Hacking millions of modems and investigating who hacked my modem

Overall reaction to the write-up and Cox’s response

  • Many found the article unusually clear, engaging, and “fun” to follow, even for non-security readers.
  • Cox is widely praised for fast, serious handling: hotfix in ~1 day, communication with the researcher, and no visible “shoot the messenger” reaction.
  • Some skepticism remains over claims that the vulnerable service had never been abused; critics note limited logging or potential incentives not to disclose past abuse.

Bug bounties, ethics, and “extortion” debate

  • Strong disagreement over whether companies “owe” money to unsolicited researchers.
  • One camp: large, profitable ISPs should pay meaningful bounties; otherwise researchers may rationally sell exploits elsewhere.
  • Opposing camp: absent a formal program, companies owe nothing; implying “pay me or I’ll sell this” is framed by some as extortion.
  • Others distinguish between:
    • Ethical consulting-style offers vs.
    • Explicit or implicit threats (“pay or I sell/use it”).
  • Several note that bounties also reduce spammy low‑value reports and encourage safe disclosure.

Nature of the vulnerabilities and intermittent auth

  • Strong curiosity about the underlying bug that let unauthenticated API calls randomly succeed.
  • Hypotheses include: misconfigured load‑balanced backend; subset of origin servers skipping auth; caching mistakes; per-request auth state accidentally made global (singleton) and shared across users.
  • Commenters note similar bugs in other systems where authentication context “bleeds” between requests.
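As an added illustration of two of the hypotheses above (auth state kept in worker-wide singleton state, plus a load balancer spreading requests across backends), here is a small model with the vulnerable handler beside its fixed form; this is constructed code, not from the article or the thread, and the worker classes, tokens and traffic sequence are all assumptions:

```python
# Added example, not from the article or the thread. Models two of the
# hypotheses above: auth state held in worker-wide (singleton) state and a
# load balancer spreading requests over several backends. Tokens, the
# worker classes and the request sequence are all constructed here.

VALID_TOKENS = {"tok-alice": "alice"}  # constructed credential store


class VulnerableWorker:
    """Auth middleware that stores the caller on the worker instead of the
    request, so a later request with no token inherits it."""

    def __init__(self):
        self.current_user = None  # bug: this should live on the request

    def handle(self, token):
        if token in VALID_TOKENS:
            self.current_user = VALID_TOKENS[token]
        # Bug: a request without a valid token never resets current_user.
        return 200 if self.current_user is not None else 401


class FixedWorker:
    """Auth is decided from this request's own credentials only."""

    def handle(self, token):
        user = VALID_TOKENS.get(token) if token is not None else None
        return 200 if user is not None else 401


def dispatch(worker_cls, tokens, n_workers=2):
    """Round-robin load balancer: request i is served by worker i % n.
    Returns the list of HTTP status codes, one per request."""
    workers = [worker_cls() for _ in range(n_workers)]
    return [workers[i % n_workers].handle(tok) for i, tok in enumerate(tokens)]


def unauthenticated_successes(tokens, statuses):
    """Defender-side check: count 200s handed to requests that carried no
    token. Anything above zero is the signal to alert on in API logs."""
    return sum(1 for tok, st in zip(tokens, statuses) if tok is None and st == 200)


# Constructed traffic: one real login lands on worker 1, then anonymous
# requests alternate between the two backends.
TRAFFIC = [None, "tok-alice", None, None, None, None]

if __name__ == "__main__":
    for cls in (VulnerableWorker, FixedWorker):
        st = dispatch(cls, TRAFFIC)
        print(cls.__name__, st, "unauth 200s:", unauthenticated_successes(TRAFFIC, st))
```

With two backends the same anonymous request alternates between 401 and 200 depending on which worker serves it, which is exactly the "randomly succeeds" symptom; the fixed worker never returns 200 without a valid token.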

ISP equipment, remote management, and BYOD

  • Many advocate using ISP gear only as a bridge and putting a personally controlled router/firewall behind it.
  • In some countries (e.g., Germany), ISPs must allow user‑owned modems; this is seen as a major security and control win.
  • Others argue ISP-managed CPE can improve security by ensuring firmware updates, though many ISPs are criticized for not patching in practice.

Support channels and disclosure friction

  • Recurrent theme: frontline ISP support is overwhelmed by false “I’ve been hacked” reports and is structurally bad at escalating real vulnerabilities.
  • Some defend tight triage as necessary “friction”; others see it as an organizational failure that buries critical signals.
  • Responsible disclosure portals and direct security contacts are viewed as far more effective than walking into a retail store.

Legal environment and chilling effects

  • Discussion notes that in some jurisdictions (especially Germany) security research can easily trigger criminal charges, even when reported responsibly.
  • Several argue this drives researchers either to silence or to underground markets and call for laws that explicitly protect good‑faith research while penalizing negligent vendors when exploits are abused.

Why the attacker replayed HTTP traffic (speculation)

  • Multiple theories: limited visibility on the compromised device, so traffic was replayed from attacker infrastructure where responses could be observed; hunting for high‑value endpoints (especially non‑TLS or test systems); misconfigured C2 tooling; or an attempt to make the traffic appear to originate from a residential address.
  • Consensus: exact motive and mechanism remain unclear from the available information.