back to article Hundreds of millions of Broadcom-based cable modems at risk of remote hijacking, eggheads fear

A vulnerability in Broadcom's cable modem firmware has left as many as 200 million home broadband gateways in Europe, and potentially more worldwide, at risk of remote hijackings. Four Danish researchers have demonstrated how a miscreant could exploit the hole, CVE-2019-19494, the wild: essentially, a victim is tricked into …

  1. Cronus

    Nice how they provide proof of concept code for malware authors to adapt despite their "What Should I Do?" section of the FAQ suggesting they've not made much of an attempt to get this patched first.

  2. Duncan Macdonald Silver badge

    Yet another reason for NoScript

    See title

    1. John Brown (no body) Silver badge

      Re: Yet another reason for NoScript

      Yep. Go to the provided link and....blank screen unless I allow scripts to run. Exactly the behaviour they raise as the ingress for the malware. I took a chance and enable scripts for their domain. They have a tool I can use to see if my modem has been compromised. Their link takes me to github where I'm expected to download and install some executable then download and run a Python script.

      How do I know for sure that this isn't an elaborate hoax to get be infected?

      1. LDS Silver badge

        "How do I know for sure that this isn't an elaborate hoax to get be infected?"

        I hope El Reg does some checks before publishing the links, unless it's part of the hoax too...

        1. ds6 Bronze badge

          Re: "How do I know for sure that this isn't an elaborate hoax to get be infected?"

          The aliens will probe you! Trust me, I'm still sore...

  3. Demon investors


    The obvious motivation for modem hacking that isn't mentioned is their ability to push a large amount of traffic for DDoS purposes. 1Gb/s upload in Europe is not that uncommon, so a single modem could take down some sites on its own.

    1. whitepines Silver badge

      Re: DDoS

      Question is though, what bandwidth is there upstream from the head ends? Sure, maybe each modem could peak at 1G/s up on a good day, but if you get 1000 modems all doing that I highly doubt there's a working 1T/s connection up from each head end to the next level provider (or even the next hop, often another head end, in the cable plant).

      At minimum the NOC should notice and if required throttle all those modems to get the storm under control (first network to get DDoSed in such an attack will be the network operator's, after all...)

      1. big_D Silver badge

        Re: DDoS

        DDoS generally uses magnification attacks, they send a small packet upstream, which causes the recipient to send a lot of data to the spoofed IP address.

        You send a simple request of a few bytes up to, for example, an NTP server, asking for a list of information and you provide it with a spoofed answer address. Your few bytes upstream turn into anything up to megabytes in return information aimed at the site you are DDoSing. Therefore 200 million modems with limited upstream capability can still cause terabyte sized DDoS attacks.

        1. whitepines Silver badge

          Re: DDoS

          Fair enough, though a decent NOC should still be able to see the abnormal flow on their network (200 million modems doing constant NTP or DNS lookups with no return flow *should* throw a few alarms).

          As to how to mitigate that, I'm not sure. You can't just cut off NTP or DNS, and rate limiting is not going to help much due to the amplification. Any of the obvious solutions (redirect to ISP servers only, block outgoing, blocking IPs with outgoing requests but no incoming data) will either create massive privacy and security problems or result in the helldesk phones ringing off the hook with justified "can't browse" complaints.

          It's almost like trusting a third party to develop business critical software might be a bad idea, no?

  4. Pascal Monett Silver badge

    "but could for example, also be done through ads on a trusted website"

    Sorry, even if I trust a website, I am trusting no ads.

    I run NoScript and UBlock Origin, and I'm not about to change my mind.

    1. chivo243 Silver badge

      Re: "but could for example, also be done through ads on a trusted website"

      I'll add the ever famous Pi-Hole to the list, as well as stop social, ghostery and NoRef for your browsing pleasure.

      I was really put off the other day when I visited a website, by a knowledgable IT guy now has some shitty overlay on his website that complains about your adblockers, and wants you to click on an ad to get access to his site, which is really sad, as his mojo saved me hours of mindless searching. I get it that he needs to keep his site running and that cost money. Unfortunately, ad slingers could care less about your computer security, and I won't take the chance.

      1. Snowy Silver badge

        Re: "but could for example, also be done through ads on a trusted website"

        It is "could not care less" using "could care less" means they have to care some amount to be able to care less.

        1. Carpet Deal 'em Bronze badge

          Re: "but could for example, also be done through ads on a trusted website"

          idiom noun

          id·​i·​om | \ ˈi-dē-əm


          plural idioms

          Definition of idiom

          1 : an expression in the usage of a language that is peculiar to itself either in having a meaning that cannot be derived from the conjoined meanings of its elements (such as up in the air for "undecided") or in its grammatically atypical use of words (such as give way)

          Emphasis mine.

          1. Martin an gof Silver badge

            Re: "but could for example, also be done through ads on a trusted website"

            Does not explain "could care less", which I only noticed for the first time three or four years ago, I think originally in US-based sources. The actual expression has been around for a very, very long time, though it is usually shown as "couldn't" rather than "could not". I imagine "couldn't" --> "could" is simply the sort of lazy-stop that often cuts off the ends of words.


            1. Trixr

              Re: "but could for example, also be done through ads on a trusted website"

              That's exactly the reason. It's even - gasp! - irony. Like "they couldn't care less" so much that they couldn't be bothered with the "-n't".

              People criticising slang idioms in different versions of English is tedious in the extreme. FWIW, Americans use both, and there are plenty of Americans who also criticise the "could care less" version among their own. Again, slang, who cares?

