Millions of Cable Modems Vulnerable to “Cable Haunt” Attacks

Last updated September 23, 2021
Written by:
Bill Toulas
Bill Toulas
Cybersecurity Journalist

A team of researchers from the Lyrebird infosec firm and Simon Vandel Sillesen has discovered a new type of attack which they dub as “Cable Haunt”. This critical vulnerability concerns the cable modems of various manufacturers and enables a remote actor to take over a device through an unprotected endpoint. The main implication of this is the interception of the internet traffic of all the devices that are connected to the modem, including the private messages. Other forms of exploitation include the redirection of the traffic, the disabling of firmware updates, the changing of the default DNS server, changing of serial numbers, and also the participation of the modem in malicious botnets.

The attack is based on the exploitation of an endpoint that is open to serve a spectrum analyzer tool. As the WebSocket for this tool isn’t protected, an attacker can access the endpoint via an HTTP request. All that would be needed in the execution of a specially crafted JavaScript snippet running in the browser. The next step is to trigger a buffer overflow vulnerability in the JSON request parsing system of the WebSocket. By creating a special message, one could push the modem into arbitrary code execution mode, which would eventually lead to device takeover.

spectrum analyzer

Source: Cable Haunt Report

The researchers have even developed a proof of concept code, so the first question that comes into everyone’s mind is "am I affected?". The following modems have been confirmed to be vulnerable to “Cable Haunt”, although more are bound to be added onto the list soon.

The team has also developed a tool to check if your modem is vulnerable or not, which you may grab from GitHub.

If someone has already taken over your modem, chances are that you won’t have a clue. One thing that could potentially help stop the actors on your network's door would be a strict firewall configuration that regular users are unlikely to have set up. As for whether “Cable Haunt” is being exploited in the wild right now, the researchers have found no evidence of that, but it would be easy for skilled actors to hide their tracks anyway. The only thing that we as users can do is to check our modems, apply the latest firmware updates, and contact our ISP and modem vendor to inform them of the problem.



For a better user experience we recommend using a more modern browser. We support the latest version of the following browsers: For a better user experience we recommend using the latest version of the following browsers: