Nullcon Russian security tester Timur Yunusov has found critical vulnerabilities in routers and 3G and 4G modems from Huawei, ZTE, Gemtek, and Quanta. The flaws mean attackers could completely compromise machines and intercept SMS and HTTP traffic.
The research first detailed in December and showcased to hackers yesterday at the Nullcon conference in Goa revealed un-patched flaws in eight devices of which thousands were exposed over the Shodan device search engine.
Yunusov, of consultancy Positive Technologies, found some 2800 Gemtek modems and routers and 1250 from Quanta and ZTE exposed over Shodan.
“All the modem models investigated had critical vulnerabilities leading to complete system compromise,” Yunusov says.
“Virtually all the vulnerabilities could be exploited remotely.
“Not all the modems had vulnerabilities in their factory settings; some of them appeared after the firmware was customised by the service provider.”
Yunusov says almost all devices lacked cross-site request forgery protection that combined with a lack of filters meant 60 percent were exposed to remote code execution.
Three sported defences against firmware modifications but each could be compromised and undermined. Four of the eight modems and routers contain cross-site scripting vulnerabilities permitting infection of hosts and SMS interception for dedicated attackers who put in extra effort to geo-locate targets.
The penetration tester offered examples of how to exploit the vulnerable devices including how to own connected computers.
“If we penetrate a modem … infecting a PC connected to it provides us with many ways to steal and intercept the PC user's data,” he says.
Yunusov and his team have found nasty holes in popular modem kit before, including holes in Huawei devices that allow attackers to compromise connected computers.
Last year he demonstrated how an SMS could be used to manipulate rail systems and derail trains. ®