High-end USB modems can be compromised by hackers who can cash in by sending SMS messages to expensive premium numbers or steal login information in targeted attacks.
The unnamed devices were used in the corporate sector and were still open to attack, according to researcher Andreas Lindh of Swedish security firm iSecure.
He said the simple holes were unsurprisingly present in each high-end USB modem device he tested.
"I fairly quickly found a CSRF (Cross Site Request Forgery) vulnerability that would allow me to make the modem send a text message to any number of my choosing, simply by having the user go to a website under my control," Lindh said.
"Unlike WiFi routers, there is no login functionality for USB modems so I didn’t have to worry about bypassing authentication."
The forgery attack forces a user's browser to run an attacker's commands while the user is logged into their USB modem portal.
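The server-side check whose absence makes this kind of forgery possible, sketched as an added example (not code from Lindh or any modem vendor). The trusted origin address, the `csrf_token` field name and the function names are assumptions made for illustration.

```python
import hmac
import secrets
from urllib.parse import urlsplit

# Assumption: the modem's web UI is served from this origin (constructed value).
TRUSTED_ORIGINS = {"http://192.168.1.1"}
STATE_CHANGING = {"POST", "PUT", "DELETE"}


def new_csrf_token():
    """Random per-session token the UI embeds in its own forms."""
    return secrets.token_urlsafe(32)


def origin_of(url):
    """Reduce an Origin or Referer value to scheme://host[:port], or None."""
    parts = urlsplit(url)
    if not parts.scheme or not parts.netloc:
        return None  # covers "Origin: null", sent by pages loaded from data: URIs
    return f"{parts.scheme}://{parts.netloc}".lower()


def allow_request(method, headers, form, session_token):
    """Decide whether a request may reach a state-changing handler such as
    'send SMS'. Assumes such handlers are routed for POST only, never GET."""
    if method.upper() not in STATE_CHANGING:
        return True, "safe method"
    source = headers.get("Origin") or headers.get("Referer")
    if source is None:
        return False, "no Origin or Referer"
    if origin_of(source) not in TRUSTED_ORIGINS:
        return False, "cross-origin request"
    supplied = form.get("csrf_token", "")
    # Constant-time comparison; bytes so non-ASCII input cannot raise.
    if not session_token or not hmac.compare_digest(
            supplied.encode(), session_token.encode()):
        return False, "bad CSRF token"
    return True, "ok"


if __name__ == "__main__":
    token = new_csrf_token()
    # Constructed sample requests: the UI's own form, then a foreign page.
    print(allow_request("POST", {"Origin": "http://192.168.1.1"},
                        {"csrf_token": token}, token))
    print(allow_request("POST", {"Origin": "http://other.example"},
                        {"number": "0000"}, token))
```

Either check alone stops the forged request described above; applying both covers browsers that omit the `Origin` header.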
Hackers could profit from the attacks by hacking into the devices and sending SMS messages to premium numbers they control, or could use texts to send out stolen login credentials for sites such as Facebook.
The latter feat would require a phishing attack to be first launched against a target. In Lindh's example, an attacker could construct a fake Facebook page, which would be sent out to the target along with a lure to entice the target to open the link.
Once the user logged in, the credentials would be stolen and could then be shipped out via the SMS feature of vulnerable USB modems.
Such attacks would be limited due to the requirement for a target to both fall for the phishing ruse and be operating a vulnerable USB modem.
It could be more successful in a corporation that runs a fleet of a single model of USB modem.
Moreover, properly constructed phishing campaigns have been proven to consistently net victims within even highly tech-savvy organisations such as Twitter. Legitimate resources for constructing and monitoring internal phishing campaigns could be used in such attacks.
Hackers also do not need to operate infrastructure for the attacks, which use the Data URI scheme to load the required HTML from the web browser's address bar.
This would mean an attack completely without infrastructure requirements: no web server to host the spoofed website, no server to post the stolen credentials to. All that is needed is an email address or some other way to distribute the URL, and a pre-paid phone to receive the text messages.