What a great article. Very easy to follow. The best part was that instead of attacking the messenger and denying any problem, Cox seem to have acted like the very model of responsible security response in this kind of situation. I'd love to read a follow up on what the bug was that intermittently permitted unauthorised access to the APIs. It's the kind of error that could easily be missed by superficial testing or depending on the reason behind the bug, perhaps not even experienced in the test environment.
What sucks about this situation is when your ISP forces you to use their modem or router. For example, I have AT&T fiber and it does some kind of 802.1X authentication with certificates to connect to their network. If they didn't do this, I could just plug any arbitrary device into the ONT. There are/were workarounds to this but I don't want to go through all those hoops to get online. Instead, I ended up disabling everything on the AT&T router and have my own router that I keep up to date plugged into that. Unbeknownst to me, the AT&T router could be hacked and I would never notice unless it was adversely affects my service.<p>Thank god most things use HTTPS these days.
Great read, and fantastic investigation. Also nice to see a story of some big corp not going nuclear on a security researcher.<p>I can't say for certain, and the OP if they're here I'd love for you to validate this - but I'm not convinced requests to the local admin interface on these Nokia routers is properly authenticated. I know this because I recently was provisioned with one and found there were certain settings I could not change as a regular admin, and I was refused the super admin account by the ISP. turns out you could just inspector hack the page to undisable the fields and change the fields yourself, and the API would happily accept them.<p>if this is the case, and an application can be running inside your network, it wouldn't be hard to compromise the router that way, but seems awfully specific!
<i>> After reporting the vulnerability to Cox, they investigated if the specific vector had ever been maliciously exploited in the past and found no history of abuse</i><p>Would you trust a thing they say? It seems their whole network is swiss cheese.
Many routers require manual firmware updates. GL.iNet routers had several RCE (Remote Code Execution) vulnerabilities within the last 6 months. I advise you to have a quick look in your own router to ensure its not hacked, and possibly upgrade firmware.<p>As a typical user the noticeable symptoms for me were:
- internet speed noticeably slows down
- WiFi signal drops and personal devices either don't see it, or struggle to connect. At the same time the router is still connected to the internet
- router's internal admin page (192.168.8.1) stopped responding<p>I imagine many users haven't updated their routers and thus may be hacked. In my case the hacker installed Pawns app from IPRoyal, which makes the router a proxy server and lets hacker and IPRoyal make money. The hacker also stole system logs containing information about who and when they use the device, whether any NAS is attached. They also had a reverse shell.<p>Solution:
1. Upgrade firmware to ensure these vulnerabilities are patched.
2. Then wipe the router to remove the actual malware.
3. Then disable SSH access, e.g. for GL.iNet routers that's possible within the Luci dashboard.
4. Afterwards disable remote access to the router, e.g. by turning Dynamic DNS off in GL.iNet. If remote access is needed, consider Cloudflare Tunnel or Zero Trust or similar. There is also GoodCloud, ZeroTier, Tailscale, etc. I am not too sure what they all do and which one would be suitable for protected access remotely. If anyone has advice, I would appreciate a comment.<p>Consider avoiding GL.iNet routers. They do not follow principle of least privilege (PoLP) - router runs processes using root user by default. SSH is also enabled by default (with root access), anyone can try to bruteforce in (10 symbol password consisting of [0-9A-Z] and possibly might be more predictable). I set mine to only allow ssh keys rather than a password to prevent that. Despite running OpenWrt they are actually running their own flavor of OpenWrt. So upgrading from OpenWrt 21.02 to 23.05 is not possible at the moment.
<i>> "...and found no history of abuse..."</i><p>Because they didn't have enough logging or auditing to start with, or no logs or audit data left since the hack.
Did they *<i>pay*</i> him? He kind of saved them, tipped them off to a complete compromise of their security infrastructure which was not trivial to discover. Looks like he got nothing in return for "doing the right thing". How insulting is that? What is their perception of someone walking in to their offices with this essential information? I guarantee his self image and their perception are very different. They see an overly caffeinated attention seeking "nerd" just handed them a 300k exploit in exchange for a gold star and then they ran like smeg to cover their asses and take all the credit internally. He feels like superman, goes home to his basement apt, microwaves some noodles and writes a blogpost. This is a perfect example why you never, never report a 0day.
An open question is still: how were the attackers able to grab his HTTP traffic?<p>Some CPEs have a cloud Wireshark-like capability for debugging. I'm not sure if those are even on the Cox production firmware images. Usually there's a set of firmware for production and a set for test (which obviously makes it hard to test for problems in production).<p>I suppose Cox could do a check to see what firmware versions are out there. ISPs can auto-upgrade firmware that doesn't match a specific firmware revision, and this was a Cox modem so they probably have firmware for it. So if it was a debug firmware how did it get there and survive?
One of the reasons to not be excited about ISP provided cable modems with WiFi functionality and to have good endpoint/service security on your LAN. (TLS, DNS over TLS at least accross the modem/ISP)<p>I just put it in bridge mode, disable wifi, and all network functionality is served by my own devices.<p>The last modem I rented from ISP, the ISP didn't bother with any firmware updates for ~10 years. It was rock stable because of that, though. :)
Nightmare fuel. Giant tech company, giant vuln. There’s so much to say, but more than anything Im just upset. The article and this dude are amazing. The exploit is not excusable.
