A couple of Russian security researchers have found that the majority of 3G and 4G USB modems handed out by mobile operators to unsuspecting customers are wide open to attacks.
Macworld Australia reports the researchers tested multiple 3G and 4G sticks obtained from Russian telcos over the past few months and concluded that they pose a serious security threat. Most USB modems are produced by Chinese hardware makers Huawei and ZTE, and they are sold across the world with different mobile operators’ stickers on top.
Sadly though, researchers Nikita Tarakanov and Oleg Kupreev could not test baseband attacks against Qualcomm chips used in the modems because in Putin’s Russia it is illegal to own your own GSM base station, unless you are an intelligence agency or a telecom operator. Since practically all Russian oligarchs, politicians and crime bosses have a KGB background, we are rather surprised to see this limitation enforced.
That leaves a lot of research still to be done, but Tarakanov and Kupreev have already demonstrated multiple ways of attacking the modems through software flaws. Since many modems are identical, their software is very similar, and it is possible to make an image of the modem's file system, modify it and write it back onto the modem.
Tarakanov said this is surprisingly easy to do using free tools available from Huawei and other manufacturers.
Malware can easily detect the type of modem in use and hijack it with malicious customisations of the modem's own code. The configuration files, which are also stored on the modem, are in plain text and are easy to modify. Attackers can simply reroute traffic to their own servers and redefine the DNS servers used for the internet connection. They can also tamper with the custom configuration drives in such a way that the modems install malware instead of an antivirus program.
In addition, most modems are configured to automatically receive software updates from a single server. An attacker could potentially compromise the update server and take over heaps of modems handed out by multiple carriers.
Worse, Tarakanov said he did not even look for vulnerabilities in the actual modem drivers installed in the OS, but he is quite confident that they have vulnerabilities as well.