​Newly discovered ‘Cable Haunt’ flaw exposes nearly 200 million Broadcom-based modem cables to MITM attacks

• The vulnerability impacts a standard component of Broadcom chips called a spectrum analyzer.
• The flaw can be exploited by tricking a victim into opening a specially crafted web page that contains malicious JavaScript code.

Nearly 200 million cable modems using Broadcom chips are vulnerable to a new vulnerability named Cable Haunt. The vulnerability impacts a standard component of Broadcom chips called a spectrum analyzer. The spectrum analyzer protects the cable modem from signal surges and disturbances coming via the coax cables.

More details about the flaw

A team of four Danish security researchers has tracked the vulnerability as CVE-2019-19494.

The flaw can be exploited by tricking a victim into opening a specially crafted web page - that contains malicious JavaScript code - on their browser. Researchers note that once the attackers gain access to the victim’s browser, they launch a buffer overflow attack, thus enabling them to obtain full control of the modem.

What is the impact?

By exploiting the ‘Cable Haunt’ flaw, the attackers can perform a range of malicious activities such as:

• Change default DNS server;
• Launch remote man-in-the-middle attacks;
• Hot-swap code or even the entire firmware;
• Upload, flash and upgrade firmware silently;
• Disable ISP firmware upgrade;
• Change every config file and settings;
• Get and Set SNMP OID values;
• Change all associated MAC addresses;
• Change serial numbers;
• Turn devices into bots for botnet attacks.

PoC for the exploit released

The researchers have published a proof-of-concept for the Cable Haunt vulnerability on a dedicated website.

"The purpose of this website is to inform as many affected users and providers as possible, in order to improve their ability to protect themselves," researchers said, ZDNet reported.

The Bottomline

It is estimated that the flaw affects millions of modems in Europe alone. Till now, four ISPs across Scandinavia - Telia, TDC, Get AS and Stofa - have released patches. Many other firms across Europe are expected to address the issue soon.