I observed very similar behavior a few years back when transferring files between two servers under my control on different parts of a large university network.<p>We also initially thought we were the subject of a breach, but after the investigation we determined that the network's IDS was monitoring all traffic, and upon certain triggers, would make identical requests from external networks.<p>We found a way to identify all other similar IDSs across the internet and even "weaponize" this behavior. We ended up writing a paper on it: <a href="https://ian.ucsd.edu/papers/cset2023_fireye.pdf" rel="nofollow">https://ian.ucsd.edu/papers/cset2023_fireye.pdf</a>
Observation: The root of this problem is NOT because Cox's engineering practices lacked a comprehensive enough security review process to find and fix security vulnerabilities prior to them being discovered post deployment ("hindsight is always 20/20" as they say), but rather because there was (and still is) an <i>Information Asymmetry</i> between Cox and Cox's customers, i.e., in terms of complete knowledge of how Cox's devices actually work under the hood...<p>Although, in fairness to Cox, this <i>Information Asymmetry</i> -- also exists between most companies that produce tech consumer goods and most tech consumers (i.e., is it really a big deal if most other big tech companies engage in the same practices?), with the occasional exception of the truly rare, completely transparent, 100% Open Source Hardware, 100% Open Source Software company...<p><a href="https://en.wikipedia.org/wiki/Information_asymmetry" rel="nofollow">https://en.wikipedia.org/wiki/Information_asymmetry</a><p>Anyway, a very interesting article!
Great article, but unfortunately a determined threat actor would just go to the source and get a remote job as a Cox technician to gain access to millions of routers to add to their botnet. A real solution by the ISP would be to implement a software (or, preferably, hardware) setting that prevents remote access by default unless explicitly enabled by the customer. That approach would slow a social engineering campaign and limit the scope of a hack like this.
Great read, I loved following your thought process as you kept digging.<p>At what point did you inform Cox about your findings? It doesn't sound like you were ever given the green light to poke at their management platform. Isn't work like this legally dubious, even if it is done purely in white-hat fashion?
Holy hell, but how are your laws in the US aligned so doing something like this is okay?<p>In Germany you would get minimum 3 years in jail for this, people got in front of court for way way way way less.
Great writeup. There's just one thing I don't get: the auth part. It seems the author managed to access protected endpoints without any auth, by just repeating the same request over and over until the endpoint randomly accepted it. The part that confuses me is, <i>how could that possibly happen</i>? What possible architecture could this system have to enable this specific failure mode?<p>I struggle to think of anything, short of auth handling being a separate service injected between a load balancer and the API servers, and someone somehow forgot to include that in autoscaling config; but surely this is not how you do things, is it?
The intermittent auth thing in /profilesearch is a sign that they're round-robinning the servers and misconfigured one.<p>Also, it looks like he hit a front-end API that drives the TR-069 backend. Changing the WiFi SSID is a long way from being able to "...execute commands on the device"
i'm really glad that i can use my own modem.
In germany every ISP is by law required to accept self brought modems.
They can't force you to use their often shitty hardware.
My current modem/router is up for 3 months without a single interruption to my connection.
<p><pre><code> One of the things I'll never understand was why the attacker was replaying my traffic? They were clearly in my network and could access everything without being detected, why replay all the HTTP requests? So odd.
</code></pre>
I was thinking about this while reading. My guess is that the vulnerability was limited to reading incoming requests (to the modem) or something along those lines, not full control of the network. Replaying the requests is a good way to get both ends of the traffic if you can only access one. For instance, a login + password being authenticated. Just a thought!<p>EDIT: I'd be hard-pressed to know how one could exploit this, given TLS would encrypt the requests. Maybe they're counting on using badly encrypted requests, encrypted with e.g. TLSv1.0?
> One of the things I'll never understand was why the attacker was replaying my traffic? They were clearly in my network and could access everything without being detected, why replay all the HTTP requests? So odd.<p>Did you determine if POSTs were replayed? As in, logging into accounts and sending payment info and account info?
> Somehow, someone was intercepting and replaying the web traffic from likely every single device on my home network.<p>Normally I'd laugh and assume device compromise but...<p>The largest ISP in Australia (Telstra) got caught doing exactly this over a decade ago. People got extra paranoid when they noticed the originating IP was from Rackspace as opposed to within Telstra. Turned out to be a filter vendor scraping with dubious acceptance from customers. The ToS was quietly and promptly updated.
My bet on the replays was that the attacker misconfigured their payload or something and it was meant to replay command and control requests to obfuscate where the C2 server was
This reminded me to turn off "privacy settings" to "keep your vehicle in good condition and observe the vehicle's health" on my Volvo XC40 after the mechanics asked me to turn it on yesterday during the yearly maintenance.
I don't know if they can change some settings remotely, but I prefer to be cautious
I remember creating some webserver at work years ago, and I saw a router querying it. I warned the company admin.<p>Also, my wifi firmware occasionally crashes and needs to be restarted.<p>I don't work in cyber security or on anything sensitive, but if I was told I'm under surveillance by some government or some criminal, I would not be surprised.
<i>> there were about 700 different API calls..</i><p>That's more API endpoints than some first tier public clouds, wow. For a modem.<p>Somebody wanted (and sorta deserves) promo..<p>But also not, because the whole platform turned out to be incredibly insecure! Egregious!!!
Wow! I just what a high a security researcher would feel while performing this research and keep finding open doors!<p>I wonder if it’s a mix of exhilaration and being terrified!