A vulnerability in Broadcom’s cable modem firmware has left as many as 200 million home broadband gateways in Europe, and potentially more worldwide, at risk of remote hijackings.
At that point, the code can attempt miscreant-in-the-middle attacks, manipulate the firmware, change DNS settings to redirect connections to phishing pages, snoop on traffic, launch distributed denial-of-service assaults, and so on. A DNS rebinding technique is needed during the infection to bypass browser security mechanisms. This involves the script connecting to what the browser thinks is a legit internet-facing system, but the address actually resolves to the local IP address for the modem.
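The rebinding step described above is the one a home router's resolver or the modem's own web service can refuse. As an added example (not from the article or the researchers), the Python below applies the filtering rule that resolvers such as dnsmasq implement as "stop DNS rebind", plus a Host-header check a local device service could apply; the hostnames and the modem address 192.168.100.1 are constructed assumptions.

```python
import ipaddress

# Address ranges a name resolved through an upstream resolver should never
# point at.  A rebinding attack answers a public-looking name with one of
# these so the browser's same-origin policy treats the modem as the site.
NON_PUBLIC_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918
    "127.0.0.0/8", "169.254.0.0/16", "0.0.0.0/8",       # loopback, link-local, "this" net
    "::1/128", "fc00::/7", "fe80::/10",                  # IPv6 equivalents
)]

# Constructed sample of resolver answers (name, address) as a filtering
# resolver would see them; addresses are documentation/test values.
SAMPLE_ANSWERS = [
    ("cdn.example-attacker.test", "203.0.113.10"),   # first answer looks legitimate
    ("cdn.example-attacker.test", "192.168.100.1"),  # second answer rebinds to the modem
    ("updates.example.test", "198.51.100.7"),
    ("localhost.example-attacker.test", "127.0.0.1"),
]


def is_rebinding_answer(name: str, address: str) -> bool:
    """True when an upstream answer for `name` points into a non-public range.

    `name` is kept so a caller can log which name produced the suspicious answer.
    """
    ip = ipaddress.ip_address(address)
    return any(ip in net for net in NON_PUBLIC_NETS)


def filter_answers(answers):
    """Split answers into (accepted, rejected); rejected ones are dropped by the resolver."""
    accepted, rejected = [], []
    for name, address in answers:
        bucket = rejected if is_rebinding_answer(name, address) else accepted
        bucket.append((name, address))
    return accepted, rejected


def host_header_allowed(host_header: str, allowed_hosts=("192.168.100.1",)) -> bool:
    """Second line of defence on the device itself (assumption: the page does not
    say whether affected firmware does this).  A rebound request still carries
    the attacker's hostname in the HTTP Host header, so the local service can
    reject any request that does not name the device by its own address."""
    host = host_header.split(":", 1)[0].strip().lower()
    return host in allowed_hosts
```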
The end result, the team says, is that crooks can remotely take over vulnerable Broadcom-based cable modems without netizens or ISPs realizing; the victim simply has to surf to a dodgy website, or similar. The method is a little fiddly to pull off, we note, so crooks may not bother with it.
Dubbed Cable Haunt, and accompanied with a logo, for marketing purposes, the flaw was found by Alexander Dalsgaard Krog, Jens Hegner Stærmose, and Kasper Kohsel Terndrup from security company Lyrebirds, along with indie researcher Simon Vandel Sillesen.
The modem’s spectrum analyzer tool, which is part of the Broadcom-supplied stack, is exploited as part of the attack to gain code execution: a specially crafted JSON payload sent to the software can overwrite the CPU registers, leading to arbitrary memory manipulation and code execution.
At this point, it’s game over for the modem. An attacker can do pretty much anything they want.
The team said the vulnerability affects cable modems that run chipset designer Broadcom's software on the open-source Embedded Configurable Operating System (eCos), and fears that in Europe alone as many as 200 million modems may be vulnerable, though it is not certain of the number.
“The reason for this is that the vulnerability originated in reference software, which has seemingly been copied by different cable modem manufacturers when creating their cable modem firmware,” the crew explained. “This means that we have not been able to track the exact spread of the vulnerability, and that it might present itself in slightly different ways for different manufacturers.”
Broadcom has yet to respond to a request for comment on the report. You can find a list of known affected broadband gateway models here. ®