Virtual Event: Threat Detection and Incident Response Summit - Watch Sessions
Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Vulnerabilities

Cable Haunt: Millions of Cable Modems With Broadcom Chips Vulnerable to Attacks

Hackers may be able to remotely take complete control of cable modems from various manufacturers due to a critical vulnerability affecting a middleware component shipped with some Broadcom chips.

Hackers may be able to remotely take complete control of cable modems from various manufacturers due to a critical vulnerability affecting a middleware component shipped with some Broadcom chips.

The vulnerability, dubbed Cable Haunt and tracked as CVE-2019-19494, was identified by researchers from Lyrebirds and an independent expert. They’ve reproduced the attack on ten cable modems from Sagemcom, Netgear, Technicolor and COMPAL, but other manufacturers also likely use the Broadcom chip containing the vulnerability.

The researchers estimate that 200 million modems were initially affected by this vulnerability in Europe alone. However, over the past year they have been notifying affected ISPs — cable modems are typically provided to internet users by ISPs — and four companies in Denmark and Norway have reported patching their devices after being notified.Cable Haunt

The flaw is related to a tool called spectrum analyzer, which uses a websocket to communicate with the device’s graphical interface in the browser. The vulnerable tool is only exposed to the local network, but Cable Haunt attacks can also be launched from the internet by getting the targeted user to visit a malicious website or a site that serves malicious ads.

A hacker can set up a website that launches a DNS rebinding attack to gain access to the local network and execute the Cable Haunt exploit. DNS rebinding allows a remote hacker to abuse a targeted user’s web browser to directly communicate with devices on the local network — in this case with the cable modem.

The researchers who discovered Cable Haunt explained that cross-origin resource sharing (CORS) in the browser should prevent such attacks, but they discovered that all of the tested modems were vulnerable to DNS rebinding.

Once the attacker has gained remote access to a modem, they can exploit a buffer overflow vulnerability in the spectrum analyzer component to execute arbitrary code on the device. An attacker could change DNS and other settings, conduct man-in-the-middle (MitM) attacks, change the device’s firmware, obtain information about the device, and make the modem part of a botnet, the researchers said.

While in some cases the modems require authentication before accepting requests, the researchers found that all the tested devices have default credentials that can be used for this purpose. It’s worth noting that these are not the credentials for the device’s administration panel, but for the spectrum analyzer tool.

Advertisement. Scroll to continue reading.

The researchers have made their findings public, including by setting up a dedicated website and publishing a detailed research paper, in an effort to raise awareness of the vulnerability and the risks. They have also released a proof-of-concept (PoC) exploit that can be used to determine if a device is vulnerable.

Related: Credential Leaking Vulnerabilities Impact Comba, D-Link Routers

Related: Wi-Fi Flaws Expose iPhone, Nexus Phones to Attacks

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.

Register

Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.

Register

Expert Insights

Related Content

Vulnerabilities

Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...

Vulnerabilities

The latest Chrome update brings patches for eight vulnerabilities, including seven reported by external researchers.

Vulnerabilities

Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.

Vulnerabilities

Apple has released updates for macOS, iOS and Safari and they all include a WebKit patch for a zero-day vulnerability tracked as CVE-2023-23529.

IoT Security

A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car...

Application Security

Drupal released updates that resolve four vulnerabilities in Drupal core and three plugins.