Many popular MiFi devices used as 4G hotspots are vulnerable to hacking. A DEFCON 27 talk by Pen Test Partners revealed command injection and remote code execution vulnerabilities in popular 4G hotspots and MiFi routers made by ZTE, Netgear, TP-Link, and Huawei. Affected models include the Netgear Nighthawk M1, the ZTE MF910 and the ZTE MF920, as well as the TP-Link M7350. The full list of CVEs and more information from the security researchers who cracked these devices can be found in the Pen Test Partners blog post on the matter, titled “Reverse Engineering 4G Hotspots for fun, bugs and net financial loss.”
The security researchers discovered and disclosed these vulnerabilities to the affected companies earlier this year and might even have more to release in the future. Though some of the affected MiFi devices have been patched, some have not, and therein lies the larger security issue affecting MiFi hotspot devices. Pen Test Partners’ pseudonymous security researcher G Richter articulated the long-lasting danger of these 4G hotspot vulnerabilities in his DEFCON talk summary:
“[…] a lot of existing 4G modems and routers are pretty insecure. We found critical remotely-exploitable flaws in a selection of devices from variety of vendors, without having to do too much work. Plus, there’s only a small pool of OEMs working seriously with cellular technologies, and their hardware (& software dependencies) can be found running in all sorts of places. Their old 4G, 3G and even 2G-era code is going to be running in these 5G-capable devices.”
With the looming deployment of 5G everywhere, the existing companies that are deploying and maintaining 4G networks and selling the 4G routers that consumers need to access those networks are the ones that we’re stuck with for 5G. One of the concerns is that much of the vulnerable hardware won’t ever be recalled or updated and will remain vulnerable even as it is sold to unknowing consumers. The researchers contacted ZTE about one particular model that was vulnerable, and ZTE responded that that particular model wasn’t being updated anymore. However, ZTE still sells that model (MF910) to unknowing customers.
MiFi routers are just part of 4G LTE’s security vulnerabilities
4G LTE is also vulnerable even when you aren’t using a hotspot. Earlier this year, a group of researchers from KAIST revealed dozens of security vulnerabilities that allow hackers to invade your privacy. Many of those remain unpatched. Even the batch of security vulnerabilities from 2018 that allowed for spoofing, tracking, and spamming is still not guarded against on every device. In fact, it will never be. Whether by willing negligence, as in ZTE’s case, actual legitimate end of life and support timelines, or pure user negligence to install the security updates provided by responsible hardware and software makers… there will always be users of insecure devices and insecure networks.
For pure OpSec purposes, the logical conclusion is to take matters into your own hands and use another layer of encryption and IP address obfuscation by using a VPN. If you can’t trust the network that you’re on – which these leaks show us is the case 100% of the time – then you need to take your security and privacy into your own hands by using a VPN.