CableTap Affected Devices

 Our research revealed a wide array of critical vulnerabilities in ISP-provided, RDK-based wireless gateways and set-top boxes. We demonstrated that it was possible to remotely and wirelessly tap all Internet and voice traffic passing through an affected gateway. We estimate tens of millions of ISP customers have been impacted by these findings. Many of the vulnerabilities have now been remediated. 

The following devices were tested and were found to have been initially affected:

| Vendor | Affected Devices | Advisory (w/Tracking #) | CVE# |
|---|---|---|---|
| Cisco | DPC3939 (gateway) | #18, #19, #20, #22, #23, #24, #25, #26, #27, #28, #29, #30, #31, #32, #35 | CVE-2017-9476, CVE-2017-9477, CVE-2017-9478, CVE-2017-9479, CVE-2017-9480, CVE-2017-9481, CVE-2017-9482, CVE-2017-9483, CVE-2017-9484, CVE-2017-9485, CVE-2017-9486, CVE-2017-9487, CVE-2017-9488, CVE-2017-9521, CVE-2017-9491, CVE-2017-9492 |
| Cisco | DPC3939B (gateway) | #20, #22, #23, #24, #25, #26, #29, #30, #32, #33, #35 | CVE-2017-9478, CVE-2017-9479, CVE-2017-9480, CVE-2017-9481, CVE-2017-9482, CVE-2017-9483, CVE-2017-9486, CVE-2017-9487, CVE-2017-9489, CVE-2017-9490, CVE-2017-9521, CVE-2017-9491, CVE-2017-9492 |
| Technicolor | DPC3941T (gateway) | #18, #20, #22, #23, #29, #30, #31, #32, #35 | CVE-2017-9476, CVE-2017-9478, CVE-2017-9479, CVE-2017-9480, CVE-2017-9486, CVE-2017-9487, CVE-2017-9488, CVE-2017-9521, CVE-2017-9491, CVE-2017-9492 |
| Technicolor | TC8717T (gateway) | #18, #20, #22, #23, #26, #30, #31, #32, #33, #35 | CVE-2017-9476, CVE-2017-9478, CVE-2017-9479, CVE-2017-9480, CVE-2017-9483, CVE-2017-9487, CVE-2017-9488, CVE-2017-9489, CVE-2017-9490, CVE-2017-9521, CVE-2017-9491, CVE-2017-9492 |
| Motorola | MX011ANM (set-top box) | #38, #39, #40, #41, #42 | CVE-2017-9493, CVE-2017-9494, CVE-2017-9495, CVE-2017-9496, CVE-2017-9497, CVE-2017-9498 |
| Xfinity | XR11-20 (voice remote) | #42 | CVE-2017-9493, CVE-2017-9494, CVE-2017-9495, CVE-2017-9496, CVE-2017-9497, CVE-2017-9498 |

Although the Bastille Threat Research Team endeavored to test a variety of hardware models from multiple vendors, it is not possible to acquire and test every model available on the market. There may be other models and vendors that are affected by these vulnerabilities, so the list should not be considered definitive.

The plain-text advisories can be found in the links above, and here.

Response

We have worked closely with Comcast to help remediate these vulnerabilities across the global cable Internet industry. They provided the following statement (07/07/2017):

“Nothing is more important than our customers’ safety, and we appreciate Bastille bringing these matters to our attention. We have made a number of updates to our software and systems to prevent the issues Bastille identified from impacting Comcast customers, including breaking the attack chains Bastille described in this paper.

Bastille has confirmed that these updates work, and that the attack chains the company described in this paper can no longer be used. In addition, we have further hardened our systems to address new threats related to the underlying vulnerabilities described here. As of this writing, we have completed and rolled out these changes for the vast majority of Comcast customers. We anticipate finishing those efforts before this paper is published.

We know of no situation in which these issues were ever used against Comcast customers outside of Bastille’s testing.

At Comcast, we perform security testing, both during product development and after product launch, in an ongoing effort to make our products more secure. We also work with independent security researchers who come to us with issues. When we are notified about an issue we move quickly to assess and resolve it. The work of independent security researchers plays a valuable role in our ongoing commitment to keeping our customers safe and secure.”

Remediation

Many of the vulnerabilities have been patched, so customers should be safe with respect to these specific exploits. Ensure your device is running the latest version of its firmware, and if you have further questions, please contact your ISP.

If you are concerned you may still be at risk, consider replacing any affected devices with a heterogeneous setup composed of unaffected hardware. For example, replace your gateway with a dedicated DOCSIS modem (one that is compatible with your ISP) connected to a separate gateway/router.