When someone first approached us with the question of whether we had heard of malware sending out unsolicited SMS messages, we almost immediately replied positively – there are plenty such malicious applications on Android. The next question caught us rather by surprise: have you seen such malware on a 4G/LTE capable broadband router?

We were presented with an issue where a specific SOHO router (from a top 5 vendor) was sending messages to another country – messages which, at a quick glance, resembled match fixing. Our initial investigation quickly revealed an unpatched vulnerability in the device's firmware which made anonymous SMS sending possible, without the need for any further authentication on the device. Further monitoring of the problem slowly made us reconsider our first take on it, as a Messaging-as-a-Service (MaaS) like service started to take shape in the background.

In this talk we will explain how certain 4G/LTE capable routers could be exploited to anonymously send out thousands of short text messages for various purposes, ranging from match fixing through generating revenue with premium rate numbers to data exfiltration. We will talk about the vulnerability used, how could it survive for an extended period of time, what different types of damage it caused, and the motivation of the adversaries behind it.

Got a question about this presentation? To get in touch with the speakers, contact Gergely Eberhardt by email on [email protected] or on Twitter at @ebux25 or Robert Neumann by email on [email protected].