
Slashdot: News for Nerds

3G and 4G USB Modems Are Security Threat, Black Hat Presenter Says

Soulskill posted about a year ago | from the concrete-blocks-are-a-security-threat dept.

Networking 50

alphadogg writes "The vast majority of 3G and 4G USB modems handed out by mobile operators to their customers are manufactured by a handful of companies and run insecure software, according to two security researchers from Russia. Researchers Nikita Tarakanov and Oleg Kupreev analyzed the security of 3G/4G USB modems obtained from Russian operators for the past several months. Their findings were presented this week at the Black Hat Europe 2013 security conference in Amsterdam. Most 3G/4G modems used in Russia, Europe, and probably elsewhere in the world, are made by Chinese hardware manufacturers Huawei and ZTE, and are branded with the mobile operators' logos and trademarks, Tarakanov said. Because of this, even if the research was done primarily on Huawei modems from Russian operators, the results should be relevant in other parts of the world as well, he said."


50 comments

Setuid (1)

Anonymous Coward | about a year ago | (#43191031)

I did a small study on a few USB modems in the US. I found several setuid vulnerabilities and a lot of strange behavior that I didn't have the time or resources to fully analyze. You may feel safe on your personal hotspot but it does open a few potential openings if not mitigated.

Re:Setuid (-1)

Anonymous Coward | about a year ago | (#43191231)

The USA has the Baby Boomers. Ancient Egypt was plagued with locusts.

Is it too late to trade?

Re:Setuid (0)

Anonymous Coward | about a year ago | (#43192327)

I had a ZTE mobile phone. When I plugged it into a Windows XP system, the autorun file on the virtual NTFS memory card system would reroute the PC routing tables so all internet traffic went through the mobile phone. On a Linux system, it would mess up the wi-fi system - traffic would just not get through even though the laptop was rebooted. This would continue for around 24 hours.

No suprise here (5, Interesting)

fustakrakich (1673220) | about a year ago | (#43191045)

Mandated backdoors aren't very well hidden. The only alternative for the authorities is to arrest the people who uncover them. Soon the 'blackhats' will have to meet in secret to protect themselves.

Tarakanov said that they weren't able to test baseband attacks against the Qualcomm chips found inside the modems because it's illegal in Russia to operate your own GSM base station if you're not an intelligence agency or a telecom operator. "We'll probably have to move to another country for a few months to do it," he said.

Re:No suprise here (3, Interesting)

Anonymous Coward | about a year ago | (#43191105)

I know.. AC here.. but I know Ericsson are performing tests on the Huawei / ZTE stuff in their labs with simulated and real GSM basestations.
Sometimes under contract from those companies themselves, sometimes for security reasons..

A couple of times the design specs Huawei sends to Ericsson when on contract are plagiarized right off their own stuff. Even so badly there are still Ericsson logos left over.

Re:No suprise here (1)

Svartalf (2997) | about a year ago | (#43191151)

Heh... Keep telling yourself this. It's less to do with what you're talking to and more of a licensing rules thing. Backdoors in GSM are already known and the "baseband" attacks these jokers allude to are actually as much bullshit as the "security risks" they're talking to on these devices.

http://www.pittnerovi.com/jiri/hobby/electronics/gsm/index.html [pittnerovi.com] is there for your reading for starters. It has nothing to do with what you claim it to be- because if that were the case, it'd be illegal pretty much everywhere and it isn't.

Re:No suprise here (2)

fustakrakich (1673220) | about a year ago | (#43191271)

> it'd be illegal pretty much everywhere and it isn't.

Well, it's certainly not for the lack of trying [europa.eu] ... I would say it's pretty straight up [slashdot.org]

Re:No suprise here (0)

Anonymous Coward | about a year ago | (#43191381)

> Backdoors in GSM are already known and the "baseband" attacks these jokers allude to are actually as much bullshit as the "security risks" they're talking to on these devices.

Isn't a security risk eh? Can I have a key to your house?

academic (1)

alienzed (732782) | about a year ago | (#43191469)

yeah, all those 'universities' will have to pretend they aren't studying security and privacy in modern technology....

Re:No suprise here (1)

gl4ss (559668) | about a year ago | (#43192785)

well.. of course they could try to lobby for experimental license.
because it's like that in pretty much every country in the world - it's a licensed spectrum.

doesn't mean that you can't do development in most of the world on the networks. they could operate that network in a cage for example... that's how many of the bigger operators test devices.

Re:No suprise here (1)

Titus Groan (2834723) | about a year ago | (#43193129)

is it still illegal if you do it inside a Faraday cage where it can't be detected and cannot interfere with legitimate signals?

Re:No suprise here (0)

Anonymous Coward | about a year ago | (#43193449)

Just get a basestation test set from someone like Rohde & Schwarz etc. and connect the modem via a cable, standard equipment for anyone doing baseband development

So it's a "security threat"... (1)

John Hasler (414242) | about a year ago | (#43191079)

...for the owner of a piece of hardware to be able to reprogram it?

I suppose it is, when the owner is running Windows.

Re:So it's a "security threat"... (1)

Anonymous Coward | about a year ago | (#43191111)

The researchers also found a possible mass attack vector. Once installed on a computer, the modem application -- at least the one from Huawei -- checks periodically for updates from a single server, Tarakanov said. Software branded for a specific operator searches for updates in a server directory specific to that operator.

An attacker who manages to compromise this update server, can launch mass attacks against users from many operators, Tarakanov said. Huawei 3G modems from several different Russian operators used the same server, but there might be other update servers for other countries, he said.

Re:So it's a "security threat"... (1)

Anonymous Coward | about a year ago | (#43191503)

It would be a whole lot easier than that. Just a little DNS poisoning or a rogue DNS server and spoofing the update server directory structure. Poof! Instant zombie army. No phishing required.

Re:So it's a "security threat"... (2, Insightful)

Anonymous Coward | about a year ago | (#43193213)

> An attacker who manages to compromise this update server, can launch mass attacks against users from many operators

This attack is possible for any kind of software that uses an update server.

Re:So it's a "security threat"... (0)

Anonymous Coward | about a year ago | (#43196043)

Not where there is sufficient code signing and transport encryption
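
The code-signing check the reply above refers to, as an added example that is not part of the thread or of any vendor's updater: a client pins the vendor's Ed25519 public key and refuses an update unless a signed manifest covers the operator, the version and the payload hash. The manifest format, function names and keys are constructed for illustration; transport encryption (TLS) would sit on top of this and is not shown.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/json"
	"errors"
	"fmt"
)

// Manifest is what the vendor signs for each release (hypothetical format).
type Manifest struct {
	Operator string `json:"operator"` // per-operator update directory
	Version  int    `json:"version"`
	SHA256   []byte `json:"sha256"` // digest of the update payload
}

var (
	ErrBadSignature  = errors.New("manifest not signed by pinned vendor key")
	ErrWrongOperator = errors.New("manifest is for another operator")
	ErrRollback      = errors.New("version not newer than installed")
	ErrHashMismatch  = errors.New("payload does not match signed digest")
)

// Publish is the vendor side: hash the payload, sign the manifest bytes.
func Publish(priv ed25519.PrivateKey, operator string, version int, payload []byte) (raw, sig []byte) {
	sum := sha256.Sum256(payload)
	raw, _ = json.Marshal(Manifest{Operator: operator, Version: version, SHA256: sum[:]})
	return raw, ed25519.Sign(priv, raw)
}

// VerifyUpdate is the client side. The signature is checked over the raw
// bytes before anything is parsed, so a spoofed or compromised server that
// does not hold the vendor's private key is rejected at the first step.
func VerifyUpdate(pinned ed25519.PublicKey, raw, sig, payload []byte, operator string, installed int) error {
	if !ed25519.Verify(pinned, raw, sig) {
		return ErrBadSignature
	}
	var m Manifest
	if err := json.Unmarshal(raw, &m); err != nil {
		return err
	}
	if m.Operator != operator {
		return ErrWrongOperator
	}
	if m.Version <= installed {
		return ErrRollback // replay of an old, validly signed release
	}
	if sum := sha256.Sum256(payload); !bytes.Equal(sum[:], m.SHA256) {
		return ErrHashMismatch
	}
	return nil
}

// ConstructedKey derives a fixed demo key pair from one byte. Example only;
// real keys come from crypto/rand.
func ConstructedKey(b byte) (ed25519.PublicKey, ed25519.PrivateKey) {
	priv := ed25519.NewKeyFromSeed(bytes.Repeat([]byte{b}, ed25519.SeedSize))
	return priv.Public().(ed25519.PublicKey), priv
}

func main() {
	vendorPub, vendorPriv := ConstructedKey(1)
	_, otherPriv := ConstructedKey(2) // whoever controls a spoofed server
	good, swapped := []byte("update v7"), []byte("substituted payload")
	raw, sig := Publish(vendorPriv, "operator-a", 7, good)
	fraw, fsig := Publish(otherPriv, "operator-a", 8, swapped)

	fmt.Println("genuine:", VerifyUpdate(vendorPub, raw, sig, good, "operator-a", 6))
	fmt.Println("foreign key:", VerifyUpdate(vendorPub, fraw, fsig, swapped, "operator-a", 6))
	fmt.Println("swapped payload:", VerifyUpdate(vendorPub, raw, sig, swapped, "operator-a", 6))
	fmt.Println("replay:", VerifyUpdate(vendorPub, raw, sig, good, "operator-a", 7))
}
```

The check only holds if the signing key is kept off the update server itself; a key stored next to the files it signs falls with the server.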

In Soviet Russia (0)

Anonymous Coward | about a year ago | (#43191107)

Modem modulates YOU!

Security Threat? (4, Interesting)

Svartalf (2997) | about a year ago | (#43191121)

Seriously... I'm beginning to wonder about the quality of presentations at Black Hat if this was even there.

The modems themselves aren't a threat. It's the fact that many of them cart around drivers and "manager" applications which could provide storage based attack vectors or through compromised versions of the driver or manager that you have any problems... Unsurprising and already well known by most security researchers.

1) For many of those "security threat" modems, Linux works wonders as does *BSD as they support the devices out of box with OS provided support.
2) There's a panoply of devices that don't expose the machines to any of these vectors that runs $50-150 provided by vendors such as Zoom and Cradlepoint (in fact, it's what I use since it allows the LTE dongle (that doesn't have these "risks" by the way...) be able to switch between 3G and 4G seamlessly (Linux supports both, but NetworkManager doesn't support switching gears between the differing ways both modes are accessed yet...)). The devices either have their own battery or not but allow multiple (more than a MiFi type device does...) devices on the connection.
3) If you're wanting something with a few less moving parts and slightly more compact, you can always get a MiFi (which is what the Telcos are now leaning towards because it allows things like your Nook or Kindle to link up to the Internet as well as your notebook...).

I'd be ashamed of myself if I were to try to have run this "issue" up the flagpole at BlackHat or DEFCON. Really, guys?

Re:Security Threat? (1)

Anonymous Coward | about a year ago | (#43191373)

> The modems themselves aren't a threat. It's the fact that many of them cart around drivers and "manager" applications

Right. Guns aren't the threat, it's *triggers* that are the threat. If they just didn't come with triggers, we'd all be safe. This is already known by most gun users.

Black Hat is not just for "l33t haxorz trix" to show off to the other "l33t haxoz". It's also fun to see just how widespread a problem, to see if it's a genuine and widespread threat, and to educate people who haven't explored every nook or cranny of security issues of some of the more interesting issues. This is a good one: there are very few manufacturers, their security practices are poor, the devices have become ubiquitous. A good test of the extent, and level of threat, of such commodity hardware is a *great* BlackHat topic.

And that Zoom LTE devices are crap. The one I tested was fragile, the dongle connector breaks if you breathe on it, and the bundle of software with it is useless. And having one's own battery is not the point, the Windows interfaces to manage it don't work with the most recent Cisco VPN tools, and oh yes as you said, it doesn't work well under NetworkManager, and Zoom and my local computer store tried to play "returns are not my problem" ping pong. Buying "secure" hardware that doesn't work right is not a solution to anyone's security problem.

Re:Security Threat? (1)

Phizzle (1109923) | about a year ago | (#43191421)

> 2) There's a panoply of devices that don't expose the machines to any of these vectors that runs $50-150 provided by vendors such as Zoom and Cradlepoint (in fact, it's what I use since it allows the LTE dongle (that doesn't have these "risks" by the way...) be able to switch between 3G and 4G seamlessly (Linux supports both, but NetworkManager doesn't support switching gears between the differing ways both modes are accessed yet...)). The devices either have their own battery or not but allow multiple (more than a MiFi type device does...) devices on the connection.

Svartalf, what device are you using? Thanks!!

If firmware is part of the threat... (1)

Burz (138833) | about a year ago | (#43192647)

then one could still consider the device to be a security risk. Even Linux tends to use many vendor-supplied firmwares.

Operating the devices under Qubes OS [qubes-os.org] would help greatly in reducing the risk: It can use IOMMU (if present) to operate questionable hardware and drivers within VMs and even has a GUI for managing this.

Re:If firmware is part of the threat... (1)

drinkypoo (153816) | about a year ago | (#43193109)

Linux can use the IOMMU, too. Problem is, practically nobody has a usable one, for which you need both proper CPU and chipset support. The chipsets and CPUs which have working implementations have only recently become popular. It's going to be a while before this is a reasonable suggestion for anyone. It will be nice, though. It's staggering that we haven't had them all along.

You did if you had SPARC. (0)

Anonymous Coward | about a year ago | (#43194867)

I've got Sun hardware from the early to mid 90s and it ALL had IOMMUs in it. I'm not sure how they compare feature-wise to the modern implementations, but you could segregate each IO device into its own address space in order to avoid one device taking out the system.

Re:If firmware is part of the threat... (1)

Burz (138833) | about a year ago | (#43195721)

People who are interested in security won't stop at buying just software to get it. And the hardware isn't all that hard to come by anyway; just make sure the system has Intel Sandy Bridge or newer and also supports vPro.

You can get the capability with AMD systems, but they are harder to come by (although Wikipedia is at least one place with a guide to AMD systems that support IOMMU).

Re:If firmware is part of the threat... (1)

drinkypoo (153816) | about a year ago | (#43196435)

> People who are interested in security won't stop at buying just software to get it. And the hardware isn't all that hard to come by anyway; just make sure the system has Intel Sandy Bridge or newer and also supports vPro.

When reading up on this issue I discovered that my CPU has an IOMMU (Phenom II X6) but my motherboard has no support due to the chipset. If the situation is more straightforward on Intel, more power to them.

Windoze is the only operating system in the world! (-1)

Anonymous Coward | about a year ago | (#43191165)

Remember it kids... what a useless article.

Re:Windoze is the only operating system in the wor (0, Offtopic)

rubycodez (864176) | about a year ago | (#43191329)

in round numbers it's the only consumer operating system laptops use, 93% of the global market. and the other 7% *isn't* mostly linux and open source bsd....

Re:Windoze is the only operating system in the wor (0)

Anonymous Coward | about a year ago | (#43191673)

You can disable the cdrom emulation using QPST pretty easily and use native Windows Tools to dial (and not have to hack about ejecting the cdrom). (ZTE / Huawei doesn't seem to matter; they are all Qualcomm iirc. It is slightly more annoying to enter diag mode on a Huawei, but like maybe 5 mins more effort in total.)

Application-based firewall (1)

arisvega (1414195) | about a year ago | (#43191513)

.. so the 3/4G modem software cannot connect to that Chinese IP during startup.

Re:Application-based firewall (1)

Anonymous Coward | about a year ago | (#43192443)

methinks you don't understand driver models

[ WIRE ] [ DEVICE ] [ DRIVER ] [KERNEL] [FIREWALL] [APPLICATION]

sometimes firewall and kernel have swapped location depending on OS

Misleading Headline (go figure, its slashdot) (0, Flamebait)

utkonos (2104836) | about a year ago | (#43191531)

The 3G and 4G products here in the US are made by Samsung, Novatel, Sierra Wireless, and others. None that I could find were made by Chinese manufacturers Huawei and ZTE.

This article only applies to Russia where those things are even available. Headline should read "Russian Mobile Providers' 3G and 4G USB Modems Are Security Threat, Black Hat Presenter Says"

But with that headline, nobody would care or read the article.

Re:Misleading Headline (go figure, its slashdot) (0)

Anonymous Coward | about a year ago | (#43191639)

I would say that in Europe, the Huawei modems are very common. I've got four myself, from four different ISPs...

Re:Misleading Headline (go figure, its slashdot) (0)

Anonymous Coward | about a year ago | (#43192039)

In Estonia (Europe as well) pretty much all 3G modems I have seen are Huawei's.

Re:Misleading Headline (go figure, its slashdot) (0)

Anonymous Coward | about a year ago | (#43193273)

Same thing here in Finland. Greetings to Estonia, our southern strong little brother.

Re:Misleading Headline (go figure, its slashdot) (1)

rapiddescent (572442) | about a year ago | (#43193859)

here in Scotland, I always have a handful of Huawei USB 3G modems. Useful for home-office broadband as a backup (plugs directly into the Vigor Draytek router); I have one in a battery backed portable wifi hotspot [solwise.co.uk] (which is great for camping or whilst on the road) and usually a few in my bag when I'm out on client site. I use them with Fedora Linux; they work very well out of the box through networkmanager.

Top tip, use an external antenna [amazon.co.uk] and you'll get much better performance.

Search harder (4, Informative)

dutchwhizzman (817898) | about a year ago | (#43192037)

ZTE and Huawei products are in fact for sale in the USA and Europe as well. I don't know about South America, but I presume you can get them there as well. Maybe the major US telcos don't bundle ZTE or Huawei products with their 3G/4G offerings, but the hardware is for sale for certain. Several EU operators (notably Vodafone) bundle these products. Assuming that because you don't see the products in the USA they are only available in Russia is kind of short sighted, the world is more than just Russia and the bundled hardware you get in the USA, you know?

Re:Search harder (0)

Anonymous Coward | about a year ago | (#43196739)

T-Mobile and 3 in the UK also use ZTE and Huawei modems. Huawei's E160 is still pretty common, for instance.

Re:Misleading Headline (go figure, its slashdot) (2)

m00j (801234) | about a year ago | (#43193777)

Here in Australia Huawei and ZTE modems seem to be the only thing available from the majority of providers. Certainly the three major carriers have them (or did six months ago when I last looked), and I haven't seen a non-Huawei or ZTE modem from any of the MVNO.

Perhaps because in the USA you have different frequency bands?

you i8sensitive clod! (-1)

Anonymous Coward | about a year ago | (#43192151)

conflicts t4at

Evil modeswitching USB modems (2)

Compaqt (1758360) | about a year ago | (#43192187)

Would this be the right place to complain about evil modeswitching USB modems?

Used to be when you got a piece of hardware, you'd get a CD with the drivers on it. Later on, somebody got the idea to include USB modem drivers right on the device itself, since it's USB anyway.

The way they implement this is to make the device into a USB Storage Device upon bootup. Then, depending on circumstances, it switches the mode to a USB modem.

This is evil because the protocol isn't totally well defined, and it usually works well only on a particular version of Windows.

Linux tries to cope, but it doesn't always work.

The article which is the subject of this thread just seems to confirm that these companies just make it up as they go along, and then pump out millions of copies of the same thing.

Re:Evil modeswitching USB modems (1)

gl4ss (559668) | about a year ago | (#43192767)

hmmh? the way the dongles I used couple of years worked as both at the same time(as a modem and as a drive).

Re:Evil modeswitching USB modems (1)

Anonymous Coward | about a year ago | (#43193037)

It's why apps like usb_modeswitch [draisberghof.de] exist.

Re:Evil modeswitching USB modems (0)

Anonymous Coward | about a year ago | (#43193305)

Sorry to hear about the problems, but I'm sure that the one who designed that feature did it with good intentions after all.

Re:Evil modeswitching USB modems (1)

Sigg3.net (886486) | about a year ago | (#43201769)

I haven't had any issue with Huawei and ZTE dongles from 2006-today on Ubuntu 1204.

I support these dongles in my weekend work @ a major ISP. Our lab has an Ubuntu machine.

(No official Linux support AFAIK, which is weird, because all our issues are Win/Mac which both struggle with these. I've had Linux calls but that's usually to ask whether it's necessary to use the ISP software.)

Any Ethernet Versions? (1)

bill_mcgonigle (4333) | about a year ago | (#43193411)

I don't really care if they spy on my modem, but I don't want their paws inside my hardware. Are there any ethernet-connected devices? I've seen some WiFi-based ones, which should be fine, but it overly complicates the matter and adds additional power requirements which wouldn't be useful.

Re:Any Ethernet Versions? (1)

geirlk (171706) | about a year ago | (#43197285)

I have this one: http://dx.com/p/hame-mpr-a1-wifi-802-11b-g-n-wireless-3g-router-white-green-127771 [dx.com]

It's the router equivalent of a swiss army knife.

Haven't tried it with any LTE USB stick yet, but I can't see why that shouldn't work.
In a pinch, you can even use it to charge your phone.

You can insert e.g. a 3G stick, and access it via wifi, eth or usb (although, isn't usb a bit redundant?).

A bit cheap-ish build, but hey, it works!

Where's The Actual Research (0)

Anonymous Coward | about a year ago | (#43206871)

The other topics from the conference have posted their materials:
https://www.blackhat.com/eu-13/archives.html

I don't see any materials for this presentation. Does anybody have the link to the actual paper/results/research?

insecure software (0)

Anonymous Coward | about a year ago | (#43207667)

is what i have in my pants
