Researcher Uncovers Flaws in Cox Modems, Potentially Impacting Millions

Now-patched authorization bypass flaws in Cox modems could have been used as a starting point to gain unauthorized access to the devices and execute malicious commands on them.

"This series of vulnerabilities demonstrated a way in which a fully external attacker with no prerequisites could've executed commands and modified the settings of millions of modems, accessed any business customer's PII, and gained essentially the same permissions of an ISP support team," security researcher Sam Curry said in a new report published today.

Following disclosure on March 4, 2024, the authorization bypass issues were addressed by the U.S. broadband provider within 24 hours. There is no evidence that these weaknesses were exploited in the wild.

"I was really surprised by the seemingly unlimited access that ISPs had behind the scenes to customer devices," Curry told The Hacker News via email.

"It makes sense in retrospect that an ISP should be able to remotely monitor these devices, but there is an entire internal architecture established by firms like Xfinity that bridges consumer devices to externally exposed APIs. If an attacker uncovered flaws in these systems, they might potentially compromise hundreds of millions of devices."

Curry and his collaborators had previously discovered multiple vulnerabilities affecting millions of vehicles from 16 different manufacturers that could be exploited to unlock, start, and track cars. A subsequent investigation also found security holes in points.com that could have been used by an attacker to access customer information and even obtain permissions to issue, manage, and transfer reward points.

The starting point of the latest investigation is the fact that Cox support agents have the ability to remotely modify and update device settings, such as changing the Wi-Fi password and viewing connected devices, using the TR-069 protocol.

Curry's analysis of the underlying mechanism uncovered around 700 exposed API endpoints, some of which could be abused to gain administrative functionality and run unauthorized commands by exploiting the authorization issues and repeatedly replaying the HTTP requests.

This includes a "profilesearch" endpoint that could be exploited to search for a customer and retrieve their business account details using only their name, simply by replaying the request a couple of times, to fetch the MAC addresses of the hardware on their account, and even to access and modify business customer accounts.
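From the server side, the replay-until-authorized behaviour described above shows up in access logs as the same client repeating the same request, being denied, and then suddenly succeeding. The following detection sketch is an added example, not code from Curry's report or from Cox; the log format, the /api/profilesearch path and the client addresses are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample access log (not real traffic), assumed to be in
# chronological order: client, timestamp, method, path, HTTP status.
SAMPLE_LOG = """\
10.0.0.5 2024-03-01T10:00:00Z POST /api/profilesearch 403
10.0.0.5 2024-03-01T10:00:01Z POST /api/profilesearch 403
10.0.0.5 2024-03-01T10:00:02Z POST /api/profilesearch 200
10.0.0.9 2024-03-01T10:05:00Z GET /api/status 200
10.0.0.9 2024-03-01T10:05:03Z GET /api/status 200
10.0.0.7 2024-03-01T11:00:00Z POST /api/profilesearch 403
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")


def parse_log(text):
    """Yield (client, timestamp, method, path, status) for each well-formed line."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.group(1), m.group(2), m.group(3), m.group(4), int(m.group(5))


def find_replay_to_success(text, min_denials=1):
    """Return (client, method, path, denials) for every client/endpoint pair where
    at least min_denials authorization denials (401/403) were immediately followed
    by a 2xx for the identical request. A consistent authorization layer never
    flips like that for the same caller, so each hit is worth investigating."""
    denials = defaultdict(int)
    hits = []
    for client, _ts, method, path, status in parse_log(text):
        key = (client, method, path)
        if status in (401, 403):
            denials[key] += 1
        elif 200 <= status < 300 and denials[key] >= min_denials:
            hits.append((client, method, path, denials[key]))
            denials[key] = 0
        else:
            # Any other outcome breaks the deny-then-allow streak for this pair.
            denials[key] = 0
    return hits


if __name__ == "__main__":
    for hit in find_replay_to_success(SAMPLE_LOG):
        print("replay-to-success:", hit)
```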

Even more troublingly, the research showed that it is possible to change a customer's device settings provided the attacker possesses a cryptographic secret that is required when handling hardware modification requests, using it to ultimately reset and reboot the device.

"This meant that an attacker could have accessed this API to overwrite configuration settings, access the router, and execute commands on the device."

In a hypothetical attack scenario, a threat actor could have abused these APIs to look up a Cox customer, access their complete account details, query their hardware MAC address to retrieve Wi-Fi passwords and connected devices, and run arbitrary commands to take control of the accounts.

"This issue was likely introduced due to the complexities around managing customer devices like routers and modems," Curry said.

"Building a REST API that can generically talk to presumably hundreds of distinct models of modems and routers is pretty complicated. If they had identified the need for this originally, they could've built in a stronger authorization method that wouldn't rely on a single internal protocol having access to so many devices. They have a really hard task to tackle."
