Like routers, most USB modems also vulnerable to drive-by hacking

Attackers can hijack DNS settings by exploiting vulnerabilities in the Web-based management interfaces of 3G/4G USB modems

The majority of 3G and 4G USB modems offered by mobile operators to their customers have vulnerabilities in their Web-based management interfaces that could be exploited remotely when users visit compromised websites.

The flaws could allow attackers to steal or manipulate text messages, contacts, Wi-Fi settings or the DNS (Domain Name System) configuration of affected modems, and also to execute arbitrary commands on their underlying operating systems. In some cases, the devices can be turned into malware delivery platforms, infecting any computers they're plugged into.

Russian security researchers Timur Yunusov and Kirill Nesterov presented some of the flaws and attacks that can be used against USB modems Thursday at the Hack in the Box security conference in Amsterdam.

USB modems are actually small computers, typically running Linux or Android-based operating systems, with their own storage and Wi-Fi capability. They also have a baseband radio processor that's used to access the mobile network using a SIM card.

Many modems have an embedded Web server that powers a Web-based dashboard where users can change settings, see the modem's status, send text messages and see the messages they receive. These dashboards are often customized or completely developed by the mobile operators themselves and are typically full of security holes, Yunusov and Nesterov said.

The researchers claim to have found remote code execution vulnerabilities in the Web-based management interfaces of more than 90 percent of the modems they tested. These flaws could allow attackers to execute commands on the underlying operating systems.

These interfaces can only be accessed from the computers where the modems are being used, by connecting to the modem's local area network IP address. However, attackers can still exploit any vulnerabilities remotely, through a technique called cross-site request forgery (CSRF).

CSRF allows code running on a website to force a visitor's browser to make a request to another website. Therefore, users visiting a malicious Web page could unintentionally perform an action on a different website where they are authenticated, including on USB modem dashboards that are only accessible locally.

Many websites have implemented protection against CSRF attacks, but the dashboards of USB modems typically have no such protection. The researchers said that they've only seen anti-CSRF protection on some newer USB modems made by Huawei, but even in those cases, it was possible to bypass it using brute-force techniques.
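The check such a dashboard is missing can be sketched as follows. This is an added example, not code from the researchers or from any modem vendor; the dashboard address `192.168.8.1` and the field names `csrf_token` and `dns1` are assumptions made for illustration. It rejects state-changing requests that originate from another site and requires a 128-bit random token, which is too large to recover by brute force.

```python
import hmac
import secrets
from urllib.parse import urlsplit

# Assumed for illustration: the dashboard's own origin on the modem's LAN address.
DASHBOARD_ORIGIN = "http://192.168.8.1"
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}  # these must never change settings


def new_csrf_token() -> str:
    """Per-session token with 128 bits of randomness (32 hex characters)."""
    return secrets.token_hex(16)


def same_origin(header_value: str) -> bool:
    """True if an Origin or Referer value points at the dashboard itself."""
    parts = urlsplit(header_value)
    return f"{parts.scheme}://{parts.netloc}" == DASHBOARD_ORIGIN


def allow_request(method, headers, form, session_token):
    """Decide whether the dashboard should act on a request.

    headers: dict with lowercase names; form: dict of submitted fields.
    Returns (allowed, reason).
    """
    if method in SAFE_METHODS:
        return True, "safe method"
    source = headers.get("origin") or headers.get("referer")
    if not source:
        return False, "no Origin/Referer on state-changing request"
    if not same_origin(source):
        return False, "cross-site request"
    submitted = form.get("csrf_token", "")
    # Constant-time comparison so the token cannot be recovered byte by byte.
    if not session_token or not hmac.compare_digest(
        submitted.encode(), session_token.encode()
    ):
        return False, "bad CSRF token"
    return True, "ok"


if __name__ == "__main__":
    token = new_csrf_token()
    # Constructed sample requests: a forged DNS change and a legitimate one.
    forged = ({"origin": "http://news.example"}, {"dns1": "203.0.113.5"})
    legit = ({"origin": DASHBOARD_ORIGIN}, {"dns1": "198.51.100.1", "csrf_token": token})
    for headers, form in (forged, legit):
        print(allow_request("POST", headers, form, token))
```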

Home routers have the same problem and a large-scale attack seen recently used CSRF to exploit vulnerabilities in more than 40 router models through users' browsers. The goal of the attack was to change the primary DNS servers used by the routers, allowing hackers to spoof legitimate websites or intercept traffic.

Since USB modems act in a way that's similar to routers, providing an Internet gateway for computers, attackers can hijack their DNS settings too for a similar effect.

In some cases it's also possible to get root shells on the modems or to replace their entire firmware with modified, malicious versions, the two researchers said.

Attacks can go even deeper. The researchers showed a video demonstration where they compromised a modem through a remote code execution flaw and then made it switch its device type from a network controller to a keyboard. They then used this functionality to type rogue commands on the host computer in order to install a bootkit -- a boot-level rootkit.

Using CSRF is not the only way to remotely exploit some of the vulnerabilities in USB modem dashboards. In some cases the researchers found cross-site scripting (XSS) flaws that could be exploited via SMS.

In a demonstration, they sent a specially crafted text message to a modem that, when viewed by the user in the dashboard, triggered a command to reset the user's service password. The new password was sent back by the mobile operator via SMS, but the rogue code injected via XSS hid the new message in the dashboard and forwarded the password to the attackers.

The researchers also mentioned other possible attacks, like locking the modem's SIM card by repeatedly entering the wrong PIN and then PUK code.

In an attempt to see how easy it would be for attackers to find vulnerable devices, the researchers set up a special modem fingerprinting script on the home page of a popular security portal in Russia. They claim to have identified over 5,000 USB modems in a week that were vulnerable to remote code execution, cross-site scripting and cross-site request forgery.

Lucian Constantin

IDG News Service