Hundreds of millions of cable modems are vulnerable to new Cable Haunt vulnerability


Level 56
Content Creator
Dec 30, 2012
A team of four Danish security researchers has disclosed this week a security flaw that impacts cable modems that use Broadcom chips.
The vulnerability, codenamed Cable Haunt, is believed to impact an estimated 200 million cable modems in Europe alone, the research team said today.
The vulnerability impacts a standard component of Broadcom chips called a spectrum analyzer. This is a hardware and software component that protects the cable modem from signal surges and disturbances coming via the coax cable. The component is often used by internet service providers (ISPs) in debugging connection quality.
On most cable modems, access to this component is limited for connections from the internal network.
The research team says the Broadcom chip spectrum analyzer lacks protection against DNS rebinding attacks, uses default credentials, and also contains a programming error in its firmware.
Researchers say that by tricking users into accessing a malicious page via their browser, they can use the browser to relay an exploit to the vulnerable component and execute commands on the device.


Level 25
Aug 4, 2016
I suppose the definition of a cable modem differs where you are. BT used Broadcom chips in almost all their hybrid fibre/copper modems for years & still do; in the UK a cable modem is usually defined as a non-BT Infinity modem? Interesting.


Level 28
Apr 1, 2019
Hundreds of millions of cable modems are vulnerable to critical takeover attacks by hackers halfway around the world, researchers said.

The attacks work by luring vulnerable users to websites that serve malicious JavaScript code that's surreptitiously hosted on the site or hidden inside of malicious ads, researchers from Denmark-based security firm Lyrebirds said in a report and accompanying website. The JavaScript then opens a websocket connection to the vulnerable cable modem and exploits a buffer overflow vulnerability in the spectrum analyzer, a small server that detects interference and other connectivity problems in a host of modems from various makers. From there, remote attackers can gain complete control over the modems, allowing them to change DNS settings, make the modem part of a botnet, and carry out a variety of other nefarious actions.

Complete control
"The vulnerability enables remote attackers to gain complete control of a cable modem, through an endpoint on the modem," Lyrebirds researchers wrote. "Your cable modem is in charge of the Internet traffic for all devices on the network. Cable Haunt might therefore be exploited to intercept private messages, redirect traffic, or participat[e] in botnets."


There are at least two ways the exploit can gain remote access, meaning it can be exploited over the Internet by an attacker who is outside the local network.

The first and most straightforward way is to serve malicious JavaScript that causes the browser to connect to the modem. Normally, a mechanism called cross-origin resource sharing prevents a Web application from one origin (such as from working on a different origin (such as, the address used by most or all of the vulnerable modems).

Websockets, however, aren't protected by CORS, as the mechanism is usually called. As a result, the modems will accept the remote JavaScript, thereby allowing attackers to reach the endpoint and serve it code. While Cable Haunt accesses modems through a browser, the attack can come from any place where running code can reach an IP on the local network.


Level 28
Apr 1, 2019
The Cable Haunt website isn’t very helpful. A lot of “*Shrugs* and even if the test fails you may still be vulnerable. Just buy a new modem.”

I have a ‘vulnerable’ modem, but there’s a router with a firewall behind it. The Ars discussion is all over the place on what the risk is even blocking (the common router address). They seem to have published this information prematurely.