Security researchers have discovered a slew of vulnerabilities affecting 4G hotspots from ZTE, and the company hasn’t provided fixes for all of the affected devices. The security flaws could allow a potential hacker to redirect traffic from the hotspot to malicious websites, researchers said.
The vulnerabilities were disclosed on Saturday at Defcon, an annual hacking conference in Las Vegas. A Pen Test Partners researcher who goes by the handle “Dave Null” described ZTE’s security issues at length, as well as his concerns with how the Chinese phone company responded to the disclosure.
Null said that the vulnerabilities were simple to exploit — an attacker only needed the victim to visit a malicious website using one of ZTE’s hotspots. The researcher found that one model of hotspot was disclosing the device’s passwords whenever a website’s code requested them.
“So you request a key, it returns the value,” Null said in an interview prior to Defcon. “It’s just got almost no security on it.”
Once the attacker had the password to the hotspot, there were plenty of options for further hacks. The hacker could start logging a person’s web activity, use the hotspot as a way to attack devices connected to it, and redirect web traffic to malicious websites.
For example, the hacker could redirect victims from a legitimate banking website to a fake version of the page, where they could enter financial information without knowing they were being robbed.
ZTE released an advisory for the vulnerabilities in February, but only for its MF910 and MF65+ products. In its advisory, the company did not issue a fix, saying that it discontinued those two 4G hotspots in September 2017, but did patch the flaw on the updated MF920 and MF65M2 models.
Despite ZTE’s advisory, these discontinued models are still listed on some of the company’s websites.
The vulnerabilities likely apply to more ZTE products in the “MF” line, Null said. He found that since many of ZTE’s devices share the same code, they’d share the same vulnerabilities unless they’re patched. While ZTE considers the MF910 outdated, the updated MF920 model had the same problems. Null asked which other hotspots were running on the same code, but ZTE declined to provide that information.
“They don’t seem like they’re proactively looking to squash bugs,” Null said.