Investigator Reveals Weaknesses in Cox Modems, Possibly Affecting Millions

Jun 03, 2024NewsroomEndpoint Security / Vulnerability

Recently fixed authorization bypass issues affecting Cox modems could have been misused as an entry point to gain unauthorized access to the devices and execute harmful commands.


“The vulnerabilities discovered showcased a method through which an external attacker with no prerequisites could have carried out commands and altered the configurations of countless modems, accessed any business client’s Personal Identifiable Information (PII), and essentially acquired the same privileges as an ISP support team,” security analyst Sam Curry stated in a new report released today.

Following responsible disclosure on March 4, 2024, the authorization bypass problems were rectified by the U.S. broadband provider within 24 hours. There is no proof that these weaknesses were exploited in the wild.

“I was quite taken aback by the seemingly boundless access that ISPs had behind the scenes to customer devices,” Curry informed The Hacker News through email.


“In hindsight, it is logical that an ISP should possess the capability to manage these devices remotely, but there exists an entire internal framework established by corporations like Xfinity that links consumer devices to externally exposed Application Programming Interfaces (APIs). If an attacker uncovered vulnerabilities in these systems, they might potentially compromise hundreds of millions of devices.”

Curry and colleagues had previously disclosed multiple vulnerabilities affecting millions of vehicles from 16 different manufacturers that could be exploited to unlock, start, and track cars. Subsequent research also uncovered security flaws within points.com that could have been leveraged by an attacker to access customer data and even secure permissions to issue, manage, and transfer rewards points.

The recent investigation started from the fact that Cox support agents can remotely manage and update device configurations, such as changing the Wi-Fi password and viewing connected devices, using the TR-069 protocol.

Curry’s analysis of the underlying mechanism identified approximately 700 exposed API endpoints, some of which could be abused to gain administrative capabilities and execute unauthorized commands by exploiting the permission issues and repeatedly replaying the same HTTP requests until one succeeded.

These include an endpoint named “profilesearch” that, by replaying the request multiple times, could be used to look up a customer and retrieve their business account details using only their name, fetch the MAC addresses of the hardware connected to their account, and even access and modify business customer accounts.

More troublingly, the research found that a customer’s device settings could be overwritten by anyone in possession of the cryptographic secret required when handling hardware modification requests, which could ultimately be used to reset and reboot the device.
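The bypass described above shows up in access logs as a distinctive pattern: the same client sends the same request to a sensitive endpoint over and over, collecting denials until one attempt is allowed through. The following detection script is an added example written for this article, not code from Curry’s report or from Cox; the log format, the `/api/profilesearch` and `/api/devices/mac` paths, and the log lines themselves are constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample of API gateway access log lines (not real Cox data).
# Fields: ISO-8601 timestamp, client IP, authenticated principal,
# HTTP method, request path, HTTP status.
SAMPLE_LOG = """\
2024-03-01T10:00:01Z 203.0.113.7 acct-1001 POST /api/profilesearch 403
2024-03-01T10:00:02Z 203.0.113.7 acct-1001 POST /api/profilesearch 403
2024-03-01T10:00:02Z 203.0.113.7 acct-1001 POST /api/profilesearch 403
2024-03-01T10:00:03Z 203.0.113.7 acct-1001 POST /api/profilesearch 200
2024-03-01T10:00:04Z 203.0.113.7 acct-1001 GET /api/devices/mac 403
2024-03-01T10:00:05Z 203.0.113.7 acct-1001 GET /api/devices/mac 200
2024-03-01T10:05:00Z 198.51.100.4 acct-2002 POST /api/profilesearch 200
2024-03-01T10:06:00Z 198.51.100.4 acct-2002 GET /api/account/self 200
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+) (\d{3})$")


def parse_line(line):
    """Parse one log line into a dict, or return None for malformed lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, ip, principal, method, path, status = m.groups()
    return {
        # Python < 3.11 does not accept a trailing 'Z', so normalise it.
        "ts": datetime.fromisoformat(ts.replace("Z", "+00:00")),
        "ip": ip,
        "principal": principal,
        "method": method,
        "path": path,
        "status": int(status),
    }


def find_replay_bypasses(log_text, window=timedelta(seconds=30), min_denied=2):
    """Flag 'denied, denied, ..., allowed' runs for one client on one endpoint.

    For each (client IP, principal, method, path) we keep a sliding window of
    recent 401/403 responses. A 2xx response that follows at least
    `min_denied` denials inside `window` is reported: a consistent
    authorization check should never flip from deny to allow for an
    identical request, so this is a strong signal of a flaky or
    bypassable permission check being hammered by replay.
    """
    events = [e for e in (parse_line(l) for l in log_text.splitlines()) if e]
    events.sort(key=lambda e: e["ts"])  # stable: equal timestamps keep file order

    recent_denied = defaultdict(deque)
    findings = []
    for e in events:
        key = (e["ip"], e["principal"], e["method"], e["path"])
        dq = recent_denied[key]
        # Drop denials that fell out of the window.
        while dq and e["ts"] - dq[0] > window:
            dq.popleft()
        if e["status"] in (401, 403):
            dq.append(e["ts"])
        elif 200 <= e["status"] < 300:
            if len(dq) >= min_denied:
                findings.append({
                    "ts": e["ts"].isoformat(),
                    "ip": e["ip"],
                    "principal": e["principal"],
                    "method": e["method"],
                    "path": e["path"],
                    "denied_before_success": len(dq),
                })
            dq.clear()  # a success ends the current run either way
    return findings


if __name__ == "__main__":
    for f in find_replay_bypasses(SAMPLE_LOG):
        print(f"{f['ts']} {f['ip']} {f['principal']} {f['method']} {f['path']}: "
              f"allowed after {f['denied_before_success']} denials")
```

With the defaults, only the `profilesearch` run (three 403s then a 200 within a few seconds) is reported; the single denial on `/api/devices/mac` stays below `min_denied`. Tune `window` and `min_denied` to the real request rate of the API, and feed the alert back into the authorization layer: the long-term fix is a permission check that gives the same answer for the same request every time, which makes the replay strategy described in the report useless.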

“This indicated that an attacker could have utilized this API to overwrite configuration settings, access the router, and execute commands on the device,”


In a hypothetical attack scenario, a malicious actor could have abused these APIs to look up a Cox customer, access their complete account details, query their hardware MAC address to retrieve Wi-Fi passwords and connected devices, and execute arbitrary commands to take control of the accounts.

“This problem likely arose due to the intricacies surrounding the management of customer devices like routers and modems,” Curry commented.

“Developing a REST API that can universally communicate with likely hundreds of different models of modems and routers is exceedingly complex. Had they recognized the necessity for this originally, they could have established a more robust authorization mechanism that didn’t rely on a solitary internal protocol having access to so many devices. They face an incredibly challenging issue to resolve.”
