Security vulnerability in web interface USB modems

ginggs

Interesting:
https://3vildata.com/?p=837

USB modem network setup
Most USB modems have a network setup similar to that of your standard WiFi router: the modem creates an internal C-network, assigns the client an IP address within the network, and sets itself as the default gateway and DNS. This is also where the web interface that the user interacts with resides. The modem itself also has an external interface which receives its network configuration from the internet provider.

Modem features
In the modem's web interface, the user is able to perform a number of configuration tasks such as setting a pin, changing the pin, disabling or enabling the pin, disabling or enabling roaming, adding a profile, and so on. Most of these functions would at best be mildly interesting to an attacker; after all, where is the profit in locking out someone’s SIM card? Luckily these devices all have another more interesting feature too, namely the ability to send and receive text messages.

SMS by CSRF
I fairly quickly found a CSRF vulnerability that would allow me to make the modem send a text message to any number of my choosing, simply by having the user go to a website under my control. Unlike WiFi routers, there is no login functionality for USB modems, so I didn’t have to worry about bypassing authentication.
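
Added example, not part of the original post or the linked article: the server-side checks a modem web interface could apply so that a state-changing request such as "send SMS" is refused when it originates from another website. The gateway address, host name, `csrf_token` field and function names are assumptions made for illustration.

```python
import hmac
import secrets
from urllib.parse import urlsplit

# Assumptions (not from the article): the modem UI is reached at one of these
# hosts, and state-changing actions such as sending an SMS are POST requests.
ALLOWED_HOSTS = {"192.168.8.1", "modem.home"}  # hypothetical gateway address/name
UI_TOKEN = secrets.token_urlsafe(32)           # embedded in pages the UI itself serves


def _host_of(url):
    """Return the lowercase hostname of an Origin/Referer value, or None."""
    try:
        return (urlsplit(url).hostname or "").lower() or None
    except ValueError:
        return None


def allow_request(method, headers, form):
    """Decide whether the web interface should act on a request.

    headers: dict with lowercase header names; form: dict of POST fields.
    Returns (allowed, reason).
    """
    # The Host header must name the device itself; this also blunts DNS rebinding.
    host = headers.get("host", "").split(":")[0].lower()
    if host not in ALLOWED_HOSTS:
        return False, "unexpected Host header"
    # Read-only methods pass, so they must never change device state.
    if method in ("GET", "HEAD"):
        return True, "read-only request"
    # Browsers attach Origin to cross-site POSTs; fall back to Referer.
    source = headers.get("origin") or headers.get("referer")
    if source is None or _host_of(source) not in ALLOWED_HOSTS:
        return False, "cross-origin or missing Origin/Referer"
    # A foreign page cannot read the token; compare in constant time.
    supplied = form.get("csrf_token", "").encode()
    if not hmac.compare_digest(supplied, UI_TOKEN.encode()):
        return False, "missing or wrong CSRF token"
    return True, "same-origin request with valid token"


if __name__ == "__main__":
    # Constructed request: a POST arriving from an unrelated site.
    print(allow_request("POST", {"host": "192.168.8.1",
                                 "origin": "https://example.test"}, {}))
```

Because the interface has no login, there is no session to bind the token to, so the Origin and Host checks carry most of the weight here.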