CableTap Vulnerabilities Detailed At DefCon Expose ISP Gateway Risks
Security researchers detailed a set of 26 different vulnerabilities that impact millions of wireless gateways set up by internet service providers
While some hackers were busy on one level of the DefCon security conference in Las Vegas, hacking voting machines, others were detailing a set of 26 vulnerabilities dubbed ‘CableTap’ flaws that impact wireless gateway and set-top boxes provided by internet service providers (ISPs) and cable television operators.
The impacted vendors and ISPs include Comcast, Time Warner, Cisco, Arris and Motorola, with the researchers estimating that tens of millions of ISP customers are at risk.
The CableTap vulnerabilities were publicly disclosed on July 29 at DefCon by a team of researchers including Marc Newlin and Logan Lamb from Bastille Networks, and Christopher Grayson from Web Sight. Newlin noted that the CableTap vulnerabilities could enable a complete compromise of the impacted devices and if not patched, could have potentially exposed millions of users to risk.
Cyber threat
Due to the high number of vulnerabilities, the researchers responsibly disclosed the vulnerabilities to the impacted vendors in four different groups through March and April 2017. Public disclosure of the vulnerabilities was delayed until July 28 to give the vendors time to patch the flaws.
At the root of many of the CableTap vulnerabilities, is an open-source library known as RDK (Reference Development Kit) which provides a base set of capabilities that ISPs have used to build gateways and set-top boxes firmware. Grayson explained that while the open-source project has issued multiple patches for different vulnerabilities, not all of those patches have found their way into devices deployed by consumers.
Among the vulnerabilities included in CableTap is CVE-2017-9475, which is a flaw in the Comcast XFINITY WiFi Home Hotspot that could potentially enable an attacker to impersonate a Comcast customer connected to an “xfinitywifi” hotspot. The vulnerability could allow an attacker to access the internet, with any malicious activity being attributed to the Comcast customer they are impersonating.
The way the vulnerability works is that when a Comcast customer connects to an “xfinitywifi” hotspot on a previously unregistered device, they first login to their Comcast account in order to access the Internet. The WiFi MAC (Media Access Control) address of the newly connected customer device is then associated with the correct Comcast account. Whenever the Comcast customer connects to another “xfinitywifi” hotspot, it is authenticated using the WiFi MAC address.
“An attacker can impersonate a Comcast customer by wirelessly sniffing the MAC addresses of a device connected to an “xfinitywifi” hotspot, and then configuring their device to use the same MAC address,” the CableTap CVE-2017-9475 advisory states.
The CableTap vulnerabilities also include one on Time Warner gateways identified as CVE-2017-9522. As is the case with Xfinity issue, the Time Warner flaw enables an attacker to access the Internet for free, with any malicious activity being attributed to the customer they are impersonating.
“A vulnerability has been discovered that enables an attacker to connect to a Time Warner customer’s WiFi network, provided that the customer’s gateway is using the default WiFi credentials,” the CableTap advisory states. “The default WiFi passphrase is a combination of the SSID and BSSID, making it trivial for an attacker to connect to a Time Warner customer’s WiFi network.”
The Service Set Identifier (SSID) is the name associated with a given WiFi access point while the Basic Service Set Identifier (BSSID) provides the MAC address for the access point.
While hard-coded credentials and misconfiguration are to blame for a number of CableTap issues, some of the vulnerabilities identified by the CableTap researcher were the result of vendors using the FastCGI protocol in combination with the PHP programming language.
“It’s not a good idea to take random inputs from the internet and then let them run locally,” Lamb said.
Vendor Response
According to Bastille, many of the CableTap vulnerabilities have been patched. As part of its own disclosure, Bastille included the response it received from Comcast.
“Nothing is more important than our customers’ safety, and we appreciate Bastille bringing these matters to our attention,” Comcast wrote in a response sent to Bastille Networks. “We have made a number of updates to our software and systems to prevent the issues Bastille identified from impacting Comcast customers, including breaking the attack chains Bastille described in this paper.”
Bastille has a few simple suggestions for users that might be impacted by CableTap.
“Ensure your device is running the latest version of its firmware, and if you have further questions, please contact your ISP,” Bastille stated in its advisory.
Do you know all about security in 2017? Try our quiz!