Now-patched authorization bypass points impacting Cox modems might have been abused as a place to begin to realize unauthorized entry to the units and run malicious instructions.
“This series of vulnerabilities demonstrated a way in which a fully external attacker with no prerequisites could’ve executed commands and modified the settings of millions of modems, accessed any business customer’s PII, and gained essentially the same permissions of an ISP support team,” safety researcher Sam Curry mentioned in a brand new report revealed immediately.
Following accountable disclosure on March 4, 2024, the authorization bypass points have been addressed by the U.S. broadband supplier inside 24 hours. There isn’t a proof that these shortcomings have been exploited within the wild.
“I was really surprised by the seemingly unlimited access that ISPs had behind the scenes to customer devices,” Curry informed The Hacker Information through e mail.
“It makes sense in retrospect that an ISP should be able to remotely manage these devices, but there is an entire internal infrastructure built by companies like Xfinity that bridges consumer devices to externally exposed APIs. If an attacker found vulnerabilities in these systems, they could potentially compromise hundreds of millions of devices.”
Curry et al have beforehand disclosed a number of vulnerabilities affecting thousands and thousands of automobiles from 16 completely different producers that may very well be exploited to unlock, begin, and observe vehicles. Subsequent analysis additionally unearthed safety flaws inside factors.com that might have been utilized by an attacker to entry buyer data and even acquire permissions to difficulty, handle, and switch rewards factors.
The start line of the most recent analysis goes again to the truth that Cox help brokers have the flexibility to remotely management and replace the machine settings, corresponding to altering the Wi-Fi password and viewing related units, utilizing the TR-069 protocol.
Curry’s evaluation of the underlying mechanism recognized about 700 uncovered API endpoints, a few of which may very well be exploited to realize administrative performance and run unauthorized instructions by weaponizing the permission points and replaying the HTTP requests repeatedly.
This features a “profilesearch” endpoint that may very well be exploited to seek for a buyer and retrieve their enterprise account particulars utilizing solely their identify by replaying the request a few instances, fetch the MAC addresses of the related {hardware} on their account, and even entry and modify enterprise buyer accounts.
Much more troublingly, the analysis discovered that it is doable to overwrite a buyer’s machine settings assuming they’re in possession of a cryptographic secret that is required when dealing with {hardware} modification requests, utilizing it to finally reset and reboot the machine.
“This meant that an attacker could have accessed this API to overwrite configuration settings, access the router, and execute commands on the device,”
In a hypothetical assault situation, a menace actor might have abused these APIs to lookup a Cox buyer, get their full account particulars, question their {hardware} MAC handle to retrieve Wi-Fi passwords and related units, and run arbitrary instructions to take over the accounts.
“This issue was likely introduced due to the complexities around managing customer devices like routers and modems,” Curry mentioned.
“Building a REST API that can universally talk to likely hundreds of different models of modems and routers is really complicated. If they had seen the need for this originally, they could’ve built in a better authorization mechanism that wouldn’t rely on a single internal protocol having access to so many devices. They have a super hard problem to solve.”
