What’s Cable Haunt?
It’s a critical vulnerability in the Broadcom firmware used in an unknown number of cable modems.
What could an attacker do with it?
If someone managed to compromise your cable modem via Cable Haunt they could effectively gain full control over it – they could execute code of their choice on your modem, intercept communications, redirect traffic, or recruit your device into a botnet.
Sounds nasty. How many cable modems are affected?
The security researchers who uncovered the Cable Haunt vulnerability put it like this:
“There are an estimated 200 million cable modems in Europe alone. With almost no cable modem tested being secure without a firmware update, the number of devices initially vulnerable in Europe is estimated to be close to this number.”
Close to 200 million? Strewth!
Yeah.
So we’re all doomed then?
Now now, you’re panicking.
You see, it’s not trivial to attack the cable modem. First, an attacker needs to trick a computer connected to the cable modem into running some malicious code. Maybe the most straightforward way of doing this is by planting the malicious JavaScript that exploits the device’s web server on a website that a user is tricked into visiting, perhaps through a link in a socially-engineered email or a drive-by download.
Nonetheless I don’t want that happening to me. What cable modems are confirmed to be vulnerable?
Researchers Alexander Dalsgaard Krog, Jens Hegner Stærmose, Kasper Kohsel Terndrup, and Simon Vandel Sillesen say that they have confirmed that the following cable modems can be exploited by Cable Haunt:
- Sagemcom F@st 3890
- Sagemcom F@st 3686
- Technicolor TC7230
- Netgear C6250EMR
- Netgear CG3700EMR
- COMPAL 7284E
- COMPAL 7486E
However, they also list other devices that they say others in the community have confirmed to be at risk of exploitation.
How can so many different makes of cable modem be vulnerable to the same exploit?
According to the researchers, different cable modem manufacturers have “seemingly” copied code when creating their own cable modem firmware. If you copy someone’s code you also copy someone’s mistakes.
So, where do I get my patch?
Where indeed. Some ISPs in Scandinavia appear to have remotely patched the cable modems of their customers, but others have some catching up to do, it seems.
If your cable modem contains a Broadcom chipset you might want to contact your ISP and ask them what they’re doing about this.
Where can I read more?
Visit cablehaunt.com. Yes, of *course* there’s a website. And a logo.
Although, to their credit, the researchers do seem a little embarrassed by that – admitting in their FAQ that the vulnerability cannot really be compared to other high-profile vulnerabilities like Heartbleed, ETERNALBLUE, and Meltdown.
“From our perspective, our only choice was to go big and branded to try to reach the affected end-users and let awareness bubble up from there. With this we run the risk of being seen as fearmongering upstarts who try to sensationalize a buffer overflow in modems which some people would say is almost expected to be vulnerable. But this universal acceptance of modems and routers being insecure was not something we wanted to add to.”
Stay safe folks.
These are NOT modems. They are combination devices serving as both a modem and a router. Of course, this makes the problem more widespread. But still, words matter.