A slew of unfixed flaws put millions of users at risk

Dec 2, 2015 15:52 GMT

Unfixed vulnerabilities in eight modem and router models used in Russia and around the world allow attackers to compromise the modem/router itself and PCs on the modem's network.

Security experts from Positive Research built on the SCADA Strangelove research (#root via SMS) into modem and router vulnerabilities, extending it to analyze more devices and more attack points.

The Positive Research team analyzed a ZTE modem, two Quanta modems, two Huawei modems and a Huawei router, and a Gemtek modem and a Gemtek router. All of these modems are distributed by various telcos to their customers. We will be using the term "modem" to refer to both modems and routers for the sake of readability.

Devices vulnerable to XSS, CSRF, RCE, and firmware attacks

According to the researchers, the devices mentioned above all have huge security gaps in their firmware that allow attackers to carry out a broad spectrum of attack types against the equipment and its users.

Detected vulnerabilities include remote code execution [RCE] (on 5 modems), firmware integrity attacks (on 6 modems), cross-site request forgery [CSRF] (on 5 modems), and cross-site scripting [XSS] (on four modems).

In the case of the remote code execution vulnerabilities, except for problems with Huawei modems already reported by other security researchers, all of the other flaws were zero-day bugs (unknown, undisclosed vulnerabilities).

Attackers could compromise both modem and PCs beyond them

Armed with these flaws, researchers were able to carry out a series of attacks, reporting total compromise of the modems and even computers beyond them.

Researchers were able to rewrite the modem's firmware (in some cases, without affecting data integrity checks), detect the modem's geographical location, intercept Web traffic (HTTP and HTTPS), intercept and send SMS messages (for modems that support this feature), intercept 2G traffic, attack SIM cards (via binary SMS messages), and infect user PCs (by hosting exploits via the modem).

A sufficiently motivated attacker could easily use the vulnerabilities in these devices alone to create a world-spanning botnet capable of launching powerful DDoS attacks, or just push various types of malware to all of the modems' end users.

No fixes have been issued by manufacturers yet

"All in all, we have a full infection cycle of devices and related PCs," says the research team. "What can we recommend to those clients who constantly work with such devices? Huawei modems with the latest firmware updates are the most protected."

Positive Research informed all the modem manufacturers of their security lapses, but after six months, no updates have been issued for the detected vulnerabilities. It also appears that some of the modems' firmware was modified by the telecommunications companies that distributed the modems to their customers.
