Flaws in 4G Routers of various vendors put millions of users at risk

Pierluigi Paganini August 13, 2019

A security expert discovered multiple flaws in 4G routers manufactured by several companies; some of them could allow attackers to take over the devices.

G Richter, a security researcher at Pen Test Partners, discovered multiple vulnerabilities in 4G routers manufactured by different vendors.

The issues include information leak flaws and code execution vulnerabilities. The expert presented the vulnerabilities in a talk at the DEF CON hacking conference, demonstrating that many existing 4G modems and routers are insecure.

“The problem is, a lot of existing 4G modems and routers are pretty insecure. We found critical remotely-exploitable flaws in a selection of devices from variety of vendors, without having to do too much work.” Richter explained. “Plus, there’s only a small pool of OEMs working seriously with cellular technologies, and their hardware (& software dependencies) can be found running in all sorts of places.”  

The experts analyzed a set of 4G routers that included both consumer-grade devices and enterprise equipment.

“In our little research project, we focused mainly on attacking services on the IP layer. We’ve reported everything we found to vendors, who have mainly fixed the issues (except when they haven’t – and by now they’ve had more than long enough!).” states the post published by the experts.

“In increasing numbers, lots of less-bandwidth-demanding consumers are inevitably going to start using cellular for their full-time Internet access,”

The discovered issues were reported to the vendors; fortunately, most of them quickly fixed the vulnerabilities.

The experts criticized the approach of ZTE, which refused to address the vulnerabilities discovered in the MF910 and MF65+ routers because they are end-of-life products.

ZTE 4G router flaws

The vulnerabilities include the leak of the administrator password, a command injection issue and a cross-site scripting issue in an unused “test” page.

“The ZTE MF910 is a really interesting router for reversing, mainly because it’s full of nice debug calls, and underused functionality. Also, it’s never going to get patched, and it’s really cheap. So it’s a great 4G router to start messing around with.” reads the post published by Pen Test Partners.

“This post gives a bit of a rundown of the debug functionality and bugs we found in the ZTE MF910. The same (or similar) API calls might be found in other ZTE MF* series routers. We’re not entirely sure, because ZTE aren’t exactly proactive at fixing issues reported to them.”

ZTE only addressed the flaws in the MF920 routers that shared the same with the above devices. The experts explained that the vulnerabilities could be chained to gain arbitrary code execution on vulnerable devices.

Below are two vulnerabilities discovered in the MF920 ZTE 4G router:

  • CVE-2019-3411 – Information Leak (7.5 high severity CVSS v3.0 base score) 
  • CVE-2019-3412 – Arbitrary Command Execution (9.8 critical severity CVSS v3.0 base score) 

The researcher also found security vulnerabilities in 4G routers manufactured by Netgear and TP-LINK. The flaws include a cross-site request forgery bypass in the Netgear Nighthawk M1 Mobile router (CVE-2019-14526) and a post-authentication command injection (CVE-2019-14527) that could be exploited by an attacker to execute arbitrary code on the vulnerable device if the web interface isn’t protected with a strong password.

Experts also discovered security flaws in TP-LINK’s M7350 4G LTE Mobile wireless router, including command injection flaws (CVE-2019-12103, CVE-2019-12104).

“Those manufacturers who are going to be selling 5G routers are currently selling 3G and 4G routers. Which – and I really cannot stress this enough – are mainly bad.”

Other details are included in the analysis published by the experts.


Pierluigi Paganini

(SecurityAffairs – 4g routers, hacking)
