Cable Haunt (formerly code-named Graffiti) is a vulnerability found in most cable modem firmware that potentially enables attackers to see traffic in real time, redirect web requests to unintended targets, or participate in DDoS or other botnet attacks against third-party targets.
In more complex terms, Cable Haunt is a vulnerability that allows external attackers to use a buffer overflow to take complete control of a cable modem. Since all Internet communications move through the modem, it is possible to leverage this vulnerability to complete a wide assortment of attacks through multiple vectors.
Some of those attacks could include:
- Changing the default DNS server
- Reprogramming modem firmware with customized software
- Turning off automatic updates and patching
- Changing any configuration option or system setting
- Initiating a man-in-the-middle attack
- Changing your modem’s MAC Address
- Changing your modem’s serial number
- Adding your modem to a botnet
Is my Cable Modem Impacted?
Almost all cable modems currently in use by internet service providers around the world are impacted. Schrock has confirmed that all three of our Cox cable modems (two business modems and one residential) were vulnerable to attack. A partial list of modems, both patched and known to be vulnerable, can be found here.
The easiest way to determine if your modem is impacted by Cable Haunt is to test yours using the tools provided below.
How to Test Your Cable Modem
Note that over 30,000 ports are scanned in this test and it can take up to an hour to complete.
Most modems will reboot automatically after crashing, but if yours does not, simply unplug it and plug it back in to reset it.
What to Do if you are Vulnerable
If your modem is vulnerable to Cable Haunt, the only way to remedy it is to install a patch provided by the manufacturer of your cable modem. Typically, searching for the term "firmware update" together with the make and model of your modem is the fastest way to locate any available updates.
Unfortunately, if your modem is provided by your Internet Service Provider (ISP) you most likely do not have the authority to install a firmware update yourself. These need to be pushed to your modem by your ISP.
Cable Haunt is currently an emerging threat that has not yet gained the attention of many manufacturers and ISPs. If your modem is provided by your ISP and you are vulnerable, please contact your ISP and ask them to install a firmware update for your modem. After the update (if available) is installed, you can test again to ensure it is patched properly.
If there is no firmware update for your modem, you must either switch to a compliant make and model of modem, or wait for your modem’s manufacturer to create updated firmware and make it available to your ISP. Your individual requests really do matter, as that is the only mechanism that has resulted in patched modems to date.
Giving Credit and Special Consideration
None of us would know what Cable Haunt is if it were not for the tireless work of Lyrebirds. For the latest updates on Cable Haunt, please consider following them on Twitter.
Schrock Interactive simply repackaged their work in a way that will allow millions of individuals to report their vulnerability to their ISPs. All credit for the discovery of Cable Haunt, as well as the code to test for vulnerable devices, belongs to Lyrebirds.