
Cable Haunt: A critical vulnerability found in cable modems - Aissen
https://cablehaunt.com/?
======
LeonM
This is nothing new, really. Crappy SOHO routers have been proven to be
vulnerable over and over again.

The thing though is that in most countries you don't actually own the modem,
it stays property of the ISP. And because of that you are locked out, and
often you can't even run a firmware update even if you have the technical
knowledge.

Really, ISPs should be held responsible for this. It is their equipment so
they should also maintain it.

For me this is the reason my 'modem' is still in the original box, I've
installed my own equipment which I maintain myself. Granted, I am lucky
because I have a fiber connection to my home, so really all I needed was an
SFP module for my Edgerouter. I also live in a country where ISPs are required
to support running your own equipment. With cable this becomes a lot harder or
even impossible due to all kinds of network specific systems such as DOCSIS.

~~~
behringer
You make it sound like the providers giving you a modem is a bad thing. This
is a good thing. You as the consumer just needs to buy a decent router, and
it's your ISPs responsibility to maintain the modem. If you have a decent
router you have nothing to worry about. You can simply consider an attack on
your modem an attack on your ISP.

All ISPs I've ever seen in the US allow you to use your own router.

~~~
smileysteve
At a $5+/mo fee for items that normally sell for $60 it seems like profit
seeking behavior.

Comcast at least now made equipment returns easier through UPS franchises;
historically, it could take hours at an understaffed, low budget facility to
return an item. And if you didn't you'd often expect to argue with collections.

~~~
behringer
5/mo is 120 over 2 years, which is imo the expected life on a modem. Now of
course some last 5 years or more, but then some last 6 months. I think 60/year
is a decent price for a 100 percent satisfaction guaranteed working modem.

~~~
smileysteve
> for a 100 percent satisfaction guaranteed working modem.

Importantly, the company I mention historically had such a bad satisfaction
experience that it was rated lowest for customer experience. Such issues that
they rebranded. With their contractor model it was regularly the experience of
customers that the install goes through 2 or 3 cheap cable modems until one
worked; in combination with their MAC locking, DNS poisoning, data caps, almost
daily scheduled downtimes.

Though I'm still not sure how it's a decent price to pay $120 for something
that retails for $60.

~~~
behringer
Satisfaction guaranteed. Don't like the service? Move along, you're out very
little/nothing.

~~~
insulanus
This would be a good argument if:

* there was any choice in the market
* my satisfaction was actually guaranteed
* The cost of switching was low (it will take at least a day of coordination to end one service, and start the second)

------
onesmallcoin
I recently had the frustration of trying to use a Vodafone ISP Supplied modem.
It had a proprietary interface which didn't allow using the modem as a bridge
to a network not on a vlan. Along with the help of the awesome team at
hack-technicolor we managed to find a command execution exploit in the dyndns
updater which allowed us to free the Vodafone UltraHub Technicolor DGA0130VDF
modem along with others. The device is a cool box running a Dual Core Broadcom
400MHz CPU with 256MB DDR3 RAM it's a DSL/WAN router with ADSL/VDSL, Wi-Fi
11b/g/n/ac 5GHz/2.4GHz, And SIP support for two phones. Also now a working WAN
port to a non-vodafone gateway. The device was running openwrt; We also
figured out how to keep persistence on the device after a firmware update to
an unexploitable version meaning you can even have SSH running on the latest
kernel from Vodafone too. In all had a great time working on this box and
feels awesome to free an otherwise awesome device from the trash-heap!
[https://github.com/kevdagoat/hack-technicolor/issues/68](https://github.com/kevdagoat/hack-technicolor/issues/68)

------
jwr
For years now I insisted on getting a modem operating in bridge mode, with a
Ubiquiti Unifi USG doing the actual routing and Unifi access points providing
Wi-Fi. I never trusted the crappy modems, especially the ones provided by the
cable company.

Ubiquiti cares much more about frequent software updates and the general
security and reliability of their gear. The cable companies push trash,
because they can get away with it in most cases.

In this particular case, I don't know if my modem is affected, but I don't
really care: it's part of the operator's network, beyond the security
boundaries of my network.

~~~
Arie
My cable modem is in bridge but I can also reach its web interface at the
management IP. In that case, you should find out if the modem is vulnerable
because an exploited modem could still be messing with your traffic.

~~~
jwr
Messing how?

I mean, yes, it is a problem, but so is any networking device anywhere on the
Internet — as soon as the traffic leaves my network, all bets are off.

The point is not to allow operator-managed crappy devices (like cable modems)
into my network.

------
londons_explore
I'm hoping someone secretly deploys tor nodes onto all of these 200 million
connections, and tor (or something like it) becomes the defacto standard for
connecting to the internet.

Privacy matters more now than it did in the 1980s, and in today's age, having
every website operator see your IP address isn't really cool.

~~~
nanis
It doesn't seem to be feasible using this vulnerability:

> Cable Haunt is exploited in two steps. First, access to the vulnerable
> endpoint is gained through a client on the _local network_ , such as a
> browser. (emphasis mine)

~~~
big_chungus
This is almost certainly exploitable remotely with a DNS rebinding attack.

~~~
thu2111
You don't need any fancy rebinding attacks. That's a bit 2001 era web hacking
:)

This issue is based on WebSockets where the software on the modem:

a) Doesn't verify any of the origin headers sent, so any origin works
(rebinding is designed to beat origin checks)

b) Copies an uploaded message straight onto the stack without doing any size
checks

------
Eikon
I'm wondering, how prevalent is DSL in the US?

In France, cable is basically non-existent except in a few large cities. DSL
is everywhere as legacy infrastructure and fiber coverage over the whole
country is increasing at a fast rate.

Is the US in a somewhat similar situation or is cable found pretty much
anywhere?

~~~
ljoshua
Cable is probably the leader in most markets in the US. DSL hasn’t been given
the same innovation love, so in markets where it is still marketed (primarily
by AT&T) the speeds are almost always lower/capped at 50Mbps down. In more
rural areas DSL still has a stronger foothold. But in general, yes, cable is
quite prevalent.

~~~
lotsofpulp
I haven’t seen DSL at more than 2-3 Mbps down even around the biggest US
cities. The only real high bandwidth download option is cable (coaxial), and
the only high bandwidth download and upload is fiber.

~~~
howard941
This is exactly my experience as well. In DSL's favor I would add that it's
not a shared pipe and the latency is generally low and very very consistent.
If it were 20-30 Mbps down DSL would be competitive again. Emotionally I'd like
to ditch both the phone and cable providers, they and their exploitive
business model suck fetid dingo kidneys.

~~~
bathory
That's weird, DSL is the most common way of going online in Germany and many
providers offer 20-200 Mbit connections

~~~
reaperducer
My current ILEC "offers" 100 Mbit DSL, but you have to be within a certain
distance of their main infrastructure (I forget what it's called. DMARC,
maybe?)

This means it offers 100 Mbit service, but at my house it actually maxes out
at 8 Mbit.

~~~
clachance
DSLAM: Digital subscriber line access multiplexer

That's probably the device you're looking for.

------
peter_d_sherman
I think it's high time for an FPGA-based, open hardware, open software,
auditable-by-everyone, cable modem project...

Even if it isn't immediately DOCSIS compatible...

Heck, just get a single packet of data over a cable from point A to point B
using an open FPGA-based design... Put that on the Internet... that's the
starting point...

Let it evolve from there...

~~~
raintrees
Our ISP (Spectrum) refuses to work with customer-supplied equipment. Even when
I have proven their equipment to be faulty - I still had to wait a day or two
for a technician. And having a business account, at least it was that quick.
My residential neighbors can sometimes wait up to a week for remedy, and are
frequently told things like "check with your neighbors to see if they have
service" when reporting service problems.

~~~
ollien
Eh? I have Spectrum and use my own modem and router... It's even advertised as
something I can do.

~~~
mturmon
You both seem to be right. According to [1], residential customers can use
Spectrum-approved modem models, but business customers must use
Spectrum-provided modems. (I use my own modem with Spectrum too.)

[1] [https://www.spectrum.net/support/internet/compliant-modems-c...](https://www.spectrum.net/support/internet/compliant-modems-charter-network/)

------
zaroth
As mentioned by several comments, an important defensive step that most home
users can take is to ensure you have a firewall rule in your router blocking
any traffic on your LAN from accessing the modem on its LAN port, and any
traffic originating from the modem LAN IP from getting onto your LAN.

This could be a default setting when going through a setup wizard on most
routers, detecting the MAC of the modem is easy, and automatically blocking
any LAN traffic to that MAC which is not merely using it as a next-hop.

I think the only challenge is that very rarely you will want to access your
modem’s LAN IP for debugging purposes. But I suppose the average user will
have no clue how to do this anyway...

Unfortunately this is just the tip of the iceberg for so many ways these SOHO
devices are vulnerable, this level of defense in depth is nice in theory but
perhaps just a finger in the dike.
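
One way to implement the firewall rule described above, as an added example that is not from this thread or from any router vendor: a Python helper that emits an nftables ruleset for a Linux router, dry-runs it through `nft -c` when nft is present, and offers a reachability probe so you can confirm from a LAN host that the modem really has become unreachable. Everything concrete in it is an assumption for the example: the LAN interface is called `br-lan`, the modem answers on `192.168.100.1`, and one admin host at `192.168.1.10` keeps access for the debugging case mentioned above.

```python
"""Added example (not from the thread or any router vendor): nftables rules
that isolate a cable modem's LAN-side management address from the home LAN.

Assumptions: Linux router with nftables, LAN interface "br-lan", modem at
192.168.100.1, one admin host 192.168.1.10 that may still reach the modem.
"""
import ipaddress
import shutil
import socket
import subprocess


def modem_isolation_ruleset(modem_ip, lan_if, admin_ips=()):
    """Return nftables ruleset text: LAN hosts may not address the modem
    directly (except the listed admin hosts) and packets sourced from the
    modem's address may not enter the LAN. Raises ValueError on bad input."""
    modem = ipaddress.ip_address(modem_ip)
    admins = [ipaddress.ip_address(a) for a in admin_ips]
    if any(a.version != modem.version for a in admins):
        raise ValueError("admin hosts and modem must be the same IP version")
    if not lan_if or any(c.isspace() or c == '"' for c in lan_if):
        raise ValueError("interface name must be a single unquoted token")
    proto = "ip" if modem.version == 4 else "ip6"
    lines = [
        "table inet modem_isolation {",
        "    chain forward {",
        "        type filter hook forward priority 0; policy accept;",
        "        # Internet-bound packets only use the modem as a next hop; their",
        "        # destination is never the modem's own address, so they pass.",
    ]
    for a in admins:
        lines.append(f'        iifname "{lan_if}" {proto} saddr {a} {proto} daddr {modem} accept')
    lines += [
        f'        iifname "{lan_if}" {proto} daddr {modem} drop',
        f'        oifname "{lan_if}" {proto} saddr {modem} drop',
        "    }",
        "}",
    ]
    return "\n".join(lines) + "\n"


def check_ruleset(ruleset):
    """Syntax-check the text with `nft -c -f -` (dry run, nothing is loaded).
    Returns True/False, or None when nft is not installed on this machine."""
    nft = shutil.which("nft")
    if nft is None:
        return None
    result = subprocess.run([nft, "-c", "-f", "-"], input=ruleset,
                            text=True, capture_output=True)
    return result.returncode == 0


def modem_reachable(modem_ip, port=80, timeout=1.0):
    """Probe from an ordinary LAN host. Run it before loading the ruleset
    (expect True) and after (expect False) to confirm the rules took effect."""
    target = str(ipaddress.ip_address(modem_ip))
    try:
        with socket.create_connection((target, port), timeout=timeout):
            return True
    except OSError:
        return False


if __name__ == "__main__":
    text = modem_isolation_ruleset("192.168.100.1", "br-lan", ["192.168.1.10"])
    print(text, end="")
    print("# nft dry run:", check_ruleset(text))
```

Load the printed text on the router with `nft -f`. It lives in its own table, so it composes with whatever firewall is already there: a packet traverses every base chain registered on the forward hook, and a drop in any of them wins.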

~~~
bscphil
> As mentioned by several comments, an important defensive step that most home
> users can take is to ensure you have a firewall rule in your router blocking
> any traffic on your LAN from accessing the modem on its LAN port, and any
> traffic originating from the modem LAN IP from getting onto your LAN.

Yep, most of this vulnerability is (very) old news. There used to be a
vulnerability for the very popular Motorola / Arris SB series where any
website could CSRF into the modem's webpage and do a "reset", which would shut
off your internet for up to half an hour until it could reprovision with your
ISP. There was even a proof of concept site that did this (with a big red
warning first), I really wish I could remember the domain name.

Anyway, I used that modem and of course I just completely blocked access to
its IP address on my router's firewall. It's really incredibly unfortunate
that even today you have to be tech savvy to protect yourself from the devices
running in your home. Basic security should come default.

Here's another vulnerability for you. On my grandparents' DSL, the ISP
supplied combined modem/router has a config page that is (mostly) not password
protected. You can see the passwords for _every SSID_ without logging in, you
can reset the router, see information on other devices connected to the
network, etc etc. Absolute insanity.

Edit: I did find the website, but it was eventually taken down by the creator
after (most?) ISPs patched the problem.
[https://web.archive.org/web/20160921191154/http://www.reboot...](https://web.archive.org/web/20160921191154/http://www.rebootmymodem.net/)

------
debian3
Does someone know if I can « unlock » my modem speed with this exploit?

~~~
lima
Super illegal, AND all ISPs have bandwidth accounting that will quickly spot
the manipulation.

~~~
driverdan
> Super illegal

[citation needed]

Also, what makes it super? And how does that compare to normal illegal?

~~~
lima
Heh - sorry for the hyperbole.

At least in my country, Germany, fraudulent use of telecommunications
services, public transport or paid events/facilities ("Erschleichen von
Leistungen", § 265a StGB) is not just a civil matter, but also a criminal
offence. If you got caught manipulating your modem to avoid paying for faster
broadband, you would likely get into trouble.

------
merpnderp
Why are the admin pages of all these cable modems written with websockets if
they can be accessed via a websocket request from any rando website you visit?
Is this just a bunch of massive mistakes or is there a good reason?

~~~
thrower123
I'm sure that this kind of thing is farmed out to the lowest bidder.

------
thrower123
I do not allow Comcast modems or routers on my network. I think this still
saves me $9/month or something, foregoing the rental charge for their
hardware, but even if it didn't I wouldn't trust them.

------
londons_explore
Nobody should be trusting a modem. You don't put your private keys on a modem.
Your credit card number isn't saved on the modem.

So if hackers break into the modem, the worst they can do is shut off your
internet. And if you really cared about reliability of your internet, you'd
have two connections anyway.

Really this is a non-issue.

~~~
LeonM
> the worst they can do is shut off your internet

No, if your modem gets owned, you are in a whole lot of trouble.

You become vulnerable for all sorts of MITM attacks. The attacker now also has
access to your LAN, which is usually trusted by all devices on it.

~~~
pixl97
You mean you're not using end to end certificate based encryption for all your
applications these days?

And all the pushback we get from people here that DoH/DoT is a bad thing.

~~~
satanspastaroll
Not all applications are, and there are specific automated downgrade attacks
for encrypted comms that force some back to plaintext. Giving outsiders access
to your internal network is rarely a good idea.

------
nanis
I haven't read the full report, but, the PoC[1] and the explanations I have
seen before seem to indicate one has to be on the "local" side of the cable
modem to run the exploit. That is, it doesn't seem like this is exploitable
remotely.

That is, the attacker either needs to have been allowed to connect to your
WiFi (either through another vulnerability or voluntarily) or attached a cable
to your WiFi router or your cable modem.

This is not impossible (not even requiring reliance on the fact that Google,
Apple, and Microsoft among them have pretty much everyone's WiFi
passwords[2]), but a wave of attacks based on this is much less feasible than
if they could be carried en masse on the internet.

[1]: [https://github.com/Lyrebirds/sagemcom-fast-3890-exploit/blob...](https://github.com/Lyrebirds/sagemcom-fast-3890-exploit/blob/deb542553a90d84c6c5ffba59eaeab8bc126aadd/exploit.py#L32)

[2]: [https://tourkick.com/advice-tips-howto/myth-busting-windows-...](https://tourkick.com/advice-tips-howto/myth-busting-windows-10-wi-fi-sense-google-wireless-mapping/)

~~~
stedaniels
This is incorrect. It's accessed with websockets, that can be run from any
webpage, so all you'd have to do is follow a malicious link.

From the article:

> Accessing the Endpoint

> The endpoint, which serves a tool called spectrum analyzer, uses a websocket
> for communication with the graphical frontend displayed in a browser.
> Whereas CORS would restrict access to such an endpoint for HTTP requests,
> websocket is not protected by this protocol. Therefore, it is up to the
> server to verify the relevant request parameters added by the browser.
> Because these parameters are never inspected by the cable modem, the
> websocket will accept requests made by javascript running in the browser
> regardless of origin, thereby allowing attackers to reach the endpoint. It
> should be noted that the exploit is not limited to run in a browser. Any
> place where running code can reach an IP on the local network, can be used
> to exploit Cable Haunt.
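
The check the quoted passage says the modem never performs, and the two defects thu2111 lists further up (no origin verification, no size check on the uploaded message), as an added example that is not from this thread or from the Cable Haunt report. A browser attaches an Origin header to every WebSocket handshake, and since CORS does not cover WebSockets the server has to compare that header against the origin it actually serves the page from; a Host check is added as defence in depth for the DNS rebinding case raised above. The management address `192.168.100.1`, the endpoint path `/analyzer`, JSON message bodies and the 4096-byte bound are all assumptions made for the example, and the handshakes at the bottom are constructed.

```python
"""Added example (not from the thread or the Cable Haunt report): server-side
origin verification for a WebSocket handshake, plus a message size bound.
Assumptions: page served from http://192.168.100.1, endpoint /analyzer,
JSON messages, 4096 bytes as a generous bound for one command."""
import json
from urllib.parse import urlsplit

ALLOWED_ORIGINS = {"http://192.168.100.1"}
MAX_MESSAGE_BYTES = 4096


def parse_handshake(raw):
    """Split the request line and headers of an HTTP upgrade request.
    Header names are lower-cased; raises ValueError on malformed input."""
    head, sep, _ = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete header block")
    lines = head.decode("latin-1").split("\r\n")
    if not lines[0].startswith("GET "):
        raise ValueError("WebSocket handshakes are GET requests")
    headers = {}
    for line in lines[1:]:
        name, colon, value = line.partition(":")
        if not colon or not name.strip():
            raise ValueError("malformed header line: %r" % line)
        headers[name.strip().lower()] = value.strip()
    return headers


def normalize_origin(value):
    """Canonical scheme://host[:port] with default ports dropped, or None for
    anything that is not a proper http(s) origin (missing, "null", garbage)."""
    if not value:
        return None
    try:
        parts = urlsplit(value)
        port = parts.port  # raises ValueError for a non-numeric port
    except ValueError:
        return None
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    default = 80 if parts.scheme == "http" else 443
    host = parts.hostname.lower()
    if port in (None, default):
        return f"{parts.scheme}://{host}"
    return f"{parts.scheme}://{host}:{port}"


def check_upgrade(headers, allowed=frozenset(ALLOWED_ORIGINS)):
    """Decide whether to complete the handshake. Returns (ok, reason)."""
    if headers.get("upgrade", "").lower() != "websocket":
        return False, "not a WebSocket upgrade"
    origin = normalize_origin(headers.get("origin"))
    if origin is None:
        # Non-browser clients send no Origin; treat them as untrusted too.
        return False, "missing or unparsable Origin"
    if origin not in allowed:
        return False, f"origin {origin} not allowed"
    # Defence in depth: the Host the client believes it is talking to must be
    # one we serve, so a DNS-rebound name for the modem is refused here too.
    allowed_hosts = {urlsplit(o).netloc.lower() for o in allowed}
    if headers.get("host", "").lower() not in allowed_hosts:
        return False, "Host header does not match a served origin"
    return True, "accepted"


def accept_message(payload):
    """Enforce the size bound before parsing; returns the decoded JSON object
    or None for oversized or malformed input (never truncates silently)."""
    if len(payload) > MAX_MESSAGE_BYTES:
        return None
    try:
        return json.loads(payload)
    except ValueError:
        return None


# Constructed handshakes: one from the modem's own page, one from a page on
# another site that opened ws://192.168.100.1/analyzer (the cross-site case).
SAME_SITE = (b"GET /analyzer HTTP/1.1\r\nHost: 192.168.100.1\r\n"
             b"Upgrade: websocket\r\nConnection: Upgrade\r\n"
             b"Origin: http://192.168.100.1\r\n"
             b"Sec-WebSocket-Key: dGhlIHNhbXBsZSBub25jZQ==\r\n"
             b"Sec-WebSocket-Version: 13\r\n\r\n")
CROSS_SITE = SAME_SITE.replace(b"Origin: http://192.168.100.1",
                               b"Origin: http://attacker.example")

if __name__ == "__main__":
    for name, raw in (("same-site", SAME_SITE), ("cross-site", CROSS_SITE)):
        print(name, check_upgrade(parse_handshake(raw)))
```

Two choices worth noting: a missing Origin is refused rather than waved through, because the absence of the header only tells you the client is not a browser, not that it is trusted; and an oversized message is rejected outright instead of being truncated, since a silent truncation is exactly how a fixed-size buffer ends up holding attacker-chosen bytes.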

~~~
nanis
Thank you for the correction. Voted your comment up.

