Majority of 4G USB Modems, SIM Cards Exploitable

USB Modems

Researchers at the Chaos Computer Club conference in Hamburg presented research on the woeful state of security in 4G USB modems.

Researchers say 4G USB modems contain exploitable vulnerabilities through which attackers could, and researchers have, managed to gain full control of the machines to which the devices are connected.

Researchers from Positive Technologies presented a briefing detailing how to compromise USB modems and attack SIM cards via SMS over 4G networks at the PacSec and Chaos Computer Club conferences in Tokyo and Hamburg respectively over the last month.

In addition to allowing for full machine access, the 4G modem attack also yielded access to subscriber accounts on relevant carrier portals. By sending a binary SMS, the researchers managed to lock SIM cards and sniff and decrypt device traffic. The research was carried out by a Positive Technologies team consisting of Sergey Gordeychik, Alexander Zaitsev, Kirill Nesterov, Alexey Osipov, Timur Yunusov, Dmitry Sklyarov, Gleb Gritsai, Dmitry Kurbatov, Sergey Puzankov and Pavel Novikov.

Of the six USB modems with 30 separate firmware installations tested, the researchers found that just three firmware varieties were resistant to their attacks.

They managed to find publicly available telnet access credentials via Google, but they needed http access in order to monitor communications. After connecting their USB modems to their machines and listing the devices as distinct nodes with web applications, the researchers were able to launch browser-based cross-site request forgery, cross-site scripting and remote code execution attacks. Through these attacks, researchers obtained information regarding international mobile subscriber identities, universal integrated circuit cards, international mobile station equipment identities and software versions, device names, firmware versions, WI-Fi statuses and more (see image on right).

Stolen Device Information

Stolen Device Information

In addition to information, the researchers compelled the modems to change DNS settings in order to sniff traffic, change SMS center settings in order to intercept and interfere with SMS messaging, change passwords on self-service portals, lock modems by deliberately entering wrong PIN or PUK codes, and remotely update modem firmware to vulnerable versions.

The researchers noted in a blogpost that the impact of their attack methods is not limited to consumers using affected smartphones. Any number of critical infrastructure installations, including industrial control systems (ICS) and supervisory control and data acquisition (SCADA) machines use mobile communication technology based largely or at least in part on the GSM standard. Certain ATMs also deploy these USB modem technologies to remotely transmit payment data.

Their SIM attack was slightly less effective, having only managed to exploit some 20 percent of the 100 SIM cards they tested. In fact, these attacks were more or less a matter of whether or not the researchers could brute-force the data encryption standard (DES) keys protecting the SIMs. 3DES keys take substantially longer to break.

“To brute-force DES keys, we use a set of field-programmable gate arrays (FPGA), which became trendy for Bitcoin mining a couple of years ago and got cheaper after the hype was over,” the researchers wrote. “The speed of our 8 modules *ZTEX 1.15y board with the price tag of 2,000 Euro is 245.760 Mcrypt/sec. It is enough to obtain the key within 3 days.”

That was their fastest brute-force. If they had a partially known 3DES key, they could break it in 10 days. Deploying standard processing power, like the Intel CPU (Core i7-2600k), would take roughly five years to break DES and more than 20 years to break 3DES.

Once DES or 3DES is broken, researchers said they could issue commands to toolkit applications (TAR). One such TAR was a file system storing Temporary Mobile Subscriber Identity and Ciphering Keys. This access gave researcher the ability to decrypt subscriber traffic without using brute force attacks on DES, spoof a subscriber’s identity in order to receive her calls and texts, track a subscriber’s location and cause a denial of service entering three wrong PIN codes and 10 wrong PUK codes in a row if PIN code is enabled for file system protection.

Suggested articles