According to a report released today by security researcher Andreas Linh, many popular 3G and 4G USb modems used by telecoms such as AT&T and Verizon have been compromised to allow anyone with the keycode the opportunity to freely collect user credentials, passwords, and even the content of your computer’s hard drive all from over a cellular network.
By redirecting users from malicious websites, the crack is able to utilize the modem as a hotspot for sending text messages to premium services, redirecting web traffic to spoofed servers designed for phishing attempts, and even create fake Twitter and Facebook pages that could be used to collect information without the owner of the modem being any the wiser.
“I fairly quickly found a CSRF vulnerability that would allow me to make the modem send a text message to any number of my choosing, simply by having the user go to a website under my control,” Lindh claimed. “Unlike Wi-Fi routers, there is no login functionality for USB modems so I didn’t have to worry about bypassing authentication.”
Other researchers in the case fear that the hack could fill out far more nefarious purposes, as the majority of customers who utilize the hardware necessary for it to work are generally employed by large businesses and corporate customers who may have valuable information stored on their central servers.
“[The virus] can also be used in a rather cunning spear-phishing attack, which would be especially useful given that these modems are mostly used by corporate customers.”
Mobile systems security professor at Oxford David Rogers has told those concerned about the safety of their laptops and mobile devices that while the virus is nothing to scoff at, it primarily functions in the same way that many router control panel cracks work, and can be avoided and prevented accordingly.
The companies whose modems were cracked have been contacted, and broad statements from each suggest they are currently working on firmware updates that will address any issues that were raised by Linh and his team.