*Updated* (see patch for Cable Haunt at end of post) Cable Haunt is the fancy name given for a vulnerability recently disclosed by a group of researchers at Lyrebirds in Denmark exploiting DOCSIS modems.
Cable Haunt affects cable modems using the Broadcom chipset specifically having the built-in spectrum analyzer many of us in the industry are quite fond of. Typically the forward path spectrum analyzer or Full Band Capture (FBC) analyzer in the broadcom chipset is used by the industry for proactive network maintenance (PNM) applications to identify a number of downstream impairments in the home without ever requiring the technician to enter the home, because we can access the modems spectrum analyzer remotely.
One aspect of the spectrum analyzer is that it can be used directly from the subscriber side of the cable modem by accessing the cable modem’s local IP address, which is typically http://192.168.100.1:8080 or http://192.168.0.1:8080
In most cases there is no password access required to open and view the downstream spectrum analyzer when connected directly to the cable modem or even connected wirelessly (i.e. WiFi to the cable modem network from within the home). It’s a great feature if you are a cable technician or a DYI home networking person trying to improve your own network performance.
Here is an image of the spectrum analyzer from an SBG6900-AC cable modem:
Figure 1: Spectrum Analyzer Display on Arris SBG6900-AC Cable Modem
What Went Wrong
The team Lyrebirds in Denmark found that by entering a bunch of letter ‘A’s into the Start frequency of the spectrum it would cause the cable modem to crash and reboot. This is something that is called a buffer overflow. A buffer overflow occurs when writing data to a program overruns the programs buffers, or memory, and then overwrites adjacent memory locations.
This can be really bad because instead of writing the letter “A” in the start frequency location, one could write malicious code in the start frequency location. The malicious code could then allow the modem to do a number of things. The team at Lyrebirds have suggested the following as a minimum of what they believe can be accomplished:
- Change default DNS server
- Conduct remote man-in-the-middle attacks
- Hot-swap code or even the entire firmware
- Upload, flash, and upgrade firmware silently
- Disable ISP firmware upgrade
- Change every config file and settings
- Get and Set SNMP OID values
- Change all associated MAC Addresses
- Change serial numbers
- Be exploited in botnet
Any of the above exploits by themselves is extremely dangerous to a cable network. They enable everything from denying subscribers access to the services they pay for to completely taking down the DOCSIS network by bricking modems. Even worse, they can turn every modem into a bot that will create a massive denial of service attack on another company, such as what happened to Imperva in 2019 or Github in 2018.
Who is Impacted?
Anyone with DOCSIS cable modem’s containing Broadcom chipsets. It is reported that Broadcom has fixed this exploit in April of 2019 (unconfirmed as of yet), however the fix would still have taken time to get into the market and even longer to get into product and then updated.
How Can You Test if Your Modem is Susceptible?
One of the really bad things about this exploit is that you can be compromised through your web browser. This means click on the wrong link, open the wrong file, even the wrong email and your modem could be in bad shape. The good news is so far there are no known exploits in the wild.
However, since the modem is exploitable from your web browser, this gives us the ability to test for the vulnerability directly from the web browser. Here’s how:
First, open the spectrum analyzer on your cable modem using the Chrome web browser (note that Internet Explorer and Firefox will not work for this test), typically using one of the two following URLs: http://192.168.100.1:8080 or http://192.168.0.1:8080
Once you see the spectrum analyzer, open the console by clicking on the three vertical dots on the left hand side of the Chrome web browser, select Developer tools and then select Console as shown in figure 2.
Figure 2: Accessing Developer Tools
Once the Developer toolbox opens, be sure to click on the Console panel highlighted in red shown in Figure 3.
Figure 3: Console Box – Exploit Execution
Once you have selected the Console box above, there will not be any text as shown. You will copy and paste the following text into the console box in Figure 3. This is where you will test if your cable modem is exploitable – don’t worry, we are only going to inject your modem with a bunch of letter “A”s, so nothing bad will happen other than rebooting your modem. The bad stuff happens when we do something other than injecting the letter “A”.
