Posted on January 15, 2020 at 2:34 PM
From there, they use remote methods to gain access to the modems, which allows the attackers to change the modems' DNS settings. The vulnerability also lets them carry out a range of other malicious actions on the modem.
Researchers at Lyrebirds have named the vulnerability Cable Haunt. It has been found in several firmware versions of cable modems, including the Netgear CG3700EMR, Technicolor TC7230, Sagemcom F@st 3686, Compal 7486E, and Compal 7284E.
Because other cable modems also ship with the spectrum analyzer server, attackers may be able to compromise other models as well, the researchers said. Lyrebirds' proof-of-concept attack worked against the Sagemcom F@st 8690 and the Technicolor TC7230 modems; with some changes, the attack code could also work on other modem models.
Vulnerability gives hackers complete control
According to the Lyrebirds researchers, the vulnerability gives hackers remote access through an endpoint on the vulnerable modem. The researchers explained that the cable modem handles the internet traffic of every device on the network. As a result, attackers who exploit Cable Haunt can enlist the modem in botnets, redirect traffic, and intercept private communications.
Hackers have two options to gain access
Cable Haunt is typically delivered through a browser, but the attack can originate from anywhere, as long as the malicious code can reach the modem's IP address on the local network. The attack does not work when the target uses Firefox, because the WebSocket implementation the spectrum analyzer uses is not compatible with the one Firefox uses.
Beyond the buffer overflow, the attack succeeds because of the default credentials used to reach the modems; these default credentials are typically embedded in the URL the attacker uses.
Other methods the attacker could explore
Kasper Terndrup, a Lyrebirds co-founder, pointed out that attackers could take other approaches and still succeed.
According to him, the proof-of-concept exploit could use other methods to run on the modem. However, the attack code must know the exact memory address of the vulnerable code, because of the memory layout of the MIPS code that runs the spectrum analyzer.
Cable Haunt uses return-oriented programming to work around the restrictions imposed by that memory layout: rather than injecting new code, it stitches together a patchwork of code fragments already present in the firmware.
Once the attacker has exploited the vulnerability, they install a reverse shell by sending commands to the vulnerable modem's telnet server. With that access, the attacker can do a great deal: install entirely new firmware, change the DNS settings, and inspect any encrypted data that passes through the modem. In short, the attacker has complete control over the modem.
Lyrebirds researchers said the vulnerability could affect more than 200 million modems in Europe, and that the attack may also work on several million other modems around the world.
The worst part is that an average user cannot easily determine whether their modem is vulnerable. According to the researchers, doing so would require running proof-of-concept code against the modem, which is not feasible for an average user.