researcher accidentally finds 0-day affecting his entire internet service provider
Summary
TL;DR: In this cybersecurity video, the presenter recounts a startling incident in which a security researcher discovered a vulnerability that allowed him to hack not only his own modem but any modem within his ISP's network. The story unfolds as the researcher investigates unexpected HTTP traffic replays, eventually uncovering a potential breach in the Cox Panoramic Wi-Fi Gateway. Through diligent research and responsible disclosure, he identifies a series of API vulnerabilities that could give an attacker ISP-like control over devices, leading to a rapid resolution by Cox.
Takeaways
- A security researcher discovered a vulnerability that allowed him to hack into any modem within his ISP's network, including his own.
- The researcher initially thought his computer or iPhone had been hacked because of suspicious HTTP traffic replays from an unknown IP address.
- After ruling out AWS and GCP as sources of the issue, the researcher suspected his ISP's modem might have been compromised.
- The unknown IP address was traced back to Digital Ocean and had a history of hosting phishing infrastructure and a potential CNC server for router malware.
- The compromised device was identified as a Cox Panoramic Wi-Fi Gateway, which was likely hacked to intercept and replay HTTP traffic.
- The researcher was unable to keep the compromised modem for further investigation due to ISP policies, despite uncovering a potential malware campaign.
- Three years later, the researcher and friends discovered a domain generation algorithm used by malware operators for obfuscation, indicating that a CNC server had possibly been replaying his traffic.
- The TR-069 protocol, which allows ISPs to remotely manage devices, was suspected as a potential vector for the modem compromise.
- The researcher found that the Cox Business portal had extensive API access to device management, including the ability to update settings and view connected devices.
- An authorization bypass vulnerability in the Cox backend API allowed unauthorized access to customer data and device management functionality.
- The vulnerabilities could have been exploited to gain remote code execution on millions of modems, access any business customer's PII, and essentially obtain ISP support-team-level access.
Q & A
What was the unexpected event that occurred when the security researcher was testing his home network?
- While testing his home network, the security researcher noticed that an unknown IP address had replayed the exact same HTTP request he had just sent to his server, which was unexpected because that traffic should not have been accessible to anyone else.
What did the security researcher initially suspect when he saw the unexpected HTTP request?
- He initially suspected that his computer had been hacked and that the hacker was actively monitoring his traffic, since the unknown IP address had replayed his HTTP requests.
Why did the security researcher consider that his ISP's network might be compromised?
- He considered that his ISP's network might be compromised because the unexpected replay of HTTP requests occurred not only from his computer but also from his iPhone, indicating that the issue was not device-specific and was most likely in the network.
What did the security researcher do to confirm that the issue was not related to AWS or GCP?
- To confirm that the issue was not related to AWS or GCP, the security researcher spun up a new AWS box running a different engine and observed the same unknown IP address replaying his HTTP requests. He also spun up a box on GCP and saw the same behavior, indicating that the issue was not with the cloud providers.
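The signal the researcher noticed in these answers, a request he had just sent arriving a second time from an address that is not his, is something a server owner can detect from the access log alone. The following is an added example written for this page; it is not tooling from the video or from the researcher. It assumes a combined-format access log and that each legitimate request carries a unique query value (a nonce), so the same method and target reappearing from a different, untrusted IP shortly afterwards is suspicious rather than routine. The log lines and IPs are constructed; the addresses are documentation-range placeholders, not the ones from the video.

```python
"""Flag HTTP requests that were replayed from an unexpected source IP.

Added example, not tooling from the video or the researcher. Assumes a
combined-format access log and unique per-request query values (nonces).
Log lines and IPs below are constructed for illustration.
"""
import re
from datetime import datetime, timedelta

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]+" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed sample log: 203.0.113.10 stands in for the researcher's own
# address, 198.51.100.77 for the unknown host that re-sends his requests.
SAMPLE_LOG = [
    '203.0.113.10 - - [15/Jan/2024:10:00:00 +0000] "GET /test?nonce=a1b2c3 HTTP/1.1" 200 12',
    '203.0.113.10 - - [15/Jan/2024:10:00:01 +0000] "GET /favicon.ico HTTP/1.1" 404 0',
    '198.51.100.77 - - [15/Jan/2024:10:00:03 +0000] "GET /test?nonce=a1b2c3 HTTP/1.1" 200 12',
    '203.0.113.10 - - [15/Jan/2024:10:01:00 +0000] "POST /api/echo?nonce=d4e5f6 HTTP/1.1" 200 8',
    '198.51.100.77 - - [15/Jan/2024:10:01:02 +0000] "POST /api/echo?nonce=d4e5f6 HTTP/1.1" 200 8',
    # The owner retrying his own request is not a replay by someone else.
    '203.0.113.10 - - [15/Jan/2024:10:02:00 +0000] "GET /test?nonce=a1b2c3 HTTP/1.1" 200 12',
]


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    return rec


def find_replays(lines, trusted_ips, window=timedelta(minutes=5)):
    """Return (target, original_ip, replay_ip, delay_seconds) for every request
    first seen from a trusted IP and then re-sent, with the same method and
    target, from an untrusted IP within `window`."""
    first_seen = {}
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        key = (rec["method"], rec["target"])
        if key not in first_seen:
            first_seen[key] = rec
            continue
        orig = first_seen[key]
        delay = rec["ts"] - orig["ts"]
        if (orig["ip"] in trusted_ips and rec["ip"] not in trusted_ips
                and timedelta(0) <= delay <= window):
            findings.append((rec["target"], orig["ip"], rec["ip"],
                             int(delay.total_seconds())))
    return findings


if __name__ == "__main__":
    for target, src, replayer, secs in find_replays(SAMPLE_LOG, {"203.0.113.10"}):
        print(f"{target} from {src} replayed by {replayer} after {secs}s")
```

Run on the sample, it reports the two nonce-carrying requests that came back from the untrusted address within seconds, and ignores both the unrelated favicon request and the owner's own retry. The same check over a real log, with the trusted set being the IPs you actually send from, is the quickest way to confirm the "someone is replaying my traffic" hypothesis before suspecting a particular device.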
What was the significance of the IP address belonging to Digital Ocean in the investigation?
- The IP address belonging to Digital Ocean was significant because it suggested that the attacker was not the ISP, as initially suspected. It was later found that this IP address had been used to host phishing infrastructure and possibly a CNC server for router malware.
What was the Cox Panoramic Wi-Fi Gateway, and why was it suspected to be compromised?
- The Cox Panoramic Wi-Fi Gateway was the modem provided by the ISP. It was suspected to be compromised because, after the security researcher replaced it with a new one, the unexpected replay of HTTP requests stopped, indicating that the old modem might have been hacked.
Why was the security researcher unable to keep the potentially compromised modem for further investigation?
- The security researcher was unable to keep the potentially compromised modem because it was the property of the ISP, and he was required to return it when he requested a new one.
What was the TR-069 protocol, and how did it potentially play a role in the compromise of the modem?
- TR-069 is a protocol introduced in 2004 that allows ISPs to manage devices within their network via port 7547. It was suspected that, if not implemented correctly, this protocol could be exploited to remotely control the modem, potentially leading to its compromise.
What was the significance of discovering the Swagger UI in the investigation?
- The discovery of the Swagger UI was significant because it exposed all the API endpoints used by the Cox Business network, allowing the security researcher to enumerate and test the functionality of these endpoints, which eventually led to the discovery of the vulnerabilities.
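A Swagger UI is generated from an OpenAPI document, and that document is also what a defender should review first: it lists every operation and which security scheme each one requires. The block below is an added example, not code from the video, from Cox or from the researcher. The spec it audits is a constructed miniature of a device-management API with invented paths and scheme names. It relies on two OpenAPI rules: an operation-level `security` list overrides the document-level default, and an explicit empty list means the operation may be called with no credentials at all.

```python
"""Enumerate an OpenAPI document's operations and flag those callable
without a security requirement.

Added example, not code from the video, Cox or the researcher. The spec
below is constructed; paths and scheme names are invented.
"""
import json

SAMPLE_SPEC = json.loads("""
{
  "openapi": "3.0.0",
  "info": {"title": "Constructed device-management API", "version": "0"},
  "security": [{"bearerAuth": []}],
  "components": {"securitySchemes": {"bearerAuth": {"type": "http", "scheme": "bearer"}}},
  "paths": {
    "/health": {"get": {"security": [], "responses": {"200": {"description": "ok"}}}},
    "/devices/{deviceId}": {
      "get": {"responses": {"200": {"description": "device"}}},
      "put": {"security": [], "responses": {"200": {"description": "updated"}}}
    },
    "/devices/{deviceId}/ssid": {"post": {"responses": {"200": {"description": "renamed"}}}},
    "/admin/export": {"get": {"security": [{"apiKey": []}], "responses": {"200": {"description": "csv"}}}}
  }
}
""")

HTTP_METHODS = {"get", "put", "post", "delete", "patch", "head", "options", "trace"}
MUTATING = {"put", "post", "delete", "patch"}


def list_operations(spec):
    """Enumerate every (METHOD, path) pair the document describes."""
    ops = []
    for path, item in spec.get("paths", {}).items():
        for method in item:
            if method in HTTP_METHODS:
                ops.append((method.upper(), path))
    return sorted(ops)


def effective_security(spec, operation):
    """Operation-level security wins; otherwise inherit the document default."""
    return operation.get("security", spec.get("security", []))


def audit_spec(spec):
    """Return (METHOD, path, reason) for operations with no security
    requirement, or one naming a scheme the document never defines."""
    schemes = set(spec.get("components", {}).get("securitySchemes", {}))
    findings = []
    for path, item in spec.get("paths", {}).items():
        for method, operation in item.items():
            if method not in HTTP_METHODS:
                continue
            requirements = effective_security(spec, operation)
            if not requirements:
                reason = "no security requirement"
                if method in MUTATING:
                    reason += " on mutating operation"
                findings.append((method.upper(), path, reason))
                continue
            for requirement in requirements:
                for scheme in requirement:
                    if scheme not in schemes:
                        findings.append((method.upper(), path,
                                         f"unknown security scheme '{scheme}'"))
    return sorted(findings)


if __name__ == "__main__":
    print(f"{len(list_operations(SAMPLE_SPEC))} operations described")
    for method, path, reason in audit_spec(SAMPLE_SPEC):
        print(f"{method} {path}: {reason}")
```

On the sample it lists five operations and flags three: the health check (harmless), a PUT on a device that was explicitly opened to anonymous callers, and an admin export whose scheme is never defined. The caveat: a spec review only catches the unauthenticated-endpoint class. The bypass in the video let an authenticated caller reach other customers' devices, and nothing in an OpenAPI document shows whether an operation checks object ownership; that still has to be tested per operation with two accounts.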
How did the security researcher demonstrate the ability to change settings on a modem using the exposed API?
- The security researcher demonstrated the ability to change settings on a modem by using the exposed API to change the SSID of one of his own devices to 'Curry', showing that an attacker could potentially modify the settings of any modem reachable through the API.
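The authorization bypass in the takeaways and the SSID change in this answer describe the same class of defect: a caller who is authenticated, but whose right to touch the specific device was never checked. The video does not say how Cox's backend got this wrong, so the following added example (not code from Cox, the video or the researcher) shows the generic pattern, with a vulnerable handler beside a hardened one. Account IDs, device IDs and SSIDs are constructed.

```python
"""Object-level authorization on a device-management call, vulnerable and
hardened side by side.

Added example, not code from Cox, the video or the researcher. Account
IDs, device IDs and SSIDs are constructed.
"""
from dataclasses import dataclass


@dataclass
class Device:
    device_id: str
    owner_account: str
    ssid: str


class PermissionDenied(Exception):
    pass


def fresh_inventory():
    """Constructed inventory: two customers, one gateway each."""
    return {
        "gw-001": Device("gw-001", "acct-alice", "HomeNet"),
        "gw-002": Device("gw-002", "acct-bob", "BobWifi"),
    }


def set_ssid_vulnerable(devices, session_account, device_id, new_ssid):
    """Checks that the caller is logged in but never that the device is
    theirs, so any account can rename any device whose ID it knows."""
    if session_account is None:
        raise PermissionDenied("not authenticated")
    device = devices[device_id]
    device.ssid = new_ssid
    return device.ssid


def set_ssid_hardened(devices, session_account, device_id, new_ssid, audit_log):
    """Resolves the device within the caller's own account. A device the
    caller does not own gets the same response as one that does not exist,
    so the endpoint cannot be used to enumerate other customers' IDs, and
    every denial is recorded so that probing shows up in detection."""
    if session_account is None:
        raise PermissionDenied("not authenticated")
    device = devices.get(device_id)
    if device is None or device.owner_account != session_account:
        audit_log.append(f"DENY ssid-change account={session_account} device={device_id}")
        raise PermissionDenied("device not found")
    if not 1 <= len(new_ssid.encode("utf-8")) <= 32:
        raise ValueError("SSID must be 1-32 bytes")
    device.ssid = new_ssid
    audit_log.append(f"ALLOW ssid-change account={session_account} device={device_id}")
    return device.ssid


def cross_account_attempt(handler, **kwargs):
    """Run a handler as acct-alice against acct-bob's gateway and report
    whether the change went through (True means the handler is broken)."""
    devices = fresh_inventory()
    try:
        handler(devices, "acct-alice", "gw-002", "Curry", **kwargs)
    except PermissionDenied:
        pass
    return devices["gw-002"].ssid == "Curry"


if __name__ == "__main__":
    print("vulnerable handler allows cross-account change:",
          cross_account_attempt(set_ssid_vulnerable))
    print("hardened handler allows cross-account change:",
          cross_account_attempt(set_ssid_hardened, audit_log=[]))
```

`cross_account_attempt` is the two-account test a reviewer would run against every operation the Swagger UI lists: the vulnerable handler returns True, the hardened one False. The design point is that the ownership check happens at lookup time, scoped to the session's account, rather than as an afterthought comparison that a later refactor can drop.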
What was the final outcome of the security researcher's findings, and how did Cox respond?
- After he responsibly disclosed the vulnerabilities to Cox, the ISP investigated and found no history of abuse. They fixed the issues within a matter of months, demonstrating a quick and responsible response to the security concerns raised.