You might be here because you saw our talk at Defcon 27. You might want to watch that for the full rundown!
We found multiple vulnerabilities in several well-known vendors' Mi-Fi devices, including pre- and post-auth command injection and code execution.
The vendors involved were generally poor at responding to disclosure attempts.
One vendor (ZTE) tried to tell us that the product was end of life, so wouldn't be fixed… yet they were still selling it from their own online store!
This year we've been looking at quite a few consumer-grade (non-phone) cellular devices - in particular cellular dongles and routers. Most major networking device manufacturers sell them, and they're usually (relatively) low-cost, since they're more for personal, sporadic use than for ongoing large-scale Internet access.
But, since "5G is coming" (as I'm sure it will be for quite a while), devices like this are probably going to pick up in popularity. Data costs are continuing to go down. In increasing numbers, lots of less-bandwidth-demanding consumers are inevitably going to start using cellular for their full-time Internet access.
Those manufacturers who are going to be selling 5G routers are currently selling 3G and 4G routers. Which - and I really cannot stress this enough - are mainly bad.
There's quite a lot going on in a router. Most of them are running some flavour of embedded Linux. In cellular routers, there's also a baseband to worry about. There's the IP interface (TCP/UDP IP) you'd expect from any "traditional" router, but there's also a cellular interface (SMS, MMS, voice, etc) - and sometimes even Bluetooth or another "surprise" protocol strapped on.
In our little research project, we focused mainly on attacking services on the IP layer. We've reported everything we found to vendors, who have mainly fixed the issues (except when they haven't - and by now they've had more than long enough!).
We've also put together a series of blog posts about some of the more interesting things we found, and how easy they were to find. Hopefully this will give others a nice easy introduction to cellular devices, and the kinds of strategies you can use to start reverse-engineering and poking at them.
Here's a TL;DR for each of the devices, including a rundown of how the disclosure went (spoiler: it was usually bad), a few of the "fun" things we found, the bugs we found, plus a link to more detailed posts we wrote for each:
ZTE
The disclosure process
We had a look at a few different ZTE hotspots. Initially we looked at the MF910, and tried to disclose. The process went a lot like this:
Fun stuff
Bugs
In the MF910, none of these are going to get fixed. We found a few really similar issues in the MF920, but those have apparently been fixed since we reported them.
For the ZTE MF910, we've written up a short post detailing some of the more "interesting" endpoints we found.
Two CVEs were assigned by ZTE for issues we found in the MF920:
Netgear
The disclosure process
Fun stuff
Bugs
We wrote two posts about this - one covering the firmware decryption journey, and another about how simple the CSRF protection bypass is:
Two CVEs were assigned for the issues we found in the Nighthawk M1:
**Others**
We don't talk about quite a few other issues we found in other devices in this particular talk. We found things like a post-authentication DoS in a Huawei dongle, and a few command injections in a TP-Link router. There are also quite a few more devices on the back burner - so you may well see some more content in the coming months.
Anyway, we wrote up the TP-Link command injection here, along with enough steps to help budding reverse engineers get used to Ghidra:
Two CVEs were assigned for the issues we found in the TP-Link: