Study Reveals Imperfections in Cox Modems, Possibly Affecting Millions

Jun 03, 2024NewsroomEndpoint Security / Vulnerability

Authorization bypass vulnerabilities in Cox modems, which have now been resolved, could have been exploited to gain unauthorized access to the devices and execute malicious commands.


“This set of flaws showcased a method in which an outsider with no prerequisites could have carried out instructions and altered configurations on millions of modems, obtained sensitive information of any business client, and essentially achieved the same authority as an ISP support team,” said security researcher Sam Curry in a report published today.

Following the responsible disclosure on March 4, 2024, the authorization bypass concerns were rectified by the U.S. broadband provider within a day. There is no proof that these vulnerabilities were exploited in real-world scenarios.

“I was genuinely taken aback by the seemingly boundless access that ISPs possessed behind the scenes to customer devices,” noted Curry in an email to The Hacker News.


Curry and his team have previously unveiled multiple vulnerabilities affecting millions of vehicles from 16 different manufacturers that could have been utilized to unlock, start, and track cars. Subsequent research also revealed security weaknesses in points.com that could have allowed an attacker to retrieve customer data and even attain authorization to issue, manage, and transfer rewards points.

The genesis of the recent investigation traces back to the fact that Cox support representatives possess the capability to remotely control and adjust the device settings such as altering the Wi-Fi password and monitoring connected devices through the TR-069 protocol.

Curry’s examination of the underlying mechanism identified around 700 exposed API endpoints, some of which could be abused to reach administrative functions and run unauthorized commands by exploiting permission issues and repeatedly replaying the same HTTP requests.

This includes a “profilesearch” endpoint that could be abused to look up a customer by name alone and retrieve their business account details after replaying the request a few times, fetch the MAC addresses of the hardware connected to their account, and even access and modify business customer accounts.
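The pattern described in the two paragraphs above, an authorization check that denies a request and then allows an identical replay of it a moment later, leaves a recognisable trace in API access logs. The following Python is an added example written for this article, not code from Curry's report or from Cox: it parses a constructed, common-log-style format and flags any (client, method, path) triple that received a 403 and then a 2xx for the same request inside a short window. The log format, the client addresses and the endpoint paths are all constructed for the example; only the idea of a "profilesearch"-style endpoint comes from the article.

```python
"""Flag inconsistent authorization decisions in API access logs.

Added example (not from the original report or vendor). Heuristic: if the same
client sends the same request and is denied (403) and then allowed (2xx) within
a short window, the authorization layer is not deterministic and deserves an
alert. Field layout and sample data are constructed for this example.
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log: "<iso-timestamp> <client> <method> <path> <status>".
SAMPLE_LOG = """\
2024-03-04T10:00:01Z 203.0.113.7 GET /api/v1/profilesearch?name=acme 403
2024-03-04T10:00:02Z 203.0.113.7 GET /api/v1/profilesearch?name=acme 403
2024-03-04T10:00:03Z 203.0.113.7 GET /api/v1/profilesearch?name=acme 200
2024-03-04T10:00:04Z 203.0.113.7 GET /api/v1/profilesearch?name=acme 200
2024-03-04T10:05:00Z 198.51.100.9 GET /api/v1/account/me 200
2024-03-04T10:05:01Z 198.51.100.9 GET /api/v1/account/me 200
2024-03-04T10:07:00Z 192.0.2.44 POST /api/v1/device/reset 403
2024-03-04T10:07:02Z 192.0.2.44 POST /api/v1/device/reset 403
2024-03-04T10:30:00Z 192.0.2.44 POST /api/v1/device/reset 200
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<path>\S+) (?P<status>\d{3})$"
)


def parse_line(line):
    """Parse one constructed-format log line; return None for lines that don't match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
    rec["status"] = int(rec["status"])
    return rec


def find_auth_flips(log_text, window_seconds=300):
    """Return one finding per (client, method, path) that was denied with 403
    and then allowed with a 2xx within `window_seconds` of the denial.

    Each finding carries the denied/allowed counts so an analyst can see how
    many replays preceded the first success.
    """
    history = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # skip malformed lines rather than failing the whole run
        key = (rec["client"], rec["method"], rec["path"])
        history[key].append((rec["ts"], rec["status"]))

    findings = []
    for (client, method, path), events in history.items():
        events.sort()
        denied = [ts for ts, st in events if st == 403]
        allowed = [ts for ts, st in events if 200 <= st < 300]
        # A denial followed by a success for the identical request is the signal.
        flipped = any(
            0 <= (a - d).total_seconds() <= window_seconds
            for d in denied for a in allowed
        )
        if flipped:
            findings.append({
                "client": client, "method": method, "path": path,
                "denied": len(denied), "allowed": len(allowed),
            })
    return findings


if __name__ == "__main__":
    for f in find_auth_flips(SAMPLE_LOG):
        print(f"AUTH FLIP {f['client']} {f['method']} {f['path']} "
              f"(denied={f['denied']}, allowed={f['allowed']})")
```

With the default five-minute window only the profilesearch client is flagged; the device-reset client's success comes 23 minutes after its last denial, so it is reported only when the window is widened. In a real deployment the key would also include the authenticated principal and the request body hash, since the article's concern is the same caller getting a different answer to the same question.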

More worryingly, the research found that a customer’s device settings could be overwritten once an attacker held a cryptographic secret that is required for hardware-modification requests, and that this could ultimately be used to reset and reboot the device.

“This indicated that a hacker could have utilized this API to alter configuration settings, gain access to the router, and execute commands on the device,”


In a hypothetical offensive scenario, a malicious actor could have misused these APIs to look up a Cox client, retrieve their complete account specifics, fetch their hardware MAC address to access Wi-Fi passwords and connected devices, and execute arbitrary commands to take control of the accounts.

“This problem likely arose due to the intricacies around managing customer devices like routers and modems,” Curry stated.

“Developing a REST API that can universally communicate with possibly hundreds of different models of modems and routers is highly complex. If they had foreseen the necessity for this initially, they could have integrated a more robust authorization mechanism that wouldn’t rely on a single internal protocol having access to numerous devices. They face an extremely challenging issue to resolve.”
