Researchers today revealed Cable Haunt, a security vulnerability that affects modems from numerous manufacturers, and said it could affect hundreds of millions of modems in Europe alone. Unfortunately, there's little consumers can do about the issue.
According to the researchers, hackers could exploit Cable Haunt to "intercept private messages, redirect traffic, or [participate] in botnets." It turns out the vulnerability itself is exposed to a local network, but due to "improper websocket usage" it can be remotely exploited, even though it should have been limited to localized attacks.
Cable Haunt is said to affect modems from at least four different manufacturers. Those companies appear to share some code with each other, which is why the vulnerability is present in various products. That also makes it hard to guess how many modems are actually affected by the vulnerability.
"There are an estimated 200 million cable modems in Europe alone. With almost no cable modem tested being secure without a firmware update, the number of modems initially vulnerable in Europe is estimated to be close to this number. However, it is tough to give a precise estimate of the reach of Cable Haunt. The reason for this is that the vulnerability originated in reference software, which has seemingly been copied by different cable modems manufacturers when creating their cable modem firmware. This means that we have not been able to track the exact spread of the vulnerability and that it might present itself in slightly different ways for different manufacturers."
The researchers reportedly contacted numerous companies with information about Cable Haunt but had limited success. Some companies released firmware updates to defend their modems, and others didn't respond at all. That's why the researchers urged consumers to ask their modem's manufacturer if they're vulnerable.
Branding the vulnerability when many companies have yet to defend against it might seem ill-advised. The researchers explained on the Cable Haunt website that they felt compelled to gain as much attention as possible, however, because otherwise they wouldn't be able to effect meaningful change on the necessary scale.
Cable Haunt isn't limited to a single company's modems, and the software flaws that led to the vulnerability aren't managed by a single entity, either. Enlisting potentially affected consumers in efforts to force manufacturers to defend against the vulnerability might have been the only option available to Cable Haunt's discoverers.
The researchers set up an FAQ explaining the vulnerability's discovery and disclosure. They also compiled lists of modems known to be affected by the vulnerability or to have been secured against it. Now it's up to modem companies to fix the problem.
Cable Haunt is the code name assigned to represent two separate vulnerabilities that affect many of the cable modems in use around the world in 2020.[1][2] These vulnerabilities allow an attacker to obtain external access to a cable modem and perform any number of activities intended to modify the operation of, or monitor the data passing through a cable modem.[3]
The problem lies with the Broadcom system-on-a-chip, which is used in many cable modems, specifically with the software running the spectrum analyzer, which protects against any power surges in the cable signal.[3] It exposes an unsecured WebSockets interface that Cable Haunt can reach using JavaScript run in a victim's browser.[1]
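Browsers do not apply the same-origin policy to WebSocket connections, so a WebSocket server that wants to refuse pages from other sites has to check the `Origin` header itself. The following is an added example, not code from the researchers or from any modem firmware. It assumes that the unsecured interface described above is a server that answers upgrade requests without inspecting `Origin`, and it compares that behaviour with an allowlist check. The request path, the `other-site.example` origin and the allowlisted origin are constructed for illustration.

```python
import base64
import hashlib

WS_GUID = "258EAFA5-E914-47DA-95CA-C5AB0DC85B11"  # constant defined by RFC 6455

def parse_headers(raw: bytes) -> dict:
    """Map lower-cased header names to values from a raw HTTP request."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    headers = {}
    for line in head.split("\r\n")[1:]:          # skip the request line
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers

def accept_key(client_key: str) -> str:
    """Sec-WebSocket-Accept value the server returns for a client key."""
    digest = hashlib.sha1((client_key + WS_GUID).encode("ascii")).digest()
    return base64.b64encode(digest).decode("ascii")

def handshake(raw: bytes, allowed_origins=None) -> bytes:
    """Answer a WebSocket upgrade request.

    allowed_origins=None models a server that never inspects Origin;
    a set of origins models the hardened server.
    """
    h = parse_headers(raw)
    key = h.get("sec-websocket-key")
    if h.get("upgrade", "").lower() != "websocket" or not key:
        return b"HTTP/1.1 400 Bad Request\r\n\r\n"
    # A missing Origin is rejected too when an allowlist is configured.
    if allowed_origins is not None and h.get("origin") not in allowed_origins:
        return b"HTTP/1.1 403 Forbidden\r\n\r\n"
    return ("HTTP/1.1 101 Switching Protocols\r\n"
            "Upgrade: websocket\r\nConnection: Upgrade\r\n"
            f"Sec-WebSocket-Accept: {accept_key(key)}\r\n\r\n").encode("ascii")

def upgrade_request(origin: str) -> bytes:
    """Constructed sample of the upgrade request a browser sends."""
    return ("GET /placeholder HTTP/1.1\r\nHost: 192.168.100.1:8080\r\n"
            "Upgrade: websocket\r\nConnection: Upgrade\r\n"
            "Sec-WebSocket-Key: dGhlIHNhbXBsZSBub25jZQ==\r\n"
            "Sec-WebSocket-Version: 13\r\n"
            f"Origin: {origin}\r\n\r\n").encode("ascii")

MODEM_UI = {"http://192.168.100.1:8080"}           # assumed legitimate origin
OTHER_SITE = upgrade_request("http://other-site.example")   # constructed

if __name__ == "__main__":
    print(handshake(OTHER_SITE).split(b"\r\n")[0])            # no Origin check
    print(handshake(OTHER_SITE, MODEM_UI).split(b"\r\n")[0])  # allowlist check
```

An `Origin` allowlist only constrains browsers, which set the header themselves; clients that are not browsers can send any value, so the interface still needs authentication.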
Most homes and small businesses obtain their cable modems directly from their Internet service providers (ISPs). In situations where ISPs control the patching and firmware updating processes, subscribers must wait for cable providers to receive updated firmware from manufacturers and push it down to each individual modem. Cable companies were initially slow to respond to this threat, but now are actively working to get updates for customers.[5]
On January 19, 2020, Schrock Innovations, a computer repair company based in Lincoln, Nebraska, released executable programs for x64 Windows systems and OS X systems based on Lyrebirds' original JavaScript. These programs allowed less technically advanced users to test their own connections. Users of the programs were instructed to contact their ISP if their modem was vulnerable, to increase public pressure for patches that address the vulnerability.[6]
With the recent announcement of the Cable Haunt vulnerability (see ) and the inclusion of the CM1000 modem on the list of affected devices, is there an updated firmware available to address this issue?
And possibly more important, how can we update the firmware of our modems? I saw in another thread ( -Modems-Routers/CM1000-firmware-updates/m-p/1655395) that we cannot do that ourselves. @DarrenM said that "It's not Netgear's fault; this is a part of the DOCSIS standard. Every company that makes cable modems has to send their firmware to the ISP and have them approve the firmware, and then the ISP pushes the firmware when they want to." Like the user in that thread, my ISP says I have to upgrade the firmware myself. Can you point me to where this is in the standard so I can beat my ISP into submission with it?
I will add Netgear CM500 to the list of cable modems vulnerable to Cable Haunt (I have firmware V1.01.12). If I navigate to 192.168.100.1 and log in with admin/password, I get to an admin interface on the cable modem. If I navigate to 192.168.100.1:8080, I get to the problematic "spectrum" web screen that gives stats to the cable company about your modem's performance. Neither screen lets me add security, and from what I understand the 8080 server allows websocket connections directly from a web-browser session. That will allow a hacker to take over the cable router and run their own code there just by visiting a bad website, or a website with a bad advertisement.
I believe the right workaround for now is to block access to the admin for the cable modem from your LAN. I have an Orbi router in front and found that adding a static route for ip address: 192.168.100.1 with netmask 255.255.255.255 and metric 2 and gateway as my gateway (192.168.1.1) prevents the browser from getting to those sites now.
When I navigate to 192.168.100.1:8080 on my CM500, v1.01.11, I'm prompted for login credentials which I haven't yet tried to enter. I assume the username and password are the same as for the port 80 login.
I was prompted only for the default port (80) and entered 'admin' and 'password'. The 8080 port (spectrum) did not ask for credentials... from the CableHaunt report, it's not secured for your 'LAN' by design, so the cable company can access that information from their systems.
Most and ALL cable modems FW comes from the cable modem Mfr. Then passes to the ISPs for their continued testing and certification. Once they certify that it works on their network, then they are the ones who push it out to the connected modems. Users will not ever see FW updates they can update themselves. Updates will always come from the ISP!!!
For this problem however, the chip set Mfr, i.e. Broadcom, has to make the change. Then they will pass it to the cable modem Mfrs for integration. Then the process starts again with the cable modem Mfrs passing to the ISPs for testing and certification.
Users will need to wait and be patient while the chipset Mfr reviews, tests and fixes this problem. Broadcom has made no announcement acknowledging the problem that I can tell. All we can do is wait for the fix to eventually come thru. When and If it does.
No, that's one thing we don't see on the analyzer page is a log in or log out screen. Not sure if even having a PW put on this page will prevent hackers or not. Right now, a hacker needs to be on the LAN side of the modem to do something nefarious. Hopefully Broadcom will close this hole soon.
We have heard from Broadcom that they updated their reference software around that time, and we have no reason to believe otherwise. However we do not have access to this code or the previous version. We have only been able to see the binary firmware which the manufacturers deploy, so we can not confirm it.
Due to the nature of reference software, it is not necessarily easily forwarded to the manufacturers, and we have no way of knowing for sure if a manufacturer updated with the reference software or of their own accord.
We have not been able to get any worthwhile estimates of the units actually affected worldwide, however we are getting hundreds of emails from users reporting their modem vulnerable, and are constantly updating our website with this information."
Just a quick question: in connecting to the CM500 "spectrum" web screen/page at :8080, is there typically a default password to connect, as I've changed my admin password from the unsecure user "admin" and "password" credentials to a more secure one? Yet when I try to use the default password or my changed admin password to connect to :8080, I'm not able to connect.
In addition, I'll add here for Linux firewall users how to block access to your cable modem using null routes to blackhole the 192.168.100.1 IP. I spent a long minute trying to find this solution ( ) and it's really very easy; you don't need to add an iptable rule to your firewall.
My network setup: Internet--ISP--Cable Modem--Smoothwall Firewall--Internal Network. On the firewall, add a null route to blackhole the cable modem IP address (192.168.100.1). Here is a reference for the specific how-to setup and removal details - nixcraft, "How Do I Drop or Black Attackers IP Address with Null Routes on a Linux", -do-i-drop-or-block-attackers-ip-with-null-routes.html. I've done it and the cable modem access from the internal network is blocked. This should help until Broadcom, modem manufacturers and your ISP come up with a firmware fix for Cable Haunt. If you need to reconnect to the cable modem for some reason, simply remove the null route block.
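One way to confirm that the static route or null route from the posts above actually keeps a LAN machine away from the modem, as an added example that is not part of the original posts: the script tries a TCP connection to the modem's admin port and spectrum analyzer port and classifies the outcome. The function names are illustrative, and the `ip route` command in the comment is the usual iproute2 form of a null route, given as an assumption about the firewall in use.

```python
import errno
import socket

MODEM_IP = "192.168.100.1"           # modem address used in the posts above
PORTS = {80: "admin interface", 8080: "spectrum analyzer"}
# Assumed iproute2 null route on the firewall:
#   ip route add blackhole 192.168.100.1/32

def probe(host: str, port: int, timeout: float = 3.0) -> str:
    """Classify one TCP connection attempt from this machine."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        return "open"
    except socket.timeout:
        return "timeout"             # packets dropped somewhere on the path
    except ConnectionRefusedError:
        return "refused"             # host reachable, nothing listening
    except OSError as exc:
        # Linux reports EINVAL to local senders for a blackhole route;
        # ENETUNREACH/EHOSTUNREACH appear with other route types.
        return "blocked:" + errno.errorcode.get(exc.errno, str(exc.errno))
    finally:
        s.close()

def mitigation_holds(results: dict) -> bool:
    """True only if no probed port accepted or refused a connection."""
    return all(r == "timeout" or r.startswith("blocked:")
               for r in results.values())

def check_modem(host: str = MODEM_IP, ports=PORTS, timeout: float = 3.0) -> dict:
    """Probe every listed port and return {port: state}."""
    return {port: probe(host, port, timeout) for port in ports}

if __name__ == "__main__":
    results = check_modem()
    for port, state in results.items():
        print(f"{MODEM_IP}:{port} ({PORTS[port]}): {state}")
    print("route block effective" if mitigation_holds(results)
          else "modem still reachable from this host")
```

Run it from a machine on the internal network, since that is where the browser sits; a result of `open` on port 8080 means a page loaded in that browser can still reach the spectrum analyzer.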