Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Mobile & Wireless

Popular Mobile Modems Plagued by Zero-Day Flaws

Researchers have conducted an analysis of popular mobile broadband modems and routers from various vendors and discovered that the devices are plagued by serious vulnerabilities that can be leveraged in malicious attacks.

Researchers have conducted an analysis of popular mobile broadband modems and routers from various vendors and discovered that the devices are plagued by serious vulnerabilities that can be leveraged in malicious attacks.

The analysis was conducted by Positive Technologies, a company that provides compliance management, vulnerability assessment, and threat analysis solutions. Experts tested eight 3G/4G devices from Huawei, Gemtek, Quanta and ZTE, including ones running custom firmware installed by an Internet service provider.Huawei 3G Modem

According to the security firm, five of the tested modems and routers are vulnerable to remote code execution. Huawei is the only vendor that released firmware updates to address these vulnerabilities.

Experts determined that six of the verified devices lacked proper integrity protection, allowing attackers to make modifications to their firmware. The modems that offer the best protection against such attacks are designed to receive firmware updates only via the carrier’s network.

Five of the devices also lack cross-site request forgery (CSRF) protection, allowing attackers to remotely upload modified firmware and inject arbitrary code. Cross-site scripting (XSS) vulnerabilities have also been identified in four devices.

For malicious actors to exploit these vulnerabilities, they would first have to identify the model of the targeted modem or router. Positive Technologies has created a script that can be used for this purpose – the company said it managed to identify all modems using this method.

Once the targeted device is identified, the attacker can exploit RCE vulnerabilities or upload modified firmware for arbitrary code injection. Some of the analyzed modems used encryption to protect the firmware, but researchers demonstrated that the encryption can be cracked.

After gaining the ability to execute arbitrary code on a device, attackers can start intercepting data. Hackers can do this by changing the modem’s DNS settings or by configuring the device to connect to an attacker-controlled access point after determining the victim’s location based on the base station identifier or by scanning nearby Wi-Fi networks. HTTPS data can also be intercepted by adding a rogue certificate to the Trusted Root Certification Authorities store and conducting man-in-the-middle (MitM) attacks.

In the case of modems with SMS support, researchers showed that attackers can read and send SMS messages. SIM card cloning and 2G traffic interception are also possible, experts noted.

Advertisement. Scroll to continue reading.

Positive Technologies says attackers can also use their access to a modem to infect the PC it’s connected to, allowing them to steal and intercept data. Furthermore, having access to both the modem and the computer can be leveraged to achieve persistence.

Experts believe these vulnerabilities can be exploited to create an extensive surveillance network.

“All in all, we have a full infection cycle of devices and related PCs. Using the infected devices, we can determine location, intercept and send SMS messages and USSD requests, read HTTP and HTTPS traffic (by replacing SSL certificates), attack SIM cards via binary SMS messages, and intercept 2G traffic,” Positive Technologies wrote in a blog post. “Further infection can continue through the operator’s networks, popular websites or equipment infected by worms (when connecting a new device).”

Data collected by Positive Technologies over a one-week period in early 2015 showed that there had been thousands of vulnerable devices visible on the Web. Three months after the vulnerabilities were reported to vendors, many of the security holes remained unfixed, researchers said.

The security firm says Huawei modems running the latest firmware version are the most secure against attacks.

Last year, Positive Technologies’ SCADA Strangelove team conducted an analysis of cellular communications equipment which, as researchers pointed out at the time, is also integrated into industrial control systems (ICS).

Related Reading: Reuse of Cryptographic Keys Exposes Millions of IoT Devices

Related Reading: Unpatched Flaws Allow Hackers to Compromise Belkin Routers

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Understand how to go beyond effectively communicating new security strategies and recommendations.

Register

Join us for an in depth exploration of the critical nature of software and vendor supply chain security issues with a focus on understanding how attacks against identity infrastructure come with major cascading effects.

Register

Expert Insights

Related Content

Mobile & Wireless

Infonetics Research has shared excerpts from its Mobile Device Security Client Software market size and forecasts report, which tracks enterprise and consumer security client...

Mobile & Wireless

Samsung smartphone users warned about CVE-2023-21492, an ASLR bypass vulnerability exploited in the wild, likely by a spyware vendor.

Malware & Threats

Apple’s cat-and-mouse struggles with zero-day exploits on its flagship iOS platform is showing no signs of slowing down.

Fraud & Identity Theft

A team of researchers has demonstrated a new attack method that affects iPhone owners who use Apple Pay and Visa payment cards. The vulnerabilities...

Mobile & Wireless

Critical security flaws expose Samsung’s Exynos modems to “Internet-to-baseband remote code execution” attacks with no user interaction. Project Zero says an attacker only needs...

Mobile & Wireless

Apple rolled out iOS 16.3 and macOS Ventura 13.2 to cover serious security vulnerabilities.

Mobile & Wireless

Two vulnerabilities in Samsung’s Galaxy Store that could be exploited to install applications or execute JavaScript code by launching a web page.

Mobile & Wireless

Asus patched nine WiFi router security defects, including a highly critical 2018 vulnerability that exposes users to code execution attacks.