Millions of ISP COX Subscribers’ Modems Vulnerable to Unauthorized Access

COX Communications Exposes Security Vulnerability in Subscriber Modems

COX Communications, the third-largest cable television provider and one of the largest broadband operators in the US with 6.5 million subscribers, recently had its internal web APIs put to the test. These APIs, used by support staff to manage subscriber modems and the customer base, turned out to accept requests from outside the company. The result: with nothing more than the MAC address of a subscriber's device, full control over the modem could be obtained, including changing its settings and executing commands on it.

What makes this worse is that the MAC address can be obtained without authentication through the public web API by simply searching for the subscriber by email address or account number. The same lookup returns not only the MAC address but also other sensitive data: postal address, phone number, name and email. This information is not only readable but also editable, again without any authentication, so an outsider who knows a customer's email address or account number can both profile and modify that customer's record and then use the MAC address to reach the modem itself.

The publicly accessible API exposes more than 700 handlers, many of them administrative. An attacker who can reach these endpoints therefore gets roughly the same access to a subscriber's modem as the service support team has.

Commands and settings sent to subscriber modems are transmitted as encrypted data sets, but the protection is undermined by the encryption functions themselves, which live in a JavaScript file served from Webcdn-business.cox.com. By setting a breakpoint in the browser's JavaScript debugger during registration on Myaccount-business.cox.com, the encryption key could be read out. The key is generated from the MAC address, device identifier, account number, device model and access type, together with a few auxiliary parameters. Because every one of these inputs is something the client already knows about the device, and several of them are returned by the unauthenticated lookup, the key offers no real secrecy: anyone who can collect the same parameters can regenerate it and produce "encrypted" payloads that the backend will accept.
