Hackers in the support role: how Cox modems reveal customers' personal data

Tomcat
Researchers have shown how an Internet provider's own device-management tooling can be turned into a hacking tool.

A series of vulnerabilities in Cox Communications modems could have given attackers a foothold for gaining unauthorized access to the devices and executing malicious commands on them. Sam Curry, a security researcher at Yuga Labs, has published a report detailing the threats posed by the Cox modem vulnerabilities.

According to the researcher's report, the vulnerabilities allowed a remote attacker, with no preconditions at all, to execute commands on and change the settings of millions of Cox modems, retrieve the personal information of business customers and, in effect, obtain the same privileges as the Internet service provider's own support staff.

After responsible disclosure on March 4, 2024, the vulnerabilities were promptly fixed by Cox, the US broadband Internet provider, within 24 hours. At the moment there is no evidence that they were used in real attacks.

Curry admitted that he was very surprised by the virtually unlimited access that Internet service providers like Cox have to their customers' devices. Cox support agents can remotely manage device settings, such as changing the Wi-Fi password and viewing connected devices, over the TR-069 remote-management protocol.

Curry's analysis identified about 700 exposed API endpoints in Cox's modem-management backend, some of which could be used to gain administrative rights and execute unauthorized commands by exploiting authorization flaws: a request that was initially rejected could be replayed repeatedly until one attempt went through, because the permission check was not applied consistently.

Among them was the "profilesearch" endpoint, which could be used to look up a customer and retrieve their business account data from nothing more than a name, by replaying the query until it succeeded. From there an attacker could also obtain the MAC addresses of the hardware on the customer's account, and even access the customer's business accounts and change their settings.
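The two sides of the "replay until it succeeds" flaw described above, as an added example that is not code from Cox or from Curry's report: a probe that replays one identical request and records every status it gets back, and a log-side detector that flags the resulting pattern of repeated 403s followed by a 200. The page does not say why replaying worked at Cox, so the backend model here is an assumption: a round-robin load balancer in front of several API nodes, one of which is missing the authorization check. The endpoint path, client address, roles and log format are all constructed for illustration.

```python
"""Replay-based authorization-bypass probe plus a log-side detector.

Added example, not code from Cox or Sam Curry's report. The backend is a
constructed model: a round-robin load balancer where one node lacks the
authorization check, so a forbidden request occasionally succeeds when
replayed. Endpoint, client, roles and log lines are all hypothetical.
"""
import itertools
from collections import defaultdict


class SimulatedBackend:
    """One API node; enforces_auth=False models a misconfigured node."""

    def __init__(self, name, enforces_auth=True):
        self.name = name
        self.enforces_auth = enforces_auth

    def handle(self, request):
        # Hypothetical rule: only support agents may search customer profiles.
        if self.enforces_auth and request["role"] != "support":
            return 403, {"error": "forbidden"}
        # Constructed response; no real customer data.
        return 200, {"profile": {"name": request["query"], "account_id": "ACCT-0001"}}


class SimulatedLoadBalancer:
    """Round-robin across backends, writing one access-log line per request."""

    def __init__(self, backends):
        self._cycle = itertools.cycle(backends)
        self.access_log = []

    def send(self, request):
        backend = next(self._cycle)
        status, body = backend.handle(request)
        self.access_log.append(
            f'{request["client"]} "POST {request["path"]}" {status} backend={backend.name}'
        )
        return status, body


def replay_until_authorized(api, request, max_attempts=20):
    """Offensive test: replay one identical request, recording each status.

    Returns (attempts_used, statuses, body_of_first_success_or_None).
    """
    statuses = []
    for attempt in range(1, max_attempts + 1):
        status, body = api.send(request)
        statuses.append(status)
        if status == 200:
            return attempt, statuses, body
    return max_attempts, statuses, None


def detect_replay_bypass(log_lines, min_denials=3):
    """Defensive check over access-log lines in the constructed format above.

    Flags each (client, path) pair that collected at least min_denials 403s
    and then received a 200: the signature of an inconsistently enforced check.
    """
    per_key = defaultdict(list)
    for line in log_lines:
        parts = line.split()
        client, path, status = parts[0], parts[2].rstrip('"'), int(parts[3])
        per_key[(client, path)].append(status)
    findings = []
    for key, statuses in per_key.items():
        denials = 0
        for status in statuses:
            if status == 403:
                denials += 1
            elif status == 200 and denials >= min_denials:
                findings.append((key, denials))
                break
    return findings


def run_demo():
    """Four nodes, the fourth misconfigured: the probe succeeds on attempt 4."""
    api = SimulatedLoadBalancer([
        SimulatedBackend("api-1"), SimulatedBackend("api-2"),
        SimulatedBackend("api-3"), SimulatedBackend("api-4", enforces_auth=False),
    ])
    request = {"client": "10.0.0.5", "path": "/api/profilesearch",
               "role": "customer", "query": "Example Business LLC"}
    attempts, statuses, body = replay_until_authorized(api, request)
    return {"attempts": attempts, "statuses": statuses, "body": body,
            "findings": detect_replay_bypass(api.access_log)}


if __name__ == "__main__":
    print(run_demo())
```

The probe is deliberately the dumbest possible test, because that is all the flaw needed: no timing, no race, just resend the same bytes. The detector keys on the client and path only, so it also catches the case where the eventual 200 comes from a different backend node than the denials, which is exactly the situation the load-balancer model produces.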

Even more disturbing was that it was possible to overwrite a customer's device settings if the attacker held the cryptographic secret required to process hardware-modification requests. With it, an attacker could reboot the device, gain access to the router and execute commands on it.

In a hypothetical attack scenario, an attacker could use these APIs to search for a Cox customer, obtain their full account details, query the MAC address of their hardware to extract Wi-Fi passwords and the list of connected devices, and execute arbitrary commands to hijack accounts.

Curry explains that the problem probably arose from the complexity of managing customer devices. Building a REST API that can talk uniformly to hundreds of different modem and router models is a genuinely complex undertaking. If Cox had seen the need for this from the start, they could have built in an authorization mechanism that did not rely on a single internal protocol with access to so many devices. That is quite a complex task.

Curry, along with several other researchers, previously uncovered vulnerabilities affecting millions of vehicles from 16 different manufacturers that could be used to unlock, start, and track cars.