New Vulnerability Targets Cable Modems

Over the past few years, there have been many vulnerabilities found on all sorts of devices.

Not only are computers a prime target for hackers, but the Internet-of-Things (and the wide array of cheap IoT products without strong security) has opened up literally hundreds of weak points in your network if you use inexpensive or insecure IoT devices.

Routers are also vulnerable to attack and given their increasing complexity, their position on the network (exposed to outside traffic), and the fact that consumers hardly ever update them.

About the only thing that hasn’t been a possible target for malware and hackers has been the cable modem…until now.

Cable Haunt

A new vulnerability called Cable Haunt has been recently found in dozens of popular modems made by different companies.

Modems by Netgear, Arris, Cisco, and Technicolor (among others) are impacted by this vulnerability. All these modems share certain firmware (with reference code) that was created by Broadcom and copied by the modem manufacturers.

Broadcom fixed this vulnerability in their reference code back in April of 2019, but apparently many cable modem manufacturers and ISPs have not fixed their own code.

Cable Haunt Exposure

The good news is that the attack requires a (relatively) large amount of work to be done properly. At least so far.

There are certainly people working on making this exploit easy to use. Either for themselves or to sell it to the highest bidder, but right now, that hasn’t happened.

The bad news, though, is almost everything else.

What Can Cable Haunt Do?

Cable Haunt can do a number of things once it infects a modem. It can change your DNS server, it can conduct a man-in-the-middle attack, it can further alter your modem’s firmware, edit MAC addresses and serial numbers of hardware, be used as part of a larger botnet, and more.

With these possibilities, Cable Haunt can intercept messages, or redirect traffic to unintended sites without your knowledge.

How Does It Infect You?

If you’re running Chrome (or a Chromium-based browser) or Safari, you only have to run malicious JavaScript to be infected.

This JavaScript can be served from a malicious website or even from an ad present on a legitimate website.

Interestingly, it looks like Firefox doesn’t support the required spectrum analyzer that is used in this attack, so if you’re running Firefox you’re safe from web-based JavaScript attempts to run Cable Haunt.

You’re not totally safe, though, since it looks like the JavaScript could also be run from a compromised (or malicious) IoT device that is running on your network.

This is still something that needs to be fixed on your cable modem’s firmware.

Patching Cable Haunt

The interesting thing about patching the code on the cable modem is that you can’t do it.

Cable modem firmware can only be patched by the cable provider. So if you have one of the modem models affected by this vulnerability, you’ll just have to wait for your ISP to do it.

In the meantime, try and use Firefox if you can, and if you have a firewall and know what you’re doing, you can block access to your cable modem’s web interface (since it’s almost never used). I actually didn’t realize that my modem HAD a web interface until now!

You can read more about Cable Haunt here.