In his view, "many 4G modems and routers sold on the market are very insecure; once abused by criminals, it is easy for personal information to be leaked or for the device to be subjected to command execution attacks."
"We found key remote vulnerabilities that could be exploited in a range of devices from multiple vendors, and it took a lot of effort for someone who knows the technology," Richter explained. "Bear in mind that the OEMs who make this kind of wireless communication technology are the same few worldwide, and their hardware and software show up in everyone's daily life."
The most worrying thing is that these vulnerabilities exist in products at almost every price point, whether consumer routers or enterprise equipment.
Fortunately, Richter notified the vendors promptly after finding the problems, and most of these vulnerabilities were fixed before the research results were published. However, some manufacturers handled it less well.
ZTE Router Vulnerability
In Richter's view, the most troublesome of the router vendors was ZTE. After receiving the vulnerability information, it could not be bothered to fix the issues: it declared the MF910 and MF65+ routers "end of life" and refused to provide technical support. However, there is no notice on the company's website that the MF910 has been discontinued.
Later, Richter tested another ZTE router, the MF920, which shares the same code base as the previous generation and exhibited almost the same vulnerabilities. This time ZTE had no choice but to fix them.
If you are using the MF910 or MF65+, you will have to live with the following problems:
1. The administrator password can be disclosed (pre-authentication).
2. The troubleshooting endpoint is vulnerable to command injection (post-authentication).
3. A "test page" that is not used at all is still vulnerable to cross-site scripting.
"If you chain these vulnerabilities, you can execute arbitrary code on the router by tricking a user into visiting a malicious web page," Richter added. A full vulnerability analysis of the MF910 has been published by the researchers.
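The chain described above hinges on a troubleshooting endpoint that hands user input to a shell. The following is an added example, not ZTE's code or the researchers' code, showing that vulnerable pattern next to a hardened version of the same diagnostic; the ping diagnostic, the function names and the crafted input are constructed assumptions.

```python
import re
import subprocess
from typing import List

# Constructed example, not the router vendor's code: a "troubleshooting"
# endpoint that runs a ping diagnostic against a user-supplied host.

HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?:[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?\.)*"
    r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$"
)
IPV4_RE = re.compile(
    r"^(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)$"
)


def build_ping_command_unsafe(host: str) -> str:
    """Vulnerable pattern: the parameter is spliced into a string that a shell
    will parse (os.system or subprocess with shell=True). Any shell
    metacharacter in `host` alters the command that actually runs."""
    return "ping -c 3 " + host


def validate_host(host: str) -> str:
    """Allowlist check: only a well-formed hostname or dotted IPv4 passes."""
    if HOSTNAME_RE.match(host) or IPV4_RE.match(host):
        return host
    raise ValueError(f"rejected host parameter: {host!r}")


def build_ping_argv_safe(host: str) -> List[str]:
    """Hardened pattern: the validated value becomes a single argv element and
    no shell is involved, so it can never turn into a second command."""
    return ["ping", "-c", "3", validate_host(host)]


def run_ping_safe(host: str, timeout: float = 10.0) -> str:
    """Execute the diagnostic with an argument list (shell=False is the default)."""
    result = subprocess.run(build_ping_argv_safe(host), capture_output=True,
                            text=True, timeout=timeout, check=False)
    return result.stdout


if __name__ == "__main__":
    crafted = "example.com; echo injected"   # constructed input containing a metacharacter
    print("unsafe command line:", build_ping_command_unsafe(crafted))
    try:
        build_ping_argv_safe(crafted)
    except ValueError as exc:
        print("hardened endpoint:", exc)
    print("hardened argv:", build_ping_argv_safe("example.com"))
```

The hardened version relies on two independent measures: an allowlist of what a host parameter may look like, and passing it as a discrete argument so the shell never parses it. Either alone reduces the risk; escaping or quoting a blacklist of characters is the approach that historically fails on embedded web UIs.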
As for the MF920, the issues are tracked under the following two CVEs:
• CVE-2019-3411 – Information disclosure
• CVE-2019-3412 – Arbitrary command execution
NETGEAR and TP-LINK did not escape either
NETGEAR and TP-LINK's 4G routers did not escape the scrutiny of Pen Test Partners researchers either; four CVEs have been assigned to them.
Take the NETGEAR Nighthawk M1 mobile router: if you do not set a strong password, it is exposed not only to cross-site request forgery (CVE-2019-14526) but also to post-authentication command injection (CVE-2019-14527).
The attack method is similar to the one above: it also relies on luring users to a malicious page. In addition, Richter details how the NETGEAR firmware encryption was broken.
TP-LINK's M7350 4G LTE mobile router is also problematic; it is vulnerable to command injection, for which the following two CVEs have been assigned:
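Cross-site request forgery works because the browser attaches the router's session cookie to any request, including one submitted by a malicious page. The following is an added example, not NETGEAR's or any vendor's code, showing how an admin endpoint can reject such requests with a per-session anti-CSRF token and a same-origin check; the secret, session ids and the device origin "http://192.168.1.1" are constructed values.

```python
import hashlib
import hmac
from typing import Mapping
from urllib.parse import urlsplit

# Constructed example, not any router vendor's code. An admin endpoint that
# only checks the session cookie is exposed to CSRF; the two independent
# defences below are a per-session token and an Origin/Referer check.


def issue_csrf_token(server_secret: bytes, session_id: str) -> str:
    """Derive the anti-CSRF token for a session; embed it in the admin UI's forms.
    A page on another origin cannot read it, so it cannot forge the request."""
    return hmac.new(server_secret, session_id.encode("utf-8"), hashlib.sha256).hexdigest()


def request_origin(headers: Mapping[str, str]) -> str:
    """Return scheme://host[:port] of the requester from Origin, falling back
    to Referer; an empty string means neither header was present."""
    origin = headers.get("Origin")
    if origin:
        return origin.rstrip("/")
    parts = urlsplit(headers.get("Referer", ""))
    if parts.scheme and parts.netloc:
        return f"{parts.scheme}://{parts.netloc}"
    return ""


def verify_csrf(server_secret: bytes, session_id: str, headers: Mapping[str, str],
                form: Mapping[str, str], device_origin: str) -> bool:
    """Accept a state-changing request only if both checks pass."""
    # Check 1: the request must originate from the device's own web UI.
    # A missing Origin/Referer is treated as untrusted rather than allowed.
    if request_origin(headers) != device_origin.rstrip("/"):
        return False
    # Check 2: the form must carry the token issued to this session; compare
    # in constant time so response timing leaks nothing about the token.
    submitted = form.get("csrf_token", "")
    expected = issue_csrf_token(server_secret, session_id)
    return hmac.compare_digest(submitted, expected)


if __name__ == "__main__":
    secret = b"constructed-server-secret"      # in practice: random, per device
    device = "http://192.168.1.1"              # constructed device origin
    token = issue_csrf_token(secret, "session-A")
    legit = verify_csrf(secret, "session-A", {"Origin": device},
                        {"csrf_token": token}, device)
    forged = verify_csrf(secret, "session-A", {"Origin": "http://other.example"},
                         {}, device)
    print("request from the device's own UI accepted:", legit)
    print("request from another origin without token accepted:", forged)
```

The token check alone is sufficient if the session secret is kept server-side; the origin check is a cheap second layer that also catches a missing token being submitted by a script running on a different site. Note that the "strong password" point in the text is separate: if the device still has a default credential, an attacker's page may be able to log in itself, which no CSRF defence addresses.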
• CVE-2019-12103 – Pre-authentication command injection
• CVE-2019-12104 – Post-authentication command injection
“With the continuous advance of wireless networks, many users with modest bandwidth requirements have already moved to an all-4G life,” Richter said. “However, the manufacturers that sell 4G routers are really not paying enough attention. What will happen once the 5G era arrives?”