Hundreds of millions of cable modems are vulnerable to critical takeover attacks by hackers halfway around the world, researchers said.
The attacks work by luring vulnerable users to websites that serve malicious JavaScript code that is surreptitiously hosted on the site or hidden inside malicious ads, researchers from Denmark-based security firm Lyrebirds said in a report and accompanying website. The JavaScript then opens a websocket connection to the vulnerable cable modem and exploits a buffer overflow vulnerability in the spectrum analyzer, a small server that detects interference and other connectivity problems in a host of modems from various makers. From there, remote attackers can gain complete control over the modems, allowing them to change DNS settings, make the modem part of a botnet, and carry out a variety of other nefarious actions.
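The attack chain above hinges on a browser on the home network being tricked into opening a WebSocket to a LAN device on behalf of a public website. Browsers attach an Origin header to every WebSocket handshake, so a gateway or proxy that logs that header can flag cross-site handshakes aimed at private addresses. The following detector is an added example, not code from Lyrebirds or the article; the log format and the sample lines are constructed for illustration.

```python
import ipaddress
from urllib.parse import urlparse

# Constructed sample of WebSocket/HTTP request records as a home gateway or
# proxy might log them. Format is assumed: src -> host:port method path Origin= Upgrade=
SAMPLE_LOG = """\
192.168.0.23 -> 192.168.0.1:8080 GET /ws Origin=https://ads.example.net Upgrade=websocket
192.168.0.23 -> 192.168.0.1:8080 GET /ws Origin=http://192.168.0.1 Upgrade=websocket
192.168.0.23 -> 93.184.216.34:443 GET /chat Origin=https://www.example.com Upgrade=websocket
192.168.0.23 -> 192.168.0.1:80 GET /index.html Origin=https://ads.example.net Upgrade=-
"""

def _is_private_host(host):
    """True for RFC 1918, link-local and loopback literals; hostnames are not resolved."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return False
    return ip.is_private or ip.is_link_local or ip.is_loopback

def parse_line(line):
    """Split one constructed log record into its fields."""
    src, _, dst, method, path, origin, upgrade = line.split()
    host, _, port = dst.rpartition(":")
    return {
        "src": src, "host": host, "port": int(port), "method": method,
        "path": path, "origin": origin.split("=", 1)[1],
        "upgrade": upgrade.split("=", 1)[1],
    }

def is_cross_site_lan_websocket(rec):
    """Flag a WebSocket handshake to a private address whose Origin is a public site."""
    if rec["upgrade"].lower() != "websocket":
        return False
    if not _is_private_host(rec["host"]):
        return False
    origin_host = urlparse(rec["origin"]).hostname or ""
    # A page served by the device itself (private Origin) is the expected case;
    # a public Origin reaching a LAN device is the cross-site pattern described above.
    return not _is_private_host(origin_host)

def find_suspicious(log_text):
    """Return the records that match the cross-site LAN WebSocket pattern."""
    return [rec for rec in map(parse_line, log_text.splitlines())
            if is_cross_site_lan_websocket(rec)]
```

A hit does not prove exploitation, only that a public page drove a WebSocket at a LAN device; correlating it with subsequent DNS-setting changes on the modem is the natural follow-up.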
Cable Haunt, as the researchers have named their proof-of-concept exploit, is known to work on various firmware versions of the following cable modems:
- Sagemcom F@st 3890
- Sagemcom F@st 3686
- Technicolor TC7230
- Netgear C6250EMR
- Netgear CG3700EMR
The exploit may also work against the Compal 7284E and Compal 7486E. Because the spectrum analyzer server is present in other cable modems, the exploit is likely to work on other models as well. Lyrebirds' proof-of-concept attack works reliably against the Technicolor TC7230 and the Sagemcom F@st 8690. With tweaks, the attack code will work on other models listed as vulnerable. The vulnerability is tracked as CVE-2019-19494. A more specific vulnerability targeting only the Technicolor TC7230 modem is indexed as CVE-2019-19495.
Complete control
"The vulnerability enables remote attackers to gain complete control of a cable modem, through an endpoint on the modem," Lyrebirds researchers wrote. "Your cable modem is in charge of the Internet traffic for all devices on the network. Cable Haunt might therefore be exploited to intercept private messages, redirect traffic, or participat[e] in botnets."