Hundreds of Millions of Cable Modems Are Vulnerable To New Cable Haunt Vulnerability (zdnet.com)
A team of four Danish security researchers has disclosed this week a security flaw that impacts cable modems that use Broadcom chips. From a report: The vulnerability, codenamed Cable Haunt, is believed to impact an estimated 200 million cable modems in Europe alone, the research team said today. The vulnerability impacts a standard component of Broadcom chips called a spectrum analyzer. This is a hardware and software component that protects the cable modem from signal surges and disturbances coming via the coax cable. The component is often used by internet service providers (ISPs) in debugging connection quality. On most cable modems, access to this component is limited for connections from the internal network. The research team says the Broadcom chip spectrum analyzer lacks protection against DNS rebinding attacks, uses default credentials, and also contains a programming error in its firmware.
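The summary names three weaknesses in the spectrum analyzer's web interface, and the one that turns a LAN-only service into an internet-reachable one is the missing protection against DNS rebinding: a browser that loaded a page from an attacker-controlled name keeps sending that name in the Host header even after the name starts resolving to the modem's address. The standard mitigation is for the local service to answer only when Host names the device itself. The following Python is an added example written for this thread, not code from ZDNet, the Cable Haunt researchers or any modem vendor; the allowlist (192.168.100.1 from the thread, plus a made-up modem.local), the 421 status code choice and the placeholder body are assumptions for the demo.

```python
import http.client
import http.server
import socketserver
import threading

# Constructed allowlist: the addresses/names a modem-style local web UI
# legitimately answers to (assumption for this example; 192.168.100.1 is
# the address a commenter in the thread used).
ALLOWED_HOSTS = {"192.168.100.1", "modem.local"}


def host_is_allowed(host_header, allowed=ALLOWED_HOSTS):
    """Return True only if the Host header names this device directly.

    During DNS rebinding the browser's request arrives at the device with
    the attacker's hostname in Host, so refusing unknown Host values
    (including a missing header) blocks the rebound request. Port suffixes
    and bracketed IPv6 literals are stripped before comparison.
    """
    if not host_header:
        return False
    host = host_header.strip().lower()
    if host.startswith("["):
        end = host.find("]")
        if end == -1:
            return False
        host = host[1:end]
    elif host.count(":") == 1:
        host = host.split(":", 1)[0]
    return host in allowed


class HostCheckingHandler(http.server.BaseHTTPRequestHandler):
    """Minimal stand-in for the device UI that enforces the Host check."""

    def do_GET(self):
        if not host_is_allowed(self.headers.get("Host")):
            # 421 Misdirected Request: the request was not meant for us.
            self.send_response(421)
            self.end_headers()
            return
        self.send_response(200)
        self.end_headers()
        self.wfile.write(b"local device UI (constructed placeholder)\n")

    def log_message(self, *args):
        pass  # keep the demo quiet


def probe(host_header, port):
    """Send one GET to the loopback server with an explicit Host header."""
    conn = http.client.HTTPConnection("127.0.0.1", port, timeout=5)
    conn.putrequest("GET", "/", skip_host=True)
    conn.putheader("Host", host_header)
    conn.endheaders()
    status = conn.getresponse().status
    conn.close()
    return status


def run_demo():
    """Start the server on loopback and contrast a direct and a rebound Host."""
    with socketserver.TCPServer(("127.0.0.1", 0), HostCheckingHandler) as srv:
        port = srv.server_address[1]
        threading.Thread(target=srv.serve_forever, daemon=True).start()
        try:
            return {
                "192.168.100.1": probe("192.168.100.1", port),
                "rebinder.example": probe("rebinder.example", port),
            }
        finally:
            srv.shutdown()


if __name__ == "__main__":
    for host, status in run_demo().items():
        print(f"Host: {host:<18} -> HTTP {status}")
```

The check belongs in the device's HTTP layer, before any handler that can change DNS settings or firmware runs. It does not replace the other two fixes the researchers call out (default credentials and the firmware bug); it only removes the path by which a web page on another origin can reach the interface at all.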
Just went to the web interface on my cable modem (Score:2)
192.168.100.1
LOL, 2011 was the last firmware update it got. I have no idea what the user ID and password are for it.
I'm pretty sure with what I paid for it, it was saving me 60-100 a year after the first bunch of months.
Re: (Score:3, Informative)
Re:Just went to the web interface on my cable mode (Score:4, Informative)
Here's the first thing to keep in mind: DOCSIS automatically flashes compatible modems that connect to the network with the certified firmware. So for this exploit to happen, they'd have to get into the guts of the CMTS. Modems that aren't authorized aren't flashed either. This doesn't work at the node level either, or at the hybrid node (cable to fiber) level either. There are checks in place on those devices to stop tampering too.
As for the date of the firmware, that shouldn't be a surprise. The way cable modems work within the system is that they require certification and testing to make sure they're not going to piss all over new or legacy hardware with problems when they're connected. See the problems with the old DOCSIS 2 modems pissing all over DOCSIS 3 systems, to the point that they knocked D3 modems and CMTS hardware right offline as they were screaming all over the available RF.
Re: (Score:2)
Re: (Score:2)
spectrum analyzer [...] a hardware and software component that protects the cable modem from signal surges and disturbances coming via the coax cable
Must remember that definition of what a spectrum analyzer is for my next EE exam, I never knew that.
As an end user, this is great! (Score:5, Funny)
Summary:
Using Cable Haunt, an attacker could:
Change default DNS server
Conduct remote man-in-the-middle attacks
Hot-swap code or even the entire firmware
Upload, flash, and upgrade firmware silently
Disable ISP firmware upgrade
Change every config file and settings
Get and Set SNMP OID values
Change all associated MAC Addresses
Change serial numbers
Be exploited in botnet
Are you telling me that as an end user I can finally upgrade the firmware in my DOCSIS modem myself, rather than relying on my ISP to get around to it?
Sounds like an awesome feature!
Re: (Score:3)
Only if you knew anything about embedded systems programming. And if you can screw up the RF, everyone on your node will love you.
Re: (Score:2)
From the one that serves ads whenever it can't resolve an IP address? What's the downside?
Re: (Score:3)
What's the downside?
The new ads that they replaced them with.
Re: (Score:2)
Maybe. If you're in Europe, the answer is probably.
It isn't really clear yet if the versions sold in the US can have the update feature turned off at all. If it relies on the setting being available in the firmware, then you won't be able to disable the ISP update, and the attack won't be as likely to be persistent. That's if it updates from a settable location at all.
Interesting in theory (Score:2)
Given what it would take to exploit this, I'm probably not going to lose much sleep over it - at least right now.
Re: (Score:1)
PRISM showed past support to get into tech and stay in tech over generations of hardware, crypto and software experts users expected to "work" and be tested...
Never thought being a VZ FIOS customer (Score:1)
Re: (Score:1, Funny)
Re: (Score:1)
I've only scanned the white paper, but if I'm understanding it correctly from a partial reading, it would be sufficient to block default access to private networks, add rules allowing whatever private networks you have, and then for the cable modem's configuration network restrict it to the published config address. Then you would still have access to the GUI, but not the back door. Of course you may have to change your firewall if you ever need customer service from your ISP, but that's not likely for people w
Re: (Score:2)
The specific issue is literally the issue.
Words that some guy says, those don't affect my security.
Last line of the article is nonsense (Score:4, Insightful)
"All in all, it's clever research, but your cable modem will most likely get hacked because you forgot to change its default password or is vulnerable to other security flaws that are directly exploitable from the internet because you forgot to update its firmware."
Say what???
DOCSIS was specifically designed to *prevent* the user from being able to change things like firmware or configuration.
I give this article an "F".
Re: (Score:2)
I give your interpretation of the technology an F. DOCSIS wasn't designed that way. In fact it has nothing to do with access to the modem's firmware. All firmware upgrades are handled through DHCP strings. Most newer modems use HTTP instead of TFTP. All newer ARRIS modems (and most modems are ARRIS modems) do not allow regular access through the WAN-side connection without setting a password. We changed things like WiFi SSID and password through SNMP. On older pre-ARRIS Motorola modems we used a modifi
Knew this was coming. (Score:2)
I would regularly log in to these modems and play with the built-in spectrometer. I of course had full access to the provisioning system to find and identify them, but knew it would be possible to port scan for them. Most of them have no login to access the spectrometer. They came in handy when dealing with ingress noise.
Re: (Score:2)
I don't know why I have spectrometer in that post above. It should be spectrum analyzer. Brain fart of the day I guess.
Is DerEngel free again? (Score:2)