Danish security researchers Alexander Krog, Jens Stærmose and Kasper Terndrup of the cybersecurity firm Lyrebirds ApS, together with independent Danish researcher Simon Sillesen, have announced a new vulnerability dubbed Cable Haunt. In the announcement, they disclosed a critical remote code execution vulnerability affecting hundreds of millions of cable modems.
According to the website the researchers set up, “The vulnerability enables remote attackers to execute arbitrary code on your modem, indirectly through an endpoint on the modem. Your cable modem is in charge of the internet traffic for all devices on the network. Cable Haunt might therefore be exploited to intercept private messages, redirect traffic, or participation in botnets.”
The researchers further state that the affected modems are vulnerable to a DNS rebinding attack, followed by a buffer overflow that overwrites the processor registers and executes malicious functionality. Default credentials and a programming error in the modem's spectrum analyzer also contribute to the vulnerability.
While a buffer overflow exploit would normally place its payload directly on the stack, the memory layout of the MIPS processor that runs the spectrum analyzer requires the attack to know the precise memory addresses of the vulnerable code. To get around this, Cable Haunt uses return-oriented programming, chaining pre-existing fragments of the firmware's own code into a patchwork that performs the attacker's work.
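The first step of the chain described above is DNS rebinding, which lets a remote web page reach an endpoint that is only exposed on the modem's LAN. The following is an added example, not code from the researchers or any modem vendor, of the two checks that block that step: a resolver filter that drops public names resolving to private addresses (the behaviour dnsmasq offers as `--stop-dns-rebind`, re-implemented here), and a Host-header allowlist for the internal web endpoint. The LAN address 192.168.100.1 and the hostnames used are constructed sample values.

```python
"""DNS-rebinding defences for an embedded management endpoint (added example)."""
import ipaddress
from urllib.parse import urlsplit

# Address ranges that a public DNS name should never resolve to from inside the LAN.
_PRIVATE_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "0.0.0.0/8", "::1/128", "fc00::/7", "fe80::/10")]


def is_rebinding_answer(name: str, address: str, local_domains=("lan",)) -> bool:
    """True when a DNS answer for a non-local name points at private address space,
    which is exactly what a rebinding attack needs the victim's browser to see."""
    if any(name.lower().endswith("." + d) for d in local_domains):
        return False  # names in the LAN's own domain may legitimately be private
    ip = ipaddress.ip_address(address)
    return any(ip in net for net in _PRIVATE_NETS)


def filter_answers(answers, local_domains=("lan",)):
    """Drop rebinding answers from a list of (name, address) DNS records."""
    return [(n, a) for n, a in answers
            if not is_rebinding_answer(n, a, local_domains)]


def host_header_allowed(host_header: str, allowed_hosts) -> bool:
    """Second line of defence on the endpoint itself: a rebound request still
    carries the attacker's hostname in Host, so only the modem's own names or
    addresses are accepted. Port suffixes and bracketed IPv6 are handled by urlsplit."""
    host = (urlsplit("//" + host_header.strip()).hostname or "").lower()
    return host in {h.lower() for h in allowed_hosts}


# Constructed sample resolver answers: one public, one rebound to the modem's
# assumed LAN address, one legitimately local.
CONSTRUCTED_ANSWERS = [
    ("cdn.example.com", "203.0.113.10"),
    ("attacker.example.net", "192.168.100.1"),
    ("printer.lan", "192.168.0.20"),
]

if __name__ == "__main__":
    print(filter_answers(CONSTRUCTED_ANSWERS))
    print(host_header_allowed("attacker.example.net", {"192.168.100.1", "modem.lan"}))
```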
This attack path suggests that, with a hardware root of trust model in place, the vulnerability could have been eliminated.
Bart Stevens, senior director of product marketing for Rambus, elaborates. “The recent Cable Haunt exploit demonstrates the need for a security by design approach, led by a hardware root of trust to silo away secure processes from the main CPU. This siloed approach to security ensures that a potential compromise of the main processor does not expose critical keys and credentials — or impair the execution of security applications that monitor system operation and detect tampering. A hardware root of trust would not necessarily prevent the host CPU from being attacked by a similar attack like Cable Haunt. But at a minimum, a hardware root of trust could prohibit alternate firmware from replacing the original firmware. In addition, many future vulnerabilities could be prevented if sensitive configuration and network parameter handling is moved from the normal host CPU onto a separate and dedicated, secure CPU residing inside the root of trust section.”
It is important to note that this is a proof-of-concept exploit that has not been seen in the wild. Exploitation is complicated by the fact that the vulnerable spectrum analyzer component is reachable only on the cable modem's internal network and is not directly exposed to the internet. While it would require a lot of skill, and perhaps a bit of luck, a successful attack would give an attacker intimate access to all data entering and leaving the network. Against a high-value target, that access could inspire some to try.