Aug 22, 2013, 11:00 am EST
The Indian security expert ‘Rahul Sasi’ found a USB Internet Modems vulnerability that could allow gaining Meterpreter shell or full access to the victim just sending an SMS.
The Indian Security expert ‘Rahul Sasi‘ announced to have found a USB Internet Modems vulnerability that could allow an attacker to execute malicious code remotely simply sending an SMS to the victim.
The USB Internet Modems belong to a category of modem that allows to the Internet, through a connection to a GSM/CDMA network, via USB Port creating a PPPoE (Point to Point protocol over Ethernet) interface to the user’s PC.
The researcher reported to the “The Hacker News” team that exploiting the USB Internet Modems vulnerability he could hack computers remotely to gain the Meterpreter shell or full access to the victim’s computer.
The Indian researcher revealed that the USB Internet Modems vulnerability could be used on large scale considering that modems respond to a phone number which lies in a particular series. Each series of modems is equipped with a specific version of the USB modem software.
All local Indian modem vendors (e.g. Idea, Reliance, Tata) are exposed to the risk of exploiting for the USB Internet Modems vulnerability, no patch has yet released to fix it.
How is it possible an attack with SMSs?
Rahul Sasi explained in his post that USB Internet Modems have a built-in dialer software that has an interface to read and send SMSs.
“These devices are supplied with dialer software either written by the hardware manufacture or by the mobile supplier. They also come bundled with device driver. One of the interesting features that are added to these dialer software’s is an interface to read/sent SMS from your computer directly. This is mainly done for sending promotion offers and advertising. These SMS modules added to the dialers, simply check the connected USB modem for incoming SMS messages, and if any new message is found it’s parsed and moved to a local sqlite database, which is further used to populate the SMS viewer. The device driver, which comes default with these devices [devices are in CDFS file systems that has the software in it] are installed on the host system, they usually provide interrupt handling for asynchronous hardware interface.” Sasi explained.
This type of attack could not be detected by defense mechanisms such as a firewall because the SMS is received over a direct connection based on GSM/CDMA.
Proof of concept – code execution via SMS payloads
When SMS is received by the modem, the parser on dialer software read that content of message parsing it as privileged user storing output in local database; an attacker could exploit the process to execute malicious payloads sent via SMS.
According the attack scheme the victims could be hit simply being on-line when it receives a malicious payloadvulnerability
The researcher also highlighted the possibility to saturate parser capability for SMS analysis sending huge quantities of malformed SMS and causing a DDoS, every time the dialer software receives the message it crashes interrupting the Internet connection.
“One such attack would of great fun and profit. Imagine someone sending 1000 users ranging from mobile no 9xxxxxx000 – 9xxxxxx999 with a malformed SMS, in one such case u could knock all the online users’ offline instantly. Since the guaranteed bandwidth is shared among multiple users you now have the advantage of less users using the Internet, so probably better speed for us [evil].”
The phishing variant
Of course there is also the possibility to conduct a phishing attack exploiting the USB Internet Modems vulnerability as described by the researcher:
“These device parse display HTML hyperlinks in sms contents, so phishing based attacks can also be triggered via sms. So there are chances you can see Phishing attacks that might come in the form of an SMS asking users to download a malware to their computer, the following video will explain one such attack.”
All local Indian vendors of USB Internet Modems i.e. Idea, Reliance, Tata etc. are also vulnerable to this attack. Millions of such active Modems / systems are vulnerable to cyber-attack, since vendors never provided any patch for users via “Online Update” option available in the software.
Rahul Sasi has already reported to vendors and manufactures the details on the flaw, its impact could be devastating.
(Source: CDM, Pierluigi Paganini, Editor and Chief )