LAS VEGAS–Mobile broadband modems can be a great alternative if you can’t find a WiFi network or don’t trust the ones you can find. But many of the models sold by the major manufacturers contain bugs and functionality that a remote attacker can exploit without much difficulty.
Much of the market for these devices is dominated by two manufacturers, Huawei and ZTE. And many of them are sold directly to carriers, who resell them to end users. The modems themselves typically run embedded Linux, and because they’re meant to be single-user devices, they usually don’t require any authentication to use. Security researcher Andreas Lindh identified several different attacks that work against models from both Huawei and ZTE, none of which is too difficult to pull off, he said.
“Criminals like the easiest way. This is the path of least resistance,” Lindh said during a talk at the Black Hat USA conference here Wednesday. “And these attacks have great potential for paying off.”
One method Lindh found was a DNS poisoning attack. Mobile broadband modems typically come with a pre-installed profile that defines how it will connect, which DNS servers it will use and a few other parameters. The profiles aren’t visible to the end user and they’re usually not modifiable. But there’s a Web interface that users can visit in order to set up a new connection profile and Lindh found that by using a CSRF (cross-site request forgery) attack, he could inject a new profile into a device, adding his own DNS servers as the default. He then removed the original profile and renamed his new one with the same name as the original one. With the user’s traffic flowing through the DNS servers he controls, he then has the ability to gather whatever sensitive data he finds.
“There could be credentials, anything you can think of in there,” he said.
Lindh also described a related attack that would involve spoofing the server that the modems use to download firmware updates and sending a malicious update. The update could include a backdoor for persistent access to the device.
But likely the most fertile ground for future attacks is the SMS functionality contained in the modems.
“These devices are basically just cell phones that you can’t make a call with,” Lindh said.
Each modem has its own phone number and the user has the ability to send and receive SMS messages from the modem through a Web interface. Lindh described several different attacks he discovered that involve the SMS functionality. For example, he said that by using a CSRF attack through the Web interface, an attacker could force a modem to send texts to any number, such as a premium rate number the attacker controls. The attacker could then potentially identify the user through the phone number of the modem and conduct targeted phishing attacks later on.
“SMS definitely will be abused. There’s a million ways to do this,” he said.
Lindh has notified the manufacturers of the vulnerabilities he identified, and he said that Huawei is in the process of building fixes for their modems. However, he doubts that many modems will be patched.
“The update model is utterly broken for these modems. The vendors have to do one patch for each carrier, then the carrier has to decide whether to send it to their users and the users have to decide whether to install it,” he said. “Most of these devices will never be patched.”