              If you see it in formal writing, sure, get up on your hind legs then (but make sure it's not a perfectly acceptable variation in their English first).

              1. Martin an gof Silver badge

                Re: "but could for example, also be done through ads on a trusted website"

                It's even - gasp! - irony

                Nah. In most cases (sweeping generalisation) it's simply ignorance. We discussed a similar case here recently, "the proof is in the pudding". I'll bet that most people who use this phrase do it entirely innocently - not ironically - having heard it somewhere else and not realising that it's a corruption of a perfectly legitimate and explainable phrase.

                In fact I'd go so far as to say that many, if not most, idioms have a rational explanation behind them. Even apparently madcap ones such as "raining cats and dogs" or the Welsh equivalent "hen wragedd â ffyn" = "old ladies with sticks". They bring to mind a particular sort of painful, lashing rain.


            2. englishr

              I could care less ... but not much.

              When I was in primary school (Wales, 1970s), it was quite common to here the expression "I could care less, but not much!" (with heavy emphasis on the "could"). I've always assumed that "I could care less" was a shortened version, with "but not much" being implied.

        2. MrDamage

          Re: "but could for example, also be done through ads on a trusted website"

          "Could not care less" is a factually incorrect statement. By saying it, it shows you care enough to at least make a statement about the topic. Ignoring the topic and talking about something else is the way you show you couldn't care less.


      2. Alumoi

        Re: "but could for example, also be done through ads on a trusted website"

        There's something of a mistery to me how one person can't keep his site running unless making money out of it.

        I pay 7 euro/year for my domain and about 75 euro/3 years for hosting. Let's make it a total of 100 euro/3 years, that's 10 euroCENTS per day.

        FFS, what's wrong with you people?

        I get it, you want to be paid for your knowledge. So set up a subscription and enjoy the income.

        1. Martin an gof Silver badge

          Re: "but could for example, also be done through ads on a trusted website"

          It depends on the site and the expectations of that sort of thing. For example, the well-regarded Phoronix is essentially a one-man-band, but it is constantly updated, read by lots of people and runs forums. Constant updates mean spending time on the site, which often means it's impossible to run the thing as a hobby alongside "real work". A large readership means typical low-end servers can't cope - for €25 a year you are getting, what, 100MB per month bandwidth, and a few GB of storage? Running forums is even more difficult as you need someone to keep an eye on things because spanners will put people off and people posting illegal content or links will eventually attract the attention of the authorities.

          Somehow that all has to be paid for and I have no problem at all with small sidebar or even in-line adverts, but I really do have a problem with ads which rely on third-party script, as nearly all of them have as their joint-primary purpose tracking you across the web. I particularly hate those which prevent the site content loading until you agree to this tracking, and "cookie consent" banners which won't go away until you have clicked "I consent" and (and I'm sure this is illegal) don't offer you an "I don't consent" option.

          I'm sure many here have sites such as doubleclick and google-analytics permanently disabled or black-holed. In my case, if that breaks a website, I make do without.

          Or I only browse from work, where I don't have control over such stuff :-)


  5. Version 1.0 Silver badge

    "That's not a bug, it's a feature" is now a malapropism

    Don't worry, the bug will be fixed, they will move it somewhere else to another feature. Software these days is all about features, not security. Software Testing? Verification? no, let's add a new feature.

    1. A.P. Veening Silver badge

      Re: "That's not a bug, it's a feature" is now a malapropism

      The one missing feature in software I truly desire is safety.

      1. ds6 Bronze badge

        Re: "That's not a bug, it's a feature" is now a malapropism

        No, TwinTurbo® SiteBoost™ is much more important.

        What does it do? Who fucking cares it's got a cool name with no spacing yeeeeah!!

  6. This post has been deleted by its author

  7. kmedcalf

    Silly Article

    The article is NOT about any problems with the Cable Modems themselves (well, there is a problem there, but it is entirely insignificant). It is about the stupidity of permitting untrustworthy third-parties unfettered access to run the crappy malicious code on your computer (hence the reference to execution of JavaScript in the browser being a necessary prerequisite). The "root cause" of the issue is permitting the unrestrained execution of untrusted code originating from unknown and/or untrustworthy parties on your computer. Fix that root cause of the problem, and it is merely another "so what? who gives a flying fuck?"

    I don't particularly care that the one-way glass on the bedroom windows is not really one way glass because I put up curtains and close them before getting my jollies on, so the local tabloid will never be publishing pictures by the peeper over-the-road on the front page of the local rag, and I do not care that a bunch of other idiots failed to hang curtains -- that is not my problem.

    1. 1752

      Re: Silly Article

      But if has a cool name, and a logo...

  8. TrumpSlurp the Troll Silver badge

    Virgin Media?

    UK publication and AFAIK VM are the main cable modem supplier.

    Would it hurt to at least check with them?

    1. John 78

      Re: Virgin Media?

      My Virgin cable modem is a Superhub 3, which has a Intel Puma chipset not Broadcom.

      So not affected.

  9. Anonymous Coward
    Anonymous Coward

    As opposed to CenturyLink...

    who sells (and rents) consumer DSL modems with the TR-069 port enabled from the factory (port 4567, for anyone interested), not disableable via the configuration pages, and world-accessible. (They don't block incoming connections from the 'net to the port!) And their tech support folks have never heard of TR-069. And the factory (Actiontec) won't provide instructions to modem owners on how to disable it, as it's a CenturyLink "feature".

    Guess why I maintain my own router behind the modem, and only use the modem's wifi as guest access?

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2020