Our research revealed a wide array of critical vulnerabilities in ISP-provided, RDK-based wireless gateways and set-top boxes. We demonstrated that it was possible to remotely and wirelessly tap all Internet and voice traffic passing through an affected gateway. We estimate tens of millions of ISP customers have been impacted by these findings. Many of the vulnerabilities have now been remediated.
The following devices were tested and were affected at the time of testing. For each model, the advisory numbers (#nn) and CVE identifiers that apply are listed:
Vendor | Model | Advisories | CVEs |
Cisco | DPC3939 (gateway) | #18 #19 #20 #22 #23 #24 #25 #26 #27 #28 #29 #30 #31 #32 #35 | CVE-2017-9476 CVE-2017-9477 CVE-2017-9478 CVE-2017-9479 CVE-2017-9480 CVE-2017-9481 CVE-2017-9482 CVE-2017-9483 CVE-2017-9484 CVE-2017-9485 CVE-2017-9486 CVE-2017-9487 CVE-2017-9488 CVE-2017-9521 CVE-2017-9491 CVE-2017-9492 |
Cisco | DPC3939B (gateway) | #20 #22 #23 #24 #25 #26 #29 #30 #32 #33 #35 | CVE-2017-9478 CVE-2017-9479 CVE-2017-9480 CVE-2017-9481 CVE-2017-9482 CVE-2017-9483 CVE-2017-9486 CVE-2017-9487 CVE-2017-9489 CVE-2017-9490 CVE-2017-9521 CVE-2017-9491 CVE-2017-9492 |
Technicolor | DPC3941T (gateway) | #18 #20 #22 #23 #29 #30 #31 #32 #35 | CVE-2017-9476 CVE-2017-9478 CVE-2017-9479 CVE-2017-9480 CVE-2017-9486 CVE-2017-9487 CVE-2017-9488 CVE-2017-9521 CVE-2017-9491 CVE-2017-9492 |
Technicolor | TC8717T (gateway) | #18 #20 #22 #23 #26 #30 #31 #32 #33 #35 | CVE-2017-9476 CVE-2017-9478 CVE-2017-9479 CVE-2017-9480 CVE-2017-9483 CVE-2017-9487 CVE-2017-9488 CVE-2017-9489 CVE-2017-9490 CVE-2017-9521 CVE-2017-9491 CVE-2017-9492 |
Motorola | MX011ANM (set-top box) | #38 #39 #40 #41 #42 | CVE-2017-9493 CVE-2017-9494 CVE-2017-9495 CVE-2017-9496 CVE-2017-9497 CVE-2017-9498 |
Xfinity | XR11-20 (voice remote) | #42 | CVE-2017-9493 CVE-2017-9494 CVE-2017-9495 CVE-2017-9496 CVE-2017-9497 CVE-2017-9498 |
Although the Bastille Threat Research Team endeavored to test a variety of hardware models from multiple vendors, it is not possible to acquire and test every model available on the market. There may be other models and vendors that are affected by these vulnerabilities, so the list should not be considered definitive.
The plain-text advisories can be found in the links above, and here.
Response
We have worked closely with Comcast to help remediate these vulnerabilities across the global cable Internet industry. They provided the following statement (07/07/2017):
“Nothing is more important than our customers’ safety, and we appreciate Bastille bringing these matters to our attention. We have made a number of updates to our software and systems to prevent the issues Bastille identified from impacting Comcast customers, including breaking the attack chains Bastille described in this paper.
Bastille has confirmed that these updates work, and that the attack chains the company described in this paper can no longer be used. In addition, we have further hardened our systems to address new threats related to the underlying vulnerabilities described here. As of this writing, we have completed and rolled out these changes for the vast majority of Comcast customers. We anticipate finishing those efforts before this paper is published.
We know of no situation in which these issues were ever used against Comcast customers outside of Bastille’s testing.
At Comcast, we perform security testing, both during product development and after product launch, in an ongoing effort to make our products more secure. We also work with independent security researchers who come to us with issues. When we are notified about an issue we move quickly to assess and resolve it. The work of independent security researchers plays a valuable role in our ongoing commitment to keeping our customers safe and secure.”
Remediation
Many of the vulnerabilities have been patched, so customers whose devices are running current firmware should be protected against the specific attack chains described here. ISP-provided gateways and set-top boxes normally receive firmware from the ISP rather than from the customer, so check that your device is running the latest firmware version your ISP offers, and contact your ISP if you have further questions.
If you are concerned you may still be at risk, consider replacing the affected device with a setup built from unaffected hardware: for example, a dedicated DOCSIS modem (one your ISP supports) connected to a separate router that you control, so that the ISP-managed gateway no longer terminates your wireless network. Note that a modem-only device does not carry ISP voice service; if you rely on that service, you will still depend on the ISP's voice-capable gateway, so confirm with your ISP that it has been patched.