Cable Haunt

Cable Haunt (formerly code named Graffiti) is a vulnerability found in most cable modem firmware that enables attackers to potentially see traffic in real-time, redirect web requests to unintended targets or participate in DDoS or other botnet attacks against third-party targets.

In more complex terms, Cable Haunt is a vulnerability that allows external attackers to use a buffer overflow to take complete control of a cable modem.  Since all Internet communications move through the modem, it is possible to leverage this vulnerability to complete a wide assortment of attacks through multiple vectors.

Some of those attacks could include:

• Changing the default DNS server
• Reprograming modem firmware with customized software
• Turning off automatic updates and patching
• Changing any configuration option or system setting
• Initiating a man-in-the-middle attack
• Changing your modem’s MAC Address
• Changing your modem’s serial number
• Adding your modem to a botnet

Cable Haunt is also identified as CVE-2019-19494 and CVE-2019-19495 and was originally discovered by Lyrebirds.  

Is my Cable Modem Impacted?

Almost all cable modems currently in use by internet service providers around the world are impacted.  Schrock has confirmed that all three of our Cox cable modems (two business modems and one residential) were all vulnerable to attack.  A partial list of modems both patched and known to be vulnerable can be found here.

The easiest way to determine if your modem is impacted by Cable Haunt is to test yours using the tools provided below.

How to Test Your Cable Modem

Lyrebirds created a javascript after discovering Cable Haunt that can be used to test individual modems.  You can find their original javascript here.

The Javascript option is a great solution for those with an IT background, however the vast majority of exposed modems will belong to residential customers and small businesses who may not have the ability to easily run javascript and interpret the results.

Schrock Innovations’ software development division, Schrock Interactive, used that javascript as a base to develop executable applications for PC and OSx that can test your modem in a safe and convenient way.

Download Cable Haunt PC Test Application

Download Cable Haunt OSx Test Application

Note that over 30,000 ports are scanned in this test and it can take up to an hour to complete.

Both applications implement the original javascript provided by Lyrebirds, but do it in a simple point and click way.  The applications both attempt to crash your cable modem as a test of vulnerability. If the programs are able to force your modem to fail and reboot, your modem is vulnerable.  If your modem is not vulnerable, no negative impacts will occur.  

Most modems will reboot automatically after crashing, but if yours does not, simply unplug it and plug it back in to reset it.

What to Do if you are Vulnerable

If your modem is vulnerable to Cable Haunt, the only way to remedy it is to install a patch provided by the manufacturer of your cable modem.  Typically searching for the term firmware update and the make and model of your modem is the fastest way to locate any available updates.

Unfortunately, if your modem is provided by your Internet Service Provider (ISP) you most likely do not have the authority to install a firmware update yourself.  These need to be pushed to your modem by your ISP.

Cable Haunt is currently an emerging threat that that has not gained the attention of many manufacturers and ISPs yet.  If your modem is provided by your ISP and you are vulnerable, please contact your ISP and ask them to install a firmware update for your modem.  After the update (if available) is installed, you can test again to ensure it is patched properly.

If there is not a firmware update for your modem you must either switch the make and model of your modem to a compliant model, or wait for your modem’s manufacturer to create updated firmware and make it available to your ISP.  Your individual requests really do matter, as that is the only mechanism that has resulted in patched modems to date.

Giving Credit and Special Consideration

None of us would know what Cable Haunt is if it was not for the tireless work of Lylebirds.  For the latest updates on Cable Haunt, please consider following them on Twitter.

Schrock Interactive simply repackaged their work in a way that will allow millions of individuals to report their vulnerability to their ISPs.  All credit for the discovery of Cable Haunt as well as the code to test for vulnerable devices belongs to Lylebirds.