venustus

Level 55
Verified
Trusted
Content Creator
A team of four Danish security researchers has disclosed this week a security flaw that impacts cable modems that use Broadcom chips.
The vulnerability, codenamed Cable Haunt, is believed to impact an estimated 200 million cable modems in Europe alone, the research team said today.
The vulnerability impacts a standard component of Broadcom chips called a spectrum analyzer. This is a hardware and software component that protects the cable modem from signal surges and disturbances coming via the coax cable. The component is often used by internet service providers (ISPs) in debugging connection quality.
On most cable modems, access to this component is limited for connections from the internal network.
The research team says the Broadcom chip spectrum analyzer lacks protection against DNS rebinding attacks, uses default credentials, and also contains a programming error in its firmware.
Researchers say that by tricking users into accessing a malicious page via their browser, they can use the browser to relay an exploit to the vulnerable component and execute commands on the device.
 

Cortex

Level 24
Verified
I suppose the definition of a cable modem differs where you are, BT used Broadcom chips in almost all their hybrid fibre/copper modem for years & still do, in UK a cable modem is usually defined as a none BT Infinity modem? Interesting.
 

blackice

Level 28
Verified
Hundreds of millions of cable modems are vulnerable to critical takeover attacks by hackers halfway around the world, researchers said.

The attacks work by luring vulnerable users to websites that serve malicious JavaScript code that's surreptitiously hosted on the site or hidden inside of malicious ads, researchers from Denmark-based security firm Lyrebirds said in a report and accompanying website. The JavaScript then opens a websocket connection to the vulnerable cable modem and exploits a buffer overflow vulnerability in the spectrum analyzer, a small server that detects interference and other connectivity problems in a host of modems from various makers. From there, remote attackers can gain complete control over the modems, allowing them to change DNS settings, make the modem part of a botnet, and carry out a variety of other nefarious actions.

Complete control
"The vulnerability enables remote attackers to gain complete control of a cable modem, through an endpoint on the modem," Lyrebirds researchers wrote. "Your cable modem is in charge of the Internet traffic for all devices on the network. Cable Haunt might therefore be exploited to intercept private messages, redirect traffic, or participat[e] in botnets."

Advertisement

There are at least two ways the exploit can gain remote access, meaning it can be exploited over the Internet by an attacker who is outside the local network.

The first and most straightforward way is to serve malicious JavaScript that causes the browser to connect to the modem. Normally, a mechanism called cross-origin resource sharingprevents a Web application from one origin (such as malicious.example.com) from working on a different origin (such as 192.168.100.1, the address used by most or all of the vulnerable modems).

Websockets, however, aren't protected by CORS, as the mechanism is usually called. As a result, the modems will accept the remote JavaScript, thereby allowing attackers to reach the endpoint and serve it code. While Cabe Haunt accesses modems through a browser, the attack can come from any place where running code can reach an IP on the local network.
 

blackice

Level 28
Verified
The Cable Haunt website isn’t very helpful. A lot of “*Shrugs* and even if the test fails you may still be vulnerable. Just buy a new modem.”

I have a ‘vulnerable’ modem, but there’s a router with a firewall behind it.The Ars discussion is all over the place on what the risk is even blocking 192.168.100.1 (the common router address). They seem to have published this information prematurely.
 
Top