Multiple vulnerabilities were found by security researchers in 4G routers manufactured by several companies, with the flaws exposing users to information leaks and command execution attacks.
Pen Test Partners researcher ‘G Richter’ shared the flaws found in 4G devices during this year’s DEF CON hacking conference, saying that “a lot of existing 4G modems and routers are pretty insecure.”
“We found critical remotely-exploitable flaws in a selection of devices from a variety of vendors, without having to do too much work,” Richter said.
“Plus, there’s only a small pool of OEMs working seriously with cellular technologies, and their hardware (& software dependencies) can be found running in all sorts of places.”
The worst part is that the security flaws were discovered after examining only a limited set of 4G routers, covering the entire price spectrum, from consumer-grade routers and dongles to very pricey devices designed to be used in large enterprise networks.
All the security flaws found were reported to the vendors, who fixed most of the discovered issues before the Pen Test Partners report was published, but, unfortunately, the disclosure process didn’t go as smoothly as expected.
ZTE Router Vulnerabilities
The vendor that really stood out in the eyes of the researchers was ZTE, who brushed off the vulnerabilities identified in the MF910 and MF65+ routers as they affected end-of-life products—even though, in the case of the MF910, it was still listed on the company’s website with no hint at it being out of support (advisory available HERE).
The researcher subsequently tested another ZTE router, the MF920, which shared the same codebase and, as a result, almost the same vulnerabilities. This time, ZTE decided to fix the reported flaws, which were also assigned CVE identifiers.
The following issues were discovered while examining the MF910 and MF65 routers, issues that the vendor will not patch:
• The administrator password can be leaked (pre-authentication).
• One of the (post-authentication) debug endpoints is vulnerable to command injection.
• There’s also a Cross-Site Scripting point in a totally unused “test” page.
“These issues could be chained together to allow arbitrary code to be executed on the router, just by a user visiting a malicious webpage,” added Richter. More details on the MF910 security analysis can be found HERE.
Two of the vulnerabilities found in the other examined ZTE 4G router, the MF920, received the following CVEs—an advisory issued by the vendor is available HERE:
Security flaws found in Netgear and TP-LINK 4G routers
The Pen Test Partners researcher also found security issues in 4G routers manufactured by Netgear and TP-LINK, with at least four of them also having been assigned CVEs.
In the case of the Netgear Nighthawk M1 Mobile router, a cross-site request forgery bypass (tracked as CVE-2019-14526) and a post-authentication command injection (CVE-2019-14527) could allow potential attackers to execute arbitrary code on the vulnerable device if “the user hasn’t set a strong password on the web interface.”
This vulnerability chain could be easily exploited by an attacker by tricking the device’s users into visiting a maliciously crafted page. The researcher also provides more info on the CSRF protection bypass flaw and how one can break Netgear Nighthawk M1’s firmware encryption.
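The two chains above share the same two ingredients: a web-interface endpoint that passes a submitted value to a shell command, and a missing or bypassable CSRF check that lets a page the user merely visits drive that endpoint. The following Python model, added here for illustration and not code from Pen Test Partners, ZTE, Netgear or TP-LINK, contrasts a handler that interpolates a "host" parameter into a shell string with one that validates the value, invokes the binary without a shell, and requires a per-session CSRF token before doing anything. The endpoint name `handle_debug_ping`, the `session` and `form` dictionaries, and the ping-based debug function are all assumptions standing in for whatever the real firmware exposes.

```python
"""Hypothetical model of a router 'debug ping' endpoint (constructed example)."""
import hmac
import ipaddress
import secrets
import shlex
import subprocess
from typing import Dict, List, Optional, Tuple


# --- Vulnerable pattern, shown only for contrast ------------------------------
def build_ping_command_unsafe(host: str) -> str:
    """Interpolates user input into a shell string; anything the user
    appends after the host becomes part of the command line."""
    return f"ping -c 1 {host}"


# --- Hardened pattern ---------------------------------------------------------
def _valid_label(label: str) -> bool:
    """One DNS label: 1-63 chars, letters/digits/hyphen, no leading/trailing hyphen."""
    return (
        0 < len(label) <= 63
        and label.replace("-", "").isalnum()
        and not label.startswith("-")
        and not label.endswith("-")
    )


def validate_host(host: str) -> str:
    """Accept only a literal IP address or a conservative hostname.

    Shell metacharacters, whitespace and option-like values ('-c') never
    pass, so the value can be handed to the binary as a plain argument."""
    try:
        return str(ipaddress.ip_address(host))
    except ValueError:
        pass
    if 0 < len(host) <= 253 and all(_valid_label(l) for l in host.split(".")):
        return host
    raise ValueError("invalid host")


def build_ping_argv(host: str) -> List[str]:
    """Argument vector for subprocess; no shell parses it."""
    return ["ping", "-c", "1", validate_host(host)]


def run_ping(host: str) -> subprocess.CompletedProcess:
    """Execute the validated command without a shell (not exercised by the test)."""
    return subprocess.run(build_ping_argv(host), capture_output=True, text=True, timeout=10)


# --- CSRF token handling ------------------------------------------------------
def issue_csrf_token(session: Dict) -> str:
    """Bind a fresh, unguessable token to the authenticated session."""
    token = secrets.token_urlsafe(32)
    session["csrf_token"] = token
    return token


def check_csrf(session: Dict, submitted: Optional[str]) -> bool:
    """Constant-time comparison; missing token on either side fails closed."""
    expected = session.get("csrf_token")
    if not expected or not submitted:
        return False
    return hmac.compare_digest(expected, submitted)


def handle_debug_ping(session: Dict, form: Dict) -> Tuple[int, str]:
    """Simulated request handler: authentication, then CSRF, then input
    validation, and only then a command is built. Returns (status, body);
    on success the body is the argv rendered for display, not executed."""
    if not session.get("authenticated"):
        return 401, "login required"
    if not check_csrf(session, form.get("csrf_token")):
        return 403, "csrf check failed"
    try:
        argv = build_ping_argv(form.get("host", ""))
    except ValueError:
        return 400, "invalid host"
    return 200, shlex.join(argv)


if __name__ == "__main__":
    sess = {"authenticated": True}
    tok = issue_csrf_token(sess)
    print(handle_debug_ping(sess, {"host": "192.0.2.1", "csrf_token": tok}))
    print(handle_debug_ping(sess, {"host": "192.0.2.1; id", "csrf_token": tok}))
    print(handle_debug_ping(sess, {"host": "192.0.2.1"}))
```

The order of checks matters: a request arriving from a page the user happened to open carries the session cookie (so it is "authenticated") but not the token, so it stops at the CSRF check before any input reaches the validator. The default-password caveat quoted for the Nighthawk M1 is the other half of the same picture; a CSRF token only helps once the session it is bound to is itself hard to obtain.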
TP-LINK’s M7350 4G LTE Mobile wireless router was also found to be vulnerable, this time to the following command injection flaws, which also got their own CVEs after being disclosed to the vendor:
“In increasing numbers, lots of less-bandwidth-demanding consumers are inevitably going to start using cellular for their full-time Internet access,” added the Pen Test Partners researcher.
“Those manufacturers who are going to be selling 5G routers are currently selling 3G and 4G routers. Which – and I really cannot stress this enough – are mainly bad.”