Independent security research has revealed that several 3G and 4G USB modems have security flaws which allow hackers access for phishing scams.
Andreas Lindh, from Sweden, discovered that since the modems he looked at are all managed via built-in web servers, they were vulnerable to a common hack known as a cross-site request forgery (CRSF). The result is that if a home user visited a site with malicious code embedded, a hacker could gain access to their modem controls.
Lindh explains on his blog that most of the modem’s controls would be of limited interest to a hacker, but highlighted two crucial functions. Firstly, the ability to use the modem to send SMS messages, meaning that a hacker could set up a premium-rate phone line and steal money from victims by sending multiple texts without their knowledge. He wrote that “Unlike WiFi routers, there is no login functionality for USB modems so I didn’t have to worry about bypassing authentication.”
Lindh also realised that the modems’ weaknesses could be used to direct spear-phishing attacks. Using a data URI scheme that allows for whole webpages to be loaded without needing to be actually hosted anywhere – a function which most browsers support – he created a fake Facebook login page which “in addition to logging the victim into the real Facebook...also steals the users login credentials”.
Lindh then noted the ability to manipulate SMS messages via the modem could be used to send the victims login details back to the hacker. He described the phishing attack as “far-fetched” but as Virus Bulletin points out, modems like these are often used with corporate laptops, and the potential for phishing could be huge.
Cross-site request forgeries exist when hackers take advantage of websites which allow users to post content, e.g. forums. Hackers can insert malicious code, taking advantage of the honest site’s reputable cookies to trick users into clicking on their links. Coding Horror notes that Digg, Gmail and Wikipedia have all been victims of CSRF hacks at some point or other.
Last year, Russian researchers found that many 3G and 4G modems – which often come built-in to laptops – were vulnerable to having their software re-written to hi-jack the default DNS servers used for their internet connection. This would enable hackers to direct users to rogue websites, just like Andreas Lindh’s CSRF vulnerability.