Here is the code you want to copy and paste into the console box in your web browser as shown in Figure 3:
exploit = ‘{“jsonrpc”:”2.0″,”method”:”Frontend::GetFrontendSpectrumData”,”params”:{“coreID”:0,”fStartHz”:’ + ‘AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA’ +’,”fStopHz”:1000000000,”fftSize”:1024,”gain”:1},”id”:”0″}’
console.log(exploit)var socket = new WebSocket(“ws://192.168.100.1:8080/Frontend”, ‘rpc-frontend’) //Or some other ip and port!!!
socket.onopen = function(e) {
socket.send(exploit)
};
The code above is called JavaScript. JavaScript runs in nearly all web sites that you visit. I’m stating this so that you know that it is quite common. Therefore it is very easy to inject this type of code directly into your cable modem as we are doing right now.
After you paste the code into your browser console, just hit the Enter or Return button on your keyboard and wait a few seconds. If your modem lights start blinking and/or your connection to the Internet has been disconnected you know that your modem is exploitable.
Out of ten different Broadcom-based modems in my lab, all ten of them were exploitable. Intel-based modems were not exploitable.
What Should Cable Operators Do?
(Update – see Cable Haunt patch at end of post) Talk to your vendor and make sure that they can provide you with firmware that resolves this exploit as soon as possible. Lyrebirds is also offering to provide support to cable operators via email here: contact@lyrebirds.dk While we are not aware of any existing breeches or attacks it is likely only a matter of time before a malicious person or persons makes use of this exploit.
What Should Subscribers Do?
As a subscriber myself, I believe that Cable Haunt and the work exposed through Cable Haunt will forever change the security of cable modems. However, in today’s world as consumers we really must take a position of trust no one (TNO). Assume that your cable modem, your DSL modem, your fiber modem, your LTE modem, etc. are all susceptible to being breeched.
Your modem should be treated as a gateway. Between you and that gateway should be a trusted firewall which is monitored by you or someone you trust to monitor that firewall. I personally use PFSense (https://en.wikipedia.org/wiki/PfSense ), which is an open source or paid for firewall / router. You can configure rules in the firewall to block all traffic to the http://192.168.100.1:8080 or http://192.168.0.1:8080 ports on the cable modem and any monitor any nefarious exploits which may occur in the future.
Further Reading
For those who want to know more I encourage you to visit the Cable Haunt web site at https://cablehaunt.com and read the technical paper created by Lyrebirds HERE.
Cable Haunt Patch
This is not so much as a patch for the exploit, but it blocks access from the subscriber side to the spectrum analyzer. This was issued as a security advisory from Arris – not sure why they are not using their new name of CommScope, but I’m glad to see they sent out the advisory.
Please do read the full advisory from Arris, but here is the short version of the required patch:
The Spectrum Analyzer Ul operates on an HTTP Server running on port 8080. Using a DOCSIS configuration file, including TLV-11’s, it is possible to block this port’s access from the LAN/CPE, HFC/WAN, or both sides of the device. This is done by adding the following values to the config file.
NOTE: These entries are NOT persistent and MUST be configured via the DOCSIS configuration file.
cmHostlpFilterlnterfaces 1.3.6.1.4.1.4413.2.2.2.1.2.2.1.1.5.x = 0xc0 or 0x80
0xc0 = CM and LAN side
0x80 = LAN side
cmHostlpFilterDirection 1.3.6.1.4.1.4413.2.2.2.1.2.2.1.1.6.x = 1
cmHostlpFilterDestPortLow 1.3.6.1.4.1.4413.2.2.2.1.2.2.1.1.7.x = 8080
(spectrum analyzer HTTP TCP port)
cmHostlpFilterDestPortHigh 1.3.6.1.4.1.4413.2.2.2.1.2.2.1.1.7.x = 8080
(spectrum analyzer HTTP TCP port)
cmHostlpFilterStatus 1.3.6.1.4.1.4413.2.2.2.1.2.2.1.1.2.x = 4 (createAndGo)
The remaining required read-create row-entry objects default values are acceptable. Where ‘x’ is the index for the entry which MUST be greater than ten. It could be any other value, so long as it does not conflict with any existing entry (of which there are probably none).
Upcoming events can be seen under Broadband Events. Previous events can be seen under the blog.
- If you are watching this on youtube please hit the subscribe button!
- Let us know what you think and remember to share!
- You can find slides at the bottom of the page and some on slideshare.
- Find out about events or articles by following us on Twitter, LinkedIn or Facebook too.
Also available on iTunes, Google Podcasts, Spotify, vurbl see podcasts “get your tech on”.
Leave a Reply