Some USB modems can be abused to send malicious SMS messages and even to carry out spear-phishing attacks, sometimes both at once, thanks to a cross-site request forgery (CSRF) vulnerability in the devices' web interfaces.
According to Swedish security researcher Andreas Lindh, who wrote about his findings on 3VILDATA, an information security blog he shares with a fellow Swede, the problem is present in 3G and 4G modems that plug into machines and connect to the Internet through a built-in SIM card.
Lindh says he hasn’t had time to notify the vendor yet, so he has held off on naming the specific USB modem used in his exploit, but he does say it’s a “high-end one” that is “quite expensive” and “mostly used by corporate customers.”
The USB modem in question is configured through a web interface. Lindh notes that from it he can set a PIN, change it, enable or re-enable it, add a connection profile, and so on. The CSRF vulnerability he found also lets him send a text message through the modem, via that same web interface, to any phone number. All it takes is luring the user to a website under his control, and the URL of that site is easy to obfuscate.
The vulnerability lets Lindh craft the HTTP POST request without having to bypass authentication, because there is none: the web interface has no authentication at all, so any POST a victim’s browser makes to it is honoured.
In the code Lindh posted, the International Mobile Subscriber Identity (IMSI) is blacked out (strictly, the IMSI identifies the SIM subscription, while the dialable phone number is the MSISDN), but the msg_content parameter, the field Lindh realised he could fill with arbitrary text and have sent as an SMS to any number, can be seen.
Lindh also realized that he could employ the same exploit in a phishing attack.
Using a data URI, Lindh put together a fake Facebook login page. Data URIs, supported by all mainstream browsers (Chrome, Firefox, Safari and others), let a resource be embedded directly in the URL instead of being fetched from a server: the browser renders whatever the URL carries, so an entire HTML page can live in the address bar. Lindh’s page does exactly that. The fake Facebook mock-up is encoded into the link itself, so it needs neither a domain nor a server to host it.
Lindh then rigged the fake page so that, once the victim fills in the login form, the entered credentials are submitted to the modem’s web interface and forwarded to him as a text message.
To test the exploit he hid the fake site’s long data URL behind a TinyURL link and sent it to a dummy email account. After clicking through and logging in, the login details arrived on his phone via the modem’s SMS function.
Lindh notes in the blog post that it’s an “attack completely without infrastructure requirements; no web server to host the spoofed website, no server to post the stolen credentials to,” writing that all that’s needed is an “email address or some other way to distribute the URL, and a pre-paid phone to receive the text messages.”
Lindh acknowledges that for the trick to really work it would have to be a highly targeted attack, but insists it may not be “as unlikely as it may seem at first.”