Identifying the Cable Haunt Vulnerability Using the Centrifuge Platform®
Cable Haunt is a critical vulnerability in the firmware of cable modems, disclosed in January 2020 by the team at Lyrebirds in Denmark. With this vulnerability, external attackers can exploit a buffer overflow to take control of the modem, including potentially changing the modem firmware, redirecting user traffic, or making the cable modem participate in a malicious botnet. It is estimated that hundreds of millions of cable modems are impacted by this vulnerability. More details about Cable Haunt can be found in the Lyrebirds disclosure.
This vulnerability emphasizes two key points we have been making at ReFirm Labs:
1. Vulnerabilities in embedded software (firmware) that runs IoT devices like cable modems are an attack vector that has traditionally been overlooked. Companies and consumers need to be aware of the security of the devices they deploy on their networks, just as they are concerned about the security of the applications and websites they deploy.
2. Supply chain security needs to be top of mind for device manufacturers. The reason this vulnerability is present across so many vendors and devices is that it lives in a core piece of software delivered with one of the building blocks of most cable modems: the eCos-based cable modem middleware from Broadcom. Visibility into the security of third-party components is essential to building a secure device.
On February 4th, 2020 we deployed a new analyzer to the Centrifuge Platform, our automated firmware analysis platform. The analyzer detects the presence of the Cable Haunt vulnerability in eCos-based firmware images.
Given a binary-only image of the Broadcom-based portion of the cable modem firmware, Centrifuge extracts the full eCos image and runs analyses to determine whether the Cable Haunt vulnerability is present. Device manufacturers and cable operators can use this to verify that the solutions they deliver to their customers are protected from this vulnerability before deployment.
This is one of the many exploit, malware, and backdoor detectors in the Centrifuge Security Checklist. Centrifuge also analyzes firmware across a number of other areas, including cryptographic and password weaknesses, automated reverse engineering to discover potential 0-days, libraries with known vulnerabilities, weak binary hardening, and much more.
Find out more. Contact us today.