Hundreds of Millions of Broadcom Modems “Haunted” by New Bug

Security researchers have shared a warning regarding a new vulnerability that could affect multiple cable modem manufacturers that use Broadcom chips. This vulnerability could expose hundreds of millions of users, resulting in remote attacks.

Three researchers from Lyrebirds, a security consultancy, together with an independent researcher, discovered the “Cable Haunt” bug. It is described as a buffer overflow, “which allows a remote attacker to execute arbitrary code at the kernel level via JavaScript run in a victim’s browser.”

The flaw lies in the spectrum analyser component of the Broadcom chip, which is designed to spot problems with the modem’s cable connection. If an attacker can fool a user into opening a link that carries malicious JavaScript, perhaps via a phishing scam, that script can trigger the buffer overflow from inside the victim’s browser, giving the attacker access to the modem.
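The article describes the bug only as a buffer overflow in a component that accepts requests originating from a browser. The following is an added, illustrative C example (not code from the researchers, Broadcom, or any modem vendor) of that vulnerability class: a request handler that trusts a length field from the network and copies into a fixed-size array, shown beside a hardened version that bounds the copy by both the array size and the bytes actually received. The request layout, the `analyser_config` structure and the function names are constructed for this example and do not describe the real message format.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed request layout (hypothetical, not the real format):
 * byte 0        : declared number of 32-bit values
 * bytes 1..     : that many little-endian 32-bit values */
#define MAX_VALUES 16

struct analyser_config {
    uint32_t values[MAX_VALUES];
    size_t count;
};

/* Vulnerable pattern: the declared count comes straight from the request and
 * is used as the copy length with no check against the fixed-size array or
 * against how many bytes were actually received. A count above MAX_VALUES
 * writes past the end of cfg->values. */
int parse_config_unsafe(const uint8_t *req, size_t req_len, struct analyser_config *cfg)
{
    if (req_len < 1) return -1;
    size_t count = req[0];
    memcpy(cfg->values, req + 1, count * sizeof(uint32_t)); /* no bounds check */
    cfg->count = count;
    return 0;
}

/* Hardened version: reject a count larger than the array, reject a count the
 * received data cannot back, and decode each value explicitly. */
int parse_config_safe(const uint8_t *req, size_t req_len, struct analyser_config *cfg)
{
    if (req == NULL || cfg == NULL || req_len < 1) return -1;
    size_t count = req[0];
    if (count > MAX_VALUES) return -2;                    /* would overflow the array */
    if (req_len - 1 < count * sizeof(uint32_t)) return -3; /* header lies about payload size */
    for (size_t i = 0; i < count; i++) {
        const uint8_t *p = req + 1 + i * 4;
        cfg->values[i] = (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
                         ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
    }
    cfg->count = count;
    return 0;
}

/* Builds a constructed request. declared_count may differ from nvals so that
 * a header inconsistent with its payload can be tested. Returns bytes written. */
size_t build_request(uint8_t *buf, size_t buf_len, uint8_t declared_count,
                     const uint32_t *vals, size_t nvals)
{
    if (buf_len < 1 + nvals * 4) return 0;
    buf[0] = declared_count;
    for (size_t i = 0; i < nvals; i++) {
        buf[1 + i * 4]     = (uint8_t)(vals[i] & 0xff);
        buf[1 + i * 4 + 1] = (uint8_t)((vals[i] >> 8) & 0xff);
        buf[1 + i * 4 + 2] = (uint8_t)((vals[i] >> 16) & 0xff);
        buf[1 + i * 4 + 3] = (uint8_t)((vals[i] >> 24) & 0xff);
    }
    return 1 + nvals * 4;
}

int main(void)
{
    uint8_t buf[128];
    uint32_t vals[3] = {100000000u, 200000000u, 300000000u}; /* constructed sample */
    struct analyser_config cfg;

    size_t n = build_request(buf, sizeof buf, 3, vals, 3);
    printf("well-formed request: safe=%d\n", parse_config_safe(buf, n, &cfg));

    n = build_request(buf, sizeof buf, 200, vals, 3);
    printf("count 200 with 3 values: safe=%d (unsafe handler would copy 800 bytes)\n",
           parse_config_safe(buf, n, &cfg));

    n = build_request(buf, sizeof buf, 5, vals, 3);
    printf("count 5 with 3 values: safe=%d\n", parse_config_safe(buf, n, &cfg));
    return 0;
}
```

The hardened parser checks the declared count twice: once against the capacity of the destination array and once against the number of bytes that actually arrived. Either check alone leaves a hole, since a short message with a large count reads out of bounds and a long message with a count above the array size writes out of bounds.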


This opens up a range of potential options to the hackers, including the following:

  • Changing the default DNS server
  • Disabling ISP firmware upgrades and covertly changing the code themselves
  • Conducting man-in-the-middle attacks and conscripting the device into a botnet

In other words, an attacker can spy on any traffic that flows through the modem, send unsuspecting users to malicious domains and launch botnet attacks. The scale of the problem could be huge, potentially affecting even more than the estimated 200 million in Europe.

“The reason for this is that the vulnerability originated in reference software, which has seemingly been copied by different cable modem manufacturers when creating their cable modem firmware,” the researchers warned. “This means that we have not been able to track the exact spread of the vulnerability and that it might present itself in slightly different ways for different manufacturers.”

The team has contacted ISPs to disclose the issue along with a proper fix, but reports only “limited success” with this approach. Models from Netgear, Sagemcom, Technicolor and Compal are among the 10 confirmed to be affected.

However, the vulnerable spectrum analyser is not directly exposed to the internet. As a result, the flaw is relatively complex to exploit and is unlikely to be used in mass campaigns, given the number of router flaws that can be exploited with far less effort.
