The researcher Andreas Lindh has discovered serious vulnerabilities in an unknown number of 3G and 4G USB modems that can be exploited by attackers to steal user’s credential. The expert has found a Cross Site Request Forgery (CSRF) vulnerability, a flaw that is very diffused within the network devices on the market. Almost every device in fact is configurable via a built-in web server, this is the interface that most of all is exploited by hackers, like happened in the case of TP-LINK routers recently discovered vulnerable.
In this case, the USM modem could be easily hacked exploiting the CSRF when the user visits a malicious website, the attacker could automatically gain the access to the USB modem control-panel web page and tamper with the device.
Using the above attack scheme, a cybercriminal could send text messages to premium-rate numbers, to monetize the hack, or could be used for cyber espionage purpose, in this last case it is enough that attacker setup a malicious web page to deceive the user proposing a fake login page for a legitimate application (e.g. Facebook or Twitter) and capture victims’ credential.
Let’s review the details for each of the above opportunities offered to the attackers by the hack
SMS by CSRF
As anticipated, Lindh exploited a CSRF vulnerability to send a text message from the interface of the modem, the attack is facilitated by the fact that unlike WiFi routers, USB modems lack for authentication mechanism to complete the operation.
It must be considered also that the attack technique is very effective because the web interface for each affected device can be used to configure roaming, set a SIM PIN and of course to silently send and receive text messages from the USB modem.
“I fairly quickly found a CSRF vulnerability that would allow me to make the modem send a text message to any number of my choosing, simply by having the user go to a website under my control,” “Unlike Wi-Fi routers, there is no login functionality for USB modems so I didn’t have to worry about bypassing authentication.” said Lindh.
This is the POST request used to send the SMS, modifying the msg_content parameter, that is the content of the message encoded
Phishing
Lindh also demonstrated a phishing attack scenario, providing the code for the fake Facebook login page in a data URI hidden behind a TinyURL link, which could be sent to a victim by email or sharing it on a social network. Be aware the attack doesn’t need a web server to host the bogus page, the hack exploit the URI loading it in the browser address bar. When the user open the data URI renders the fake Facebook page, and once submitted his credentials, a JavaScript sends them to the attacker via the USB modem, for example exploiting the above flaw in SMS send function.
“As an exercise, I created a fake Facebook login site which in addition to logging the victim into the real Facebook at the same time also steals the users login credentials. I then proceeded to turning the HTML file into a data URI using this online tool, and then used TinyUrl to shorten the extremely long data URI to a real HTTP address which would then resolve to the data URI.” said Lindh
That technique illustrated appeared very intriguing because they allow an attacker to conduct a spear phishing offensive against a limited number of users of (certain) USB modems, consider also that, as remarked by the author of the post, an attack can reach the target completely without infrastructure requirements (no web server to host the spoofed website, no server to post the stolen credentials).
“All that is needed is an email address or some other way to distribute the URL, and a pre-paid phone to receive the text messages.”
In my opinion, once again we are faced with a problem caused by the lack of security by design, a problem very common for good intended to large consume. The 3G/4G USM modems suffer a lack of authentication, easy to fix, but that evidently hasn’t never been analyzed by the manufacturer.
(Security Affairs – USB modem, hacking)