3G/4G cellular USB modems are full of critical security flaws, many 0-days

An analysis of popular 3G and 4G cellural USB modems and routers used around the world revealed a myriad of serious vulnerabilities in each of them.

The SCADA Strange Love team – a group of security researchers focused on ICS/SCADA – has tested eight devices sold by Huawei, Gemtek, Quanta and ZTE, and found:

• Remote Code Execution (RCE) flaws in five of them
• Vulnerabilities that can be exploited to modify firmware in six of them
• Cross-Site Request Forgery (CSRF) flaws in five
• Cross-Site Scripting (XSS) in four.

“The research covers a full range of attacks against carrier customers using these types of modems — device identification, code injection, PC infection, SIM card cloning, data interception, determining subscriber location, getting access to user accounts on the operator’s website, and APT attacks,” Positive Technology explained in a blog post detailing the results, which are summarised in this table (click on the screenshot to enlarge it):



“Not all the modems had vulnerabilities in their factory settings; some of them appeared after the firmware was customized by the service provider,” the researchers explained. Protection against some of these attacks (e.g. integrity attacks) has been provided by some of the manufacturers, but it ended up being not enough.

The researchers notified the vendors about the flaws, but even though 90 days have passed since then, many of the flaws are still unfixed. If pressed to choose one of the tested hardware, the researchers would go for those produced by Huawei.

“Huawei modems with the latest firmware updates are the most protected,” they noted. “It is the only company that delivers firmware (the operators are only allowed to add some visual elements and enable/disable certain functions) and fixes vulnerabilities detected in its software.”