Now-patched authorization bypass vulnerabilities in Cox modems could have been used as a springboard to gain unauthorized access to the devices and execute malicious commands.
“This series of vulnerabilities demonstrated a way in which a fully external attacker, without any prerequisites, could have executed commands and modified the settings of millions of modems, accessed any business customer’s PII, and gained essentially the same permissions as an ISP support team,” said Sam Curry, a security researcher, in a report released this morning.
The American internet operator resolved the authorization bypass issues within a day of receiving a responsible disclosure report on March 4, 2024. There’s no evidence that these flaws were exploited in the wild.
Curry emailed The Hacker News, stating, “I was really surprised by the seemingly unlimited access that ISPs had behind the scenes to customer devices.”
“In hindsight, it makes sense for an ISP to be able to remotely control these devices, but companies like Xfinity have developed an extensive internal infrastructure that connects consumer devices to externally accessible APIs. An attacker could potentially compromise hundreds of millions of devices if they discovered vulnerabilities in these systems.”
In the past, Curry and his team have revealed several vulnerabilities that could be used to monitor, unlock, and start cars from 16 different manufacturers. Further investigation also uncovered security holes in points.com that would have allowed a hacker to access consumer data and even obtain authorization to distribute, issue, and administer reward points.
The latest research details how Cox support agents can remotely update and manipulate device settings via the TR-069 protocol, including inspecting connected devices and resetting the Wi-Fi password.
Curry’s examination of the underlying mechanisms revealed approximately 700 accessible API endpoints, some of which could be exploited by replaying HTTP requests and leveraging authorization flaws to reach administrative functionality and execute unauthorized commands.
This includes a “profilesearch” endpoint that, with a few replays of the request, could be used to identify a customer and retrieve their business account details based solely on their name. It could also allow access to and modification of business customer accounts, as well as the retrieval of MAC addresses of connected hardware on those accounts.
Even more concerning, the research found that, assuming a customer has access to a cryptographic secret required to process hardware modification requests, it was possible to overwrite the customer’s device settings and then use that secret to reset and reboot the device.
“This meant that an attacker could have used this API to overwrite configuration settings, access the router, and execute commands on the device,” Curry explained.
In a best-case scenario for a threat actor, these APIs could be used to locate Cox customers, obtain all of their account information, gather details about connected devices and Wi-Fi passwords by querying their hardware MAC addresses, and execute arbitrary commands to take control of the accounts.
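As an added illustration (not code from the article, from Cox, or from Curry’s research), the following toy model shows the authorization failure described above: a check that accepts any valid session lets a customer replay a captured support-agent request, while the corrected check ties every call to the caller’s role and account. Endpoint names, roles and accounts here are invented.

```python
# Added illustration of the failure class described in the article; endpoints,
# roles and accounts are hypothetical, not Cox's real API.
from dataclasses import dataclass, field

SUPPORT_ONLY = {"profilesearch", "device_reset"}   # hypothetical privileged endpoints

@dataclass
class Session:
    user: str
    role: str                                    # "customer" or "support"
    accounts: set = field(default_factory=set)   # accounts this caller may touch

@dataclass
class Request:
    endpoint: str
    account: str

def authorize_vulnerable(session, request):
    """Broken check: any authenticated session passes, so a customer who replays
    a captured support-agent request reaches support-only functionality."""
    return session.user is not None

def authorize_fixed(session, request):
    """Server-side check on every call: the role must permit the endpoint, and a
    non-support caller may only target accounts they own."""
    if request.endpoint in SUPPORT_ONLY and session.role != "support":
        return False
    if session.role == "support":
        return True
    return request.account in session.accounts

def flag_replay_attempts(session, requests, threshold=1):
    """Detection aid: denied support-only calls from a non-support session are a
    signal worth alerting on; returns (flagged, list of denied endpoints)."""
    denied = [r.endpoint for r in requests
              if r.endpoint in SUPPORT_ONLY and not authorize_fixed(session, r)]
    return len(denied) >= threshold, denied

# Constructed scenario: a customer replays a support-agent lookup of another account.
customer = Session(user="alice", role="customer", accounts={"acct-1"})
support = Session(user="agent7", role="support")
replayed = Request(endpoint="profilesearch", account="acct-2")

if __name__ == "__main__":
    print("vulnerable allows replay:", authorize_vulnerable(customer, replayed))
    print("fixed allows replay:", authorize_fixed(customer, replayed))
    print("flagged:", flag_replay_attempts(customer, [replayed]))
```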
“This issue was likely introduced due to the complexities involved in managing customer devices such as routers and modems,” Curry stated.
“It’s quite challenging to create a REST API that can communicate with hundreds or even thousands of different modem and router models. If they had recognized the necessity for robust authorization from the beginning, they might have implemented a more effective authorization system that didn’t rely on a single internal protocol having access to so many devices. They face an extremely difficult task.”
About Rhyno Cybersecurity Services
Rhyno Cybersecurity is a Canadian-based company focusing on 24/7 Managed Detection and Response, Penetration Testing, Enterprise Cloud, and Cybersecurity Solutions for small and midsize businesses.