Like routers, most USB modems also vulnerable to drive-by hacking

Attackers can hijack DNS settings by exploiting vulnerabilities in the Web-based management interfaces of 3G/4G USB modems

The majority of 3G and 4G USB modems offered by mobile operators to their customers have vulnerabilities in their Web-based management interfaces that could be exploited remotely when users visit compromised websites.

The flaws could allow attackers to steal or manipulate text messages, contacts, Wi-Fi settings or the DNS (Domain Name System) configuration of affected modems, but also to execute arbitrary commands on their underlying operating systems. In some cases, the devices can be turned into malware delivery platforms, infecting any computers they're plugged into.

Russian security researchers Timur Yunusov and Kirill Nesterov presented some of the flaws and attacks that can be used against USB modems Thursday at the Hack in the Box security conference in Amsterdam.

USB modems are actually small computers, typically running Linux or Android-based operating systems, with their own storage and Wi-Fi capability. They also have a baseband radio processor that's used to access the mobile network using a SIM card.

Many modems have an embedded Web server that powers a Web-based dashboard where users can change settings, see the modem's status, send text messages and see the messages they receive. These dashboards are often customized or completely developed by the mobile operators themselves and are typically full of security holes, Yunusov and Nesterov said.

The researchers claim to have found remote code execution vulnerabilities in the Web-based management interfaces of more than 90 percent of the modems they tested. These flaws could allow attackers to execute commands on the underlying operating systems.

These interfaces can only be accessed from the computers where the modems are being used, by calling their local area network IP address. However, attackers can still exploit any vulnerabilities remotely, through a technique called cross-site request forgery (CSRF).

CSRF allows code running on a website to force a visitor's browser to make a request to another website. Therefore, users visiting a malicious Web page could unintentionally perform an action on a different website where they are authenticated, including on USB modem dashboards that are only accessible locally.

Many websites have implemented protection against CSRF attacks, but the dashboards of USB modems typically have no such protection. The researchers said that they've only seen anti-CSRF protection on some newer USB modems made by Huawei, but even in those cases, it was possible to bypass it using brute-force techniques.
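The two paragraphs above describe the mechanism (a page on one origin forcing the browser to submit a request to the modem's LAN address) and the missing defence. The following is an added example, not code from the researchers, from Huawei or from any modem vendor, of the anti-CSRF check an embedded dashboard could run before honouring a state-changing request such as a DNS-settings change. The dashboard origins, the `/api/dns` path and the `csrf_token` field name are assumptions chosen for illustration; the check itself is the standard one: reject cross-origin requests and require a per-session random token that a third-party page cannot read.

```python
import hmac
import secrets
from dataclasses import dataclass
from urllib.parse import urlsplit

# Added example (not from the article's researchers or any vendor): an
# anti-CSRF check for an embedded dashboard. Origins, paths and field names
# are assumptions for illustration.

# LAN addresses the dashboard is legitimately served from (assumed values).
DASHBOARD_ORIGINS = {"http://192.168.1.1", "http://192.168.8.1"}
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}


@dataclass
class Request:
    method: str
    path: str
    headers: dict
    form: dict


class Session:
    """One logged-in dashboard session with its own random anti-CSRF token."""

    def __init__(self):
        # 32 random bytes -> 64 hex characters. A short or predictable token is
        # what makes the brute-force bypass mentioned in the article feasible.
        self.csrf_token = secrets.token_hex(32)


def request_origin(req):
    """Return scheme://host[:port] of the page that sent the request, or None."""
    origin = req.headers.get("Origin")
    if origin:
        return origin.rstrip("/")
    referer = req.headers.get("Referer")
    if referer:
        parts = urlsplit(referer)
        if parts.scheme and parts.netloc:
            return f"{parts.scheme}://{parts.netloc}"
    return None


def check_csrf(req, session):
    """Return (allowed, reason). Rejects any request a browser could be made to
    send from a third-party page: wrong or missing origin, wrong or missing token."""
    if req.method in SAFE_METHODS:
        return True, "safe method"
    origin = request_origin(req)
    if origin is None:
        return False, "no Origin/Referer on state-changing request"
    if origin not in DASHBOARD_ORIGINS:
        return False, f"cross-origin request from {origin}"
    supplied = req.form.get("csrf_token", "")
    # Constant-time comparison on bytes; a mismatch must not leak timing.
    if not hmac.compare_digest(supplied.encode(), session.csrf_token.encode()):
        return False, "missing or invalid anti-CSRF token"
    return True, "origin and token verified"


def demo():
    """Two constructed requests: one forced by a foreign page, one from the
    dashboard's own form. Returns the two allow/deny decisions."""
    session = Session()
    # The browser attaches the modem's cookie to both, but the foreign page
    # cannot read the per-session token, so it cannot include it.
    forged = Request("POST", "/api/dns", {"Origin": "http://third-party.example"},
                     {"primary_dns": "198.51.100.53"})
    legit = Request("POST", "/api/dns", {"Origin": "http://192.168.1.1"},
                    {"primary_dns": "192.0.2.53", "csrf_token": session.csrf_token})
    return check_csrf(forged, session)[0], check_csrf(legit, session)[0]


if __name__ == "__main__":
    print(demo())  # (False, True)
```

The origin check alone is worth having because it is stateless and cheap on an embedded server, but it falls back to rejecting when neither `Origin` nor `Referer` is present; the token is what protects the request when the origin headers are stripped or unavailable.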

Home routers have the same problem and a large-scale attack seen recently used CSRF to exploit vulnerabilities in more than 40 router models through users' browsers. The goal of the attack was to change the primary DNS servers used by the routers, allowing hackers to spoof legitimate websites or intercept traffic.

Since USB modems act in a way that's similar to routers, providing an Internet gateway for computers, attackers can hijack their DNS settings too for a similar effect.

In some cases it's also possible to get root shells on the modems or to replace their entire firmware with modified, malicious versions, the two researchers said.

Attacks can go even deeper. The researchers showed a video demonstration where they compromised a modem through a remote code execution flaw and then made it switch its device type from a network controller to a keyboard. They then used this functionality to type rogue commands on the host computer in order to install a bootkit -- a boot-level rootkit.

Using CSRF is not the only way to remotely exploit some of the vulnerabilities in USB modem dashboards. In some cases the researchers found cross-site scripting (XSS) flaws that could be exploited via SMS.

In a demonstration, they sent a specially crafted text message to a modem that, when viewed by the user in the dashboard, triggered a command to reset the user's service password. The mobile operator sent the new password back via SMS, but the rogue code injected via XSS hid that new message in the dashboard and forwarded the password to the attackers.
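The root cause in the demonstration above is a dashboard that drops the raw body of a received SMS into its HTML. As an added example, not code from the researchers or from any modem vendor, the snippet below shows that vulnerable pattern next to the fixed renderer, which HTML-escapes every untrusted field before it reaches the page, plus a Content-Security-Policy value that blocks inline script as defence in depth. The message fields and the inbox contents are constructed for illustration.

```python
import html
import re

# Added example (not from the article's researchers or any vendor): rendering
# received SMS bodies into dashboard HTML. Message fields are assumptions.

# Constructed inbox: an ordinary message and one carrying script markup of the
# kind the article describes arriving over SMS.
INBOX = [
    {"from": "+15550000001", "body": "Your balance is 12.50"},
    {"from": "+15550000002", "body": "<script>alert('xss')</script>"},
]


def render_inbox_vulnerable(messages):
    """Before: raw SMS text interpolated straight into the page, so any markup
    in a message is parsed and executed by the browser."""
    rows = "".join(f"<li><b>{m['from']}</b>: {m['body']}</li>" for m in messages)
    return f"<ul id='inbox'>{rows}</ul>"


def render_inbox_fixed(messages):
    """After: every untrusted field is HTML-escaped (quotes included), so the
    browser shows the message as text rather than treating it as markup."""
    rows = "".join(
        f"<li><b>{html.escape(m['from'], quote=True)}</b>: "
        f"{html.escape(m['body'], quote=True)}</li>"
        for m in messages
    )
    return f"<ul id='inbox'>{rows}</ul>"


SCRIPT_TAG = re.compile(r"<\s*script", re.IGNORECASE)


def contains_script_tag(page):
    """Crude check used by the demo: does the rendered page contain a live
    <script> tag (as opposed to the escaped text '&lt;script&gt;')?"""
    return SCRIPT_TAG.search(page) is not None


# Defence in depth: a policy that refuses inline script even if one escaping
# site is missed. How the header is emitted depends on the embedded server;
# the value is shown as a constant (name, value) pair.
CSP_HEADER = (
    "Content-Security-Policy",
    "default-src 'self'; script-src 'self'; object-src 'none'",
)


if __name__ == "__main__":
    print(contains_script_tag(render_inbox_vulnerable(INBOX)))  # True
    print(contains_script_tag(render_inbox_fixed(INBOX)))       # False
```

Escaping at the output site, rather than trying to filter incoming SMS text, is the reliable fix: the message is stored unchanged, and whatever it contains is rendered as text. Hiding a message from the inbox or reading other messages from the page, as in the demonstration, requires script running in the dashboard's origin, which escaping plus the policy above denies.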

The researchers also mentioned other possible attacks, like locking the modem's SIM card by repeatedly entering the wrong PIN and then PUK code.

In an attempt to see how easy it would be for attackers to find vulnerable devices, the researchers set up a special modem fingerprinting script on the home page of a popular security portal in Russia. They claim to have identified over 5,000 USB modems in a week that were vulnerable to remote code execution, cross-site scripting and cross-site request forgery.

Stories by Lucian Constantin