Mobile broadband modems are small USB sticks that connect a computer to the internet through a cellular network. The great convenience of being able to stay connected outside of areas with Wi-Fi has led to over 100 million of these devices being sold. However, security flaws in these ubiquitous modems may become a boon for cybercriminals.
In a talk at the Black Hat conference, Andreas Lindh presented multiple security problems he discovered in modems produced by the two dominant manufacturers, Huawei and ZTE. He first explained that the modems work very similarly to Wi-Fi routers. As with Wi-Fi routers, the mobile broadband modems have embedded web servers that are used to configure the devices. A key difference is that as a USB device, mobile broadband modems are physically attached to a single computer. Since the administration web pages can’t be accessed wirelessly, much less attention is paid to securing this web server. There isn’t even a password protecting the administration pages.
Using cross-site request forgery (CSRF), an attacker can change settings on the modem. There are often settings that aren’t exposed to the user, but can nevertheless be changed through this attack. One example is the DNS configuration. An attacker could substitute a malicious DNS server, which could redirect the victim towards malware or advertising.
An attacker can also cause the modem to send SMS messages through similar means. This could be an avenue for stealing personal data from a compromised system, or it could be used for premium-rate SMS fraud. An attacker might change the settings for outgoing SMS messages to substitute a malicious SMSC, effectively eavesdropping on outgoing messages. Cloudmark Security Platform for Mobile Messaging provides tools that cellular carriers could use to monitor or block this kind of SMS abuse.
Finally, Andreas demonstrated that these attacks could be made persistent. Exploiting cross-site scripting vulnerabilities in the modems’ administrative interfaces, it’s possible to store malicious code in the modems’ configuration. The stored code can be presented to a web browser every time the user connects to the internet through the modem, presenting plenty of opportunities for mischief. Andreas showed that SMS messages could be used to control the implanted code, providing a stealthy backdoor into a victim’s system. Another means of persistence would be to install malicious firmware on the modem. This is unfortunately possible to do with cross-site request forgery.
Though Andreas is working with vendors on getting the vulnerabilities fixed in current products, he pointed out that the hardware is usually distributed through carriers which apply their own branding. Because users can’t get security patches directly from the vendors, there’s little hope of most vulnerable devices in the field ever being fixed. Users of these modems should be especially careful to avoid suspicious web sites that might try to carry out the attacks.