Nicole Zheng

Cable Haunt detection by Minim

What is Cable Haunt?

Last week, news broke of a critical vulnerability in hundreds of millions of Broadcom cable modems around the world.

Discovered by a team of researchers from Denmark, the Cable Haunt vulnerability exists in the middleware running on the Broadcom chip and can be exploited with a DNS rebind attack, which relies on malicious code running in an end user’s browser window.

Exploiting Cable Haunt enables a slew of potential malicious activities, including traffic hijacking, eavesdropping, and disabling CPE firmware updates.

In response to this attack, Minim has developed Cable Haunt exploit detection on our platform. We will alert any of our service provider customers of an exploitation. What's more, we will release Cable Haunt threat protection imminently.

Update: Minim released Cable Haunt Virtual Patch on January 24, 2020.

How does Cable Haunt work?

The Cable Haunt exploit details are captured in a vulnerability report and website, summarized below.

The report explains that Cable Haunt starts with a vulnerable middleware running on the Broadcom chip:

“The Broadcom cable modem middleware (CM) is a real-time operating system, which runs all networking tasks, such as DOCSIS Protocol, IP-stack etc. Along with the Broadcom middleware there usually exists a separate subsystem in the architecture, which is responsible for various things depending on the manufacturer... As all traffic goes through the CM, a would-be attacker with access to it, could listen and manipulate any traffic going through the modem. Attempts to regain control of the modem through firmware upgrades or remote resets, can not be counted on to recover the system, as this depends on the exploited system.”

From here, the main target of attack is the spectrum analyzer, a component in the cable modem's Broadcom chip that's used for identifying connection or signal problems that may occur via the coaxial electrical cable powering the modem.

As for how the attack is carried out, vulnerable cable modems can be exploited with DNS rebind attacks, a type of attack that consists of malicious JavaScript code running in a person's browser window. This allows Cable Haunt to gain access to the local network and thus the CM and spectrum analyzer.
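One defensive check that follows from the rebinding mechanism described above, as an added example (not Minim's detection code and not the researchers' code): flag DNS answers that map a non-local hostname to an internal address, and mark the case where the same client received an external answer for that name moments earlier. The log format, `LOCAL_SUFFIXES`, the 60-second window and every sample record are constructed assumptions.

```python
import ipaddress

# Constructed sample resolver log: (epoch seconds, client, queried name, answer, TTL).
SAMPLE_LOG = [
    (1000, "192.168.0.23", "news.example.org", "198.51.100.34", 300),
    (1001, "192.168.0.23", "rebind.example.net", "203.0.113.7", 1),
    (1004, "192.168.0.23", "rebind.example.net", "192.168.100.1", 1),
    (1010, "192.168.0.40", "printer.lan", "192.168.0.50", 60),
    (1020, "192.168.0.40", "cdn.example.com", "198.51.100.9", 120),
    (1500, "192.168.0.40", "cdn.example.com", "198.51.100.10", 120),
]

LOCAL_SUFFIXES = (".lan", ".local", ".home.arpa")  # assumed local-only zones

# Explicit ranges rather than ipaddress.is_private, which also covers the
# documentation ranges used as stand-in public addresses in the sample.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "::1/128", "fc00::/7", "fe80::/10")]


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def find_rebind_suspects(log, window=60):
    """Flag non-local names that are answered with internal addresses."""
    last_external = {}  # (client, name) -> time of last external answer
    alerts = []
    for ts, client, name, ip, ttl in sorted(log):
        name = name.rstrip(".").lower()
        if name.endswith(LOCAL_SUFFIXES):
            continue  # local zones are expected to resolve internally
        key = (client, name)
        if not is_internal(ip):
            last_external[key] = ts
            continue
        seen = last_external.get(key)
        # "flip": external answer, then internal answer, inside the window.
        kind = "flip" if seen is not None and ts - seen <= window else "internal-answer"
        alerts.append({"time": ts, "client": client, "name": name,
                       "ip": ip, "ttl": ttl, "kind": kind})
    return alerts


if __name__ == "__main__":
    for alert in find_rebind_suspects(SAMPLE_LOG):
        print(alert)
```

A resolver that drops such answers instead of only logging them removes the path the browser needs to reach LAN-side devices.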

Learn more about DNS rebind attacks and how Minim protects against

What cable modem models are vulnerable to Cable Haunt?

The research team shared a real-life demo of the Cable Haunt vulnerability being exploited on a Sagemcom F@st 3890 cable modem:

 

Other cable modem models found vulnerable to Cable Haunt include:

Model                 Firmware version
Sagemcom F@st 3890    50.10.19.*
Sagemcom F@st 3686    SIP_3.428.0-*
Technicolor TC7230    STEB 01.25
Netgear C6250EMR      V2.01.05
Netgear CG3700EMR     V2.01.03
Sagemcom F@st 3890    05.76.6.3a
Sagemcom F@st 3686    4.83.0
COMPAL 7284E          5.510.5.11
COMPAL 7486E          5.510.5.11
Netgear CG3700EMR     V2.01.05

 

The research team highlights that this list is not exhaustive, as they were unable to test all Broadcom-based cable modem models in use today. However, device owners continue to confirm more models as affected.

Visit the Cable Haunt website, scroll down to the FAQ, and click the first question, "Am I Affected?" to see the growing list.

What happens if Cable Haunt is exploited?

If Cable Haunt is exploited, a number of severe actions can be taken as the attacker gains full control of the cable modem. The research team lists some examples, which include:

  • Changing your network's default DNS server: Doing so impacts every device connected to your network and can allow an attacker to hijack traffic, redirecting network users to insecure and malicious sites.
  • Conducting remote man-in-the-middle attacks: Also known as an eavesdropping attack, this could let an attacker steal any sensitive and Personally Identifiable Information (PII) you share over the internet.
  • Disabling ISP firmware upgrades: We all know one of the first lines of defense in network security is keeping your router's firmware up-to-date. By disabling firmware upgrades enacted by your ISP, an attacker ensures your device doesn't receive any needed security patches or performance enhancements.

Have Cable Haunt exploits been detected?

While there have been no public incidents of Cable Haunt exploits reported at this time, Minim is actively monitoring for the vulnerability on our worldwide network of operators.

On that note, being able to detect this vulnerability is a first step to protecting against it. If you want to learn more about how Minim can help, get in touch.

Cable Haunt logo retrieved from cablehaunt.com on January 15, 2020
