Cable Haunt: Unknown millions of Broadcom-based cable modems open to hijacking

A vulnerability (CVE-2019-19494) in Broadcom‘s cable modem firmware can open unknown millions of broadband modems by various manufacturers to attackers, a group of Danish researchers has warned.

About CVE-2019-19494

CVE-2019-19494, also dubbed Cable Haunt, is present in the spectrum analyzer, a standard component of Broadcom chips that identifies potential problems with the connection through the modem’s coaxial cable.

“The cable modems are vulnerable to remote code execution through a web-socket connection, bypassing normal CORS and SOC rules, and then subsequently by overflowing the registers and executing malicious functionality. The exploit is possible due to lack of protection proper authorization of the web-socket client, default credentials and a programming error in the spectrum analyzer,” the researchers explained.

“These vulnerabilities can give an attacker full remote control over the entire unit, and all the traffic that flows through it, while being invisible for both the user and ISP and able to ignore remote system updates.”

The attacker must trick the victim into opening a web page containing malicious JavaScript that establishes a connection directly to the modem’s web server and overwrites the CPU registers to execute the malicious payload delivered through the request.

Once control has been achieved by an attacker, the researchers say, he or she can do things like change the device’s default DNS server, conduct remote man-in-the-middle attacks, swap the firmware, disable firmware upgrade by the ISP, and more.

Which devices are vulnerable?

“There are an estimated 200 million cable modems in Europe alone. With almost no cable modem tested being secure without a firmware update, the number of modems initially vulnerable in Europe is estimated to be close to this number,” the researchers shared.

“However, it is tough to give a precise estimate of the reach of Cable Haunt. The reason for this is that the vulnerability originated in reference software, which has seemingly been copied by different cable modems manufacturers when creating their cable modem firmware. This means that we have not been able to track the exact spread of the vulnerability and that it might present itself in slightly different ways for different manufacturers.”

They have provided a list of (confirmed) vulnerable modems by Sagemcom, Technicolor, NetGear, Compal, and Arris, and are asking the broader research community to help by checking other devices for the flaw.

What to do about it?

They have been trying to contact ISPs and modem manufacturers for a while now to share their findings, but they have had limited success. Some Scandinavian ISPs have already deployed patches to their customers.

They went public with CVE-2019-19494 to spread awareness and hopefully push modem manufacturers and other ISPs to do the same. They urged users to contact their ISP and ask if their modem is or ever was vulnerable to Cable Haunt.

“Check with the manufacturer of your modem if the latest firmware prevents Cable Haunt, and if the modem were ever vulnerable. If you suspect that your modem has been compromised, update the firmware to a version not vulnerable to Cable Haunt. Then you should consider if your past non-encrypted internet traffic contains sensitive information, such as passwords or personal emails, and take precautions accordingly,” they added.

ISPs should contact their modem manufacturer and ask them to create a new firmware that is not vulnerable, so they can roll it out as quickly as possible, they advised. They also urged them to get in touch for mitigation strategies they can employ in the meantime.

But while the vulnerability is widespread, exploitation is not simple.

“Even though the vulnerability allows arbitrary code to be executed, it requires a lot of work from the attacker to find the needed commands and craft the package, for exploiting full control. For your average Joe, as long as ‘easy-to-use’ exploit packages for specific modems have not been crafted, they are not the target,” the researchers noted.

They did, however, publish a proof of concept exploit for the sagemcom F@st 3890 modem.