Like routers, most USB modems also vulnerable to drive-by hacking

28.05.2015
The majority of 3G and 4G USB modems offered by mobile operators to their customers have vulnerabilities in their Web-based management interfaces that could be exploited remotely when users visit compromised websites.

The flaws could allow attackers to steal or manipulate text messages, contacts, Wi-Fi settings or the DNS (Domain Name System) configuration of affected modems, but also to execute arbitrary commands on their underlying operating systems. In some cases, the devices can be turned into malware delivery platforms, infecting any computers they're plugged into.

Russian security researchers Timur Yunusov and Kirill Nesterov presented some of the flaws and attacks that can be used against USB modems Thursday at the Hack in the Box security conference in Amsterdam.

USB modems are actually small computers, typically running Linux or Android-based operating systems, with their own storage and Wi-Fi capability. They also have a baseband radio processor that's used to access the mobile network using a SIM card.

Many modems have an embedded Web server that powers a Web-based dashboard where users can change settings, see the modem's status, send text messages and see the messages they receive. These dashboards are often customized or completely developed by the mobile operators themselves and are typically full of security holes, Yunusov and Nesterov said.

The researchers claim to have found remote code execution vulnerabilities in the Web-based management interfaces of more than 90 percent of the modems they tested. These flaws could allow attackers to execute commands on the underlying operating systems.

These interfaces can only be accessed from the computer the modem is plugged into, by requesting the modem's local-network IP address in a browser. That does not put them out of an attacker's reach, however: the vulnerabilities can still be exploited remotely through a technique called cross-site request forgery (CSRF).

CSRF allows code running on a website to make a visitor's browser send a request to another site, and the browser attaches whatever cookies or session credentials it already holds for that site. Therefore, users visiting a malicious Web page could unintentionally perform an action on a different website where they are authenticated, including on USB modem dashboards that are only accessible locally: the attacker's page cannot reach the modem directly, but the victim's browser can.

Many websites have implemented protection against CSRF attacks, but the dashboards of USB modems typically have no such protection. The researchers said that they've only seen anti-CSRF protection on some newer USB modems made by Huawei, but even in those cases, it was possible to bypass it using brute-force techniques.

Home routers have the same problem and a large-scale attack seen recently used CSRF to exploit vulnerabilities in more than 40 router models through users' browsers. The goal of the attack was to change the primary DNS servers used by the routers, allowing hackers to spoof legitimate websites or intercept traffic.

Since USB modems act in a way that's similar to routers, providing an Internet gateway for computers, attackers can hijack their DNS settings too for a similar effect.

In some cases it's also possible to get root shells on the modems or to replace their entire firmware with modified, malicious versions, the two researchers said.

Attacks can go even deeper. The researchers showed a video demonstration where they compromised a modem through a remote code execution flaw and then made it switch its device type from a network controller to a keyboard. They then used this functionality to type rogue commands on the host computer in order to install a bootkit -- a boot-level rootkit.

Using CSRF is not the only way to remotely exploit some of the vulnerabilities in USB modem dashboards. In some cases the researchers found cross-site scripting (XSS) flaws that could be exploited via SMS, because the dashboard displays incoming messages without sanitizing their content.

In a demonstration, they sent a specially crafted text message to a modem that, when viewed by the user in the dashboard, triggered a command to reset the user's service password. The mobile operator sent the new password back via SMS, but the rogue code injected via XSS hid that message in the dashboard and forwarded the password to the attackers.
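The rendering flaw behind that SMS attack, as an added example that is not code from the article, the researchers or any modem vendor. It shows a dashboard inbox that interpolates message bodies straight into HTML beside a version that escapes them; the message objects, the payload text and the dashboard markup are constructed for illustration.

```javascript
// Added example (not from the article or any vendor): how a dashboard that
// renders SMS bodies unescaped lets a text message carry script, and how
// escaping output stops it. Message format and markup are assumptions.

// Constructed message as the dashboard would receive it from the baseband.
// The body is attacker-controlled; the handler stands in for the researchers'
// payload that requested a password reset and hid the operator's reply.
const maliciousSms = {
  from: "+15555550100", // constructed sender
  body: '<img src=x onerror="fetch(\'/api/reset_password\');">Hello',
};
const benignSms = { from: "+15555550101", body: "Your code is 1234 & thanks" };

// Vulnerable rendering: the body is interpolated straight into markup, so
// any tag in the SMS becomes part of the dashboard page.
function renderInboxVulnerable(messages) {
  return messages.map(m => `<li><b>${m.from}</b>: ${m.body}</li>`).join("");
}

// Escape the five characters that can change HTML structure or break out of
// an attribute value.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, c => ({
    "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
  })[c]);
}

// Hardened rendering: every untrusted field is escaped before insertion.
function renderInboxHardened(messages) {
  return messages
    .map(m => `<li><b>${escapeHtml(m.from)}</b>: ${escapeHtml(m.body)}</li>`)
    .join("");
}

// Crude check used to show the difference: does the rendered markup contain
// any tag other than the dashboard's own <li> and <b>?
function containsForeignTag(html) {
  const allowed = new Set(["li", "/li", "b", "/b"]);
  return [...html.matchAll(/<\s*([^\s>]+)/g)]
    .some(m => !allowed.has(m[1].toLowerCase()));
}

console.log("vulnerable:", renderInboxVulnerable([maliciousSms]));
console.log("hardened:  ", renderInboxHardened([maliciousSms]));
```

Escaping has to match the insertion context: the rules above are right for text and double-quoted attribute values, but a body placed inside a script block or a URL needs a different encoder, and a restrictive Content-Security-Policy on the dashboard limits what an injected handler could do if one slips through.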

The researchers also mentioned other possible attacks, like locking the modem's SIM card by repeatedly entering the wrong PIN and then PUK code.

In an attempt to see how easy it would be for attackers to find vulnerable devices, the researchers set up a special modem fingerprinting script on the home page of a popular security portal in Russia. They claim to have identified over 5,000 USB modems in a week that were vulnerable to remote code execution, cross-site scripting and cross-site request forgery.

Lucian Constantin