Now-patched authorization bypass issues impacting Cox modems could have been abused as a starting point to gain unauthorized access to the devices and run malicious commands.
“This series of vulnerabilities demonstrated a way in which a fully external attacker with no prerequisites could’ve executed commands and modified the settings of millions of modems, accessed any business customer’s PII, and gained essentially the same permissions of an ISP support team,” security researcher Sam Curry said in a new report published today.
Following responsible disclosure on March 4, 2024, the authorization bypass issues were addressed by the U.S. broadband provider within 24 hours. There is no evidence that these shortcomings were exploited in the wild.
“I was really surprised by the seemingly unlimited access that ISPs had behind the scenes to customer devices,” Curry told The Hacker News via email.
“It makes sense in retrospect that an ISP should be able to remotely manage these devices, but there is an entire internal infrastructure built by companies like Xfinity that bridges consumer devices to externally exposed APIs. If an attacker found vulnerabilities in these systems, they could potentially compromise hundreds of millions of devices.”
Curry et al. have previously disclosed several vulnerabilities affecting millions of vehicles from 16 different manufacturers that could be exploited to unlock, start, and track cars. Subsequent research also unearthed security flaws within points.com that could have been used by an attacker to access customer information and even obtain permissions to issue, manage, and transfer rewards points.
The starting point of the latest research goes back to the fact that Cox support agents have the ability to remotely control and update the device settings, such as changing the Wi-Fi password and viewing connected devices, using the TR-069 protocol.
Curry’s analysis of the underlying mechanism identified about 700 exposed API endpoints, some of which could be exploited to gain administrative functionality and run unauthorized commands by weaponizing the permission issues and replaying the HTTP requests repeatedly.
This includes a “profilesearch” endpoint that could be exploited to search for a customer and retrieve their business account details using only their name by replaying the request a couple of times, fetch the MAC addresses of the connected hardware on their account, and even access and modify business customer accounts.
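For defenders, the replay behaviour described in the two paragraphs above suggests one signal to look for in API gateway logs: the same request, carrying the same credential, denied on some attempts and allowed on others. The following is an added example, not code from Curry's report or from Cox; the log format, paths, addresses and the `find_flapping_authz` helper are constructed for illustration, and it assumes the bypass appears as a 401/403 followed by a 2xx for an identical request.

```python
from collections import defaultdict

# Constructed sample lines (not real Cox logs). Assumed, time-ordered format:
#   epoch_seconds client_ip credential_id METHOD path status
# credential_id is "-" when the request carried no token.
SAMPLE_LOG = """\
1709500000 203.0.113.7 - GET /example-api/profilesearch 401
1709500001 203.0.113.7 - GET /example-api/profilesearch 401
1709500002 203.0.113.7 - GET /example-api/profilesearch 200
1709500010 198.51.100.4 - POST /example-api/device/settings 401
1709500030 198.51.100.4 tok:9f2c POST /example-api/device/settings 200
1709500040 192.0.2.9 tok:41aa GET /example-api/profilesearch 200
1709500050 192.0.2.50 - GET /example-api/account 403
1709500051 192.0.2.50 - GET /example-api/account 403
"""

DENIED = {401, 403}


def parse(line):
    ts, client, cred, method, path, status = line.split()
    # The credential is part of the key: a 401 followed by a 200 after the
    # user logs in (new token) is normal and must not be flagged.
    return int(ts), (client, cred, method, path), int(status)


def find_flapping_authz(lines, window=60):
    """Map each (client, cred, method, path) that was denied and then allowed
    within `window` seconds to (denials_seen, timestamp_of_first_allow)."""
    denials = defaultdict(list)  # key -> timestamps of recent denials
    findings = {}
    for line in lines:
        if not line.strip():
            continue
        ts, key, status = parse(line)
        recent = [t for t in denials[key] if ts - t <= window]
        if status in DENIED:
            recent.append(ts)
        elif 200 <= status < 300 and recent and key not in findings:
            findings[key] = (len(recent), ts)
        denials[key] = recent
    return findings


if __name__ == "__main__":
    for key, (count, ts) in find_flapping_authz(SAMPLE_LOG.splitlines()).items():
        print(f"inconsistent authorization: {key} allowed at {ts} after {count} denials")
```

An authorization decision that changes between identical requests points at inconsistent enforcement across backends, so any hit is worth investigating even when the client turns out to be benign.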
Even more troublingly, the research found that it’s possible to overwrite a customer’s device settings, assuming the attacker is in possession of a cryptographic secret that’s required when handling hardware modification requests, using it to ultimately reset and reboot the device.
“This meant that an attacker could have accessed this API to overwrite configuration settings, access the router, and execute commands on the device,”
In a hypothetical attack scenario, a threat actor could have abused these APIs to look up a Cox customer, get their complete account details, query their hardware MAC address to retrieve Wi-Fi passwords and connected devices, and run arbitrary commands to take over the accounts.
“This issue was likely introduced due to the complexities around managing customer devices like routers and modems,” Curry said.
“Building a REST API that can universally talk to likely hundreds of different models of modems and routers is really complicated. If they had seen the need for this originally, they could’ve built in a better authorization mechanism that wouldn’t rely on a single internal protocol having access to so many devices. They have a super hard problem to solve.”