Hundreds of millions of cable modems are vulnerable to critical takeover attacks by hackers halfway around the world, researchers said.

The attacks work by luring vulnerable users to websites that serve malicious JavaScript code that's surreptitiously hosted on the site or hidden inside of malicious ads, researchers from Denmark-based security firm Lyrebirds said in a report and accompanying website. The JavaScript then opens a websocket connection to the vulnerable cable modem and exploits a buffer overflow vulnerability in the spectrum analyzer, a small server that detects interference and other connectivity problems in a host of modems from various makers. From there, remote attackers can gain complete control over the modems, allowing them to change DNS settings, make the modem part of a botnet, and carry out a variety of other nefarious actions.

Cable Haunt, as the researchers have named their proof-of-concept exploit, is known to work on various firmware versions of the following cable modems:

Sagemcom F@st 3890

Sagemcom F@st 3686

Technicolor TC7230

Netgear C6250EMR

Netgear CG3700EMR

The exploit may also work against the Compal 7284E and Compal 7486E. Because the spectrum analyzer server is present in other cable modems, the exploit is likely to work on other models as well. Lyrebirds' proof-of-concept attack works reliably against the Technicolor TC7230 and the Sagemcom F@st 8690. With tweaks, the attack code will work on other models listed as vulnerable. The vulnerability is tracked as CVE-2019-19494. A more specific vulnerability targeting only the Technicolor TC7230 modem is indexed as CVE-2019-19495.

Complete control

"The vulnerability enables remote attackers to gain complete control of a cable modem, through an endpoint on the modem," Lyrebirds researchers wrote. "Your cable modem is in charge of the Internet traffic for all devices on the network. Cable Haunt might therefore be exploited to intercept private messages, redirect traffic, or participat[e] in botnets."

There are at least two ways the exploit can gain remote access, meaning it can be exploited over the Internet by an attacker who is outside the local network.

The first and most straightforward way is to serve malicious JavaScript that causes the browser to connect to the modem. Normally, a mechanism called cross-origin resource sharing prevents a Web application served from one origin (such as malicious.example.com) from interacting with a different origin (such as 192.168.100.1, the address used by most or all of the vulnerable modems).

Websockets, however, aren't protected by CORS, as the mechanism is usually called. As a result, the modems will accept the remote JavaScript, thereby allowing attackers to reach the endpoint and serve it code. While Cable Haunt accesses modems through a browser, the attack can come from any place where running code can reach an IP on the local network.

Rebinding attacks, ROP, and more

The attack doesn't work when vulnerable targets use Firefox, because the websocket used by that browser isn't compatible with the websocket used by the spectrum analyzer. Attackers can still carry out their remote attack by using JavaScript that carries out what's known as a DNS rebinding attack. To bypass the same origin policy, a restriction that prevents code served from one domain from executing on a different domain, the rebinding attack manipulates DNS tables inside the local network. Once the attack site's domain name is mapped to the IP of the vulnerable modem, the browser treats the modem as the same origin, and the JavaScript executes the attack code successfully.
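The two weaknesses described above (websocket handshakes are not gated by CORS, and DNS rebinding defeats the same-origin policy) are both addressed on the server side by validating the handshake's Host and Origin headers. The following is an added illustration, not code from Lyrebirds or from any modem vendor: it assumes a LAN-only service whose only legitimate client is the device's own web UI, uses 192.168.100.1 from the article plus an assumed second address, and an assumed /spectrum path; the handshakes are constructed samples, not captures.

```python
from urllib.parse import urlsplit

# Assumption: the LAN addresses the modem's own web UI is served from.
ALLOWED_HOSTS = {"192.168.100.1", "192.168.0.1"}

def parse_headers(raw: bytes) -> dict:
    """Headers of an HTTP/1.1 request as a lower-cased dict."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    headers = {}
    for line in head.split("\r\n")[1:]:  # skip the request line
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers

def accept_upgrade(raw: bytes, allowed_hosts=ALLOWED_HOSTS):
    """Return (accepted, reason) for a WebSocket upgrade request.

    Host must name the device itself: a DNS-rebound request still carries
    the attacker's hostname. Origin must be one of the device's own origins,
    because CORS never gates a WebSocket handshake; a missing or 'null'
    Origin is rejected too (assumes only the device's own UI is a client).
    """
    h = parse_headers(raw)
    if h.get("upgrade", "").lower() != "websocket":
        return False, "not a websocket upgrade"
    host = urlsplit("//" + h.get("host", "")).hostname  # strips any :port
    if host not in allowed_hosts:
        return False, "host is not a device address (possible DNS rebinding)"
    origin = urlsplit(h.get("origin", ""))
    if origin.scheme not in ("http", "https") or origin.hostname not in allowed_hosts:
        return False, "cross-origin websocket handshake rejected"
    return True, "ok"

# Constructed handshakes (not real captures) for the cases the article describes.
LOCAL_UI = (b"GET /spectrum HTTP/1.1\r\nHost: 192.168.100.1\r\nUpgrade: websocket\r\n"
            b"Connection: Upgrade\r\nOrigin: http://192.168.100.1\r\n\r\n")
CROSS_ORIGIN = (b"GET /spectrum HTTP/1.1\r\nHost: 192.168.100.1\r\nUpgrade: websocket\r\n"
                b"Connection: Upgrade\r\nOrigin: http://malicious.example.com\r\n\r\n")
REBOUND = (b"GET /spectrum HTTP/1.1\r\nHost: malicious.example.com\r\nUpgrade: websocket\r\n"
           b"Connection: Upgrade\r\nOrigin: http://malicious.example.com\r\n\r\n")

def demo() -> dict:
    """Run the constructed handshakes through the check; only LOCAL_UI passes."""
    cases = {"local_ui": LOCAL_UI, "cross_origin": CROSS_ORIGIN, "rebound": REBOUND}
    return {name: accept_upgrade(req)[0] for name, req in cases.items()}

if __name__ == "__main__":
    print(demo())
```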

Besides the buffer overflow, the attack is possible because of known default credentials used to execute code on modems. These default credentials are simply added to the URL used by the attack code, e.g.: http://username:password@malicious.example.com. Lyrebirds cofounder Kasper Tendrup told me he believes there are other methods for making the attack work remotely.

The proof-of-concept exploit relies on other clever tricks. Because of the memory layout of the MIPS architecture the spectrum analyzer runs on, the attack code must know the precise memory address of the vulnerable code. (Normally, a buffer overflow exploit would write its payload directly to the memory stack.) To bypass the restriction posed by this memory structure, Cable Haunt uses return-oriented programming to jump between pre-existing pieces of code, stitching them into a patchwork of existing code that carries out the attack.

Once attackers exploit the vulnerability, they send commands to the modem's telnet server to install a reverse shell. From there, attackers can do all kinds of things, including changing the DNS settings, installing completely new firmware, making the modem participate in a botnet, and monitoring unencrypted data that passes through the modem.

200 million modems

The Lyrebirds research suggests that Cable Haunt works against as many as 200 million modems in Europe alone. The attack may work against a larger number of modems deployed throughout the rest of the world. Determining whether a modem not on the Lyrebirds list is vulnerable isn't easy for average users, because it requires them to run the proof-of-concept code against the device. Detecting hacked modems is also tough, since there are a variety of ways to mask the infection once attackers gain root access on a device.

Cable Haunt is a serious vulnerability that deserves to be patched soon. The most likely way to target users would be to send emails to users of ISPs that are known to provide a vulnerable modem to users. The email would instruct users to visit sites that serve the attack.

Makers of the modems known to be vulnerable didn't immediately respond to emails seeking comment for this post. Concerned cable modem users should check with either the maker of the device or the ISP that issued it.