Hundreds of millions of cable modems are vulnerable to critical takeover attacks by hackers halfway around the world, researchers said.
Cable Haunt, as the researchers have named their proof-of-concept exploit, is known to work on various firmware versions of the following cable modems:
- Sagemcom F@st 3890
- Sagemcom F@st 3686
- Technicolor TC7230
- Netgear C6250EMR
- Netgear CG3700EMR
The exploit may also work against the Compal 7284E and Compal 7486E. Because the spectrum analyzer server is present in other cable modems, the exploit is likely to work on other models as well. Lyrebirds’ proof-of-concept attack works reliably against the Technicolor TC7230 and the Sagemcom F@st 8690. With tweaks, the attack code will work on other models listed as vulnerable. The vulnerability is tracked as CVE-2019-19494. A more specific vulnerability targeting only the Technicolor TC7230 modem is indexed as CVE-2019-19495.
“The vulnerability enables remote attackers to gain complete control of a cable modem, through an endpoint on the modem,” Lyrebirds researchers wrote. “Your cable modem is in charge of the Internet traffic for all devices on the network. Cable Haunt might therefore be exploited to intercept private messages, redirect traffic, or participat[e] in botnets.”
There are at least two ways the exploit can gain remote access, meaning it can be exploited over the Internet by an attacker who is outside the local network.
Rebinding attacks, ROP, and more
Besides the buffer overflow, the attack is possible because of known default credentials used to execute code on modems. These default credentials are simply added to the URL used by the attack code, e.g. http://username:firstname.lastname@example.org. Lyrebirds cofounder Kasper Terndrup told me he believes there are other methods for making the attack work remotely.
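The remote vector described above depends on a browser inside the home network being steered to the modem's LAN-side address through a hostname the attacker controls (DNS rebinding). One resolver-side mitigation is to refuse answers that map an external name to a private, loopback or link-local address. The following is an added example, not the researchers' code; the DNS records, the modem address and the list of internal name suffixes are constructed for illustration.

```python
import ipaddress
from typing import Iterable, List, Sequence, Tuple

# Ranges a public hostname should never resolve to (constructed policy list).
# IPv4-mapped IPv6 is included so "::ffff:192.168.x.y" cannot slip past the v4 rules.
BLOCKED_NETS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16",
    "::1/128", "fc00::/7", "fe80::/10", "::ffff:0:0/96",
)]


def is_internal_name(qname: str, internal_suffixes: Iterable[str]) -> bool:
    """True if qname is a name the operator has declared local (e.g. 'lan')."""
    q = qname.rstrip(".").lower()
    suffixes = [s.rstrip(".").lower() for s in internal_suffixes]
    return any(q == s or q.endswith("." + s) for s in suffixes)


def filter_answers(qname: str, answers: Sequence[str],
                   internal_suffixes: Iterable[str] = ()) -> Tuple[List[str], List[str]]:
    """Split a DNS answer set into (kept, dropped).

    Internal names may resolve anywhere; for every other name, answers that
    fall in BLOCKED_NETS (or do not parse) are dropped as rebinding attempts.
    """
    if is_internal_name(qname, internal_suffixes):
        return list(answers), []
    kept, dropped = [], []
    for a in answers:
        try:
            addr = ipaddress.ip_address(a)
        except ValueError:
            dropped.append(a)  # malformed record: never hand it to a client
            continue
        (dropped if any(addr in net for net in BLOCKED_NETS) else kept).append(a)
    return kept, dropped


def audit_lookups(lookups: Sequence[Tuple[str, Sequence[str]]],
                  internal_suffixes: Iterable[str] = ()) -> List[Tuple[str, str]]:
    """Run the filter over a sequence of (qname, answers) and report each blocked pair."""
    suffixes = list(internal_suffixes)
    report = []
    for qname, answers in lookups:
        _, dropped = filter_answers(qname, answers, suffixes)
        report.extend((qname, ip) for ip in dropped)
    return report


# Constructed lookups showing the rebinding pattern: the attacker's name first
# answers with a public address, then (after a short TTL) with the modem's LAN address.
SAMPLE_LOOKUPS = [
    ("cdn.example", ["203.0.113.10"]),
    ("cdn.example", ["192.168.100.1"]),
    ("printer.lan", ["192.168.0.20"]),
]

if __name__ == "__main__":
    for qname, ip in audit_lookups(SAMPLE_LOOKUPS, ["lan"]):
        print(f"blocked rebinding answer: {qname} -> {ip}")
```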
The proof-of-concept exploit uses other clever tricks to work. Because of the memory structure of the MIPS assembly language that runs the spectrum analyzer, the attack code must know the precise memory address of the vulnerable code. (Normally, a buffer overflow exploit would be written directly to the memory stack.) To bypass the restriction posed by this memory structure, Cable Haunt uses return-oriented programming: rather than injecting new code, it jumps between pre-existing pieces of code already in the firmware, stitching them together into a patchwork of existing code.
Once attackers exploit the vulnerability, they send commands to the modem’s telnet server to install a reverse shell. From there, attackers can do all kinds of things, including changing the DNS settings, installing completely new firmware, making the modem participate in a botnet, and monitoring unencrypted data that passes through the modem.
200 million modems
The Lyrebirds research suggests that Cable Haunt works against as many as 200 million modems in Europe alone. The attack may work against a larger number of modems deployed throughout the rest of the world. Determining if a modem not on the Lyrebirds list is vulnerable isn’t easy for average users because it requires them to run the PoC code against the device. Detecting hacked modems is also tough since there are a variety of ways to mask the infection once attackers gain root access on a device.
Cable Haunt is a serious vulnerability that deserves to be patched soon. The most likely way to target users would be to send emails to users of ISPs that are known to provide a vulnerable modem to users. The email would instruct users to visit sites that serve the attack.
Makers of the modems known to be vulnerable didn’t immediately respond to emails seeking comment for this post. Concerned cable modem users should check with either the maker of the device or the ISP that issued it.