Do you trust the WiFi router that you’re renting from your internet service provider? Maybe you should think twice. After some tinkering, a security researcher found a way to hack into millions of routers used by Cox customers.
On March 5th, Cox, a major cable and internet service provider in the US, hot-patched a critical vulnerability that could’ve permitted remote attackers to change customers' device settings, execute commands on their modems, and retrieve full account personal information.
Discovered by Sam Curry, a whitehat security researcher and recognized bounty hunter from the US, the exploit allowed external actors to obtain a similar set of permissions to Cox’s tech support admins.
Millions of Cox devices were reachable through exposed APIs whose authorization checks could be bypassed by an outside caller, the researcher detailed in his blog post.
“This series of vulnerabilities demonstrated a way in which a fully external attacker with no prerequisites could've executed commands and modified the settings of millions of modems, accessed any business customer's PII, and gained essentially the same permissions of an ISP support team,” he said.
Poking around the Cox Business portal, which “had a ton of interesting functionality to remotely manage devices, set firewall rules, and monitor network traffic,” Curry discovered over 700 exposed API calls for account management, equipment administration, billing, and more.
“Each API suffered from the same permission issues, where replaying HTTP requests repeatedly would allow an attacker to run unauthorized commands,” Curry explained.
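The replay pattern Curry describes (the same request denied, then accepted) leaves a trace in API gateway logs that a detection engineer can hunt for. The script below is an added example and not code from the original post or from Cox; it assumes a hypothetical one-line-per-request log format of `<ISO time> <client> <method> <path> <status> <body fingerprint>`, and the log lines embedded in it are constructed for illustration. It groups identical requests per client and flags any that flip from 401/403 to a 2xx within a time window, which is the signature of an authorization check that fails open on replay rather than a user who legitimately re-authenticated later.

```python
"""Flag identical HTTP requests whose authorization decision flips from
denied to allowed on replay. Added example; the log format is hypothetical."""
import hashlib
import re
from collections import defaultdict
from datetime import datetime

# Assumed log format: "<ISO time> <client> <method> <path> <status> <body fingerprint>"
# The fingerprint is the first 12 hex chars of sha256(body); "-" means no body.
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<method>[A-Z]+)\s+"
    r"(?P<path>\S+)\s+(?P<status>\d{3})\s+(?P<body>\S+)$"
)

# Constructed sample log: one replay bypass within seconds, one harmless
# repeated search, and one denied request that only succeeds 28 minutes later.
SAMPLE_LOG = """\
2024-03-05T10:00:01Z 203.0.113.9 POST /api/device/update 403 9f1c2a7b3e4d
2024-03-05T10:00:02Z 203.0.113.9 POST /api/device/update 403 9f1c2a7b3e4d
2024-03-05T10:00:03Z 203.0.113.9 POST /api/device/update 200 9f1c2a7b3e4d
2024-03-05T10:01:10Z 198.51.100.4 GET /api/profilesearch?q=FBI 200 -
2024-03-05T10:01:11Z 198.51.100.4 GET /api/profilesearch?q=FBI 200 -
2024-03-05T10:02:00Z 192.0.2.77 POST /api/device/update 403 ab12cd34ef56
2024-03-05T10:02:01Z 192.0.2.77 POST /api/device/update 403 ab12cd34ef56
2024-03-05T10:30:00Z 192.0.2.77 POST /api/device/update 200 ab12cd34ef56
"""


def body_fingerprint(body: bytes) -> str:
    """Fingerprint a request body the way the assumed log format does."""
    return hashlib.sha256(body).hexdigest()[:12] if body else "-"


def parse_line(line: str):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
    ev["status"] = int(ev["status"])
    return ev


def find_replay_bypasses(lines, window_seconds: int = 300):
    """Return findings for identical requests (same client, method, path and
    body) that were denied and then accepted within window_seconds."""
    groups = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev:
            groups[(ev["client"], ev["method"], ev["path"], ev["body"])].append(ev)

    findings = []
    for (client, method, path, body), events in groups.items():
        events.sort(key=lambda e: e["ts"])
        first_denied = None  # timestamp of the first denial in the current run
        denials = 0
        for ev in events:
            if ev["status"] in (401, 403):
                if first_denied is None:
                    first_denied = ev["ts"]
                denials += 1
            elif 200 <= ev["status"] < 300 and first_denied is not None:
                # A success after denials: suspicious only if it came quickly,
                # otherwise the user may simply have logged in again.
                if (ev["ts"] - first_denied).total_seconds() <= window_seconds:
                    findings.append({
                        "client": client,
                        "method": method,
                        "path": path,
                        "body": body,
                        "first_denied": first_denied.isoformat(),
                        "allowed_at": ev["ts"].isoformat(),
                        "denials_before_success": denials,
                    })
                first_denied = None
                denials = 0
    return findings


if __name__ == "__main__":
    for finding in find_replay_bypasses(SAMPLE_LOG.splitlines()):
        print(finding)
```

The window is the main tuning knob: at the default five minutes only the first client is flagged, while widening it to an hour also catches the 28-minute case, at the cost of more false positives from users who re-authenticated in between. A real deployment would also key on the session or API token rather than only the source address, since replay from a second IP should still count.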
Just by searching for “FBI” using one of the API endpoints – the “profilesearch” – Curry obtained what appeared to be the physical addresses of several FBI field offices. Later, he accessed his own modem using the Business website API functionality and obtained the equipment list and details. The researcher was then able to abuse the APIs to push updates to account information.
“At this point, I'd demonstrated that it was possible to search a customer and retrieve their business account personally identifiable information using only their name, then retrieve the MAC addresses of the connected hardware on their account, then run commands against the MAC address via the API,” Curry said in the blog post.
Command execution followed the same path. All an attacker needed was the device's MAC address, which the exposed APIs would return when queried with other customer details such as a name. Curry sent a device update request through the API and confirmed that it could change the modem's configuration.
“We now had essentially a full kill chain,” the researcher noted. “This meant that an attacker could've accessed this API to overwrite configuration settings, access the router, and execute commands on the device.”
New writeup:
Hacking Millions of Modems (and Investigating Who Hacked My Modem) https://t.co/VZbWEIF5I8
Thanks for reading! Huge thanks to @blastbots, @bbuerhaus, @infosec_au, @d0nutptr, @iangcarroll, and everyone who reviewed the post beforehand.
Sam Curry (@samwcyo), June 3, 2024
The attack scenarios were nearly limitless. Malicious actors could search for customers by name, phone number, email address, or account number, obtain device identifiers such as MAC addresses, query those to retrieve WiFi passwords and connected devices, execute arbitrary commands, update any device property, and even take over accounts.
The researcher reported the vulnerabilities to Cox through their responsible disclosure program. The company took the issues very seriously and responded rapidly.
“They took down the exposed API calls within six hours, then began working on the authorization vulnerabilities. I was no longer able to reproduce any of the vulnerabilities the next day,” the researcher said.
This vulnerability underscores the risks posed by ISP-provided devices, especially when the ISP retains remote management access to them: the weak point here was not the modem firmware but the provider's management APIs, and a flaw there exposes every device behind them at once.
Cybernews has previously reported on an unprecedented wiperware campaign targeting an undisclosed ISP, which turned 600,000 WiFi routers into e-waste. Attackers infected and bricked the devices in just 72 hours.