When the Internet Connects to You

Sam Curry recently discovered some alarming vulnerabilities in his modem, a Cox Panoramic wifi gateway. 

It all started when he noticed an unknown IP address was copying his same HTTP requests. When he investigated the origin of the copy-cat requests, he found two phishing site domains. 

At this point, Sam did what most of us would have already done and returned the compromised modem for another one that didn’t exhibit any of the weird behavior he’d witnessed on the last one. So… case closed, right?

Three years later, some friends in cybersecurity decided to launch an investigation of their own and found over a thousand other domains linked to that original copy-cat IP address that followed the same exact naming convention. This seemed to point to a domain generation algorithm used by the phishers to throw off suspicion.

The researchers had developed a theory that whoever exploited the vulnerability did so using the same infrastructure powering the agent support tools. To test this, Sam went to the Cox Business Portal login page and opened the files that powered the app's functionality.

There were over a hundred APIs with a base path of api/cbma. By sending HTTP requests, he learnt that the api/cbma endpoint was likely a reverse proxy to another host due to the differing behavior around the response.

"This indicated that they were proxying API requests to a dedicated backend while serving the frontend files from the normal system.”

Sam then proxied the registration request for Cox Business portal and found a Spring error run by the reverse proxy. Further probing revealed a list of all the endpoints. Running an intruder script on these endpoints revealed about half of them allowed unauthorized access.

Through replaying the requests, he was able to gain access to individual user accounts and sensitive information. Then, it was time to see if he could gain access to his own individual home account.

He was able to successfully access his account and retrieve information such as the MAC addresses of the devices connected, and more. But it went even further- with some more digging, he figured out how to not only access information, but also execute functions remotely.

“This meant that an attacker could've accessed this API to overwrite configuration settings, access the router, and execute commands on the device.”

TLDR: Through some digging and probing, Sam Curry figured out how to remotely access any Cox modem without authorization which could have enabled him (or a bad actor) to execute functions across millions of devices.

He reported these vulnerabilities (approximately 700 exposed APIs) to Cox and they have since been remedied, but this is far from the end of the story.

Cox is the largest provider of internet in the United States, and among the largest providers of TV and telephone services. The fact that their API security was so poor it could be compromised is a prime example of how overlooked API security is in today’s landscape. Now more than ever, we are seeing an unprecedented level of cyber threats targeted at APIs specifically.APIs come in all shapes and sizes, with widely varying log formats across a broad range of compute infrastructure platforms, so it’s not easy to know where to run detection and response, or on what log file formats, even for big companies like Cox with extensive cybersecurity teams.

In today’s turbulent cybersecurity landscape, API security is more important than ever before. APIs are increasingly a part of any technology infrastructure - both software and hardware-based, so API supply chain attacks like this are on the rise.To learn more about API security, and see how FireTail can help with your API security posture, schedule a free 30 minute demo with us today.