Hundreds of millions of cable modems could be hacked due to 'Cable Haunt' flaw

Cable Haunt logo superimposed on a collection of cable modems.
(Image credit: Lyrebirds/Future)

Updated Jan. 13 to add more cable-modem models discovered to be vulnerable and to add comment from Broadcom. This story was originally published Jan. 12, 2020.

Hundreds of millions of cable modems around the world may be vulnerable to a software flaw named "Cable Haunt" by its Danish discoverers. 

The flaw lies in the Broadcom systems-on-a-chip used in many cable modems, specifically in the software running the spectrum analyzer, which protects against power surges in the cable signal. 

We've reached out to Broadcom for comment, and a company spokesperson gave us this statement: "We have made the relevant fix to the reference code and this fix was made available to customers in May 2019."

The resulting attack requires local network access and is hard to pull off, but skilled attackers could embed attack code in web pages or email messages, which would then exploit the flaw once the victim viewed them in a web browser.

Successful attackers could seize control of the modem and send users of the compromised network to malicious websites, conduct man-in-the-middle attacks on online transactions, or change the modem's firmware, said researchers at Lyrebirds, the Danish security firm that found Cable Haunt and put up a website detailing the flaw.

What you can, and can't, do about Cable Haunt

Unfortunately, there isn't much you can do about the Cable Haunt flaw yet. Four internet service providers in Scandinavia have remotely patched their customers' cable modems, but ISPs in the rest of the world don't seem to have caught on yet. 

It's not clear why Lyrebirds implied that those ISPs had patched their customers' modems only after receiving notice from the researchers, if Broadcom provided a patch several months ago.

Right now, you can screen out some malicious websites and email messages by using some of the best antivirus software. This goes for Macs as well as PCs, since the attack code doesn't care which desktop platform you use.

Using Mozilla Firefox exclusively for the time being might also help. The Cable Haunt website FAQ notes that "in general ... the spectrum analyzer's websocket server is not compatible with the websocket version used in Firefox." However, it adds that "other techniques to exploit specific modems" do work in Firefox.

Is your modem at risk from Cable Haunt?

The Lyrebirds team thinks nearly 200 million cable modems may be vulnerable to Cable Haunt in Europe alone. 

The Lyrebirds researchers say models known to be vulnerable include the Arris Surfboard CM8200A, Arris Surfboard SB6183 (misspelled by Lyrebirds as the nonexistent SB6813), Arris Surfboard SB8200, COMPAL 7284E, COMPAL 7486E, Humax HGB10R-02, Netgear C6250EMR, Netgear CG3700EMR, Netgear CM1000, Sagemcom F@st 3686, Sagemcom F@st 3890, Technicolor TC4400, Technicolor TC7230 and Technicolor TC7300, although some firmware versions of those models may not be at risk.

If you rent your cable modem, or a combined cable modem/router, from your ISP, then contact your ISP and ask whether your model is vulnerable to the Cable Haunt flaw. If so, then ask when a firmware update might be coming. 

If you own your cable modem, your first step should be to find out if the modem has a Broadcom chipset. Unfortunately, that's not the kind of information most cable-modem makers include in customer documentation. So Google the name and model number of the modem along with the word "chipset" to find out what's inside your modem. 

We discovered that our aging Arris Surfboard SB6141 uses a Texas Instruments chipset, so we're out of the woods. But two later Arris models, the Surfboard SB6183 and SB8200, do use Broadcom chipsets, and the latter is on the list of known models vulnerable to Cable Haunt. 

Here are links to charts listing the chipsets used in several Arris and Netgear modems and modem/routers.

If you own your modem, are familiar with Linux and are pretty tech-savvy, the Lyrebirds team has posted a script on Github that you can run to see if your modem is vulnerable to Cable Haunt. If you happen to own a Sagecom F@st 3890, you can even run a proof-of-concept exploit script.

If you own your modem, you've still got to wait

Here's the catch: Even if you own your own modem or combined modem/router, you probably will have to wait for the ISP to push out updated firmware for your model. ISPs are very fussy about which customer-owned modems their networks are compatible with, and this extends to the firmware. 

For example, neither Arris nor Netgear lets customers update their own cable-modem firmware. Instead, they give the firmware to the ISPs, which test it to make sure it doesn't cause any problems.

TOPICS
Paul Wagenseil

Paul Wagenseil is a senior editor at Tom's Guide focused on security and privacy. He has also been a dishwasher, fry cook, long-haul driver, code monkey and video editor. He's been rooting around in the information-security space for more than 15 years at FoxNews.com, SecurityNewsDaily, TechNewsDaily and Tom's Guide, has presented talks at the ShmooCon, DerbyCon and BSides Las Vegas hacker conferences, shown up in random TV news spots and even moderated a panel discussion at the CEDIA home-technology conference. You can follow his rants on Twitter at @snd_wagenseil.