Skip to main content

Broadcom modems could be at risk of hacking

(Image credit: Pixabay.com)

Some of Broadcom’s cable modems come with flawed firmware which could mean more than 200 million vulnerable homes, security researchers are claiming.

Four Danish researchers, Alexander Dalsgaard Krog, Jens Hegner Stærmose, Kasper Kohsel Terndrup (from Lyrebirds) and freelancer Simon Vandel Sillesen uncovered CVE-2019-19494, a flaw which could enable man-in-the-middle attacks, information theft, communications eavesdropping, DDoS attacks and no on.

It starts with a victim visiting a malicious JavaScript-bearing website. The JavaScript code connects to the server built into the flawed modem on the local network, changes the processor registers and redirects execution to malware.

"The attack can be executed by having the victim run malicious JavaScript," the team explained. "A common avenue of attack would be a link that is opened in a browser, but could for example, also be done through ads on a trusted website or insecure email clients."

The Register, however, believes the flaw is too complicated to pull off, and as such wouldn’t be interesting to criminals. The team, however, says the vulnerability affects Broadcom’s cable modems that run Embedded Configurable Operating System (eCos) – there are roughly 200 million of them, in operation, in Europe alone.

"The reason for this, is that the vulnerability originated in reference software, which have seemingly been copied by different cable modems manufacturers, when creating their cable modem firmware," the crew explained. "This means that we have not been able to track the exact spread of the vulnerability, and that it might present itself in slightly different ways for different manufacturers."

Broadcom is quiet for the moment.