Cable Haunt: Millions of Cable Modems with Broadcom Chips Vulnerable to Attacks

Recently, hackers are able to remotely take full control of the cable modems from different manufacturers due to a critical vulnerability affecting a middleware component shipped with some Broadcom chips.

This vulnerability is named as Cable Haunt and is identified by the researchers from Lyrebirds. They have also simulated the attack on 10 cable modems from Sagemcom, Netgear, Technicolor and COMPAL, but other manufacturers also likely use the Broadcom chip containing the vulnerability. The researchers have estimated that 200 million modems were initially affected by this vulnerability in Europe alone.

CVE ID: CVE-2019-19494

Vulnerability: the flaw is concerned with a tool called spectrum analyser, which makes use of a web socket to communicate with the device’s graphical interface in the browser. The vulnerable tool is only exposed to the local network, but Cable Haunt attacks can also be launched from the internet by getting the targeted user to visit a malicious website or a site that serves malicious ads. This can be achieved through DNS rebinding attack. A hacker can set up a website that launches a DNS rebinding attack to gain access to the local network and execute the Cable Haunt exploit. DNS rebinding allows a remote hacker to abuse a targeted user’s web browser to directly communicate with devices on the local network — in this case with the cable modem.

The researchers who discovered Cable Haunt explained that cross-origin resource sharing (CORS) in the browser should prevent such attacks, but they discovered that all of the tested modems were vulnerable to DNS rebinding. Once the attacker has gained remote access to a modem, they can exploit buffer overflow vulnerability in the spectrum analyser component to execute arbitrary code on the device. An attacker could change DNS and other settings, conduct man-in-the-middle (MitM) attacks, change the device’s firmware, obtain information about the device, and make the modem part of a botnet, the researchers said.

While in some cases, the modems require authentication before accepting requests, the researchers found that all the tested devices have default credentials that can be used for this purpose. It’s worth noting that these are not the credentials for the device’s administration panel, but for the spectrum analyser tool.

Recommendations:

  1. The vulnerability affects cable modems using Broadcom’s reference software as part of their firmware, so the first thing is to work out whether your broadband connection is served using that technology combination (ones advertised as being fibre or ADSL are not affected).
  2. Since cable modems are remotely managed, ISPs will apply a fix automatically when it becomes available.