Cable Haunt - Remote Access Exploit Affects Hundreds of Millions of Cable Modems

Authored by:
Support.com Tech Pro Team
This Guided Path® was written and reviewed by Support.com’s Tech Pro team. With decades of experience, our Tech Pros are passionate about making technology work for you. We love feedback! Let us know what you think about this Guided Path® by rating it at the end.

1 Cable Haunt Information

A new attack has been made public. Known as "Cable Haunt", it targets your cable modem, the box that gives your whole home access to the Internet, rather than your computer or smartphone.

This guide will help you understand the problem, and more importantly, what you can do to help avoid being affected.

Fast Facts

Affected Modems
This is not an all-inclusive list — most modems are vulnerable. For a more complete list, visit the Cable Haunt website.

Confirmed by ISPs or security researchers:

  • Sagemcom F@st 3890
  • Sagemcom F@st 3686
  • Technicolor TC7230
  • Netgear C6250EMR
  • Netgear CG3700EMR
  • COMPAL 7284E
  • COMPAL 7486E

Confirmed by members of the community:

  • Arris Surfboard CM8200A
  • Arris Surfboard SB6183
  • Arris Surfboard SB8200
  • Netgear CM500
  • Netgear CM600
  • Netgear CM1000
  • Netgear CM1150
  • Technicolor TC4400
  • Technicolor TC7210
  • Technicolor TC7650
  • Zoom 5370
  • Cisco / Technicolor DPC3216
Cable Haunt - Further Information
For more information about the exploit, the researchers have set up the following page.

2 What is a Cable Modem?

A Cable Modem

In order to understand Cable Haunt, it's best to have a bit of understanding of how your home network functions.

If you have a cable Internet provider, such as Cox, Comcast, or Charter, there is a small box, usually black in color, set up in your home with a coax cable going into it. This is the device all your computers and other devices attach to. If it's just a modem, it will then connect with an Ethernet cable to a router. If it's a Wireless Gateway, the modem and router are combined into one device, and you may just use Wi-Fi to connect with no further wires.

You can think of this modem as a 'translator'. It takes in the 'language' that's being spoken over your cable provider's network and turns it into something your computer can use, and vice versa. This is necessary because there are dozens, if not hundreds, of customers on the cable provider's side, and you pay for a single connection, not separately for each device in your home.

3 What is Cable Haunt?

Simplified diagram of a buffer overflow.

Cable Haunt is what's known as a buffer overflow attack. This means it floods a specific part of the cable modem with more information than that part is built to hold, making it 'error out' unsafely. That failure gives the attacker full and complete access to add malicious code that does what they want, either instead of, or in addition to, what you want the device to do.

Cable Haunt is performed on your computer, by a malicious webpage. The basic steps of the exploit are:

  1. You visit a compromised or malicious website.
  2. The malicious website sends the code to your computer as a script.
  3. Your computer runs this code, but is otherwise unaffected.
  4. Your computer connects to your cable modem, and the small script 'breaks into' it with the buffer overflow attack.
  5. The script then loads whatever malicious code the attacker wants to your cable modem, or disables it entirely.

Your computer isn't affected, nor is it infected. Instead, the modem is the target of the attack, so most security software on your computer will not recognize this as 'bad', because it isn't bad for your computer, only for your modem.

After the script runs on the modem, the attackers could do anything from simply changing the DNS to push more advertising pop-ups to you to try to make money, to sitting between you and the Internet and stealing information, to making the modem participate in other coordinated attacks at the attacker's behest, or any other malicious activity.

4 Can Cable Haunt be detected?

Exploit Research

It is difficult to determine if a modem has been affected by Cable Haunt. Because of the nature of cable modems, you tend not to have direct access to the firmware, nor are you directly and constantly monitoring this part of your Internet security, as you do with your computer using anti-virus software.

Since modem firmware is controlled by your ISP, there's not much you can do to monitor or patch this yourself. This is squarely on your ISP to provide a solution.
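
One part of the chain can be watched from your side of the network: step 4 in section 3, where a public web page makes your browser contact the modem's internal address. The Python sketch below is an added example, not part of the original guide or the researchers' code. It scans proxy-style log records for that pattern; the record fields, the local name suffixes and every sample address (including 192.168.100.1 for the modem) are constructed assumptions.

```python
import ipaddress
from urllib.parse import urlsplit

# Address ranges that only exist inside a home or office network.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16", "::1/128", "fc00::/7", "fe80::/10")]
LOCAL_SUFFIXES = (".local", ".lan", ".home.arpa")  # assumed home-network names

def is_internal_ip(text):
    """True if text is an IP literal inside one of the internal ranges."""
    try:
        ip = ipaddress.ip_address(text)
    except ValueError:          # not an IP literal (e.g. a host name)
        return False
    return any(ip in net for net in INTERNAL_NETS)

def origin_is_public(origin):
    """Heuristic: a page origin is public unless it is clearly a local device."""
    host = urlsplit(origin).hostname
    if not host:                # empty origin: the user typed the address
        return False
    if host == "localhost" or host.endswith(LOCAL_SUFFIXES):
        return False
    return not is_internal_ip(host)

def find_cross_zone_requests(records):
    """Records where a public page made the browser call an internal address.

    Matching is on the resolved destination IP, not the host name in the URL.
    """
    return [r for r in records
            if origin_is_public(r["origin"]) and is_internal_ip(r["dest_ip"])]

# Constructed sample records; none of these come from a real log.
SAMPLE_LOG = [
    {"origin": "https://news.example", "url": "https://cdn.example/app.js", "dest_ip": "203.0.113.10"},
    {"origin": "https://ads.example", "url": "http://192.168.100.1/", "dest_ip": "192.168.100.1"},
    {"origin": "http://192.168.100.1", "url": "http://192.168.100.1/status", "dest_ip": "192.168.100.1"},
    {"origin": "", "url": "http://192.168.100.1/", "dest_ip": "192.168.100.1"},
    {"origin": "https://game.example", "url": "http://gateway.example/", "dest_ip": "10.0.0.1"},
    {"origin": "http://nas.local", "url": "http://192.168.1.50/api", "dest_ip": "192.168.1.50"},
]

if __name__ == "__main__":
    for rec in find_cross_zone_requests(SAMPLE_LOG):
        print(f"public page {rec['origin']} reached internal {rec['dest_ip']} via {rec['url']}")
```

A match shows that a web page tried to reach a device on your network. It does not show whether the modem itself was changed.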

5 What can I do to help guard against Cable Haunt?

At the time of writing, there are no known public exploits; the attack has only been shown in the lab and in example code published recently.

On the Modem Itself

  • If you are using a separate modem and router, rather than a Wireless Gateway (modem and router all-in-one), you have some increased security against this. Because your network (your home computer, smartphone, and other devices) is separated from the modem itself by your router, there's less risk while manufacturers and ISPs work to patch this exploit.
  • If you have a Wireless Gateway, unfortunately, the primary attacks that could be performed are on the same device, and you simply need to wait till this is patched.

On Your Computer

  • If you are using security software that monitors websites such as an anti-virus suite, make sure it's up-to-date so you won't be infected that way in the first place.
  • Contact your ISP. Right now, the researchers who originally published this research have been quietly working behind the scenes for over a year concerning this, and have unfortunately gotten very little traction, which is why they have made the exploit public. They hope that, by putting this out publicly, before it is seen in-the-wild, companies will work to fix the problem before it becomes a problem you have to worry about.
This isn't a fault or bug with your computer; rather, it is a bug in the modem itself that is vulnerable to attack.
This announcement has been made rather publicly, so most ISPs have started serious work to patch modems in use. Because, as a user, you are affected by this but unable to do much to solve it, it is also your ISP's responsibility to keep you informed on their patching efforts. Details your ISP may need are provided on the Cable Haunt page.
Further Information
For more information about the exploit, the researchers have set up the following page.
