In some cases it's also possible to get root shells on the modems or to replace their entire firmware with modified, malicious versions, the two researchers said.
Attacks can go even deeper. The researchers showed a video demonstration where they compromised a modem through a remote code execution flaw and then made it switch its device type from a network controller to a keyboard. They then used this functionality to type rogue commands on the host computer in order to install a bootkit — a boot-level rootkit.
Using CSRF is not the only way to remotely exploit some of the vulnerabilities in USB modem dashboards. In some cases the researchers found cross-site scripting (XSS) flaws that could be exploited via SMS.
In a demonstration, they sent a specially crafted text message to a modem that, when viewed by the user in the dashboard, triggered a command to reset the user's service password. The new password was sent by the mobile operator back via SMS, but the rogue code injected via XSS hid the new message in the dashboard and forwarded the password to the attackers.
The researchers also mentioned other possible attacks, like locking the modem's SIM card by repeatedly entering the wrong PIN and then PUK code.
In an attempt to see how easy it would be for attackers to find vulnerable devices, the researchers set up a special modem fingerprinting script on the home page of a popular security portal in Russia. They claim to have identified over 5,000 USB modems in a week that were vulnerable to remote code execution, cross-site scripting and cross-site request forgery.