Today in Edworking News we want to talk about Hacking Millions of Modems (and Investigating Who Hacked My Modem)
Introduction
Two years ago, something very strange happened to me while working from my home network. I was exploiting a blind XXE vulnerability that required an external HTTP server to smuggle out files. After setting up an AWS box with a simple Python web server to receive the traffic from the vulnerable server, I sent a cURL request from my home computer to make sure it could receive external HTTP requests. Just seconds later, an unexpected log entry showed that an unknown IP address had replayed the HTTP request I had just sent from my home network.
The setup was right, but the results were not. "Wow, that's seriously weird," I thought. It turned out someone was intercepting and replaying my HTTP traffic. Suspecting my computer had been hacked, I replicated the scenario from another device to check. Unsurprisingly, the same behavior appeared there too, which led me to conclude that my network, or more precisely my modem, was compromised.
An interesting twist came when I looked up the mysterious IP: it belonged to DigitalOcean, which did not match my ISP's address range at all. Who was this 159.65.76.209?
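The out-of-band setup described above (a listener that receives callbacks from a target, and a log that unexpectedly shows a second fetch from a foreign address) can be turned into a routine check. The following is an added example, not code from the original post: it gives every callback URL a unique token and then scans the listener's access log for any token fetched by an address that is not one of the expected fetchers. The log lines, the expected addresses 203.0.113.7 and 198.51.100.9, and the `/cb/` path layout are constructed for illustration; only 159.65.76.209 comes from the post.

```python
"""Detect replayed out-of-band (OOB) callbacks in a listener's access log.

Added example, not the post's own tooling. Each callback URL carries a unique
token that only the originator and the target should ever see, so a fetch of
that token from any other source address means the request was intercepted
and replayed somewhere on the path.
"""
import re
import secrets
from datetime import datetime

# Combined-log-style lines as a minimal listener might write them (constructed).
# 203.0.113.7 is the tester's home address, 198.51.100.9 the target server,
# 159.65.76.209 the unknown DigitalOcean address from the post.
SAMPLE_LOG = """\
203.0.113.7 - - [02/Jun/2024:14:03:11 +0000] "GET /cb/a1f9c2 HTTP/1.1" 200 2
159.65.76.209 - - [02/Jun/2024:14:03:14 +0000] "GET /cb/a1f9c2 HTTP/1.1" 200 2
203.0.113.7 - - [02/Jun/2024:14:05:40 +0000] "GET /cb/7be4d0 HTTP/1.1" 200 2
203.0.113.7 - - [02/Jun/2024:14:05:41 +0000] "GET /cb/7be4d0 HTTP/1.1" 200 2
198.51.100.9 - - [02/Jun/2024:14:07:02 +0000] "GET /cb/e0c311 HTTP/1.1" 200 2
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d+)'
)
# Callback paths look like /cb/<6 hex chars>; anything else is ignored.
TOKEN_RE = re.compile(r"^/cb/(?P<token>[0-9a-f]{6})$")


def new_callback_url(base="http://listener.example"):
    """Mint a fresh, unguessable callback URL for one outbound payload."""
    return f"{base}/cb/{secrets.token_hex(3)}"


def parse_line(line):
    """Return {'ip', 'ts', 'token'} for a callback line, or None otherwise."""
    m = LINE_RE.match(line)
    if not m:
        return None
    t = TOKEN_RE.match(m["path"])
    if not t:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return {"ip": m["ip"], "ts": ts, "token": t["token"]}


def find_replays(log_text, expected_ips):
    """Return one finding per fetch of a token by an address outside expected_ips.

    expected_ips: addresses that legitimately fetch callbacks (the target and
    the tester's own machine). Repeats from an expected address are treated as
    retries, not replays. Each finding records the first fetch of that token
    and the delay until the foreign fetch, which is what makes interception of
    live traffic (seconds) distinguishable from a later log scrape (hours).
    """
    first_seen = {}
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        first_seen.setdefault(rec["token"], rec)
        if rec["ip"] in expected_ips:
            continue
        orig = first_seen[rec["token"]]
        findings.append({
            "token": rec["token"],
            "first_ip": orig["ip"],
            "replay_ip": rec["ip"],
            "delay_s": (rec["ts"] - orig["ts"]).total_seconds(),
        })
    return findings


if __name__ == "__main__":
    print("next payload URL:", new_callback_url())
    for f in find_replays(SAMPLE_LOG, {"203.0.113.7", "198.51.100.9"}):
        print(f"token {f['token']} first fetched by {f['first_ip']}, "
              f"replayed by {f['replay_ip']} after {f['delay_s']:.0f}s")
```

On the constructed log this reports exactly one finding: token `a1f9c2`, first fetched from 203.0.113.7 and replayed three seconds later from 159.65.76.209, while the same-address repeat of `7be4d0` is correctly ignored. A three-second delay is the signature of traffic being duplicated in real time rather than harvested from a log afterwards.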
Handing Over Evidence
Investigating modem vulnerabilities to understand persistent interception and replay of HTTP traffic.
To rule out AWS as the point of compromise, I spun up fresh instances on AWS and GCP, but the same interference persisted. Once the modem was the only remaining suspect, I brought in friends who work in threat intelligence to investigate further. They traced the unknown IP address to phishing domains previously associated with a South American cybersecurity firm, and found indicators that it had been set up as a command-and-control (C2) server for router malware.
Realizing my modem was compromised, I disconnected it immediately. Getting a replacement proved tricky, though, because the ISP insisted on taking the old modem back under the rental terms. Reluctantly, I handed it over and received a new one. To my dismay, that ended any further personal investigation, since the unusual traffic ceased with the new device.
Targeting REST APIs using the TR-069 Protocol
Three years later, while helping a friend set up his Cox modem, I dealt with ISP support and was intrigued by their ability to change settings on the device remotely. That capability comes from the TR-069 protocol (CWMP), which ISPs use extensively to manage customer-premises equipment but which is seldom exposed to the public internet. I theorized that attackers might target the ISP's support infrastructure that uses this protocol as a route into the modems themselves.
Going from theory to hands-on investigation, I examined the Cox Business portal APIs, which appeared to handle most device-related functionality. Many of the API calls shared the same base path, which suggested a common backend worth exploring further.
Hacking Millions of Modems
Probing under that base path turned up an endpoint that exposed a wealth of administrative capabilities, such as querying customer devices and running admin commands. Testing it revealed a serious lapse: authorization was enforced inconsistently. A request that was rejected with an authorization error would sometimes succeed when simply replayed, and one successful replay was enough to modify anyone's modem settings.
API vulnerabilities enabling full control over extensive modem networks.
What began as an accidentally discovered authorization bypass became a repeatable chain of steps that let an attacker reach and modify any Cox modem's configuration remotely. The vulnerabilities in the API's configuration confirmed my worst fears: this was indeed a pathway to millions of modems.
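Authorization that holds on one request and fails on an identical replay is a distinct bug class from a missing check, and it is easy to miss with a single probe. The following is an added example, not the Cox API or the post's own tooling. It models one way such inconsistency arises (an assumption for illustration; the page does not say what caused it): a fleet of API replicas behind a round-robin dispatcher where one replica was deployed without the authorization middleware. `replay_probe()` is the check a tester runs against any endpoint regardless of cause: send the same unauthenticated request many times and flag more than one distinct verdict. The hardened fleet applies the same middleware to every replica so the verdict cannot vary. Token value, request fields and handler names are constructed.

```python
"""Probe for inconsistently enforced authorization by replaying one request.

Added example, not code from the original post. Handlers return
(status_code, body) like a tiny web framework would; the "fleet" stands in
for several instances behind a load balancer.
"""
import itertools
from collections import Counter

ADMIN_TOKEN = "s3cr3t"  # constructed; a real deployment would validate a signed session


def business_logic(request):
    """The privileged operation itself, with no access check of its own."""
    return 200, {"device": request["device"], "action": request["action"], "result": "ok"}


def require_auth(handler):
    """Middleware: reject anything without the admin bearer token."""
    def wrapped(request):
        if request.get("authorization") != f"Bearer {ADMIN_TOKEN}":
            return 403, {"error": "forbidden"}
        return handler(request)
    return wrapped


class RoundRobinFleet:
    """Dispatch each request to the next replica in turn (a load balancer stand-in)."""
    def __init__(self, replicas):
        self._cycle = itertools.cycle(replicas)

    def __call__(self, request):
        return next(self._cycle)(request)


def make_fleet(consistent):
    """Three replicas. In the inconsistent fleet the third one was deployed
    without the middleware, so one request in three is never checked."""
    if consistent:
        return RoundRobinFleet([require_auth(business_logic)] * 3)
    return RoundRobinFleet([require_auth(business_logic),
                            require_auth(business_logic),
                            business_logic])  # assumption: misconfigured replica


def replay_probe(send, request, attempts=20):
    """Replay one request `attempts` times.

    Returns (Counter of status codes, inconsistent). A single probe that gets
    403 proves nothing; the bug shows up only as a mix of verdicts across
    identical requests, which is what `inconsistent` reports.
    """
    statuses = Counter(send(request)[0] for _ in range(attempts))
    return statuses, len(statuses) > 1


if __name__ == "__main__":
    unauth = {"device": "modem-1234", "action": "set_dns"}  # no Authorization header
    for label, fleet in (("vulnerable", make_fleet(False)), ("fixed", make_fleet(True))):
        counts, inconsistent = replay_probe(fleet, unauth)
        print(f"{label}: {dict(counts)} inconsistent={inconsistent}")
```

Against the modelled vulnerable fleet, 20 replays of an unauthenticated request return 403 fourteen times and 200 six times, and the probe flags the endpoint; against the fixed fleet every replay is refused. When running this kind of probe against a live system, replay a read-only request rather than a state-changing one, because a single success is already a live modification of someone else's device.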
Upon responsibly disclosing these vulnerabilities to Cox, they acted swiftly, eliminating exposed API calls within hours, effectively closing the access loophole.
Edworking is the best and smartest decision for SMEs and startups to be more productive. Edworking is a FREE superapp of productivity that includes all you need for work powered by AI in the same superapp, connecting Task Management, Docs, Chat, Videocall, and File Management. Save money today by not paying for Slack, Trello, Dropbox, Zoom, and Notion.
Remember these 3 key ideas for your startup:
Vulnerability Identification: Ensure regular security audits for not only hardware but also backend APIs to detect and mitigate potential vulnerabilities early.
Incident Response Planning: Develop and practice comprehensive incident response plans to swiftly address unexpected security breaches, minimizing downtime and potential damage.
Educate and Coordinate: Regularly educate employees and stakeholders on identifying suspicious activities and coordinate closely with security professionals to foster a culture of security.
For more details, see the original source.