Multiple flaws in Cox modems could have impacted millions of devices
June 04, 2024
A security researcher discovered several authorization bypass vulnerabilities in Cox modems that potentially impacted millions of devices.
The security researcher Sam Curry discovered multiple issues in Cox modems that could have been exploited to modify the settings of the vulnerable modem and run malicious commands on them.
Cox is the largest private broadband provider in the United States, the third-largest cable television provider, and the seventh-largest telephone carrier in the country. The company has millions of customers.
“This series of vulnerabilities demonstrated a way in which a fully external attacker with no prerequisites could’ve executed commands and modified the settings of millions of modems, accessed any business customer’s PII, and gained essentially the same permissions of an ISP support team,” wrote Curry.
Curry described a potential attack scenario where a threat actor could exploit exposed APIs to target Cox business customers.
The attack involves searching for a specific target using their identifiable information, such as name, phone number, email address, or account number. Upon finding a match, the attacker uses the returned UUID to query the API for the target’s full PII, including device MAC addresses, email, phone number, and physical address. With the hardware MAC address, the attacker can retrieve the WiFi password and a list of connected devices, allowing them to execute arbitrary commands, update device properties, and ultimately take over the victim’s account. This compromises the security of the target’s network and endangers their personal and business data.
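The chain above is a textbook broken object-level authorization problem: each endpoint checks that the caller has a session, but none checks that the caller is allowed to see the customer, device or MAC address it asked for. The following is an added illustration, not Cox's API and not Sam Curry's code; every endpoint name, account, MAC address and password in it is a constructed stand-in. It models the search → UUID → PII → MAC → Wi-Fi password → command pivot against a vulnerable API, then the same handlers with ownership and role checks that stop an outsider at the first step while still letting support staff and the owning customer through.

```python
"""
Added illustration of the authorization-bypass chain described above.
Not Cox's API and not the researcher's code: every endpoint, record,
MAC address and password here is a constructed stand-in.
"""
from dataclasses import dataclass

# Constructed sample data: two business customers, one modem each.
CUSTOMERS = {
    "11111111-1111-4111-8111-111111111111": {
        "account": "ACC-1001", "name": "Acme Dental", "email": "it@acme.example",
        "phone": "+1-555-0100", "address": "1 Main St", "mac": "aa:bb:cc:00:00:01",
    },
    "22222222-2222-4222-8222-222222222222": {
        "account": "ACC-1002", "name": "Bob's Bakery", "email": "bob@bakery.example",
        "phone": "+1-555-0200", "address": "2 Oak Ave", "mac": "aa:bb:cc:00:00:02",
    },
}
DEVICES = {
    "aa:bb:cc:00:00:01": {"account": "ACC-1001", "wifi_psk": "acme-psk-1",
                          "connected": ["printer", "pos-1"], "log": []},
    "aa:bb:cc:00:00:02": {"account": "ACC-1002", "wifi_psk": "bakery-psk-2",
                          "connected": ["laptop"], "log": []},
}


@dataclass(frozen=True)
class Caller:
    account: str   # account the authenticated session belongs to
    role: str      # "customer" or "support"


class VulnerableApi:
    """Every handler requires a session but never ties the object to it."""

    def search(self, caller, query):
        # Returns the UUID of any customer whose name/email/phone/account matches.
        return [u for u, c in CUSTOMERS.items()
                if query in (c["name"], c["email"], c["phone"], c["account"])]

    def customer(self, caller, cust_uuid):
        return CUSTOMERS[cust_uuid]          # full PII, including the modem MAC

    def device(self, caller, mac):
        d = DEVICES[mac]
        return {"wifi_psk": d["wifi_psk"], "connected": list(d["connected"])}

    def run_command(self, caller, mac, cmd):
        DEVICES[mac]["log"].append(cmd)      # stands in for a real device action
        return "ok"


class HardenedApi(VulnerableApi):
    """Same handlers, plus object-level authorization on every lookup."""

    def _authorize(self, caller, owner_account):
        if caller.role != "support" and caller.account != owner_account:
            raise PermissionError(f"{caller.account} may not access {owner_account}")

    def search(self, caller, query):
        if caller.role != "support":          # cross-customer search is support-only
            raise PermissionError("search is a support-only operation")
        return super().search(caller, query)

    def customer(self, caller, cust_uuid):
        self._authorize(caller, CUSTOMERS[cust_uuid]["account"])
        return super().customer(caller, cust_uuid)

    def device(self, caller, mac):
        self._authorize(caller, DEVICES[mac]["account"])
        return super().device(caller, mac)

    def run_command(self, caller, mac, cmd):
        self._authorize(caller, DEVICES[mac]["account"])
        return super().run_command(caller, mac, cmd)


def attack_chain(api, caller, query, cmd="reboot"):
    """Search -> UUID -> PII -> MAC -> Wi-Fi password -> command, as one caller."""
    (cust_uuid,) = api.search(caller, query)
    pii = api.customer(caller, cust_uuid)
    dev = api.device(caller, pii["mac"])
    status = api.run_command(caller, pii["mac"], cmd)
    return {"uuid": cust_uuid, "email": pii["email"], "wifi_psk": dev["wifi_psk"],
            "connected": dev["connected"], "command": status}


def chain_blocked(api, caller, query):
    """True if authorization stops the chain before any data leaks."""
    try:
        attack_chain(api, caller, query)
        return False
    except PermissionError:
        return True


if __name__ == "__main__":
    outsider = Caller(account="ACC-9999", role="customer")
    print("vulnerable:", attack_chain(VulnerableApi(), outsider, "Bob's Bakery"))
    print("hardened blocks outsider:", chain_blocked(HardenedApi(), outsider, "Bob's Bakery"))
```

The point of the hardened class is that the check is per object, not per endpoint: a customer session can still read its own modem, a support session can still search and act on any account, and an unrelated account is refused before a UUID, MAC or password ever leaves the server.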
Curry reported the flaws to Cox on March 4, 2024, via the company’s responsible disclosure program, and Cox addressed them within 24 hours.
The company also investigated whether the vulnerabilities had ever been exploited in the wild and found no evidence of prior abuse.
“They had also informed me that they had no affiliation with the DigitalOcean IP address, meaning that the device had definitely been hacked, just not using the method disclosed in this blog post,” added Curry.
Pierluigi Paganini