Ability to manage modems of millions of ISP Cox subscribers without authentication revealed

A customer of Cox Communications, the third-largest cable TV provider in the United States and one of its largest broadband operators with 6.5 million subscribers, published the results of experiments with the provider's internal Web API, which was reachable from the Internet and used, among other things, to access subscriber modems and the customer base of the Cox Business service. It turned out that knowing only the MAC address of the subscriber device was enough to gain full control over the modem, allowing settings to be changed and arbitrary commands to be executed on it. In effect, any attacker could obtain access to the modem equivalent to the engineering access available to the carrier's support service. Cox was notified of the issue on April 3 and fixed the vulnerability the next day.

Notably, the MAC address of the subscriber's device could be obtained from the public Web API without authentication, using the subscriber search function, for example by searching by email or account number (by iterating through account numbers, customer records could be downloaded one after another). Along with the MAC address, other subscriber information was returned, including postal address, phone number, full name and email. All of this was available to requests from the external network without authentication, and the information could not only be read but also modified.

In total, the publicly accessible API exposed more than 700 handlers, many of which implemented administrative operations. The API was reached through the host myaccount-business.cox.com, which belongs to the Cox Business service and lets customers remotely manage devices, configure a firewall and monitor traffic, among other things. The modem itself was controlled by the provider's back end over the TR-069 protocol (which accepts connections on TCP port 7547), designed for remote diagnostics and equipment management.

An encrypted parameter was used to validate the commands and settings sent to users' modems, but the encryption functions were found in one of the JavaScript files served from webcdn-business.cox.com. The encryption key was recovered by setting a breakpoint on these functions in the browser's JavaScript debugger while registering on myaccount-business.cox.com. The key was derived from the MAC address, device ID and customer account number, together with several auxiliary parameters such as the device model and access type.

The attack scenario boils down to locating the victim through the public Web API with a query by name, phone number, email or account number. Next, the attacker queries the Web API to retrieve the subscriber's full set of personal data, using the UUID obtained in the first step. With the modem's MAC address included in that data, the attacker could view the list of devices connected to the modem, change any parameter on the modem, request the Wi-Fi password and execute arbitrary commands on the device, which could be used, for example, to inspect or redirect user traffic.
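The two defects the post describes are an unauthenticated lookup by account number (missing object-level authorization, which also makes account numbers enumerable) and a validation parameter whose key is derived from values the client already holds. The following is an added Python example, not Cox's code and not part of the original post: it models the vulnerable lookup beside a hardened one that requires a session and checks account ownership, and it adds detection logic that flags a client walking account numbers sequentially in access logs. The subscriber records, the `/api/account/<n>` path, the session class and the log lines are all constructed for illustration.

```python
"""
Added example: vulnerable vs. hardened subscriber lookup, plus detection of
sequential account-number enumeration in web access logs.
All data below is constructed; nothing here is Cox's code or real customer data.
"""
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed subscriber records keyed by account number (placeholder values).
SUBSCRIBERS = {
    1001: {"name": "A. Example", "mac": "00:11:22:33:44:01", "email": "a@example.net"},
    1002: {"name": "B. Example", "mac": "00:11:22:33:44:02", "email": "b@example.net"},
    1003: {"name": "C. Example", "mac": "00:11:22:33:44:03", "email": "c@example.net"},
}


@dataclass(frozen=True)
class Session:
    """Authenticated principal; account_numbers are the accounts it is allowed to see."""
    user: str
    account_numbers: frozenset


class AuthorizationError(Exception):
    """Raised when a request arrives without an authenticated session."""


def lookup_vulnerable(account_number):
    """Mirrors the reported flaw: any caller may read any record; no session is checked."""
    return SUBSCRIBERS.get(account_number)


def lookup_hardened(session, account_number):
    """Object-level authorization: caller must be authenticated AND own the account."""
    if session is None:
        raise AuthorizationError("authentication required")
    if account_number not in session.account_numbers:
        # Return the same answer as for a non-existent account, so a caller
        # cannot distinguish 'exists but not yours' from 'does not exist'.
        return None
    return SUBSCRIBERS.get(account_number)


# Detection side: one client requesting consecutive account numbers.
# Hypothetical endpoint path; the real API layout is not in the post.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) .* "GET /api/account/(?P<acct>\d+)[^"]*" (?P<status>\d{3})'
)


def find_enumerators(log_lines, min_requests=5, min_sequential_ratio=0.8):
    """Return client IPs whose successive account-number requests mostly step by exactly 1."""
    per_ip = defaultdict(list)
    for line in log_lines:
        m = LOG_RE.match(line)
        if m:
            per_ip[m.group("ip")].append(int(m.group("acct")))
    flagged = []
    for ip, accts in per_ip.items():
        if len(accts) < min_requests:
            continue
        steps = sum(1 for a, b in zip(accts, accts[1:]) if b - a == 1)
        if steps / (len(accts) - 1) >= min_sequential_ratio:
            flagged.append(ip)
    return sorted(flagged)


# Constructed access-log lines (combined log format, documentation IP ranges).
SAMPLE_LOG = [
    f'203.0.113.7 - - [01/Jan/2000:10:00:{i:02d} +0000] "GET /api/account/{1001 + i} HTTP/1.1" 200 512'
    for i in range(6)
] + [
    '198.51.100.9 - - [01/Jan/2000:10:01:00 +0000] "GET /api/account/1002 HTTP/1.1" 200 512',
    '198.51.100.9 - - [01/Jan/2000:10:01:05 +0000] "GET /api/account/1002 HTTP/1.1" 200 512',
    '192.0.2.5 - - [01/Jan/2000:10:02:00 +0000] "GET /api/account/1001 HTTP/1.1" 200 512',
    '192.0.2.5 - - [01/Jan/2000:10:02:01 +0000] "GET /api/account/1003 HTTP/1.1" 200 512',
    '192.0.2.5 - - [01/Jan/2000:10:02:02 +0000] "GET /api/account/1002 HTTP/1.1" 200 512',
    '192.0.2.5 - - [01/Jan/2000:10:02:03 +0000] "GET /api/account/1009 HTTP/1.1" 404 0',
    '192.0.2.5 - - [01/Jan/2000:10:02:04 +0000] "GET /api/account/1005 HTTP/1.1" 200 512',
]

if __name__ == "__main__":
    owner = Session(user="b", account_numbers=frozenset({1002}))
    print("vulnerable:", lookup_vulnerable(1001))          # anyone gets A.'s record
    print("hardened, own account:", lookup_hardened(owner, 1002))
    print("hardened, other account:", lookup_hardened(owner, 1001))
    print("enumerating clients:", find_enumerators(SAMPLE_LOG))
```

The hardened lookup ties authorization to a server-held session rather than to anything the client supplies, which is the contrast with the post's encrypted parameter: a key derived from the MAC address, device ID and account number protects nothing once those values are themselves readable from the API. The detector is deliberately simple (consecutive IDs from one source); in production the same idea would key on an authenticated principal or API token as well as the source address, since NAT can put many legitimate customers behind one IP.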