This vulnerability, nicknamed Cable Haunt and tracked as “CVE-2019-19494”, is estimated to have recently affected almost all cable modems in Europe, and they are still at risk.
So how did this happen? Cyber security agency Eset drew attention to the Denmark-based security consultancy Lyrebirds, which discovered this vulnerability and shared its findings.
Lyrebirds researchers said: “There are an estimated 200 million cable modems in Europe alone. It turned out that almost no modem tested was secure without a firmware update. Therefore, the number of modems that are vulnerable in Europe is estimated to be close to this figure.”
According to the information obtained by Eset, some internet service providers have been informed about this problem and about firmware updates that fix it. However, there are strong suspicions that more vulnerable modems exist worldwide.
According to preliminary determinations, the vulnerability lies in reference software that runs the spectrum analyzer tool on chips manufactured by the semiconductor company Broadcom. The spectrum analyzer component, which is responsible for detecting and correcting the modem's cable connection problems, is used by many cable modem manufacturers in the firmware of their devices. This accounts for the large number of vulnerable modems.
Although the spectrum analyzer is visible on the local network, attackers can exploit the Cable Haunt vulnerability to gain remote access from anywhere in the world. The researchers made the following assessment:
“This abuse is caused by a lack of protection, improper authorization of the websocket client, default credentials, and a programming error in the spectrum analyzer. These weaknesses can give the attacker full remote control over the entire unit and the traffic passing over it. The attack may not be noticed by both the user and the internet service provider and can ignore remote system updates.”
WHICH MODEMS ARE AT RISK?
Possible malicious actions include tampering with DNS settings, replacing the modem firmware with another, directing devices to a botnet, or performing man-in-the-middle attacks remotely to capture private information.
The research team designed a proof-of-concept (PoC) attack to detect the vulnerability in modems and successfully tested it on multiple cable modems offered by Sagemcom, Netgear, Arris, Compal and Technicolor. A complete list of modems and firmware versions that have been confirmed to be vulnerable is available on the cablehaunt.com website. PoC code is also available on this page, allowing users to check if a particular cable modem is vulnerable to the threat.
The researchers said that they informed as many major internet service providers and manufacturers as possible, with varying levels of success: “Some of the contacted internet service providers reported that they had released or are releasing firmware updates, but many still did not send updates.”
Users who receive their cable modems from internet service providers will likely have to wait for their provider to send this update if they have not received it yet.
Meanwhile, Broadcom reported that the fix was made in the reference code and was made available to customers in May 2019. On the positive side, the researchers stated that they are not aware of any ongoing attack exploiting the Cable Haunt vulnerability. However, experts underline that, despite everything, it should not be underestimated and should be watched carefully.