Exploit Gives Access to 200 Million Cable Modems

Over 200 million cable modems are open to attacks that would allow malicious entities to hijack them from anywhere in the world. Malicious JavaScript hidden in unlikely places can give hackers a troubling amount of permissions and unchecked power, according to the findings of Denmark’s Lyrebird, a security firm that seeks such vulnerabilities. Cable Haunt, as Lyrebirds calls it, has the ability to impact some of the most popular makes and models of modems with potentially devastating consequences.

How the Attack Works

Vulnerable modem users are led to malicious websites or shown malicious ads that use JavaScript code to create a websocket connection to the modem. These modems have a vulnerability in their spectrum analyzer, which is a server meant to detect connectivity issues or interference in the device, and this leaves the modems open to interference by an attacker. Once the malicious JavaScript code reaches the spectrum analyzer, a buffer overflow vulnerability is exploited.

Once the modem has become fully compromised, the attacker has complete control. The modem can essentially be weaponized against the user and the rest of the internet at large. Lyrebirds described their findings as such:

“The vulnerability enables remote attackers to gain complete control of a cable modem, through an endpoint on the modem. Your cable modem is in charge of the Internet traffic for all devices on the network. Cable Haunt might therefore be exploited to intercept private messages, redirect traffic, or participat[e] in botnets.”

Most safeguards prevent attacks like this by utilizing something called cross-origin resource sharing, or CORS. CORS won’t allow a web application from one origin to work on another origin, preventing such malicious JavaScript attacks from being successful. Since this particular attack targets websockets, the hackers can utilize a sly maneuver – websockets aren’t protected by CORS and will allow the code to run.

Am I in Danger?

Cable Haunt is a proof of concept attack. Lyrebird has proven that this type of attack is possible and demonstrated exactly how it might happen. There have not yet been proven cases of Cable Haunt or similar attacks impacting actual internet users. Just because we have not discovered malicious people or organizations utilizing this vulnerability does not mean it isn’t cause for concern – there’s no way of telling if anyone other than the research group has found this vulnerability.

Since this kind of attack would be very hard to detect, it’s possible (and even likely) that the exploit has been carried out to some degree. Hackers are very persistent when they want something, and they’re more successful in obtaining and maintaining power if they allow their discoveries to fly under the radar.

If your modem could be impacted by the Cable Haunt exploit, you should immediately change your modem. This vulnerability has been made known to the world, and hackers who are not already exploiting it or intending to exploit it may start to develop meaningful plans to do so.

The Impacted Modems

The exploit is known to work on a multitude of firmware versions used on the following cable modems:

Netgear C6250EMR
Netgear CG3700EMR
Sagemcom F@st 3890
Sagemcom F@st 3686
Sagemcom F@st 8690
Compal 7284E
Compal 7486E
Technicolor TC7230

With minimal re-engineering and slightly different approaches, the attack is likely to work on many more modems with similar firmware. Lyrebird has been able to modify the JavaScript code to specifically target several other types of cable modems.

The Versatile Ways the Attack Can Work

Funnily enough, the main attack can easily be rebutted by one thing – Firefox. The Firefox browser uses a websocket that is incompatible with the websocket used by the modem’s spectrum analyzer. This, however, would not leave a potential attacker without options.

If the websocket cannot be effectively targeted, a different type of JavaScript can carry out a DNS rebinding attack. This would also allow CORS to be bypassed.
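
Both routes described above (a cross-site websocket that CORS does not cover, and DNS rebinding) are normally closed on the server side by checking the Origin and Host headers of the websocket upgrade request. The following is an added example, not code from Lyrebird or any modem vendor; the address, port, header samples and function names are assumptions made for illustration.

```javascript
// Added example, not firmware code: admission check for a WebSocket upgrade
// request on a LAN-only device service. Addresses and ports are constructed.
const ALLOWED_HOSTS = new Set(["192.168.100.1:8080"]);
const ALLOWED_ORIGINS = new Set(["http://192.168.100.1:8080"]);

function checkUpgrade(rawHeaders) {
  // HTTP header names are case-insensitive, so normalize before lookup.
  const h = {};
  for (const [k, v] of Object.entries(rawHeaders)) h[k.toLowerCase()] = String(v).trim();

  if ((h["upgrade"] || "").toLowerCase() !== "websocket") {
    return { allow: false, reason: "not-websocket" };
  }
  // DNS rebinding: the browser resolved an outside name to this device, so
  // the Host header carries that outside name instead of the device address.
  if (!ALLOWED_HOSTS.has((h["host"] || "").toLowerCase())) {
    return { allow: false, reason: "bad-host" };
  }
  // Cross-site WebSocket: the browser sets Origin to the page that opened the
  // socket and page script cannot override it. Assumption: only the device's
  // own web UI is a legitimate client, so a missing Origin is refused too.
  if (h["origin"] === undefined) return { allow: false, reason: "missing-origin" };
  let origin;
  try {
    origin = new URL(h["origin"]).origin; // canonical scheme://host[:port]
  } catch {
    return { allow: false, reason: "bad-origin" }; // e.g. the literal "null"
  }
  if (!ALLOWED_ORIGINS.has(origin)) return { allow: false, reason: "bad-origin" };
  return { allow: true, reason: "ok" };
}

// Constructed sample requests (header sets only).
const SAMPLES = {
  ownUi: { Host: "192.168.100.1:8080", Upgrade: "websocket", Origin: "http://192.168.100.1:8080" },
  crossSite: { Host: "192.168.100.1:8080", Upgrade: "websocket", Origin: "https://ads.example" },
  rebinding: { Host: "rebind.example:8080", Upgrade: "websocket", Origin: "http://rebind.example:8080" },
  sandboxed: { Host: "192.168.100.1:8080", Upgrade: "websocket", Origin: "null" },
};

function evaluateSamples() {
  const out = {};
  for (const [name, headers] of Object.entries(SAMPLES)) out[name] = checkUpgrade(headers).reason;
  return out;
}

console.log(evaluateSamples());
```

The Host check is the one that catches rebinding, because a rebound page is same-origin from the browser's point of view and only the hostname it sends gives it away.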

Long story short, there are about a million ways the attack can be repurposed or restructured to get around protective mechanisms in cable modems with subpar or outdated firmware. Lyrebird has it all mapped out, and they’ve made the information available. Think of these vulnerabilities like an exploitable hydra – one vulnerability is cut off, and three more grow back in its place.

It’s easier to understand this exploit from the perspective that there’s almost always a workaround, even in cable modems that are slightly more difficult to attack directly. If you’re utilizing a vulnerable modem, it’s smart to stop using it.

The People Who Are Affected

It’s difficult to count on a normal cable modem to keep you safe online, as the 200 million people with vulnerable modems are coming to find out on the back of Lyrebird’s discovery. When possible, opt for a highly secure VPN router like one from PrivateRouter. Advanced routers with advanced security precautions will prevent most attacks from being able to execute and keep prying eyes at bay.
