SECURITY VULNERABILTIES in 3G and 4G USB modems can be exploited by hackers to nick personal information such as login details, a security expert has warned.
Swedish security analyst and engineer Andreas Lindh has demonstrated on his blog how certain vulnerabilities on USB modems can be exploited to perform Cross Site Request Forgery (CSRF) attacks, which force end users to execute unwanted actions in a web application for which they are authenticated.
A CSRF attack could also see an attacker trick the users of a web application into executing actions of the attacker's choosing. A successful CSRF exploit can compromise end user data and operation for normal users. If the targeted end user is an administrator account, this can compromise the entire web application.
Lindh explained that because most USB modems have a network setup similar to that of a standard WiFi router, they can create an internal C-network, which assigns the client an IP address within the network and sets itself as the default gateway and domain name server (DNS).
"This is also where the web interface that the user interacts with resides. The modem itself also has an external interface which receives its network configuration from the internet provider," Lindh explained.
"I fairly quickly found a CSRF vulnerability that would allow me to make the modem send a text message to any number of my choosing, simply by having the user go to a website under my control. Unlike WiFi routers, there is no login functionality for USB modems so I didn't have to worry about bypassing authentication."
While this would mean profit to an attacker by sending a text message to a high charge text message service under the attacker's control, Lindh started thinking about how the vulnerability could be used in other ways.
For experiment's sake, Lindh then created a fake Facebook login website in addition to logging the victim into the real Facebook at the same time, which in turn stole the user's login credentials. He then showed how combining this attack with an CSRF attack could mean his fake Facebook login website could send him the stolen credentials in a text message, making it a targeted phishing attack aimed only at users of USB modems.
All that is needed to perform this is an email address or some other way to distribute the URL, and a pre-paid phone to receive the text messages.
"After that I added my steal_credentials() function to the functions to be executed after the user tries to login."
He demonstrates on his blog that this attack works flawlessly.
Though Lindh admits the attack is rather farfetched, he advises that users should use a plugin like Noscript to protect themselves from such attacks, while remaining vigilant about what the browser address bar actually says.
"Another useful thing would be a plugin that would block requests to internal addresses (192.168.x.x, 10.x.x.x, etc) initiated by external or other untrusted websites, but I haven't seen one so far," he added. µ