
Fb1h2s aka Rahul Sasi's Blog

Sms to Shell fuzzing USB internet modems


Offensively focused research is of high importance, mainly because of the increase in the number of targeted attacks. This blog focuses on an innovative new attack surface [USB data modems] that could become a target of attacks in the future.

We will not be releasing the POC exploits we have found on various modem devices for another 3 months, mainly because there is no auto-update mechanism available on these modems. Even though I was not able to write a highly sophisticated exploit, I have come up with POC code to demonstrate the damage, and a highly skilled exploit writer could make all the devices out there vulnerable to these attacks. So once this blog is published I am going to ask all the device vendors to enable/add an auto-update mechanism on these devices and push the patches to their customers.


I have added another blog post with an analysis of the auto-update feature of each vendor in India:

But if you want to discuss any of this with me, catch me on Twitter; the same handle is my Gmail.

In order to explain the attack surface to a wider range of readers, I am splitting this blog into two sections: one for technical people and another for non-technical readers. So we will highlight the many things you can do attacking USB modems in a less technical way, and a detailed technical overview of the attacks can be read from the slides. The technical slides explain fuzzing approaches and code execution on computers via USB modems.

Detailed Technical Slides: Fuzzing usb modems rahu_sasi

Or a Quick Preview Video here:

This was my talk at CanSecWest [Canada] and Nullcon [Goa].

So you can view the Nullcon Talk video here:

A less technical explanation of the attack possibilities follows:

USB Data Modems:

A USB modem used for mobile broadband Internet, commonly referred to as a dongle, is widely used these days. USB wireless modems use the USB port on the laptop to connect it to a GSM/CDMA network, thereby creating a PPPoE (Point to Point protocol over Ethernet) interface on your computer. These devices are supplied with dialer software written either by the hardware manufacturer or by the mobile supplier. They also come bundled with a device driver. One of the interesting features added to these dialers is an interface to read/send SMS directly from your computer. This is mainly done for sending promotional offers and advertising. These SMS modules added to the dialers simply check the connected USB modem for incoming SMS messages, and if any new message is found it is parsed and moved to a local sqlite database, which is then used to populate the SMS viewer. The device driver, which comes by default with these devices [the devices expose a CDFS file system that has the software in it], is installed on the host system; it usually provides interrupt handling for the asynchronous hardware interface.

Attacking by SMS:

“You can run, you can hide but u can’t escape these exploits”.

There is already a lot of research on SMS attacks on mobile phones by Collin Mulliner, Charlie Miller and Nico Golde.
Based on their research it was easy to find SMS payloads that crashed the phones, but reliable code execution was hard on the mobile platforms. The limit on the number of characters that can be sent over SMS was also an issue.

The same disadvantage exists with USB modem exploitation: it is not easy to write a reliable exploit even though finding a security crash is easy. The advantage is that no user interaction is required: as soon as an SMS is received on the modem, the parser [dialer] tries to read the data, parses it and moves it to the local database. And the parser runs as a privileged user.

Normal web browser or network layer attacks need either user interaction or the target to be online. SMS-based exploits do not have these drawbacks: as soon as a victim comes online, the service provider forwards the message to their inbox. Mass exploitation and high target reliability are possible, since these modems have phone numbers in a particular series, so all the phone numbers from xxxxxx1000 to xxxxxx2000 would be running a particular version of the USB modem software, and the impact is large. Moreover, the applications are not compiled with ASLR|DEP and instead depend on system-level security mechanisms.

Phishing Attacks:

These devices parse and display HTML hyperlinks in SMS contents, so phishing attacks can also be triggered via SMS. So there is a chance you will see phishing attacks in the form of an SMS asking users to download malware to their computer; the following video explains one such attack.

Targeting USB Modems For Fun and Profit:

For Fun: DDOS Attacks on USB Modem Users.

The user connects to the Internet using the dialer provided with the modem. So when a malformed SMS arrives on the modem, the dialer app tries to parse the data and crashes, knocking the user off the Internet. One such attack would be great fun and profit: imagine someone sending 1000 users, ranging from mobile number 9xxxxxx000 to 9xxxxxx999, a malformed SMS; in such a case you could knock all the online users offline instantly. Since the guaranteed bandwidth is shared among multiple users, you now have the advantage of fewer users on the Internet, so probably better speed for us [evil].
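The dialer pipeline described above (poll the modem, parse the SMS, write it to a local sqlite database and show it in a viewer) is exactly where a malformed message crashes the application and where an HTML hyperlink becomes clickable. The following Python example is added here and is not code from the original post or from any vendor's dialer; it shows a hardened version of that ingestion step with strict field validation, HTML-escaping before storage, parameterized inserts, and per-message fault isolation so one bad message is quarantined instead of taking the dialer offline. The sample inbox, sender numbers, URL and length limit are constructed assumptions.

```python
import html
import re
import sqlite3

# Constructed sample inbox (not real traffic): a normal message, a phishing-style
# message carrying an HTML hyperlink, and a malformed message (bad sender, huge body).
SAMPLE_INBOX = [
    {"sender": "+919000000001", "body": "Your recharge is successful."},
    {"sender": "+919000000002",
     "body": 'Update now: <a href="http://example.invalid/setup.exe">click</a>'},
    {"sender": "not-a-number", "body": "A" * 5000},
]

SENDER_RE = re.compile(r"^\+?[0-9]{3,15}$")   # assumed E.164-style sender format
MAX_BODY = 160 * 6   # assumed limit: six concatenated GSM segments; longer is rejected


def validate_sms(msg):
    """Return (sender, escaped_body) after strict checks, or raise ValueError."""
    sender = msg.get("sender", "")
    body = msg.get("body", "")
    if not isinstance(sender, str) or not SENDER_RE.match(sender):
        raise ValueError("bad sender %r" % (sender,))
    if not isinstance(body, str) or len(body) > MAX_BODY:
        raise ValueError("body length exceeds %d" % MAX_BODY)
    if any(ord(c) < 0x20 and c not in "\n\r\t" for c in body):
        raise ValueError("control characters in body")
    # Escape before storing so a viewer that renders HTML shows any <a href>
    # as literal text rather than a clickable link.
    return sender, html.escape(body, quote=True)


def ingest(messages, db_path=":memory:"):
    """Store valid messages, quarantine malformed ones; never let one message abort the loop."""
    conn = sqlite3.connect(db_path)
    conn.execute("CREATE TABLE IF NOT EXISTS sms (sender TEXT, body TEXT)")
    conn.execute("CREATE TABLE IF NOT EXISTS quarantine (reason TEXT, raw TEXT)")
    stored = dropped = 0
    for msg in messages:
        try:
            sender, body = validate_sms(msg)
            # Parameterized insert: message content never becomes part of the SQL text.
            conn.execute("INSERT INTO sms VALUES (?, ?)", (sender, body))
            stored += 1
        except (ValueError, TypeError, AttributeError) as exc:
            conn.execute("INSERT INTO quarantine VALUES (?, ?)", (str(exc), repr(msg)[:200]))
            dropped += 1
    conn.commit()
    rows = conn.execute("SELECT sender, body FROM sms").fetchall()
    conn.close()
    return stored, dropped, rows
```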

Crashing USB modems with an SMS:

View Video:

For Profit: Easy Code execution on Computers.

Unlike mobile phones, code execution is easy on computers. We have written POC code to demonstrate reliable code execution on your computer via SMS payloads. We have also explained in our technical slides the hurdles we came across and how we tackled them, except that we have temporarily removed the bug details.

Remote Code Execution Digisol:

Fuzzing Device Drivers:

The attacks would not be complete without reviewing the security aspects of the device drivers. In the slides we have demonstrated how to fuzz these devices. We explain the various device driver operations and the possible fuzz inputs that are common to these devices. We will share our fuzz notes and the tools we used to successfully test these devices after 3 months. The review of local device driver security was done on both Windows and Mac OS X.

Attacks and Consequences:

These attacks would not be flagged by your firewalls, mainly because the SMS is received over a GSM/CDMA line connected directly to your computer, so none of your security devices would alert on them. Maintaining anonymity over an SMS-based exploit is also easy. There were some issues transmitting the payloads through the service providers' firewalls, and we will explain how we got past those hurdles.

Due to the rise in data modem users, understanding and reviewing the security architecture of these devices is important. The talk I gave at CanSecWest [Canada] and Nullcon [Goa] focused on the overall security impact of these devices. If you are still interested in the technical details, please go through the slides. This research should also help antivirus, firewall and security appliance vendors, as well as independent security researchers, proactively stop such attacks from happening in the future.

Read the technical slides here:


Continue here: Fuzzing usb modems rahu_sasi