Cybersecurity researcher Sam Curry has recently uncovered a series of critical vulnerabilities in the systems of Cox Communications, a major telecommunications provider. These vulnerabilities could have allowed malicious actors to remotely take control of millions of modems used by Cox’s customers, posing a significant risk to their privacy and security.
Bypassing Authorization and Gaining Elevated Privileges
Curry’s analysis revealed an API vulnerability that allowed bypassing authorization checks, potentially enabling an unauthenticated attacker to gain the same privileges as Cox’s technical support team. This exploit could have allowed attackers to overwrite configuration settings, access the routers, and execute commands on the affected devices.
According to the researcher, “This series of vulnerabilities demonstrated a way in which a fully external attacker with no prerequisites could’ve executed commands and modified the settings of millions of modems, accessed any business customer’s PII, and gained essentially the same permissions of an ISP support team.”
Potential Attack Scenarios and Risks
In a theoretical attack scenario outlined by Curry, a malicious actor could have searched for a targeted Cox business user through the exposed API using personal information such as their name, email address, phone number, or account number. Once identified, the attacker could have obtained additional information from the targeted user’s account, including their Wi-Fi password.
With this access, the attacker could have executed arbitrary commands, updated device settings, or take over accounts, potentially compromising sensitive data and personal information.
Responsible Disclosure and Prompt Patching
Curry responsibly reported the vulnerabilities to Cox Communications on March 4, and the company took swift action to prevent exploitation by the next day. Cox also informed the researcher that it conducted a comprehensive security review following the report.
Notably, Cox found no evidence of the vulnerability being exploited in the wild for malicious purposes, indicating that the potential risks were mitigated before any significant damage occurred.
Origins of the Attack and Unanswered Questions
The origin of the attack on Curry’s modem appears to be from an IP address (159.65.76.209) previously used for phishing campaigns, including targeting a South American cybersecurity company. When Curry tried to get a replacement modem from Cox, they required him to turn in the potentially compromised device, preventing further analysis.
Curry’s traffic was being intercepted and replayed, suggesting the attacker had access to his home network, though the motive for replaying traffic is unclear. The vulnerabilities found in Cox’s systems included lack of authentication checks, allowing arbitrary API requests by simply replaying them. Over 700 APIs were exposed.
Cox patched the issues after disclosure but found no evidence the specific attack vector was exploited maliciously before 2023, despite Curry’s modem being compromised in 2021. The blog aims to highlight supply chain risks between ISPs and customer devices, though Curry’s modem may have been hacked through another unrelated method locally.