Some of Broadcom’s cable modems come with flawed firmware which could mean more than 200 million vulnerable homes, security researchers are claiming.
Four Danish researchers, Alexander Dalsgaard Krog, Jens Hegner Stærmose, Kasper Kohsel Terndrup (from Lyrebirds) and freelancer Simon Vandel Sillesen uncovered CVE-2019-19494, a flaw which could enable man-in-the-middle attacks, information theft, communications eavesdropping, DDoS attacks and so on.
The Register, however, believes the flaw is too complicated to pull off, and as such wouldn’t be interesting to criminals. The team says the vulnerability affects Broadcom’s cable modems that run the Embedded Configurable Operating System (eCos); there are roughly 200 million of them in operation in Europe alone.
"The reason for this is that the vulnerability originated in reference software, which has seemingly been copied by different cable modem manufacturers when creating their cable modem firmware," the crew explained. "This means that we have not been able to track the exact spread of the vulnerability, and that it might present itself in slightly different ways for different manufacturers."
Broadcom is quiet for the moment.