4G Router Vulnerabilities Let Attackers Take Full Control


Security researchers found multiple vulnerabilities in 4G routers produced by several vendors, with the flaws exposing users to information leaks and command execution attacks.

Pen Test Partners researcher ‘G Richter’ reported during this year's DEF CON hacking conference that “many existing 4G modems and routers are quite insecure.”

“We found critical remotely-exploitable flaws in a selection of devices from a variety of vendors, without having to do too much work,” Richter said.

“In addition, there is only a small pool of OEMs who work hard with cellular technologies, and their hardware (& software dependencies) can be found in any kind of place.”

The worst part is that these flaws were discovered after examining only a limited set of 4G routers covering the entire price range, from consumer-grade routers and dongles up to extremely pricey appliances.

All the security flaws identified were reported to the vendors, who fixed most of them before Pen Test Partners published its report, but unfortunately the disclosure process was not as smooth as expected.

ZTE router vulnerabilities

ZTE really stood out in the eyes of the researchers: it dismissed the vulnerabilities identified in the MF910 and MF65+ routers because they involved end-of-life products. However, the MF910 was still available on the company’s website without any indication of being out of support.

The researcher then tested another ZTE router, the MF920, which shared the same codebase and thus almost the same flaws. This time, ZTE decided to fix the reported flaws, which were also assigned CVE IDs.

When examining the MF910 and MF65 routers, the following problems, which the vendor will not patch, were found:

• The administrator password can be leaked (pre-authentication).
• One of the (post-authentication) debug endpoints is vulnerable to command injection.
• There’s also a Cross-Site Scripting point in a totally unused “test” page.

“These issues could be chained together to allow arbitrary code to be executed on the router, just by a user visiting a malicious webpage,” added Richter. More details on the MF910 security analysis can be found here.

Two of the vulnerabilities found in the other ZTE 4G router, the MF920, are tracked under the following CVEs (an advisory is available from the vendor):

CVE-2019-3411 – Information Leak (7.5 high severity CVSS v3.0 base score)
CVE-2019-3412 – Arbitrary Command Execution (9.8 critical severity CVSS v3.0 base score)

Security flaws in Netgear and TP-LINK 4G routers

The Pen Test Partners researchers also found security problems in 4G routers produced by Netgear and TP-LINK, with at least four of them assigned CVEs.

In the Netgear Nighthawk M1, a cross-site request forgery (CSRF) bypass (tracked as CVE-2019-14526) and a post-authentication command injection (CVE-2019-14527) could allow potential attackers to execute arbitrary code on the device if “the user did not set up a strong password on the internet interface.” The researcher also gives more information about the CSRF bypass flaw and about how the Netgear Nighthawk M1's firmware encryption can be broken.

TP-LINK’s M7350 4G LTE wireless router was also found vulnerable to the following injection flaws, which were assigned their own CVEs after being disclosed to the vendor:

CVE-2019-12103 – Pre-Authentication Command Execution
CVE-2019-12104 – Post-Authentication Command Execution
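
Command injection, the class reported above for the ZTE, Netgear and TP-LINK devices, typically arises when a web handler pastes a request parameter into a shell command line. The following is an added example, not code from any of these devices or from the Pen Test Partners report; the `debug_ping` handler, its parameter and the `is_safe_host` helper are hypothetical. It shows the vulnerable pattern in a comment and a hardened handler as code.

```c
#include <ctype.h>
#include <stddef.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Hypothetical debug "ping" handler for a router web UI (constructed for
 * illustration; not code from any device named in the article).
 *
 * Vulnerable pattern: the parameter is pasted into a shell command line,
 * so shell metacharacters in it are interpreted by /bin/sh:
 *     snprintf(cmd, sizeof cmd, "ping -c 1 %s", host);
 *     system(cmd);
 */

/* Allow-list check: hostname or IPv4 literal only, bounded length, and no
 * leading '-' (which ping would otherwise parse as an option). */
int is_safe_host(const char *host)
{
    size_t len = host ? strlen(host) : 0;
    if (len == 0 || len > 253 || host[0] == '-' || host[0] == '.')
        return 0;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)host[i];
        if (!isalnum(c) && c != '.' && c != '-')
            return 0;
    }
    return 1;
}

/* Hardened handler: validate, then exec ping directly with an argv array.
 * No shell is involved, so the value is never parsed as shell syntax.
 * Returns -1 if the input is rejected or ping cannot be run to completion,
 * otherwise ping's exit status. */
int debug_ping(const char *host)
{
    if (!is_safe_host(host))
        return -1;
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        char *const argv[] = { "ping", "-c", "1", (char *)host, NULL };
        execvp(argv[0], argv);
        _exit(127);               /* exec failed */
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}
```

Validation and shell-free execution are independent layers: either one alone stops the metacharacter case, and together they also cover option injection through a leading `-`.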

“In increasing numbers, lots of less-bandwidth-demanding consumers are inevitably going to start using cellular for their full-time Internet access,” added the Pen Test Partners researcher.

“Those manufacturers who are going to be selling 5G routers are currently selling 3G and 4G routers. Which – and I really cannot stress this enough – are mainly bad.”

Mark Funk
Mark Funk is an experienced information security specialist who works with enterprises to mature and improve their enterprise security programs. Previously, he worked as a security news reporter.