Black Hat talk exposes how easily criminals can hack mobile broadband modems

Let’s say you have your laptop and you need to get online, but you don’t trust a public wireless network such as at Starbucks or McDonalds and you don’t otherwise have access to an Ethernet cable; for some people, to the tune of about 100 million devices, the answer to this dilemma is to use a mobile broadband modem in the form of a USB dongle to access the Internet via a cellular network. But in the Black Hat USA presentation, “Attacking mobile broadband modems like a criminal would,” Andreas Lindh explained how easily attackers can remotely exploit multiple security vulnerabilities in many of those devices.

[Image: Huawei 4G LTE dongle]

Most mobile broadband modems, sometimes referred to as connect cards or data cards, are made by Huawei and ZTE. Those manufacturers sell many of the devices to wireless carriers, who then resell the modems to their customers. The modems usually run embedded Linux and work in a manner similar to Wi-Fi routers; but unlike regular routers, these modems are meant to be plugged into a USB port and used by a single user.

The modem has an embedded web server that is used to configure the device. Since the administration web page cannot be accessed wirelessly, not much attention has been focused on securing this server. In fact, there isn’t even a password to protect the admin page.

Although there has been research into vulnerabilities and how to exploit these devices in the past, the attacks were so complex that they required substantial skills and effort to pull off. Lindh, who works for ISecure Sweden, said there are much easier ways to profit from attacking the modems.

“Criminals like the easiest way. Their objective is to get paid. This is the path of least resistance. They’re going to take the path of least resistance,” Lindh said before adding, “And these attacks have great potential for paying off.”

One of those attacks would allow an attacker to change the settings on the modem. Although the user may not be able to see the pre-installed profile for how the device will connect, Lindh said an attacker could still change those settings. “I’m actually able to modify the network settings of the modem,” Lindh told Tech Page One. “Just by having users go into a webpage, I can alter the DNS settings. If I can do that, I can point them to my own DNS and then control where they go on the Internet.”

An attacker could use a DNS poisoning attack to direct a user toward a site that appeared to be Facebook, but wasn’t, in order to grab the victim’s credentials. Lindh said, “Or, if I want to make it really easy for myself, I can just get paid for sending people to ads.”

An attacker could create a persistent backdoor in several ways. One is by “spoofing the server that the modems use to download firmware updates” and installing malicious firmware. “Exploiting cross-site scripting (XSS) vulnerabilities in the modems’ administrative interfaces” would allow malicious code to be stored in the modem’s configuration to provide an attacker with continued access. Another way an attacker could set up a stealthy backdoor into the victim’s modem is by exploiting SMS functionality to implant malicious code.

Lindh believes that criminals will most likely attack the SMS functionality in the modem. He said, “These devices are basically just cell phones that you can’t make a call with. SMS definitely will be abused. There’s a million ways to do this.”

Attackers could exploit SMS functionality to steal personal data or to send SMS to a premium-rate number controlled by the attacker. Several years ago, F-Secure’s Mikko Hypponen explained this type of premium-rate SMS fraud in a Black Hat presentation titled, “You will be billed $90,000 for this call.”

Lindh advised people not to underestimate these risks because, bottom line, a criminal wants to get paid and will take the easiest path to that payday. “The update model is utterly broken for these modems,” he said. “The vendors have to do one patch for each carrier, then the carrier has to decide whether to send it to their users and the users have to decide whether to install it. Most of these devices will never be patched.”

On the same day as Lindh’s Black Hat presentation, Huawei released a security advisory and updated software fixes for the Huawei HiLink E3236 and E3276, as the devices are vulnerable to cross-site request forgery (CSRF) attacks.

Attackers can create a website that contains malicious scripts and lure E3236 and E3276 users to the website. After users visit the website and the malicious scripts execute in their browsers, the scripts can send illegitimate POST requests from the users’ computers to change the configuration or invoke functions of the E3236 and E3276.
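The CSRF weakness described above exists because the modem’s admin server accepts any configuration POST the browser delivers, regardless of which page caused it. The following added example (not Huawei’s code, and not from the talk) shows the two server-side checks an embedded admin interface needs: an Origin/Referer check against the admin page’s own origin, and a per-session synchronizer token that a third-party page cannot read. It assumes the admin page is served at `http://modem.local`, that the server keeps a secret for deriving tokens, and that the request is modelled as a plain dict; all sample values are constructed.

```python
import hashlib
import hmac
from urllib.parse import urlsplit

# Origin at which the modem's admin page is served (constructed for this example).
ADMIN_ORIGIN = "http://modem.local"
# Server-side secret used to derive tokens (constructed; a real device would generate its own).
SERVER_SECRET = b"constructed-server-secret"


def issue_csrf_token(session_id: str, secret: bytes = SERVER_SECRET) -> str:
    """Derive the anti-CSRF token bound to a session: HMAC-SHA256(secret, session id)."""
    return hmac.new(secret, session_id.encode(), hashlib.sha256).hexdigest()


def authorize_config_change(request: dict, secret: bytes = SERVER_SECRET) -> tuple[bool, str]:
    """Decide whether a settings POST is a genuine same-origin request.

    `request` is a plain dict standing in for an HTTP request with the keys
    "method", "headers", "cookies" and "form". Returns (allowed, reason).
    """
    if request["method"] != "POST":
        return False, "state-changing requests must use POST"
    headers = {k.lower(): v for k, v in request["headers"].items()}
    # Check 1: browsers attach the embedding page's origin to cross-site form posts,
    # so a request whose Origin/Referer is not the admin page is rejected outright.
    source = headers.get("origin") or headers.get("referer")
    if not source:
        return False, "missing Origin/Referer"
    parts = urlsplit(source)
    if f"{parts.scheme}://{parts.netloc}" != ADMIN_ORIGIN:
        return False, f"cross-site request from {parts.netloc}"
    # Check 2: synchronizer token. A third-party page cannot read the token that the
    # admin page embedded in its own form, so it cannot supply a matching value.
    session_id = request["cookies"].get("session")
    token = request["form"].get("csrf_token")
    if not session_id or not token:
        return False, "missing session cookie or csrf_token"
    if not hmac.compare_digest(issue_csrf_token(session_id, secret), token):
        return False, "csrf_token mismatch"
    return True, "ok"


# Constructed sample requests: a legitimate submit from the admin page and a
# forged one that a malicious page would cause the victim's browser to send.
SESSION = "s-0001"
LEGIT = {"method": "POST", "headers": {"Origin": "http://modem.local"},
         "cookies": {"session": SESSION},
         "form": {"dns1": "192.0.2.53", "csrf_token": issue_csrf_token(SESSION)}}
FORGED = {"method": "POST", "headers": {"Origin": "http://evil.example"},
          "cookies": {"session": SESSION}, "form": {"dns1": "192.0.2.53"}}
```

Both checks are needed: some clients omit Origin and Referer, and the token check is what holds when they do.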

After crediting Lindh for finding the vulnerability, Huawei said it “is not aware of any malicious use of the vulnerability described in this advisory.” There is no temporary fix, so customers are advised to contact Huawei to request the upgraded software that contains the fix.
