this post was submitted on 04 Jun 2024
118 points (98.4% liked)

Technology

58303 readers
11 users here now

This is a most excellent place for technology news and articles.


Our Rules


  1. Follow the lemmy.world rules.
  2. Only tech related content.
  3. Be excellent to each another!
  4. Mod approved content bots can post up to 10 articles per day.
  5. Threads asking for personal tech support may be deleted.
  6. Politics threads may be removed.
  7. No memes allowed as posts, OK to post as comments.
  8. Only approved bots from the list below, to ask if your bot can be added please contact us.
  9. Check for duplicates before posting, duplicates may be removed

Approved Bots


founded 1 year ago
MODERATORS
 

This article is a great example why you should use your own router instead of ISP provided one

top 9 comments
sorted by: hot top controversial new old
[–] [email protected] 25 points 5 months ago (1 children)

If this request worked, it meant that I could use an “encryptedValue” parameter in the API that didn’t have to have a matching account ID.

I sent the request and saw the exact same HTTP response as above! This confirmed that we didn’t need any extra parameters, we could just query any hardware device arbitrarily by just knowing the MAC address (something that we could retrieve by querying a customer by name, fetching their account UUID, then fetching all of their connected devices via their UUID). We now had essentially a full kill chain.

I formed the following HTTP request to update my own device MAC addresses SSID as a proof of concept to update my own hardware:

...

Did it work? It had only given me a blank 200 OK response. I tried re-sending the HTTP request, but the request timed out. My network was offline. The update request must've reset my device.

About 5 minutes later, my network rebooted. The SSID name had been updated to “Curry”. I could write and read from anyone's device using this exploit.

This demonstrated that the API calls to update the device configuration worked. This meant that an attacker could've accessed this API to overwrite configuration settings, access the router, and execute commands on the device. At this point, we had a similar set of permissions as the ISP tech support and could've used this access to exploit any of the millions of Cox devices that were accessible through these APIs.

Blows me a away that an unauthenticated API with sensitive controls and data was publicly facing. Corporations these days want all your data but wonder why some customers are worry about how it is protected, it let alone if it's being sold. Why should I allow you to control my hardware when you can't protect yourself.

[–] [email protected] 10 points 5 months ago (1 children)

Why should I allow you to control my hardware when you can't protect yourself

Correction, they can protect themselves, but they chose not to devote the time, money and effort it would take to make sure they're secure. They just slap it together asap, say good enough, and start charging millions of dollars for customers to use it

[–] [email protected] 8 points 5 months ago (1 children)

There should be laws and fines for this.

Here in France you can technically be fined for not securing properly your wifi. It was put in place by something called HADOPI which tries to catch movies shared on torrents. Unsurprisingly, the lobby of record labels managed to even make sure you couldn't pretend someone hacked your wifi and downloaded illegally. But I'm sure the same bill but applied to businesses wouldn't ever pass.

Businesses could leak all your sensitive data and they won't get anything beside bad PR but a single french citizen not proficient enough to secure his wifi may get in trouble.

[–] [email protected] 2 points 5 months ago

Man… kinda jealous.

Look up the equifax breach - basically all us Americans got from that was “lol sorry”

[–] [email protected] 8 points 5 months ago

This was a really interesting read , Thanks for sharing

[–] [email protected] 5 points 5 months ago

lol holy shit

The only thing in the above parameter that was valid was the device serial number. If this request worked, it meant that I could use an “encryptedValue” parameter in the API that didn’t have to have a matching account ID.

I sent the request and saw the exact same HTTP response as above! This confirmed that we didn’t need any extra parameters, we could just query any hardware device arbitrarily by just knowing the MAC address (something that we could retrieve by querying a customer by name, fetching their account UUID, then fetching all of their connected devices via their UUID). We now had essentially a full kill chain.

And then he proceeds to make arbitrary changes to his own modem via this exploit as a final proof. Jesus tapdancing christ.

[–] [email protected] 2 points 5 months ago (1 children)

I’m not a programmer but is it normal that the login page contains the whole main JavaScript code of a logged in user?

Also, what’s the point of having this kind of client side api? Because you can never trust the client shouldn’t be everything server side and only return a html page with the data related to your account?

[–] [email protected] 2 points 5 months ago

It doesn't matter that website loads javascript code for logged in user, as you need a token (which server will give you after a successful login) to authenticate to apis, it is pretty common to do that way

There wasn't a client side API, but the API was missing crucial validation of user input (eg only checking the mac address but didn't check who is actually authenticated)

[–] Hammerheart 1 points 5 months ago

What a great read! Thanks so much for sharing this.