Cable Haunt Vulnerability Haunts Cable Modems Using Broadcom Chips

A vulnerability threatens the online security of millions of cable modem users globally. Dubbed ‘Cable Haunt’, it affects cable modems and allows remote attackers to take control of the device.

Cable Haunt Vulnerability Threatening Modems

Researchers from the Danish security firm Lyrebirds have uncovered a vulnerability affecting cable modems. The bug, which they call ‘Cable Haunt’, puts the security of millions of devices around the world at risk.

In brief, the vulnerability exists in the spectrum analyzer component of Broadcom chips in cable modems. The spectrum analyzer is a component that identifies connection issues with the cable, such as interference. In most cable modems, access to this component is limited to the internal network.

However, the researchers found that an attacker can exploit this component to gain access to the device. To do so, the attacker simply has to trick the user into clicking a malicious URL. In turn, the attacker will gain access to the local network, intercept private messages, reroute traffic, or set up botnets. Meanwhile, neither the user nor the ISP will ever detect the attack.

Regarding the exploit, the researchers stated in their white paper,

The cable modems are vulnerable to remote code execution through a websocket connection, bypassing normal CORS and SOC rules, and then subsequently by overflowing the registers and executing malicious functionality. The exploit is possible due to lack of protection proper authorization of the websocket client, default credentials and a programming error in the spectrum analyzer.

The researchers have set up a dedicated website for Cable Haunt that explains the details. They have also shared a white paper as well as the PoC for the exploit.

The vulnerability has received the CVE number CVE-2019-19494. Also, another vulnerability specifically targeting the Technicolor TC7230 modem has received the CVE ID CVE-2019-19495.
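
As an added illustration (not code from the researchers or from any modem firmware), the following Python sketch shows the kind of handshake check whose absence the white paper describes: a LAN-only WebSocket service that validates the Host and Origin headers itself and refuses default credentials. The addresses, the /diag path, the origin, the default logins and the verify callback are all assumptions made for the example.

```python
import base64

# Constructed values (assumptions): device address, admin UI origin, default logins.
ALLOWED_HOSTS = {"192.168.100.1", "192.168.100.1:8080"}
ALLOWED_ORIGINS = {"http://192.168.100.1"}
DEFAULT_CREDENTIALS = {("admin", "admin"), ("admin", "password")}
# Constructed sample: an upgrade request started by a page on another site.
SAMPLE_REQUEST = (
    "GET /diag HTTP/1.1\r\nHost: 192.168.100.1:8080\r\nUpgrade: websocket\r\n"
    "Connection: Upgrade\r\nOrigin: http://other-site.example\r\n"
    "Authorization: Basic YWRtaW46YWRtaW4=\r\n\r\n"
)


def parse_headers(raw_request):
    """Map lower-cased header names to values from a raw HTTP request."""
    headers = {}
    for line in raw_request.split("\r\n")[1:]:
        if not line:  # a blank line ends the header block
            break
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers


def check_handshake(raw_request, verify):
    """Return (allowed, reason); verify(user, password) is the caller's check."""
    h = parse_headers(raw_request)
    if h.get("upgrade", "").lower() != "websocket":
        return False, "not a websocket upgrade"
    # The Host header must name the device itself, not a foreign hostname.
    if h.get("host") not in ALLOWED_HOSTS:
        return False, "host not allowed"
    # Browsers do not apply CORS to WebSockets, so the server checks Origin itself.
    if "origin" in h and h["origin"] not in ALLOWED_ORIGINS:
        return False, "origin not allowed"
    scheme, _, token = h.get("authorization", "").partition(" ")
    if scheme.lower() != "basic":
        return False, "missing credentials"
    try:
        decoded = base64.b64decode(token, validate=True).decode("utf-8")
    except ValueError:  # covers invalid base64 and invalid UTF-8
        return False, "malformed credentials"
    user, _, password = decoded.partition(":")
    if (user, password) in DEFAULT_CREDENTIALS:
        return False, "default credentials refused"
    return (True, "ok") if verify(user, password) else (False, "bad credentials")
```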

Millions Of Modems Vulnerable

According to the researchers, the vulnerability affects numerous devices, over 200 million in Europe alone. They have tested it on a few of the listed modems, including Netgear, Sagemcom, and COMPAL modems, and a Technicolor modem.

Because pulling off the attack is a somewhat complex process, massive exploitation campaigns for this bug aren’t likely. Yet they aren’t entirely improbable either. As stated by the researchers,

We haven’t found any evidence that suggests abuse, however, a fairly skilled person could easily hide their exploitation.

Cable Haunt requires immediate attention from ISPs, who need to release patches. Though four Scandinavian ISPs have fixed the bug, the remaining ISPs globally still need to address the flaw. The researchers urge all ISPs to update their firmware and roll out versions that are not vulnerable to Cable Haunt.

Users, meanwhile, should contact their ISPs about this flaw. Doing so will also help them learn about the vulnerability.
