Vulnerabilities in Wireless Gateways Exposed: DEF CON
The DEF CON 25 security conference in Las Vegas this year witnessed cyber security researchers exposing vulnerabilities in wireless gateways provided by internet service providers (ISPs) and cable television operators. The researchers dubbed these flaws as ‘CableTap’ and listed 26 different vulnerabilities that risk millions of ISP customers. Major ISPs and vendors including Comcast, Time Warner, Motorola, Cisco, and Arris have been affected.
The ISP customers vulnerability has been listed with ID: CVE-2017-9475 with the description “Comcast XFINITY WiFi Home Hotspot devices allow remote attackers to spoof the identities of Comcast customers via a forged MAC address.”
CableTap vulnerabilities could provide complete control of the compromised devices – set top boxes and wireless gateways to the attackers. Researchers assert that these vulnerabilities must be addressed immediately – appropriate patches must be installed immediately or all of the impacted devices will be at risk. The vendors had been alerted beforehand about these vulnerabilities, and only then have they been publicly declared. This was to allow vendors sufficient time to fix those vulnerabilities and release patches.
The Root of CableTap Vulnerability
The Reference Development Kit (RDK) is an open-source library that ISPs utilize for building gateways and firmware of set-top boxes. Numerous vulnerabilities have been discovered in this library, and patches have been released from time to time. However, the proper roll out of all patches to all devices has not been ensured. This could allow exploiting of the CableTap vulnerability.
The Impersonation Vulnerability
The CableTap CVE-2017-9475 vulnerability is a flaw in the Comcast XFINITY WiFi Home Hotspot. A skilled hacker could steal the identity of a Comcast customer who connects to this hotspot, and impersonate the stolen identity to perform activities on the internet. Any malicious activities would now be attributed to the Comcast customer. Impersonation could have very serious consequences.
The description of the CVE-2017-9475 vulnerability states that Comcast XFINITY WiFi Home Hotspot devices allow remote attackers to spoof the identities of Comcast customers via a forged MAC address. Whenever a Comcast customer has to connect to this hotspot through an unregistered device, the customer has to initially login to their Comcast account. This account is now associated with the WiFi Media Access Control (MAC) address of the newly connected device. Further on, when the customer connects to any other “xfinitywifi” hotspot, the same WiFi MAC address is used for authentication.
A hacker can wirelessly sniff this WiFi MAC address when it is connected to a xfinitywifi hotspot and then use the acquired WiFi MAC address to configure their own device. This allows the hacker to impersonate the customer for any malicious activity.
Another vulnerability has been observed in Time Warner gateways that allow a hacker to connect to the customer’s internet when the customer has been using the default WiFi credentials for the gateway. Default credentials must always be changed. Some vulnerabilities were also observed when vendors used a combination of the FastCGI protocol and the PHP programming language.
The CableTap CVE-2017-9475 vulnerability is still awaiting analysis. To stay protected customers must ensure that their device is updated with the latest version of its firmware and any other necessary software. Effective patch updation is a must which must be ensured through a robust patch management system.