The Russian security tester Timur Yunusov has discovered critical vulnerabilities affecting routers and 3G and 4G mobile modems from Huawei, ZTE, Gemtek, and Quanta. The security holes could be exploited by remote attackers to completely compromise machines and intercept HTTP traffic and also SMSs.
Yunusov, a security expert at the Positive Technologies, presented the discovery at the Nullcon conference held in Goa. He discovered the flaws in at least eight different devices. A rapid query on the Shodan search engine allowed him to find more than 42,000 vulnerable devices exposed on the web.
The results include roughly 2800 Gemtek modems and routers and 1250 from Quanta and ZTE.
“All the modem models investigated had critical vulnerabilities leading to complete system compromise,” Yunusov says. “Virtually all the vulnerabilities could be exploited remotely.”
The penetration tester explained that in some cases the vulnerabilities are introduced by the service providers likely to personalize the firmware running on the device. The vulnerabilities are critical because an attacker can remotely trigger them to compromise connected devices, including connected computers.
“Not all the modems had vulnerabilities in their factory settings; some of them appeared after the firmware was customised by the service provider.” he says “If we penetrate a modem … infecting a PC connected to it provides us with many ways to steal and intercept the PC user’s data,”
Almost all devices tested by Yunusov are affected by cross-site request forgery vulnerabilities and lack of input validation, this means that 60 percent of the equipment was exposed to remote code execution.
The Gemtekm Huawei and Quanta devices resulted vulnerable to firmware modifications, in some cases, the expert noticed that it was possible to upload arbitrary firmware on the units allowing to completely compromise them. Four of the eight modems and routers are affected by cross-site scripting vulnerabilities that could be exploited by a remote attacker to infect the host and intercept SMS for dedicated attackers who want to geo-locate targets.
Timur Yunusov, Kirill Nesterov and their colleagues at Positive Technologies have already conducted a similar study in the past, in October they have found since-patched remote execution and denial of service vulnerabilities in the popular Huawei 4G USB Huawei E3272 modem that can allow hackers to hijack connected computers.
In December, a team of researchers at Positive Technologies conducted a study on how to compromise USB modems and attack SIM cards via SMS over 4G networks.
The team consisting of Sergey Gordeychik, Alexander Zaitsev, Kirill Nesterov, Alexey Osipov, Timur Yunusov, Dmitry Sklyarov, Gleb Gritsai, Dmitry Kurbatov, Sergey Puzankov and Pavel Novikov discovered that 4G USB modems are affected by vulnerabilities that could be exploited by threat actors to gain full control of the machines to which the devices are connected.
(Security Affairs – hacking, mobile modems)