Identifying the Cable Haunt Vulnerability Using the Centrifuge Platform®
Cable Haunt is a critical vulnerability in the firmware of cable modems, disclosed in January 2020 by the team at Lyrebirds in Denmark. With this vulnerability, external attackers can exploit a buffer overflow to take control of the modem… including potentially changing the modem firmware, redirecting user traffic, or making the cable modem participate in a malicious botnet. It is estimated that hundreds of millions of cable modems are impacted by this vulnerability. More details about Cable Haunt can be found here.
This vulnerability emphasizes two key points we have been making at ReFirm Labs:
1. Vulnerabilities in embedded software (firmware) that runs IoT devices like cable modems are an attack vector that has traditionally been overlooked. Companies and consumers need to be aware of the security of the devices they are deploying on their networks, just as they are concerned about the security of applications and web sites they deploy.
2. Supply chain security needs to be top of mind for device manufacturers. This vulnerability is present across so many vendors and devices because it lies in a core piece of software delivered with one of the building blocks of most cable modems – the eCos-based cable modem middleware from Broadcom. Visibility into the security of third-party components is essential to building a secure device.
On February 4th, 2020 we deployed a new analyzer to the Centrifuge Platform, our automated firmware analysis platform. The analyzer detects the presence of the Cable Haunt vulnerability in eCos-based firmware images.
Given a binary-only image of the Broadcom-based portion of the cable modem firmware, Centrifuge will extract the full eCos image and conduct analyses to identify whether the Cable Haunt vulnerability is present. Device manufacturers and cable operators can use this to ensure that the solutions they deliver to their customers are protected from this exploit.
This is one example of the many exploit, malware, and backdoor detectors in the Centrifuge Security Checklist. Centrifuge also analyzes firmware across a number of other areas, including cryptographic and password weaknesses, automated reverse engineering to discover potential zero-days, libraries with known vulnerabilities, weak binary hardening, and much more.
Find out more. Contact us today.