Corporate USB modems open to SMS attack
By Darren Pauli on Jan 30, 2014 5:59PM
Attackers rack up phone bills, steal login credentials
High-end USB modems can be compromised by hackers who can cash in by sending SMS messages to expensive premium numbers or steal login information through targeted attacks.
The unnamed devices are used in the corporate sector and are still open to attack, according to researcher Andreas Lindh of Swedish security firm iSecure.
He said the simple holes were unsurprisingly present in each high-end USB modem device he tested.
"I fairly quickly found a CSRF (Cross Site Request Forgery) vulnerability that would allow me to make the modem send a text message to any number of my choosing, simply by having the user go to a website under my control," Lindh said.
"Unlike WiFi routers, there is no login functionality for USB modems so I didn’t have to worry about bypassing authentication."
The forgery attack forces users to run an attacker's commands while they are logged into their USB modem portal.
Hackers could profit from the attacks by hacking into the devices and sending SMS messages to premium numbers they control, or could use texts to send out stolen login credentials for sites such as Facebook.
The latter feat would first require a phishing attack to be launched against a target. In Lindh's example, an attacker could construct a fake Facebook page and send it to the target along with a lure to entice the target to open links.
Once the user logged in, the credentials would be stolen and could then be shipped out via the SMS feature of vulnerable USB modems.
Such attacks would be limited due to the requirement for a target to both fall for the phishing ruse and be operating a vulnerable USB modem.
Such an attack could be more successful in a corporation that runs a fleet of a single model of USB modem.
Moreover, properly constructed phishing campaigns have been proven to consistently net victims within even highly tech-savvy organisations like Twitter. Legitimate resources to construct and monitor internal phishing campaigns could be used in such attacks.
Attacks that use the Data URI scheme to load the required HTML from the web browser's address bar also mean hackers are not required to operate infrastructure.
Lindh said this was one of the primary attractions of the scheme to would-be hackers, "mainly because this would mean an attack completely without infrastructure requirements; no web server to host the spoofed website, no server to post the stolen credentials to. All that is needed is an email address or some other way to distribute the URL, and a pre-paid phone to receive the text messages".
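A server-side check that a modem's web interface could apply to reject the forged requests described above, including those issued from a data: URI page, which a browser labels with the origin "null". This is an added example, not code from the article or from Lindh's research; the modem address, the `X-CSRF-Token` header name and the token scheme are assumptions.

```python
import hmac
import secrets
from typing import Optional
from urllib.parse import urlsplit

# Assumption: the modem UI is served from this origin (hypothetical address).
ALLOWED_ORIGINS = {"http://192.168.1.1"}
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}  # these must never change state


def new_csrf_token() -> str:
    """Random token embedded in the UI page; pages on other origins cannot read it."""
    return secrets.token_urlsafe(32)


def source_origin(headers: dict) -> Optional[str]:
    """Origin of the page that issued the request (headers keyed by canonical name)."""
    origin = headers.get("Origin")
    if origin is not None:
        return origin  # a data: URI page sends the literal string "null"
    referer = headers.get("Referer")
    if referer:
        parts = urlsplit(referer)
        if parts.scheme and parts.netloc:
            return f"{parts.scheme}://{parts.netloc}"
    return None


def check_request(method: str, headers: dict, issued_token: str):
    """Return (allowed, reason) for a request to the modem UI."""
    if method.upper() in SAFE_METHODS:
        return True, "safe method"
    origin = source_origin(headers)
    if origin not in ALLOWED_ORIGINS:
        return False, f"cross-site or unknown origin: {origin}"
    sent = headers.get("X-CSRF-Token", "")
    if not hmac.compare_digest(sent.encode(), issued_token.encode()):
        return False, "missing or wrong CSRF token"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample requests to a hypothetical SMS-send endpoint.
    token = new_csrf_token()
    forged = {"Origin": "null"}
    genuine = {"Origin": "http://192.168.1.1", "X-CSRF-Token": token}
    print(check_request("POST", forged, token))
    print(check_request("POST", genuine, token))
```

Because the modems have no login, the token here is tied to the page load rather than to an authenticated session; the check relies on the browser's same-origin policy keeping that token out of reach of other sites.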
Copyright © iTnews.com.au. All rights reserved.