Hundreds of Millions of Cable Modems Vulnerable to New “Cable Haunt” Vulnerability (Jan 10, 2019)
Lyrebirds, a security research group from Denmark, has disclosed a vulnerability in cable modems that use Broadcom chips with a spectrum analyzer component. The vulnerability has been dubbed “Cable Haunt” and is believed to impact an estimated 200 million cable modems in Europe, with a possibility of impacting users across the globe. According to the researchers, the spectrum analyzer lacks protection against DNS rebinding attacks, uses default credentials, and contains a programming error in its firmware. At the time of this writing, the researchers have yet to test all of the cable modem models that may be vulnerable, and have created a website dedicated to informing as many affected users and providers as possible. Exploiting Cable Haunt is extremely complex, as the vulnerable spectrum analyzer component is only available on the cable modem’s internal network and is not exposed directly to the internet. While challenging, a determined threat actor could trick a target user into accessing a malicious page through their browser and then exploit the vulnerable component to execute commands on the device. A successful actor could conduct remote man-in-the-middle attacks, change config files and settings, and disable ISP firmware upgrades.
Recommendation: ISPs or cable modem users should visit the Cable Haunt vulnerability website, which is dedicated to assisting the public in identifying which devices are affected. The researchers have published proof-of-concept code that ISPs and users can use to test whether their cable modem is vulnerable to a Cable Haunt attack. Ideally, ISPs should test their devices and then release firmware updates to patch the attack vector.
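The DNS rebinding protection the researchers found missing is usually implemented as a Host header check in the internal web service. The sketch below is an added example, not code from Lyrebirds or any modem vendor; the allowlisted name `modem.lan` and the sample Host values are constructed assumptions.

```python
import ipaddress

# Hypothetical name the admin interface is legitimately reached by (assumption).
ALLOWED_NAMES = {"modem.lan"}

def split_host(host_header):
    """Return the host part of a Host header: no port, lowercased, no trailing dot."""
    host = host_header.strip().lower()
    if host.startswith("["):                  # IPv6 literal such as [fe80::1]:8080
        end = host.find("]")
        return host[1:end] if end != -1 else ""
    if host.count(":") == 1:                  # name:port or IPv4:port
        host = host.split(":", 1)[0]
    return host.rstrip(".")

def host_is_trusted(host_header, allowed_names=ALLOWED_NAMES):
    """Accept only a private/loopback/link-local IP literal or an allowlisted name.

    After a rebind the browser connects to the internal address but still
    sends the external domain in Host, so unknown names are rejected.
    """
    host = split_host(host_header or "")
    if not host:
        return False
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return host in allowed_names          # not an IP literal: must be a known name
    return ip.is_private or ip.is_loopback or ip.is_link_local

# Constructed sample Host values, as an internal service might receive them.
SAMPLE_HOSTS = [
    "192.168.100.1",                # direct access by internal IP
    "modem.lan.",                   # allowlisted name, fully qualified form
    "[fe80::1]:8080",               # IPv6 link-local literal with port
    "rebind.attacker.example:8080", # external name now resolving to the modem
    "8.8.8.8",                      # public IP literal
    "",                             # missing Host header
]

def evaluate(hosts=SAMPLE_HOSTS):
    """Map each Host value to the accept/reject decision."""
    return {h: host_is_trusted(h) for h in hosts}

if __name__ == "__main__":
    for host, ok in evaluate().items():
        print(f"{host!r:35} {'accept' if ok else 'reject'}")
```

A service applying this check would answer rejected requests with an error status before any authentication or command handling runs.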
Indicators of Compromise (IOCs) associated with this story can be viewed by ThreatStream users here to identify potential malicious activity.