Now-patched authorization bypass issues affecting Cox modems could have been abused as a starting point to gain unauthorized access to the devices and run malicious commands.
"This series of vulnerabilities demonstrated a way in which a fully external attacker with no prerequisites could've executed commands and modified the settings of millions of modems, accessed any business customer's PII, and gained essentially the same permissions of an ISP support team," security researcher Sam Curry said in a new report published today.
Following responsible disclosure on March 4, 2024, the U.S. broadband provider fixed the authorization bypass issues within 24 hours. There is no indication that these weaknesses were exploited in the wild.
"I was really surprised by the seemingly unlimited access that ISPs had behind the scenes to customer devices," Curry told The Hacker News via email.
"It seems reasonable in hindsight that an ISP should be able to remotely monitor these devices, but there is a whole internal architecture established by firms like Xfinity that links consumer devices to externally available APIs. If an attacker uncovered flaws in these systems, they might potentially compromise hundreds of millions of devices."
Curry and others had previously discovered multiple vulnerabilities affecting millions of vehicles from 16 different manufacturers that could be exploited to unlock, start, and track cars. Subsequent research also found security flaws in points.com that could have been used by an attacker to access customer information and even obtain permission to issue, manage, and transfer reward points.
The starting point of the new research is the fact that Cox support agents are able to remotely control and update device settings, such as changing the Wi-Fi password and viewing connected devices, using the TR-069 protocol.
Curry's analysis of the underlying mechanism uncovered around 700 exposed API endpoints, some of which could be abused to gain administrative capabilities and execute unauthorized commands by weaponizing the authorization flaws and replaying the HTTP requests repeatedly.
This includes a "profilesearch" endpoint that could be exploited to search for a customer and retrieve their business account details using only their name by replaying the request a couple of times, fetch the MAC addresses of the connected hardware on their account, and even access and modify business customer accounts.
Even more troublingly, the research showed that it was possible to overwrite a customer's device settings, provided the attacker was in possession of a cryptographic secret that is required when handling hardware modification requests, and to use it to ultimately reset and reboot the device.
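The replay-dependent behaviour described above is consistent with an authorization check that does not answer the same way every time (an assumption here; the article does not say why replaying worked). One defender-side check for that pattern is to scan API access logs for identical requests from the same client whose verdict flips between denied and allowed within a short window. The following is an added example, not code from the article or from Curry's report; the log format, field layout and sample values are constructed.

```python
# Added example (not from the article or Curry's report): flag replayed API requests whose
# authorization verdict flips between denied and allowed. A consistent policy returns the
# same verdict for the same caller and request; mixed verdicts point at a flaky check.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample access log (assumed format): timestamp, client IP, method, path, status.
SAMPLE_LOG = """\
2024-03-01T10:00:01Z 203.0.113.7 GET /api/profilesearch?name=acme 403
2024-03-01T10:00:02Z 203.0.113.7 GET /api/profilesearch?name=acme 403
2024-03-01T10:00:03Z 203.0.113.7 GET /api/profilesearch?name=acme 200
2024-03-01T10:00:04Z 203.0.113.7 GET /api/profilesearch?name=acme 200
2024-03-01T10:00:05Z 198.51.100.4 GET /api/profilesearch?name=beta 403
2024-03-01T10:00:09Z 198.51.100.4 GET /api/profilesearch?name=beta 403
2024-03-01T10:00:10Z 192.0.2.9 GET /api/status 200
2024-03-01T10:20:00Z 192.0.2.9 GET /api/status 403
"""

def parse_line(line):
    ts, client, method, path, status = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), client, method, path, int(status)

def find_flipping_authz(log_text, window_seconds=300, denied=(401, 403)):
    """Return {(client, method, path): [statuses]} for request keys that received both a
    denial and a 2xx within the window: the signature of an inconsistent authorization check."""
    window = timedelta(seconds=window_seconds)
    by_key = defaultdict(list)
    for raw in log_text.splitlines():
        if raw.strip():
            ts, client, method, path, status = parse_line(raw)
            by_key[(client, method, path)].append((ts, status))
    findings = {}
    for key, events in by_key.items():
        events.sort()
        for i, (t0, s0) in enumerate(events):
            # Only compare against later events inside the window (events are time-sorted).
            for t1, s1 in events[i + 1:]:
                if t1 - t0 > window:
                    break
                if (s0 in denied and 200 <= s1 < 300) or (s1 in denied and 200 <= s0 < 300):
                    findings[key] = [s for _, s in events]
                    break
            if key in findings:
                break
    return findings

if __name__ == "__main__":
    for key, statuses in find_flipping_authz(SAMPLE_LOG).items():
        print("inconsistent authorization verdicts:", key, statuses)
```

With the sample data, only the replayed `profilesearch` request is flagged; the `/api/status` pair is 20 minutes apart and is excluded by the default 5-minute window.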
"This meant that an attacker could have accessed this API to overwrite configuration settings, access the router, and execute commands on the device,"
In a hypothetical attack scenario, a threat actor could have abused these APIs to look up a Cox customer, obtain their full account details, query their hardware MAC address to retrieve Wi-Fi passwords and connected devices, and execute arbitrary commands to take control of the accounts.
"This issue was likely introduced due to the complexities around managing customer devices like routers and modems," Curry added.
"Building a REST API that can generically communicate to presumably hundreds of distinct kinds of modems and routers is pretty tough. If they had identified the need for this initially, they could've put in a stronger authorization method that wouldn't depend on a single internal protocol having access to so many devices. They have a really hard task to tackle."