which apparently was copied by different cable modem manufacturers when creating their cable modem firmware,” researchers said. “This means that we have not been able to follow the exact spread of the vulnerability and that it can occur in slightly different ways for different manufacturers.”

Proof of concept code available

The four-man research team published a white paper and a dedicated website with information about Cable Haunt this week.

“The purpose of this website is to inform as many affected users and providers as possible to improve their ability to protect themselves,” they said.

The idea is to have ISPs test their devices and then release firmware updates to patch the Cable Haunt attack vector. At the time of writing, four ISPs have issued patches in Scandinavia (Telia, TDC, Get AS and Stofa), but many others in Europe are unaware of this security flaw.

In addition, for the reasons explained above, the research team was unable to test all Broadcom-based cable modem models in use today. Although they confirmed that some cable modems are vulnerable (see table below), many cable modem models have not yet been tested.

The researchers have published proof-of-concept code that ISPs and technically skilled users can use to test their cable modems and see whether they are vulnerable to a Cable Haunt attack.

An important point that the ZDNet team wants to communicate about Cable Haunt is that this attack is extremely complex to pull off, especially since the vulnerable spectrum analyzer component is only available on the internal network of the cable modem and is not directly exposed to the internet.

Exploitation of Cable Haunt requires an attacker to jump through several hoops in a multi-step process, making this attack highly unlikely to be used by botnet operators. However, the attack is not beyond the reach of a determined attacker who wants to compromise a high-value target.

All in all, it is smart research, but your cable modem is most likely to be hacked because you forgot to change the default password, or because it is vulnerable to other security flaws that can be abused directly over the internet because you forgot to update the firmware.

a super interesting vulnerability discovered by some researchers at @lyrebirds_dk! affects the cable modem reference software and is misused by accessing the vulnerable endpoint and then hitting it with a buffer overflow attack. #cablehaunt https://t.co/JJwJgZWv59

– gabsmashh (@gabsmashh) January 9, 2020