Andreas Lindh has discovered serious vulnerabilities in an unknown number of 3G/4G USB modems that can be exploited by attackers for spear phishing attacks.
The researcher Andreas Lindh has discovered serious vulnerabilities in an unknown number of 3G and 4G USB modems that can be exploited by attackers to steal users’ credentials. The expert found a Cross-Site Request Forgery (CSRF) vulnerability, a flaw that is very widespread among the network devices on the market. Almost every device is in fact configurable via a built-in web server, and this is the interface most often exploited by hackers, as happened in the case of the TP-LINK routers recently discovered to be vulnerable.
In this case, the USB modem could be easily hacked by exploiting the CSRF flaw: when the user visits a malicious website, the attacker could automatically gain access to the USB modem’s control-panel web page and tamper with the device.
Using the above attack scheme, a cybercriminal could send text messages to premium-rate numbers to monetize the hack, or the flaw could be used for cyber espionage purposes. In the latter case, it is enough for the attacker to set up a malicious web page that deceives the user with a fake login page for a legitimate application (e.g. Facebook or Twitter) and captures the victim’s credentials.
Let’s review the details of each of the above opportunities that the hack offers to attackers.
SMS by CSRF
As anticipated, Lindh exploited a CSRF vulnerability to send a text message from the interface of the modem. The attack is facilitated by the fact that, unlike Wi-Fi routers, USB modems require no authentication to complete the operation.
It must also be considered that the attack technique is very effective, because the web interface of each affected device can be used to configure roaming, set a SIM PIN and, of course, silently send and receive text messages from the USB modem.
“I fairly quickly found a CSRF vulnerability that would allow me to make the modem send a text message to any number of my choosing, simply by having the user go to a website under my control,” “Unlike Wi-Fi routers, there is no login functionality for USB modems so I didn’t have to worry about bypassing authentication.” said Lindh.
This is the POST request used to send the SMS, modifying the msg_content parameter, which is the encoded content of the message.
Phishing
Lindh also demonstrated a phishing attack scenario, providing the code for a fake Facebook login page in a data URI hidden behind a TinyURL link, which could be sent to a victim by email or shared on a social network. Note that the attack doesn’t need a web server to host the bogus page: the hack exploits the data URI, loading the page in the browser address bar. When the user opens the data URI, the browser renders the fake Facebook page and, once the user has submitted his credentials, JavaScript sends them to the attacker via the USB modem, for example by exploiting the above flaw in the SMS send function.
“As an exercise, I created a fake Facebook login site which in addition to logging the victim into the real Facebook at the same time also steals the user’s login credentials. I then proceeded to turn the HTML file into a data URI using this online tool, and then used TinyUrl to shorten the extremely long data URI to a real HTTP address which would then resolve to the data URI.” said Lindh.
The technique illustrated appears very intriguing because it allows an attacker to conduct a spear phishing offensive against a limited number of users of (certain) USB modems. Consider also that, as remarked by the author of the post, an attack can reach the target without any infrastructure requirements (no web server to host the spoofed website, no server to receive the stolen credentials).
“All that is needed is an email address or some other way to distribute the URL, and a pre-paid phone to receive the text messages.”
In my opinion, once again we are faced with a problem caused by the lack of security by design, a problem very common in goods intended for mass consumption. The 3G/4G USB modems suffer from a lack of authentication, which is easy to fix but evidently has never been analyzed by the manufacturer.
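One way a modem's built-in web interface could refuse the forged requests described above, as an added example (not code from Lindh's post or from any modem vendor). The device address, the `csrf_token` form field and the function names are assumptions; only the `msg_content` parameter comes from the article.

```python
import hmac
import secrets
from urllib.parse import urlsplit

# Assumption: address at which the modem serves its control panel.
DEVICE_ORIGIN = "http://192.168.1.1"
STATE_CHANGING = {"POST", "PUT", "DELETE"}

def new_csrf_token():
    """Random per-session token the control panel embeds in its own forms."""
    return secrets.token_urlsafe(32)

def _origin_of(url):
    parts = urlsplit(url)
    return f"{parts.scheme}://{parts.netloc}".lower()

def check_request(method, headers, form, session_token):
    """Return (allowed, reason) for a request to the modem's web interface."""
    if method.upper() not in STATE_CHANGING:
        return True, "safe method"
    h = {k.lower(): v for k, v in headers.items()}
    # The request must be addressed to the device itself.
    if _origin_of("http://" + h.get("host", "")) != DEVICE_ORIGIN:
        return False, "unexpected Host"
    # Browsers attach Origin to cross-site POSTs; a page opened from a
    # data: URI has an opaque origin and sends the literal string "null".
    source = h.get("origin")
    if source is None and "referer" in h:
        source = _origin_of(h["referer"])
    if source is None:
        return False, "no Origin or Referer"
    if source.lower() != DEVICE_ORIGIN:
        return False, f"cross-origin source {source}"
    # A same-origin header is not enough: require the secret token too
    # ("csrf_token" is a hypothetical field name), compared in constant time.
    supplied = form.get("csrf_token", "")
    if not session_token or not hmac.compare_digest(
            supplied.encode(), session_token.encode()):
        return False, "bad CSRF token"
    return True, "ok"

if __name__ == "__main__":
    token = new_csrf_token()
    # Constructed sample requests: the panel's own form, then a forged one.
    own = {"Host": "192.168.1.1", "Origin": DEVICE_ORIGIN}
    forged = {"Host": "192.168.1.1", "Origin": "null"}
    print(check_request("POST", own, {"msg_content": "hi", "csrf_token": token}, token))
    print(check_request("POST", forged, {"msg_content": "hi"}, token))
```

The token check is what stops a forged request even when the Origin header is absent or stripped; the header checks give an early, loggable rejection reason.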