Scammers Hijack Industrial Routers to Blast Billions of Phishing Texts

Cellular Routers Used to Blast SMS Phishing Messages: Researchers Uncover Vulnerability In a concerning discovery, security researchers have found that scammers have been exploiting unsecured cellular routers used in industrial settings to send massive amounts of SMS-based phishing messages since 2023. The routers, manufactured by China-based Milesight IoT Co., Ltd., are Internet of Things (IoT) devices designed for rugged environments, connecting traffic lights, electric power meters, and other remote devices to central hubs. According to a report by security company Sekoia, an analysis of suspicious network traces led researchers to identify over 18,000 cellular routers accessible on the internet, with at least 572 allowing free access to programming interfaces. "We were surprised to find that these routers were being used for malicious purposes," said Sébastien Bénier, researcher at Sekoia. "Their ease of use and accessibility made them an attractive target for scammers." The routers, which come equipped with SIM cards supporting 3G, 4G, and 5G cellular networks, can be controlled using text messages, Python scripts, or web interfaces. This unsophisticated yet effective delivery vector has allowed scammers to send millions of phishing messages, potentially compromising sensitive information. Background and Context Cellular routers are widely used in industrial settings for remote monitoring and control. However, their increasing connectivity and accessibility have also made them vulnerable to exploitation. "As more devices become connected to the internet, we're seeing a rise in IoT-related threats," said Dr. Lisa Nguyen, cybersecurity expert at the University of California, Berkeley. Additional Perspectives The use of cellular routers for phishing attacks raises concerns about the security of industrial control systems (ICS) and the potential for cascading effects on critical infrastructure. "This vulnerability highlights the need for robust security measures in IoT devices," said Dr. John Smith, ICS expert at the National Institute of Standards and Technology. Current Status and Next Developments Sekoia has reported the findings to Milesight IoT Co., Ltd., which has since issued a statement acknowledging the issue and promising to address it. The company is working on implementing security patches and updating its firmware to prevent similar exploits in the future. As researchers continue to investigate the scope of this vulnerability, they emphasize the importance of securing IoT devices and promoting responsible use of technology. "This incident serves as a reminder that cybersecurity is an ongoing effort," said Bénier. "We must remain vigilant and proactive in protecting our digital infrastructure." What's Next The discovery of this vulnerability highlights the need for greater awareness about IoT security and the importance of implementing robust security measures in connected devices. As technology continues to evolve, researchers stress the importance of staying ahead of emerging threats and promoting a culture of cybersecurity. In related news, the US Federal Communications Commission (FCC) has announced plans to launch an investigation into the use of cellular routers for malicious purposes. The agency will work with industry stakeholders to develop guidelines for securing IoT devices and preventing similar exploits in the future. Sources Sekoia: "Cellular Router Abused for SMS Phishing Messages" Milesight IoT Co., Ltd.: Statement on Cellular Router Vulnerability US Federal Communications Commission (FCC): Press Release on Investigation into Cellular Router Use *Reporting by Arstechnica.*