According to experts, the problem jeopardizes more than 200 million cable modems in Europe alone. Moreover, the exact number of vulnerable devices cannot be determined, because the vulnerability lies in reference software that has most likely been copied by many cable modem manufacturers.
The vulnerability lies in one of the standard components of Broadcom chips, called a spectrum analyzer. It protects the device from signal surges and interference and is often used by Internet service providers to debug a connection.
The researchers write that the spectrum analyzer has no protection against attacks such as DNS rebinding, and that it also contains a vulnerability in the firmware itself (made worse by the use of default credentials). However, the component is reachable only on the cable modem's internal network, not directly from the Internet, so carrying out the attack is far from trivial: in the end, the attacker would need to lure the user to a malicious web page so that the user's own browser is used to reach the vulnerable component. Having done so, the offender will be able to:
- Change the default DNS server
- Conduct a remote man-in-the-middle attack
- Completely replace the code or firmware "on the fly"
- Download, install and update firmware without the user's knowledge
- Disable firmware updates by the provider
- Change the configuration file and settings
- Get and set SNMP OID values
- Change all MAC addresses
- Change serial numbers
- Operate the device as part of a botnet
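Because the only path to the spectrum analyzer runs through the victim's browser, the entry point of the attack chain described above is DNS rebinding: a public hostname is first resolved to an attacker-controlled address and then re-resolved to an address on the victim's LAN, so that the browser treats the modem as the same origin. A standard mitigation on a home router or recursive resolver is to refuse answers that map a public name to a private address (the behaviour of dnsmasq's `--stop-dns-rebind`, for instance). The following is an added example written for this article, not code from the researchers or from any vendor; it assumes constructed DNS answers and a constructed list of trusted local domains, and it generalizes the check to IPv6 and IPv4-mapped IPv6 addresses.

```python
import ipaddress

# Address ranges that a hostname on the public Internet should never resolve to.
# A rebinding attack needs the second resolution of the attacker's name to land
# in one of these ranges; dropping such answers breaks the chain at the resolver.
PRIVATE_NETWORKS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16",
    "::1/128", "fc00::/7", "fe80::/10",
)]


def is_private(addr: str) -> bool:
    """True if addr falls in a loopback, link-local or RFC 1918/ULA range.

    IPv4-mapped IPv6 addresses (::ffff:a.b.c.d) are unwrapped first, otherwise
    an attacker could smuggle a LAN address past an IPv4-only check.
    """
    ip = ipaddress.ip_address(addr)
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return any(ip in net for net in PRIVATE_NETWORKS)


def filter_rebinding(qname: str, answers, local_domains=("lan", "home")):
    """Split a DNS answer set into (kept, dropped).

    qname:         the queried name, e.g. "evil.example.com."
    answers:       list of address strings returned for that name
    local_domains: suffixes (constructed for this example) under which
                   private addresses are legitimate, e.g. "modem.lan"
    Private addresses are kept only for names under a trusted local domain;
    everything else is passed through unchanged.
    """
    name = qname.rstrip(".").lower()
    trusted = any(name == d or name.endswith("." + d) for d in local_domains)
    kept, dropped = [], []
    for a in answers:
        if is_private(a) and not trusted:
            dropped.append(a)
        else:
            kept.append(a)
    return kept, dropped


if __name__ == "__main__":
    # Constructed sample answers: a public name that suddenly points at a
    # LAN address (the rebinding step) versus a genuinely local name.
    for qname, answers in (
        ("evil.example.com.", ["93.184.216.34", "192.168.100.1"]),
        ("evil.example.com.", ["::ffff:192.168.100.1"]),
        ("modem.lan", ["192.168.100.1"]),
    ):
        kept, dropped = filter_rebinding(qname, answers)
        print(f"{qname:20} kept={kept} dropped={dropped}")
```

The check is deliberately conservative: it does not try to detect the TTL games that rebinding relies on, it simply refuses to let any public name resolve into the LAN. The same idea applies on the device side, where validating the HTTP `Host` header (and, for the spectrum analyzer's WebSocket endpoint, the `Origin` header) against the modem's own address would stop the rebound request even when the resolver has not been hardened.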
Given the scale of the problem, the experts were not able to test every possible device for Cable Haunt, but tests were, of course, carried out, and their results can be seen in the table below. The experts have also already published a PoC exploit, which users and providers can use to test their own devices.