Hundreds of millions of cable modems are vulnerable to new Cable Haunt vulnerability:
A team of four Danish security researchers has disclosed this week a security flaw that impacts cable modems that use Broadcom chips.
The vulnerability, codenamed Cable Haunt, is believed to impact an estimated 200 million cable modems in Europe alone, the research team said today.
The vulnerability impacts a standard component of Broadcom chips called a spectrum analyzer. This is a hardware and software component that protects the cable modem from signal surges and disturbances coming via the coax cable. The component is often used by internet service providers (ISPs) in debugging connection quality.
On most cable modems, access to this component is limited for connections from the internal network.
The research team says the Broadcom chip spectrum analyzer lacks protection against DNS rebinding attacks, uses default credentials, and also contains a programming error in its firmware.
Researchers say that by tricking users into accessing a malicious page via their browser, they can use the browser to relay an exploit to the vulnerable component and execute commands on the device.
Cable Haunt: Millions of Cable Modems With Broadcom Chips Vulnerable to Attacks:
Hackers may be able to remotely take complete control of cable modems from various manufacturers due to a critical vulnerability affecting a middleware component shipped with some Broadcom chips.
The vulnerability, dubbed Cable Haunt and tracked as CVE-2019-19494, was identified by researchers from Lyrebirds and an independent expert. They've reproduced the attack on ten cable modems from Sagemcom, Netgear, Technicolor and COMPAL, but other manufacturers also likely use the Broadcom chip containing the vulnerability.
The researchers estimate that 200 million modems were initially affected by this vulnerability in Europe alone. However, over the past year they have been notifying affected ISPs — cable modems are typically provided to internet users by ISPs — and four companies in Denmark and Norway have reported patching their devices after being notified.
The flaw is related to a tool called spectrum analyzer, which uses a websocket to communicate with the device's graphical interface in the browser. The vulnerable tool is only exposed to the local network, but Cable Haunt attacks can also be launched from the internet by getting the targeted user to visit a malicious website or a site that serves malicious ads.
A hacker can set up a website that launches a DNS rebinding attack to gain access to the local network and execute the Cable Haunt exploit. DNS rebinding allows a remote hacker to abuse a targeted user's web browser to directly communicate with devices on the local network — in this case with the cable modem.
The researchers who discovered Cable Haunt explained that cross-origin resource sharing (CORS) in the browser should prevent such attacks, but they discovered that all of the tested modems were vulnerable to DNS rebinding.
(Score: 1, Interesting) by Anonymous Coward on Monday January 13 2020, @05:56PM (6 children)
As far as I can tell, my motorola cable modem doesn't allow *me* to update the firmware. Only the ISP can push it. My research indicates is may search for an update on a reboot/restart of the modem. So, trying that periodically to see if a new firmware is loaded. Otherwise, talking to Comcast won't get me anywhere. :(
(Score: 3, Funny) by Anonymous Coward on Monday January 13 2020, @06:42PM (3 children)
Open the cable modem. Find the flash chip. Often it will be a TSOP-48. If you are unlucky, it could be a BGA. Take it off. Use a soldering iron and some copper braid for a TSOP-48. For a BGA you'll need a hot air gun, being really careful to avoid blowing all the little tiny specs (resistors and capacitors) off of the board.
Get a flash programmer ready. You'll need an adapter that matches. If you have a BGA, get some sticky flux and balls and a laser-cut template so that you can put new balls on it. Put the chip in the flash programmer. Read out all the data.
Load up the data in IDA Pro, Ghidra, Binary Ninja, or Hopper Disassembler. Mark what is code and what is data, define functions and data types, and add comments. Do lots of thinking. When you spot the vulnerable code, figure out which bytes of code must be changed to fix it. Modify those bytes in a copy of the original flash image.
Write the modified flash image back to the flash chip. Read it out again to make sure it was written correctly. To be sure, you might even disassemble it again.
Solder the flash back into your cable modem, put the cover back on, and PLUG IN THE CABLE MODEM. That's it.
(Score: 4, Touché) by dmbasso on Monday January 13 2020, @07:56PM (1 child)
That's it? Why no one told me sooner?! I'll be back in a jiffy...
`echo $[0x853204FA81]|tr 0-9 ionbsdeaml`@gmail.com
(Score: 1, Informative) by Anonymous Coward on Tuesday January 14 2020, @01:47AM
Boo. I was expecting a NO CARRIER joke.
(Score: 2) by c0lo on Tuesday January 14 2020, @01:16AM
I was tempted to suggest making a backup of the vulnerable code so that you can analyze and craft exploits later.
But then I asked myself: as demonstrated, fixing hardware is easy, but who the hell has time to craft software and network exploits when there's still a mortgage to pay up? (grin)
https://www.youtube.com/watch?v=aoFiw2jMy-0 https://soylentnews.org/~MichaelDavidCrawford
(Score: 3, Insightful) by Anonymous Coward on Monday January 13 2020, @06:58PM (1 child)
The correct answer is to make ISPs legally liable for exploits when they don't push the manufacturer patches and for manufacturers to continue to patch their gear for a period of a few years.
There's little that the customer can do here as most ISPs don't seem to care about updating their hardware and customers have few options. In this case, the article doesn't contain any real information to help customers figure out whether or not their modem is affected.
(Score: 0) by Anonymous Coward on Tuesday January 14 2020, @06:02AM
Isn't it revealing how the government raised holy hell over Volkswagen Diesel and emissions... But are so tolerant of sloppy business grade crap that embeds executables into arbitrary data files?
Maybe Boeing building Business Grade aircraft will highlight the aftermath of building Business Grade stuff in the first place. Grandpa always told me if I can't find the time to do it right, I will have to make time to do it over. That paradigm does not seem to be a part of a Business education these days.
(Score: 4, Interesting) by edIII on Tuesday January 14 2020, @04:13AM
I'm not sure how this would work for somebody that has both a vulnerable cablemodem and a their own router.
The DNS rebinding attack accesses the local network of the target machine, NOT the local network of the cablemodem. On my network, the cablemodem would need to be addressable all on its own. In their definition, and attack tools, I see 127.0.0.1 being used which obviously can't work. So they're using private IP addresses to do it, which means they must have advanced knowledge of the specific cablemodem, or grab the default gateway somehow.
When the cablemodem is attached to the WAN interface of my router, it's not possible to route private IP addresses past the WAN interface. PfSense for one has default rules to block private/bogon on the WAN interface, and I doubt it's the only router firewall to do so by default.
This exploit is all the more reason why the cablemodem, router/firewall, and wireless access points should be separate hardware.
Technically, lunchtime is at any moment. It's just a wave function.