The majority of 3G and 4G USB modems offered by mobile operators to their customers have vulnerabilities in their Web-based management interfaces that could be exploited remotely when users visit compromised websites.
The flaws could allow attackers to steal or manipulate text messages, contacts, Wi-Fi settings or the DNS (Domain Name System) configuration of affected modems, and also to execute arbitrary commands on their underlying operating systems. In some cases, the devices can be turned into malware delivery platforms, infecting any computers they're plugged into.
Russian security researchers Timur Yunusov and Kirill Nesterov presented some of the flaws and attacks that can be used against USB modems Thursday at the Hack in the Box security conference in Amsterdam.
USB modems are actually small computers, typically running Linux or Android-based operating systems, with their own storage and Wi-Fi capability. They also have a baseband radio processor that's used to access the mobile network using a SIM card.
Many modems have an embedded Web server that powers a Web-based dashboard where users can change settings, see the modem's status, send text messages and see the messages they receive. These dashboards are often customized or completely developed by the mobile operators themselves and are typically full of security holes, Yunusov and Nesterov said.
The researchers claim to have found remote code execution vulnerabilities in the Web-based management interfaces of more than 90 percent of the modems they tested. These flaws could allow attackers to execute commands on the underlying operating systems.
These interfaces can only be accessed from the computers where the modems are being used, by browsing to the modem's local area network IP address. However, attackers can still exploit any vulnerabilities remotely, through a technique called cross-site request forgery (CSRF).
CSRF allows code running on a website to force a visitor's browser to make a request to another website. Therefore, users visiting a malicious Web page could unintentionally perform an action on a different website where they are authenticated, including on USB modem dashboards that are only accessible locally.
Many websites have implemented protection against CSRF attacks, but the dashboards of USB modems typically have no such protection. The researchers said that they've only seen anti-CSRF protection on some newer USB modems made by Huawei, but even in those cases, it was possible to bypass it using brute-force techniques.
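As an added illustration (not code from the researchers' talk or from any vendor's firmware), the following Python example shows the two server-side checks a modem dashboard could apply before acting on a settings change: the request must originate from the dashboard's own pages, and it must carry a per-session token long enough that guessing it is impractical. The dashboard address, function names and header dictionary are assumptions made for the example.

```python
import hmac
import secrets
from urllib.parse import urlsplit

# Assumption: the dashboard is served from this address (constructed value).
DASHBOARD_ORIGIN = "http://192.168.1.1"
STATE_CHANGING = {"POST", "PUT", "PATCH", "DELETE"}


def new_session_token() -> str:
    """Return 128 bits from the OS CSPRNG as 32 hex characters."""
    return secrets.token_hex(16)


def origin_of(url: str) -> str:
    """Reduce an Origin or Referer header value to scheme://host[:port]."""
    parts = urlsplit(url)
    return f"{parts.scheme}://{parts.netloc}".lower()


def is_request_allowed(method, headers, session_token, submitted_token) -> bool:
    """Decide whether the dashboard should act on a request.

    `headers` is a dict using the canonical names "Origin" and "Referer".
    """
    if method.upper() not in STATE_CHANGING:
        # Read-only requests pass; the handlers behind them must never
        # change settings or send messages.
        return True

    # Check 1: the browser-reported source must be the dashboard itself.
    # A forged request from another site carries that site's origin, and a
    # sandboxed page sends "null", which reduces to "://" and fails here.
    source = headers.get("Origin") or headers.get("Referer")
    if not source or origin_of(source) != DASHBOARD_ORIGIN:
        return False

    # Check 2: the per-session token must match. Compare bytes in constant
    # time so response timing does not help an attacker guess the token.
    if not session_token or not submitted_token:
        return False
    return hmac.compare_digest(session_token.encode(), submitted_token.encode())
```

Both checks are needed: the origin check rejects cross-site requests outright, and the token still protects the request if a client omits or strips those headers on the way in.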
Home routers have the same problem and a large-scale attack seen recently used CSRF to exploit vulnerabilities in more than 40 router models through users' browsers. The goal of the attack was to change the primary DNS servers used by the routers, allowing hackers to spoof legitimate websites or intercept traffic.
Since USB modems act in a way that's similar to routers, providing an Internet gateway for computers, attackers can hijack their DNS settings too for a similar effect.