Security

Hundreds of Millions of Cable Modems Are Vulnerable To New Cable Haunt Vulnerability (zdnet.com) 26

A team of four Danish security researchers has disclosed this week a security flaw that impacts cable modems that use Broadcom chips. From a report: The vulnerability, codenamed Cable Haunt, is believed to impact an estimated 200 million cable modems in Europe alone, the research team said today. The vulnerability impacts a standard component of Broadcom chips called a spectrum analyzer. This is a hardware and software component that protects the cable modem from signal surges and disturbances coming via the coax cable. The component is often used by internet service providers (ISPs) in debugging connection quality. On most cable modems, access to this component is limited for connections from the internal network. The research team says the Broadcom chip spectrum analyzer lacks protection against DNS rebinding attacks, uses default credentials, and also contains a programming error in its firmware.
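The summary says the spectrum analyzer's web service lacks protection against DNS rebinding. The standard device-side defence is simple: a LAN-only service should answer only when the browser's Host header names the device itself, because in a rebinding attack the browser still believes it is talking to the attacker's hostname (re-resolved to the modem's address) and sends that hostname in Host. The following is an added example written for this page, not code from the research team, Broadcom, or any modem firmware; the address 192.168.100.1 with port 8080 (mentioned by a commenter), the name modem.local, the 421 status choice, and the sample requests are all assumptions constructed for illustration.

```python
"""Host-header allowlist against DNS rebinding for a LAN-only HTTP service.

Added example; not code from the Cable Haunt research or any modem firmware.
Assumed layout: the service listens on 192.168.100.1:8080 (the address a
commenter mentions) and should only serve requests whose Host header names
that address or an assumed local name "modem.local".
"""
import ipaddress
from http.server import BaseHTTPRequestHandler, HTTPServer
from typing import Dict, Iterable, Optional

# Assumed allowlist for the example: the device's own LAN address and a local name.
DEVICE_ALLOWLIST = ("192.168.100.1", "modem.local")


def parse_host_header(value: Optional[str]) -> Optional[str]:
    """Return the host part of an HTTP Host header (port stripped), lowercased.

    Returns None for a missing or malformed header. IPv6 literals must be
    bracketed ("[::1]:8080"); an unbracketed value with several colons is
    treated as malformed rather than guessed at.
    """
    if value is None:
        return None
    value = value.strip()
    if not value:
        return None
    if value.startswith("["):
        end = value.find("]")
        if end == -1:
            return None
        return value[1:end].lower() or None
    if value.count(":") > 1:
        return None
    host, _, _port = value.partition(":")
    return host.lower() or None


def host_allowed(host_header: Optional[str], allowed: Iterable[str]) -> bool:
    """True only if the Host header names one of the allowlisted addresses/names.

    IP addresses are canonicalised via ipaddress so that textual variants of
    the same address compare equal; hostnames compare case-insensitively.
    """
    host = parse_host_header(host_header)
    if host is None:
        return False
    normalised = set()
    for entry in allowed:
        try:
            normalised.add(str(ipaddress.ip_address(entry)))
        except ValueError:
            normalised.add(entry.lower())
    try:
        host = str(ipaddress.ip_address(host))
    except ValueError:
        pass  # not an IP literal; compare as a name
    return host in normalised


def classify_request(headers: Dict[str, str]) -> str:
    """Decide 'serve' or 'reject' for a request from its headers alone."""
    return "serve" if host_allowed(headers.get("Host"), DEVICE_ALLOWLIST) else "reject"


# Constructed sample requests (not captured traffic). In the "rebinding" case
# the attacker's domain has been re-resolved to 192.168.100.1, so the TCP
# connection reaches the device, but the browser still sends the attacker's
# hostname in Host, which is what gives the attack away.
SAMPLE_REQUESTS = {
    "lan_user": {"Host": "192.168.100.1:8080"},
    "lan_user_by_name": {"Host": "MODEM.LOCAL"},
    "rebinding": {"Host": "attacker.example:8080"},
    "ipv6_loopback": {"Host": "[::1]:8080"},
    "no_host": {},
}


def classify_all() -> Dict[str, str]:
    """Run the check over every constructed sample request."""
    return {name: classify_request(h) for name, h in SAMPLE_REQUESTS.items()}


class RebindingSafeHandler(BaseHTTPRequestHandler):
    """Minimal handler that applies the Host check before doing anything else."""

    def do_GET(self) -> None:
        if not host_allowed(self.headers.get("Host"), DEVICE_ALLOWLIST):
            # 421 Misdirected Request: the request was not meant for this origin.
            self.send_error(421, "Host header not recognised for this device")
            return
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        self.end_headers()
        self.wfile.write(b"device-local page\n")


if __name__ == "__main__":
    for name, verdict in classify_all().items():
        print(f"{name:18s} -> {verdict}")
    # Uncomment to run the demo server on the assumed LAN address and port:
    # HTTPServer(("192.168.100.1", 8080), RebindingSafeHandler).serve_forever()
```

The same allowlist test belongs on the Origin header of cross-site XHR and WebSocket upgrade requests, since a script running in the attacker's page supplies its own origin there; a Host check alone does not cover a browser that has been told to connect to the device by IP.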


  • 192.168.100.1

    LOL 2011 was the last firmware update it got. I have no idea what the user-id and password are for it

    I'm pretty sure with what I paid for it, it was saving me 60-100 a year after the first bunch of months.

    • Re: (Score:3, Informative)

      by msauve ( 701917 )
      Try 192.168.100.1:8080 that's the page for the spectrum analyzer on many.
    • by Mashiki ( 184564 ) <mashiki.gmail@com> on Friday January 10, 2020 @07:06PM (#59608544) Homepage

      Here's the first thing to keep in mind: DOCSIS automatically flashes compatible modems that connect to the network with the certified firmware. So for this exploit to happen, they'd have to get into the guts of the CMTS. Modems that aren't authorized aren't flashed either. This doesn't work at the node level either, or at the hybrid-node (cable to fiber) level either. There are checks in place on those devices to stop tampering too.

      As for the date of the firmware, that shouldn't be a surprise. The way cable modems work within the system is that they require certification and testing to make sure they're not going to piss all over new or legacy hardware with problems when they're connected. See the problems with the old DOCSIS 2 modems pissing all over DOCSIS 3 systems, to the point that they knocked D3 modems and CMTS hardware right offline as they were screaming all over the available RF.

    • I just went to the interface on 127.0.0.1 and found I could log in with my own username and password!!!. This is a huge vulnerability, how did Broadcom get their hands on my password?
    • spectrum analyzer [...] a hardware and software component that protects the cable modem from signal surges and disturbances coming via the coax cable

      Must remember that definition of what a spectrum analyzer is for my next EE exam, I never knew that.

  • by DigitAl56K ( 805623 ) on Friday January 10, 2020 @02:48PM (#59607510)

    Summary:

    Using Cable Haunt, an attacker could:

    Change default DNS server
    Conduct remote man-in-the-middle attacks
    Hot-swap code or even the entire firmware
    Upload, flash, and upgrade firmware silently
    Disable ISP firmware upgrade
    Change every config file and settings
    Get and Set SNMP OID values
    Change all associated MAC Addresses
    Change serial numbers
    Be exploited in botnet

    Are you telling me that as an end user I can finally upgrade the firmware in my DOCSIS modem myself, rather than relying on my ISP to get around to it?

    Sounds like an awesome feature!

    • Only if you knew anything about embedded systems programming. And if you can screw up the RF, everyone on your node will love you.

    • Using Cable Haunt, an attacker could:

      Change default DNS server

      From the one that serves ads whenever it can't resolve an IP address? What's the downside?

    • Maybe. If you're in Europe, the answer is probably.

      It isn't really clear yet if the versions sold in the US can have the update feature turned off at all. If it relies on the setting being available in the firmware, then you won't be able to disable the ISP update, and the attack won't be as likely to be persistent. That's if it updates from a settable location at all.

  • Given what it would take to exploit this, I'm probably not going to lose much sleep over it - at least right now.

    • by AHuxley ( 892839 )
      Wonder what the NSA and GCHQ are doing on the cable modems globally?
      PRISM showed past support to get into tech and stay in tech over generations of hardware, crypto and software experts users expected to "work" and be tested...
  • would give me a smug feeling. I guess this loving feeling won't last.
  • by rwyoder ( 759998 ) on Friday January 10, 2020 @04:00PM (#59607880)

    "All in all, it's clever research, but your cable modem will most likely get hacked because you forgot to change its default password or is vulnerable to other security flaws that are directly exploitable from the internet because you forgot to update its firmware."

    Say what???
    DOCSIS was specifically designed to *prevent* the user from being able to change things like firmware or configuration.
    I give this article an "F".

    • by Revek ( 133289 )

      I give your interpretation of the technology an F. DOCSIS wasn't designed that way. In fact it has nothing to do with access to the modem's firmware. All firmware upgrades are handled through DHCP strings. Most newer modems use http instead of tftp. All newer ARRIS modems (and most modems are ARRIS modems) do not allow regular access through the WAN side connection without setting a password. We changed things like WiFi SSID and password through SNMP. On older pre-ARRIS Motorola modems we used a modifi

  • I would regularly log in to these modems and play with the built-in spectrometer. I of course had full access to the provisioning system to find and identify them but knew it would be possible to port scan for them. Most of them have no login to access the spectrometer. They came in handy when dealing with ingress noise.

    • by Revek ( 133289 )

      I don't know why I have spectrometer in that post above. It should be spectrum analyzer. Brain fart of the day I guess.
