Hackers Discover a Major Vulnerability that could Affect More than 200 Million Modems

Posted on January 15, 2020 at 2:34 PM

Researchers have recently revealed that more than 200 million modems are reportedly vulnerable to serious attacks by hackers. According to Lyrebirds researchers, the attackers can lure their victims to malware-infested sites that serve malicious JavaScript code.

From there, they use remote methods to gain access to the modems, which allows the attackers to change the modem's DNS settings. The vulnerability also lets them carry out a series of other nefarious actions on the modem.

Lyrebirds researchers have named the vulnerability Cable Haunt. It has been detected in different firmware versions of cable modems, including Netgear CG3700EMR, Technicolor TC7230, Sagemcom F@st 3686, Compal 7486E, and Compal 7284E.

Since other cable modems also contain the spectrum analyzer server, hackers may succeed in exploiting other models as well, the researchers said. Lyrebirds' proof-of-concept attack worked against the Sagemcom F@st 8690 and the Technicolor TC7230 modems. With some changes, the attack code could also work on other modem models.

Vulnerability gives hackers complete control

According to the Lyrebirds researchers, the vulnerability gives hackers remote access through an endpoint on the vulnerable modem. The researchers explained that the cable modem is responsible for the internet traffic of all devices within the network. As a result, hackers may exploit Cable Haunt to enlist modems in botnets, redirect traffic, and intercept private messages.

Hackers have two options to gain access

The researchers explained that hackers could gain remote access to the modem in two different ways. The first and simplest way is to use malicious JavaScript that makes the browser connect to the modem automatically. Generally, a mechanism known as cross-origin resource sharing stops a web application from connecting directly to another web application from a different origin.

However, WebSockets are not covered by this mechanism, which means that modems are not able to prevent the JavaScript from connecting. This gives the attackers easy access to the modem to launch their code.

Cable Haunt usually reaches modems via a browser. However, the attack could come from any place where running code can reach the modem's IP on the local network. The attack does not work when the targets use Firefox, because the WebSocket the spectrum analyzer uses is not compatible with the WebSocket the browser uses.

However, it’s still possible for the attackers to attack remotely through JavaScript. The JavaScript can get around the restrictions through what is usually referred to as a DNS rebinding attack, which changes the DNS tables within the local network. Since the domain address of the attacker’s site is linked to the IP of the exposed modem, the JavaScript will be able to carry out the attack successfully.
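A handshake check on the modem side that rejects both browser routes described above, as an added example (not code from Lyrebirds or any modem vendor): the server refuses WebSocket upgrades whose Origin is not its own page or whose Host is not its own address. The address 192.168.100.1, port 8080, path /ws and the function names are assumed values for illustration.

```javascript
// Added example: handshake policy for a LAN-only WebSocket management endpoint.
const crypto = require("node:crypto");

// Assumed values: the device's own address and the only page allowed to connect.
const DEVICE_HOSTS = new Set(["192.168.100.1:8080"]);
const ALLOWED_ORIGINS = new Set(["http://192.168.100.1"]);
const WS_GUID = "258EAFA5-E914-47DA-95CA-C5AB0DC85B11"; // fixed by RFC 6455

// Parse a raw HTTP upgrade request into a lower-cased header map.
function parseHeaders(raw) {
  const headers = {};
  for (const line of raw.split("\r\n").slice(1)) {
    const i = line.indexOf(":");
    if (i > 0) headers[line.slice(0, i).trim().toLowerCase()] = line.slice(i + 1).trim();
  }
  return headers;
}

// Decide whether to complete the upgrade (101) or refuse it (400/403).
function checkHandshake(raw) {
  const h = parseHeaders(raw);
  if ((h["upgrade"] || "").toLowerCase() !== "websocket" || !h["sec-websocket-key"])
    return { status: 400, reason: "not a WebSocket upgrade" };
  // DNS rebinding: the browser still sends the rebound hostname in Host.
  if (!DEVICE_HOSTS.has(h["host"] || ""))
    return { status: 403, reason: "unexpected Host" };
  // Cross-site page: CORS does not apply, but browsers always send Origin.
  if (!ALLOWED_ORIGINS.has(h["origin"] || ""))
    return { status: 403, reason: "unexpected Origin" };
  const accept = crypto.createHash("sha1")
    .update(h["sec-websocket-key"] + WS_GUID).digest("base64");
  return { status: 101, accept };
}

// Constructed sample request; the key is the RFC 6455 example nonce.
function sampleRequest(host, origin) {
  return ["GET /ws HTTP/1.1", `Host: ${host}`, "Upgrade: websocket",
    "Connection: Upgrade", "Sec-WebSocket-Key: dGhlIHNhbXBsZSBub25jZQ==",
    "Sec-WebSocket-Version: 13", ...(origin ? [`Origin: ${origin}`] : []),
    "", ""].join("\r\n");
}

console.log(checkHandshake(sampleRequest("192.168.100.1:8080", "http://192.168.100.1")));
console.log(checkHandshake(sampleRequest("192.168.100.1:8080", "http://news.example")));
console.log(checkHandshake(sampleRequest("rebind.example:8080", "http://rebind.example")));
```

Origin and Host are only trustworthy when a browser sends them, so this check addresses the browser-borne routes and does not replace authentication on the endpoint.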

Apart from the buffer overflow, the attack succeeds because of the default credentials used to access the modems. The default credentials are usually included in the URL the attacker uses.

Other methods the attacker could explore

Kasper Tendrup, a Lyrebirds co-founder, pointed out that the hackers could explore other options and still succeed in the attack.

According to him, the proof-of-concept can use other methods to work on the modem. However, the attack code has to know the exact memory address of the susceptible code. This is because of the MIPS assembly memory structure, which runs the spectrum layer.

Cable Haunt utilizes return-oriented programming to get around the restrictions placed by the memory structure. It goes through the code that already exists on the device and assembles a patchwork from it.

After the attacker has succeeded in exploiting the vulnerability, they install a reverse shell by sending commands to the telnet server of the vulnerable modem. After gaining access, the attacker would be able to do a whole lot of things. They could install entirely new firmware, change the DNS settings, and screen any encrypted data that comes through the modem. The attacker could have complete control over the modem.

Lyrebirds researchers said that the vulnerability could affect more than 200 million modems in Europe. According to the researchers, the attack may also work on several million other modems all over the world.

The worst part is the fact that an average user would not be able to determine whether their modem is vulnerable. According to the researchers, it would require them to run POC code against the modem, which is not feasible for an average user.

Publisher Name
Koddos