Vulnerabilities in a number of 3G and 4G USB modems can be exploited to steal login credentials – or rack up victims' mobile bills by sending text messages to premium-rate numbers – a security researcher warns. Andreas Lindh claims that all the devices he has looked at so far are managed via their built-in web servers and – you …
Plenty of blame to go around here
The USB standards group is to blame for not having created a standard USB serial interface specification, which in turns means you can't have a serial modem dongle work out of the box.
3GPP group, and various telcos for not specifying a default internet APN (empty string perhaps?) and operators desire for complicating the setup, requiring all sorts of bundled crapware on modem dongles.
Having a web server on the dongle gets around the setup problem, but not checking the Referer in the http request header is plain stupid in this case
Re: Plenty of blame to go around here
"The USB standards group is to blame for not having created a standard USB serial interface specification, which in turns means you can't have a serial modem dongle work out of the box."
Ok, but 3G/4G devices are network interfaces, so serial is not really the right protocol anyways. Most devices that I've seen appear as an ethernet device.
Plus ca change...
I wonder how long it'll be before someone reinvents the old "modem hijacker" script that silently diverted your connection to a different - premium-rate - ISP?
Re: Plus ca change...
I'm pretty sure your ISP is locked in at the network level nowadays, you need a MAC code before your current provider will let go of your connection.
Re: Plus ca change...
"I wonder how long it'll be before someone reinvents the old "modem hijacker" script that silently diverted your connection to a different - premium-rate - ISP?"
Or as we used to call them - CompuServe CDs!
Re: A good example...
I'd disagree with this comment, I can personally think of very many legitimate business cases for a premium rate SMS, and sellers have to be free to charge what they want to for their goods and services, this is an essential component of a free market economy. Also this is a kind of victim blaming which conveniently lets the device manufacturers/providers off the hook for selling goods that are not fit for purpose. It is they who should be utterly lambasted.
The web browsers are partly to blame here as well. At least one of my desktop browsers (Opera I think) displays a warning if an external web page attempts to redirect you to an internal IP address. If they all did this (and for ajax calls as well of course) then this would at least make this type of attack harder to pull off purely with remote code. Of course this doesn't remove the responsibility of the device designers to actually think and prevent this type of attack as well.
Can anyone point to a list of vulnerable devices?
Could be a useful list [cough cough] both coming and going.
Re: Can anyone point to a list of vulnerable devices?
Indeed, this is the kicker for me. I have a TP-Link M5350, and want to know if it's pwnable. I changed the login creds. This one is wi-fi only, no USB.
Also: USB modems with web interfaces, eh? I'm trying to get a new Samsung LTE dongle that simulates an Ethernet interface configured without using the crapware. I've successfully pulled out the drivers for my platform (OS X) and have the interface up (and also, it seems, a serial interface). But there isn't an answer to the DHCP client. Ultimately I'd like to plug it into a Draytek 2860, and have for this purpose probed it under Linux with usb_modeswitch, successfully. Not sure what to do from here; guess I'll have to guess some values, or get someone with sight to help me configure it using the bundled crapware. :(
To the poster who said it, they're absolutely correct that the entire mobile industry--from electronics makers with their zero-CD and locking shite to "Carriers" with their private deals with the electronics makers for implementing such restrictions as tethering and 4G limitation to the 3GPP and related (sub)standard bodies who bless this tripe--are a bunch of criminals who have committed great atrocities against the people.
Why does a plug in dongle require web setup anyway?
It should be a dumb (from the users point of view) device that just requires a 2 way initialisation conversation to get it going as per old style dial up modems which would prevent any web related attacks. Obviously .exe malware could reset it but thats a whole different ball game.
WAN .NE. LAN
- Product round-up Ten excellent FREE PC apps to brighten your Windows
- Analysis Pity the poor Windows developer: The tools for desktop development are in disarray
- Review Tough Banana Pi: a Raspberry Pi for colour-blind diehards
- Product round-up Ten Mac freeware apps for your new Apple baby
- Chromecast video on UK, Euro TVs hertz so badly it makes us judder – but Google 'won't fix'