
Lack of auth in 3G/4G USB modems exposes control panels to hackers

Andreas Lindh has discovered serious vulnerabilities in an unknown number of 3G/4G USB modems that can be exploited by attackers for spear phishing attacks.

The researcher Andreas Lindh has discovered serious vulnerabilities in an unknown number of 3G and 4G USB modems that attackers can exploit to steal users' credentials. The expert found a Cross-Site Request Forgery (CSRF) vulnerability, a flaw that is very widespread among the network devices on the market. Almost every device is configurable via a built-in web server, and this is the interface hackers exploit most often, as happened in the case of the TP-LINK routers recently found to be vulnerable.

In this case, the USB modem could be easily hacked by exploiting the CSRF flaw: when the user visits a malicious website, the attacker could automatically gain access to the USB modem's control-panel web page and tamper with the device.

Using the above attack scheme, a cybercriminal could send text messages to premium-rate numbers to monetize the hack, or could use it for cyber espionage. In the latter case it is enough for the attacker to set up a malicious web page that deceives the user with a fake login page for a legitimate application (e.g. Facebook or Twitter) and captures the victim's credentials.

Let’s review the details of each of the above opportunities that the hack offers to attackers.

SMS by CSRF
As anticipated, Lindh exploited a CSRF vulnerability to send a text message from the modem's interface. The attack is made easier by the fact that, unlike Wi-Fi routers, USB modems lack any authentication mechanism guarding the operation.

It must also be considered that the attack technique is very effective because the web interface of each affected device can be used to configure roaming, set a SIM PIN and, of course, silently send and receive text messages from the USB modem.

“I fairly quickly found a CSRF vulnerability that would allow me to make the modem send a text message to any number of my choosing, simply by having the user go to a website under my control,” “Unlike Wi-Fi routers, there is no login functionality for USB modems so I didn’t have to worry about bypassing authentication.” said Lindh.

This is the POST request used to send the SMS; the attacker modifies the msg_content parameter, which holds the encoded content of the message.
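A server-side check that would reject the forged SMS request described in this section, as an added example (not code from the original article, from Lindh, or from any modem firmware). The panel address and the `csrf_token` field name are assumptions made for illustration; `msg_content` is the parameter named above.

```python
import hmac
import secrets
from urllib.parse import urlsplit

# Assumptions for illustration only: the panel's address and the csrf_token
# field name are constructed; msg_content is the parameter named in the article.
PANEL_ORIGIN = "http://192.168.1.1"
STATE_CHANGING = {"POST", "PUT", "PATCH", "DELETE"}


def new_csrf_token() -> str:
    """Random per-session token the panel embeds in the forms it serves."""
    return secrets.token_urlsafe(32)


def origin_of(url: str) -> str:
    """Reduce an Origin or Referer value to scheme://host[:port]."""
    parts = urlsplit(url)
    return f"{parts.scheme}://{parts.netloc}".lower()


def check_request(method, headers, form, session_token):
    """Return (allowed, reason) for a request reaching the modem panel."""
    if method.upper() not in STATE_CHANGING:
        return True, "safe method"
    hdrs = {k.lower(): v for k, v in headers.items()}
    # The Host header must name the panel itself (also blunts DNS rebinding).
    if hdrs.get("host", "").lower() != urlsplit(PANEL_ORIGIN).netloc:
        return False, "unexpected Host header"
    # Browsers attach Origin to cross-site POSTs; pages loaded from a data:
    # URI send the literal value "null", which never matches the panel.
    source = hdrs.get("origin") or hdrs.get("referer")
    if not source:
        return False, "missing Origin and Referer"
    if origin_of(source) != PANEL_ORIGIN:
        return False, "cross-origin request"
    # A foreign page cannot read the token out of the panel's own forms.
    supplied = form.get("csrf_token", "")
    if not session_token or not hmac.compare_digest(
            supplied.encode(), session_token.encode()):
        return False, "CSRF token mismatch"
    return True, "ok"
```

The token check works even on a panel with no login, because the same-origin policy stops a foreign page from reading the form the panel served.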

 

 

 

Phishing

Lindh also demonstrated a phishing attack scenario, providing the code for a fake Facebook login page in a data URI hidden behind a TinyURL link, which could be sent to a victim by email or shared on a social network. Note that the attack doesn't need a web server to host the bogus page: the hack relies on the data URI being loaded in the browser address bar. When the user opens the link, the data URI renders the fake Facebook page and, once the user has submitted their credentials, JavaScript sends them to the attacker via the USB modem, for example by exploiting the above flaw in the SMS send function.

“As an exercise, I created a fake Facebook login site which in addition to logging the victim into the real Facebook at the same time also steals the user's login credentials. I then proceeded to turning the HTML file into a data URI using this online tool, and then used TinyUrl to shorten the extremely long data URI to a real HTTP address which would then resolve to the data URI.” said Lindh.

The technique illustrated is very intriguing because it allows an attacker to conduct a spear phishing offensive against a limited number of users of (certain) USB modems. Consider also that, as remarked by the author of the post, the attack can reach the target with no infrastructure requirements at all (no web server to host the spoofed website, no server to receive the stolen credentials).

“All that is needed is an email address or some other way to distribute the URL, and a pre-paid phone to receive the text messages.”
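A mail or proxy filter can catch the delivery step described above by inspecting where a shortened link resolves. The following is an added example, not code from the original article or from Lindh; it assumes the filter has already fetched the shortener's `Location` value, and the sample inputs are constructed.

```python
import base64
import re
from urllib.parse import unquote_to_bytes

DATA_URI = re.compile(r"^data:([^;,]*)((?:;[^;,]*)*),(.*)$", re.I | re.S)
HTML_TYPES = {"text/html", "application/xhtml+xml", "image/svg+xml"}


def inspect_redirect_target(location: str) -> dict:
    """Classify the Location value returned by a URL shortener."""
    m = DATA_URI.match(location.strip())
    if not m:
        return {"data_uri": False, "verdict": "pass", "findings": []}
    mime = (m.group(1) or "text/plain").lower()
    body = unquote_to_bytes(m.group(3))
    if ";base64" in m.group(2).lower():
        try:
            body = base64.b64decode(body + b"=" * (-len(body) % 4))
        except ValueError:
            return {"data_uri": True, "verdict": "block",
                    "findings": ["undecodable base64 payload"]}
    text = body.decode("utf-8", "replace").lower()
    findings = []
    if mime in HTML_TYPES:
        findings.append("renders as active content")
    if re.search(r"<input[^>]*type\s*=\s*[\"']?password", text):
        findings.append("password field")
    if "<script" in text:
        findings.append("inline script")
    # A shortened link has no legitimate reason to resolve to an inline
    # document, so any data: target is at least held for review.
    verdict = "block" if findings else "review"
    return {"data_uri": True, "verdict": verdict, "findings": findings}


def sample_locations() -> dict:
    """Constructed inputs: an ordinary redirect and an inline HTML form."""
    page = b'<form><input type="password" name="p"></form><script></script>'
    return {
        "web": "https://example.com/article",
        "inline": "data:text/html;base64," + base64.b64encode(page).decode(),
        "text": "data:,hello%20world",
    }
```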

In my opinion, once again we are faced with a problem caused by the lack of security by design, a problem very common for goods intended for mass consumption. The 3G/4G USB modems suffer from a lack of authentication, easy to fix, but that evidently has never been analyzed by the manufacturer.

Pierluigi Paganini

(Security Affairs – USB modem, hacking)
