Minim and CommScope have come forward with interim fixes for "Cable Haunt," a recently discovered vulnerability that threatens tens of millions of cable modems powered by certain Broadcom chipsets equipped with a built-in spectrum analyzer.
Discovered by a group of Danish researchers, the Cable Haunt vulnerability is exploitable via a malicious web page script that can be loaded unknowingly and enable a bad actor to take control of a modem to intercept private messages, redirect traffic or join a botnet.
The Lyrebirds researchers question whether applying the Cable Haunt moniker to the vulnerability was warranted, but ultimately figured it made sense to 'go big and branded' with the findings, given the potential scope of the issue.
"The specific vulnerability is abusing an interface that technicians can use to check the quality of the signal to your service provider," Sam Stelfox, senior security engineer at Minim and the developer behind the company's virtual patch for Cable Haunt, explained in a blog post.
Minim's patch blocks Cable Haunt exploit attempts for cable modems and routers on its network. The company noted that tracking the spread of Cable Haunt has been difficult because the vulnerability appears to have originated in reference software that different cable modem makers copied when creating their firmware.
CommScope, which acquired Arris last year, posted a security advisory about Cable Haunt on January 17 that highlights affected product models. CommScope's initial suggested method for neutralizing Cable Haunt is to direct existing DOCSIS filters to block access to the RF Spectrum Analyzer, whose interface operates on an HTTP server running on port 8080.
"In the interim, CommScope is reviewing plans for firmware upgrades to eliminate this vulnerability which will allow access to the Spectrum Analyzer to be restored," CommScope added.
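The advisory's interim mitigation is a filter that keeps the analyzer's HTTP server on port 8080 unreachable. The following added example (written for this article; it is not code from CommScope, Minim or the Lyrebirds researchers) is the kind of check a subscriber or operator can run from the LAN side to confirm that the port really is closed. It only attempts a plain TCP connect and reports reachability; the modem address 192.168.100.1 used as the default is an assumption about a typical LAN-side management address, and `self_check()` exercises the probe against a loopback listener so the code can be run without any modem at all.

```python
"""Check whether a cable modem's spectrum analyzer port answers from the LAN."""
import socket
import sys

ANALYZER_PORT = 8080  # HTTP port of the RF Spectrum Analyzer named in the advisory


def analyzer_port_reachable(host: str, port: int = ANALYZER_PORT, timeout: float = 2.0) -> bool:
    """Return True if a plain TCP connect to host:port succeeds within timeout.

    A successful connect shows only that the interface is reachable from this
    network segment, which is what the port-8080 filter is meant to prevent.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, timed out, unreachable, name resolution failure
        return False


def classify(reachable: bool) -> str:
    """Map the probe result to a short verdict for a report or log line."""
    return "EXPOSED" if reachable else "BLOCKED"


def self_check() -> dict:
    """Offline demonstration: probe a loopback listener, then the same port once closed.

    Binding port 0 lets the OS choose a free port; after the listener is closed
    the identical probe must flip from EXPOSED to BLOCKED.
    """
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    port = listener.getsockname()[1]
    try:
        while_open = classify(analyzer_port_reachable("127.0.0.1", port, timeout=1.0))
    finally:
        listener.close()
    after_close = classify(analyzer_port_reachable("127.0.0.1", port, timeout=1.0))
    return {"open_port": while_open, "closed_port": after_close}


if __name__ == "__main__":
    # Usage: python check_analyzer_port.py <modem-lan-address>
    # 192.168.100.1 is an assumed default; use the address your modem documents.
    target = sys.argv[1] if len(sys.argv) > 1 else "192.168.100.1"
    print(f"{target}:{ANALYZER_PORT} -> {classify(analyzer_port_reachable(target))}")
```

Run it once before and once after the operator applies the filter; a result that stays at EXPOSED means the analyzer is still answering on that segment and the mitigation has not taken effect for this modem.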
More details about Cable Haunt
As explained in a post by cable industry veteran Brady Volpe, the Full Band Capture analyzer in Broadcom chips is typically used for proactive network maintenance applications to identify downstream impairments in customer homes remotely, without the need for an on-site technician. He adds that, in most cases, no password is required to open and view the analyzer when connected to the cable modem (even when connected via WiFi), which could allow for the insertion of malicious code.
The Lyrebirds researchers who discovered this vulnerability believe that a bad actor could do a number of harmful things, including change the default DNS server, upload and update firmware, disable firmware upgrades, change configuration files and settings, change serial numbers and conscript devices into botnets.
"Any of the above exploits by themselves is extremely dangerous to a cable network," wrote Volpe, the president and founder of The Volpe Firm and NimbleThis, which provides tech consulting services to cable operators, telecom operators and suppliers worldwide. "They enable everything from denying subscribers access to the services they pay for to completely taking down the DOCSIS network by bricking modems. Even worse, they can turn every modem into a bot that will create a massive denial of service attack on another company, such as what happened to Imperva in 2019 or GitHub in 2018."
While the bad news is that clicking on a bad link or opening a bad file could wreak havoc on vulnerable modems, the good news so far is that "there are no known exploits in the wild," Volpe noted, but warned that it's likely only a matter of time before someone tries to exploit the vulnerability.
"I believe that Cable Haunt and the work exposed through Cable Haunt will forever change the security of cable modems," he concluded.
— Jeff Baumgartner, Senior Editor, Light Reading