Endpoint Security , Internet of Things Security

'Cable Haunt' Modem Flaw Leaves 200 Million Devices at Risk

Researchers: Buffer Overflow Allows Attackers to Seize Full Control of Unpatched Devices
'Cable Haunt' Modem Flaw Leaves 200 Million Devices at Risk

Security researchers have disclosed serious flaws in hundreds of millions of cable modems that they say could be exploited without leaving a trace.

See Also: The Weaponization of IoT Devices

The researchers say the flaw exists in middleware built into chips manufactured by semiconductor giant Broadcom that are widely used in cable modems. Due to a websocket implementation flaw, devices that are only exposed to a local network could still be remotely exploited by attackers via a buffer overflow, allowing them to remotely execute any code on the device.

The research team has dubbed such attacks Cable Haunt and says "an estimated 200 million cable modems in Europe alone" are at risk. They say every cable modem they have tested has been at risk, although some internet service providers have now developed and deployed firmware that mitigates the problem.

Broadcom says it issued updated firmware code to fix the flaw eight months ago. "We have made the relevant fix to the reference code and this fix was made available to customers in May 2019," a spokeswoman tells Information Security Media Group. Service providers who have issued a patch will have based it on Broadcom's code updates.

The vulnerability, originally codenamed "Graffiti," was discovered and has been disclosed by Alexander Dalsgaard Krog, Jens Hegner Stærmose and Kasper Kohsel Terndrup of Danish cybersecurity consultancy Lyrebirds, together with independent security researcher Simon Vandel Sillesen.

Has the flaw been abused by attackers in the wild? "Maybe," the researchers write on the Cable Haunt site. "We haven't found any evidence that suggests abuse, however a fairly skilled person could easily hide their exploitation."

The Technicolor TC7230 router is one of the many types of cable modems that use the vulnerable Broadcom chip.

Last year, they verified the flaw in cable modems built by four vendors before confirming that it was present in many more devices as well. The researchers say the buffer overflow flaw exists in the Broadcom chip's spectrum analyzer, which is meant to identify problems with a cable connection, such as interference. In addition, they report having found other flaws that attackers could also use, including the ability to conduct DNS rebinding - manipulating the resolution of domain names - and to make direct JavaScript requests to devices, aided by hardcoded access credentials built into many cable modems.

"We have worked hard for nearly a year now to try and spread the information amongst ISPs, manufacturers and suppliers," the researchers write, explaining their decision to publicly disclose the flaw now. "And even while some have been graciously working with us, we could tell that it would have taken us several years to get the information out."

The vulnerability has been designated CVE-2019-19494. Another version of the vulnerability, CVE-2019-19495, only exists in the Technicolor TC7230 modem, as detailed in a 32-page technical report (PDF) released by the researchers.

Two-Step Exploitation

"Cable Haunt is exploited in two steps," they say. "First, access to the vulnerable endpoint is gained through a client on the local network, such as a browser. Secondly the vulnerable endpoint is hit with a buffer overflow attack, which gives the attacker control of the modem."

Once attackers gain control of the modem, they could abuse it in multiple ways, the researchers warn:

  • DNS: Attackers could change the default DNS server, allowing them to eavesdrop on all traffic.
  • MiTM: Man-in-the-middle attacks could be launched against modem users.
  • Flash: Attackers could swap out or flash the firmware on devices, as well as disable ISP upgrades.
  • Configure: Every configuration file or setting could be altered.
  • SNMP: Attackers could alter simple network management protocol information, which is used to monitor device performance and status.
  • MAC: All MAC addresses associated with the modem could be changed.
  • Serial numbers: Attackers could alter serial numbers.
  • Zombie: Vulnerable devices could be pressed into service as "zombie" nodes in a botnet.

So far, the researchers note, five ISPs report having patched all vulnerable devices they've issued to customers:

  • TDC in Denmark
  • Stofa in Denmark
  • Get AS in Norway
  • Telia Norway
  • Com Hem / Tele2 in Sweden

Which specific makes and models are at risk? The researchers say that ISPs have confirmed to them that these 10 types of modems are vulnerable and need patching to be protected.

  • Sagemcom F@st 3890
  • Sagemcom F@st 3686
  • Technicolor TC7230
  • Netgear C6250EMR
  • Netgear CG3700EMR
  • Sagemcom F@st 3890
  • Sagemcom F@st 3686
  • Compal 7284E
  • Compal 7486E
  • Netgear CG3700EMR

In addition, the researchers say that others have found that these five also require firmware fixes.

  • Technicolor TC4400
  • Surfboard SB8200
  • Netgear CM1000
  • Netgear CM1000-1AZNAS
  • Arris CM8200A

Even so, "if your modem is not in the lists above it could still be vulnerable," the researchers say. They have released a test script via GitHub that can be used by network administrators and cable modem users to evaluate whether their device is at risk.

While their tests so far appear to have been largely confined to Europe, devices being used in many other regions also likely have the flaw.

Branded: Buffer-Overflow Flaw

The researchers say they're going public now to focus attention on the problem as well as help users to defend themselves.

"Without a way of unifying the issue across vendors, the chances of it being fixed universally were very slim," they say. "At this rate, it would eventually leak out of our hands and into organizations with time and resources to take advantage of the vulnerability. This is not fair for the users and would help expand, on scale, the ever-growing problems with cybersecurity companies and people face every day."

The researchers say they made the controversial decision to brand the flaw - following in the footsteps of Heartbleed, Meltdown, Spectre and others - to also help educate users, get everyone on the same page and drive ISPs to move more quickly (see: Perpetual 'Meltdown': Security in the Post-Spectre Era).

Explaining the name choice, the researchers say the flaw has silently and invisibly haunted cable modems for many years. "Due to its origins in reference code, it will be hard to truly say when it has been exorcised from all affected modems," they say. "Also, Spectre was taken."

This story has been updated with comment from Broadcom.


About the Author

Mathew J. Schwartz

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the executive editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, among other publications. He lives in Scotland.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing careersinfosecurity.asia, you agree to our use of cookies.