Cellular modems from four vendors have been popped by security researchers, who have documented cross-site scripting (XSS), cross-site request forgery (CSRF), remote code execution (RCE) and integrity attacks on the products.
The research published by Positive Technologies and carried out by the SCADA Strangelove team looked at modems from Huawei, Gemtek, Quanta and ZTE.
The tests tell some old, old stories: for example, code appearing in multiple devices suggests too many vendors base their firmware on silicon vendors' reference designs without doing enough work themselves.
The researchers say all of the devices they tested – two from Gemtek, two from Quanta (one of which was a rebadged ZTE), and three from Huawei – are vulnerable to remote code execution, and all except the Huawei devices are vulnerable to malicious firmware.
For example, it was common for firmware to be encrypted using buggy home-grown RC4 implementations and signed with SHA1/RSA – neither of which is ideal.
Because so many of the vulnerabilities – whether it's via firmware or XSS/CSRF forgery attacks – allow remote code execution, the paper states, it's easy to track devices. An attacker can read out the Cell ID or the connected WiFi base station.
Fail everywhere: why bother at all? Source: SCADA Strangelove's slideshow
The vulnerabilities also enabled a range of traffic interception attacks:
- Devices could have their DNS redirected to an attacker-controlled domain.
- Attackers can plant their own certificates into the devices' trusted root list.
- Some devices allow command-line access (via AT commands) to SMSs.
Other possibilities the research explored included using devices as PC attack vectors, attacks on SIM cards via binary SMS messages, and even upstream attacks directed at carrier networks.
The researchers conclude that the Huawei kit they tested was the least-worst.
The SCADA Strangelove group has published a slideshow here. ®