Security Experts:

Connect with us

Hi, what are you looking for?


Mobile & Wireless

Popular Mobile Modems Plagued by Zero-Day Flaws

Researchers have conducted an analysis of popular mobile broadband modems and routers from various vendors and discovered that the devices are plagued by serious vulnerabilities that can be leveraged in malicious attacks.

Researchers have conducted an analysis of popular mobile broadband modems and routers from various vendors and discovered that the devices are plagued by serious vulnerabilities that can be leveraged in malicious attacks.

The analysis was conducted by Positive Technologies, a company that provides compliance management, vulnerability assessment, and threat analysis solutions. Experts tested eight 3G/4G devices from Huawei, Gemtek, Quanta and ZTE, including ones running custom firmware installed by an Internet service provider.Huawei 3G Modem

According to the security firm, five of the tested modems and routers are vulnerable to remote code execution. Huawei is the only vendor that released firmware updates to address these vulnerabilities.

Experts determined that six of the verified devices lacked proper integrity protection, allowing attackers to make modifications to their firmware. The modems that offer the best protection against such attacks are designed to receive firmware updates only via the carrier’s network.

Five of the devices also lack cross-site request forgery (CSRF) protection, allowing attackers to remotely upload modified firmware and inject arbitrary code. Cross-site scripting (XSS) vulnerabilities have also been identified in four devices.

For malicious actors to exploit these vulnerabilities, they would first have to identify the model of the targeted modem or router. Positive Technologies has created a script that can be used for this purpose – the company said it managed to identify all modems using this method.

Once the targeted device is identified, the attacker can exploit RCE vulnerabilities or upload modified firmware for arbitrary code injection. Some of the analyzed modems used encryption to protect the firmware, but researchers demonstrated that the encryption can be cracked.

After gaining the ability to execute arbitrary code on a device, attackers can start intercepting data. Hackers can do this by changing the modem’s DNS settings or by configuring the device to connect to an attacker-controlled access point after determining the victim’s location based on the base station identifier or by scanning nearby Wi-Fi networks. HTTPS data can also be intercepted by adding a rogue certificate to the Trusted Root Certification Authorities store and conducting man-in-the-middle (MitM) attacks.

In the case of modems with SMS support, researchers showed that attackers can read and send SMS messages. SIM card cloning and 2G traffic interception are also possible, experts noted.

Positive Technologies says attackers can also use their access to a modem to infect the PC it’s connected to, allowing them to steal and intercept data. Furthermore, having access to both the modem and the computer can be leveraged to achieve persistence.

Experts believe these vulnerabilities can be exploited to create an extensive surveillance network.

“All in all, we have a full infection cycle of devices and related PCs. Using the infected devices, we can determine location, intercept and send SMS messages and USSD requests, read HTTP and HTTPS traffic (by replacing SSL certificates), attack SIM cards via binary SMS messages, and intercept 2G traffic,” Positive Technologies wrote in a blog post. “Further infection can continue through the operator’s networks, popular websites or equipment infected by worms (when connecting a new device).”

Data collected by Positive Technologies over a one-week period in early 2015 showed that there had been thousands of vulnerable devices visible on the Web. Three months after the vulnerabilities were reported to vendors, many of the security holes remained unfixed, researchers said.

The security firm says Huawei modems running the latest firmware version are the most secure against attacks.

Last year, Positive Technologies’ SCADA Strangelove team conducted an analysis of cellular communications equipment which, as researchers pointed out at the time, is also integrated into industrial control systems (ICS).

Related Reading: Reuse of Cryptographic Keys Exposes Millions of IoT Devices

Related Reading: Unpatched Flaws Allow Hackers to Compromise Belkin Routers

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Expert Insights

Related Content

Mobile & Wireless

Technical details published for an Arm Mali GPU flaw leading to arbitrary kernel code execution and root on Pixel 6.

Mobile & Wireless

Apple rolled out iOS 16.3 and macOS Ventura 13.2 to cover serious security vulnerabilities.

Mobile & Wireless

Apple’s iOS 12.5.7 update patches CVE-2022-42856, an actively exploited vulnerability, in old iPhones and iPads.

Mobile & Wireless

Two vulnerabilities in Samsung’s Galaxy Store that could be exploited to install applications or execute JavaScript code by launching a web page.


A digital ad fraud scheme dubbed "VastFlux" spoofed over 1,700 apps and peaked at 12 billion ad requests per day before being shut down.

Mobile & Wireless

South Dakota Gov. Kristi Noem says her personal cell phone was hacked and linked it to the release of documents by the January 6...

Mobile & Wireless

Infonetics Research has shared excerpts from its Mobile Device Security Client Software market size and forecasts report, which tracks enterprise and consumer security client...

Application Security

Software maker Adobe on Tuesday released security patches for 29 documented vulnerabilities across multiple enterprise-facing products and warned that hackers could exploit these bugs...