The issue lies in underlying reference software used by multiple cable-modem manufacturers to create device firmware.
Multiple cable modems used by ISPs to provide broadband into homes have a critical vulnerability in their underlying reference architecture that would allow an attacker full remote control of the device. The footprint for the affected devices numbers in the hundreds of millions worldwide.
More specifically, “the cable modems are vulnerable to a DNS rebind attack followed by overflowing the registers and executing malicious functionality,” explained the researchers, in a technical paper on the attack. “The exploit is possible due to lack of protection against DNS rebind attacks, default credentials and a programming error in the spectrum analyzer.”
Lyrebirds researchers said that 200 million modems are potentially affected in Europe alone; they focused their research on European ISPs, many of which are already rolling out updates to fix the flaw. However, many of the same modems are used in North America, so Cable Haunt isn’t restricted by geography. Users can check to see if they’re affected using a test script that the researchers released in tandem with the bug details.
As for U.S. ISPs, “we are rapidly testing all our in-home broadband equipment, determining any vulnerability and the best steps to mitigate, as needed,” a Cox spokesperson told Threatpost.
A Charter spokesperson meanwhile told us that Charter is “currently working with each of our vendors to determine if their equipment is vulnerable and when we could expect to see a firmware upgrade.”
Comcast, for its part, did not return a request for comment.
In the second step, they show that a DNS rebind attack can be used to gain remote access to the compromised spectrum analyzer. DNS rebinding is a technique that turns a victim’s browser into a proxy for attacking private networks.
“Without this DNS rebind attack, the spectrum analyzer would only be exploitable on the local network,” they wrote.
Through malicious communication with the endpoint, a buffer overflow can be exploited to gain control of the modem.
“The websocket requests are given as JSON,” the paper explained. “The parser which interprets this JSON request will copy the input parameters to a buffer, regardless of length, allowing values on the stack to be overwritten. Among these values are saved registers, such as the program counter and return address. With a carefully crafted message the modem can be manipulated to execute arbitrary code specified by a remote attacker.”
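As an added illustration (not the researchers' code and not any vendor's firmware), the C sketch below contrasts the unbounded copy pattern the paper describes with a hardened handler that first rejects requests whose Host header is not the modem's own address, which is what stops a DNS-rebound browser from reaching the endpoint, and then copies a parameter only if it fits the buffer. The buffer size, modem address, parameter strings and result codes are assumptions chosen for the example.

```c
#include <stdio.h>
#include <string.h>

#define PARAM_MAX 32                 /* assumed fixed on-stack buffer size */
#define MODEM_HOST "192.168.100.1"   /* placeholder LAN address of the modem */

/* Decision returned to the caller so the outcome can be checked. */
enum ws_result { WS_OK = 0, WS_BAD_HOST = 1, WS_PARAM_TOO_LONG = 2 };

/* Constructed 40-byte value, longer than PARAM_MAX, used to show rejection. */
static const char LONG_VALUE[] = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA";

/* The defect pattern the paper describes: the value is copied into a fixed
 * buffer regardless of length, so an overlong value runs past the buffer
 * into saved registers. Kept only for contrast; never called below. */
static void copy_param_unchecked(char *dst, const char *value)
{
    strcpy(dst, value);   /* no bound at all */
}

/* Hardened handler.
 * 1. Host must be the modem's own address. A page loaded via DNS rebinding
 *    carries the attacker's hostname in Host, so it is refused even though
 *    the TCP connection originates on the LAN.
 * 2. The parameter is copied only if it fits, terminator included. */
enum ws_result handle_ws_request(const char *host_header, const char *value)
{
    char buf[PARAM_MAX];
    if (host_header == NULL || strcmp(host_header, MODEM_HOST) != 0)
        return WS_BAD_HOST;
    size_t len = strlen(value);
    if (len >= sizeof buf)            /* >= leaves room for the NUL */
        return WS_PARAM_TOO_LONG;
    memcpy(buf, value, len + 1);
    (void)copy_param_unchecked;       /* silence unused-function warnings */
    /* the spectrum analyzer would act on buf here */
    return buf[0] == '\0' ? WS_PARAM_TOO_LONG : WS_OK;
}

int main(void)
{
    printf("local host, short value: %d\n",
           handle_ws_request(MODEM_HOST, "start_freq=100"));   /* 0 */
    printf("rebound host:            %d\n",
           handle_ws_request("attacker.example", "start_freq=100")); /* 1 */
    printf("local host, long value:  %d\n",
           handle_ws_request(MODEM_HOST, LONG_VALUE));          /* 2 */
    return 0;
}
```

A production check would also accept a `host:port` form and compare against every address the modem answers on, not a single literal.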
If successfully exploited, the vulnerabilities can give attackers “full remote control over the entire unit, and all the traffic that flows through it, while being invisible for both the user and ISP,” the researchers explained, adding that attackers could intercept private messages, redirect traffic, add the modems to botnets, replace their firmware and more. They could also direct the modem to ignore remote system updates, which could complicate any patching process.