A USB Internet modem, or data card, is a type of modem that gives your computer Internet access through a USB port by connecting to a GSM/CDMA network, thereby presenting a PPPoE (Point-to-Point Protocol over Ethernet) interface to the computer.
The vulnerability lends itself to mass exploitation: these modems have phone numbers that fall within a particular series, so all the numbers from xxxxxx1000 to xxxxxx2000, for instance, would be running the same version of the USB modem software.
USB Internet modems are supplied with dialer software written either by the hardware manufacturer or by the mobile operator, and they also come bundled with a device driver. The driver that ships by default with these devices is stored on a CDFS (CD-ROM File System) image that also holds the dialer software, and it usually provides interrupt handling for an asynchronous hardware interface.
The dialer software also provides an interface for reading and sending SMS directly from your computer once installed. The SMS module added to the dialer simply checks the connected USB modem for incoming SMS messages; any new message found is parsed and moved into a local SQLite database, which in turn populates the SMS viewer.
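The ingestion path just described (poll the modem, parse each message, write it to the local SQLite store) is the surface an attacker reaches without any user interaction, so it is the place where input handling has to be strict. The following is an added example, not code from any vendor's dialer, showing that path written defensively: sender and body are validated, text is decoded strictly, the insert is parameterised, and a malformed message is rejected instead of taking the parser down. The limits, table layout and sample numbers are assumptions chosen for the illustration.

```python
import re
import sqlite3
MAX_BODY_BYTES = 1600   # hypothetical cap: well above one concatenated SMS, drops oversized input early
SENDER_RE = re.compile(r"^\+?[0-9]{3,15}$")                  # digits only, optional leading +
CONTROL_RE = re.compile(r"[\x00-\x08\x0b\x0c\x0e-\x1f\x7f]")  # control bytes other than \t \n \r


def open_store() -> sqlite3.Connection:
    """Create the local message store (in memory here; a real dialer uses a file)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE sms (id INTEGER PRIMARY KEY, sender TEXT, body TEXT)")
    return conn


def store_incoming_sms(conn: sqlite3.Connection, sender: str, raw_body: bytes) -> str:
    """Validate one message and insert it; return 'stored' or a rejection reason."""
    if not SENDER_RE.fullmatch(sender):
        return "rejected:sender"
    if len(raw_body) > MAX_BODY_BYTES:
        return "rejected:length"
    try:
        body = raw_body.decode("utf-8")      # strict decode: undecodable bytes are an error
    except UnicodeDecodeError:
        return "rejected:encoding"
    body = CONTROL_RE.sub("", body)          # keep the text, drop stray control characters
    # Parameterised insert: message content is bound as data, never spliced into the SQL.
    conn.execute("INSERT INTO sms (sender, body) VALUES (?, ?)", (sender, body))
    return "stored"


def poll_modem(conn: sqlite3.Connection, messages) -> dict:
    """Process a batch; one bad message must not abort the loop or crash the dialer."""
    summary = {"stored": 0, "rejected": 0, "error": 0}
    for sender, raw_body in messages:
        try:
            result = store_incoming_sms(conn, sender, raw_body)
        except Exception:                    # unexpected failure: count it and keep going
            summary["error"] += 1
            continue
        summary["stored" if result == "stored" else "rejected"] += 1
    return summary


# Constructed sample batch (not real traffic): two valid texts, one oversized, one with invalid
# UTF-8, one from a malformed sender; the quote in the last valid text only matters to string-built SQL.
SAMPLE_BATCH = [
    ("+919000000001", b"Your balance is Rs 42"),
    ("+919000000002", b"A" * 2000),
    ("+919000000003", b"\xff\xfe\xc3"),
    ("+919000000004", b"it's fine; SELECT 1 --"),
    ("not-a-number", b"hello"),
]
```

Run `poll_modem(open_store(), SAMPLE_BATCH)` to see two messages stored and three rejected, with the loop completing regardless of the bad inputs.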
Demonstration of code execution via SMS payloads:
According to Rahul, when an SMS is received, the modem parser (the dialer) tries to read the data and parse it as a privileged user in order to store the output in the local database. An attacker can therefore execute the exploit by sending malicious payloads via SMS.
This way, the attacker does not require any user interaction: once the victim comes online, all the SMS payloads from the attacker are delivered automatically.
The flaw can also be used to DDoS all the USB modems simply by sending them malformed SMS. When the payload arrives on the modem, the dialer tries to parse the data and crashes, knocking the user off the Internet.
For example, sending a malformed SMS to 1000 users with mobile numbers ranging from 9xxxxxx000 to 9xxxxxx999 would let an attacker knock all the online users offline instantly.
Demonstration of DDoS attack:
"These attacks would not be flagged by your firewalls, mainly because the SMS is received over a GSM/CDMA line that is connected directly to your computer. So there would be no alerting from any of your security devices on these attacks. Also, maintaining anonymity over an SMS-based exploit is easy," he said.
All local Indian vendors of USB Internet modems, i.e. Idea, Reliance, Tata etc., are also vulnerable to this attack. Millions of such active modems and systems are exposed to cyber attack, since the vendors never provided any patch to users via the "Online Update" option available in the software.
During his talks at the CanSecWest and Nullcon conferences, he focused on the overall security impact of these devices. He reported the flaw to the companies and promised to release the full PoC code after 3 months.