Hacking 4G hotspots – when did you last update?

Well-known device hacking researchers at cybersecurity company Pen Test Partners have just published an article summarising the 4G hotspot hacking research they presented at last week’s DEF CON event.

Simply put, a 4G hotspot is a miniaturised, battery-powered, SIM-card-equipped equivalent to your home router.

Home routers typically plug into a mains adapter for power, plug into your phone line or a cable connection for internet connectivity, and accept Wi-Fi or wired network links from your laptops, desktops, smart TVs and so on.

In contrast, 4G hotspots are typically pocket-sized devices, often shaped like a small soap bar, that don’t plug into anything except to charge up their internal battery, usually via a 5V USB port.

Most mobile phones, in fact, include a hotspot feature so that you can share the phone’s 4G connection via the Wi-Fi card in the phone, but self-contained hotspots are still popular, not least because they make it easy to keep your voice and data charges separate.

Indeed, many mobile phone providers offer special deals with a hotspot device and a pre-paid data SIM for home users who can’t or don’t want to get a phone line or cable hookup at home.

But what about firmware upgrades? What about security? Just how safe is the average soap-bar hotspot?

After all, lots of people take hotspot devices with them on the road specifically to steer clear of unknown and untrusted access points in coffee shops, shopping malls and hotels.

In theory, getting hacked via a Wi-Fi connection you control yourself that talks back directly to the mobile network ought to be less likely than getting hacked via someone else’s Wi-Fi connection.

You can choose your own hotspot password and security settings, instead of relying on a router behind someone else’s shop counter that was set up by who-knows-whom with a configuration of who-knows-what and last updated who-knows-when.

In practice, however, your own hotspot device is only as secure as the settings you choose; only as secure as the latest firmware upgrade you installed; and ultimately only as secure as that latest firmware version itself, which is typically decided for you by your mobile provider.

How well do microrouters stack up?

Bugs in home routers and other Internet of Things (IoT) devices are, unfortunately, something we’ve written about rather frequently in the past few years.

There are lots of reasons why IoT devices don’t always have the baked-in security we might expect, including:

  • IoT devices are often built down to a price. A $20 webcam or a router that’s “free on connection” doesn’t leave a lot of money for the vendor to spend on security.
  • Ease-of-use often trumps function and security. In a competitive and crowded market, devices that force you to answer security questions before they work at all often lose out to ones that “just work”.
  • Devices made in vast numbers often sit in the supply chain some time. By the time you buy an IoT device, the built-in firmware might be many versions and numerous security fixes behind.

Unfortunately, as Pen Test Partners discovered, several hotspot vendors hadn’t got security right on their hotspots, notably in the web interface that the hotspot uses for setup and configuration (and, ironically, often for updating).

Like the average home router, portable hotspots don’t have screens or keyboards of their own, so they rely on running a small web server for their user interface, and these web servers often rely on potentially insecure ways of letting you trigger commands remotely.

Many stripped-down web servers run local operating system commands simply by taking input from a web form, such as a Wi-Fi network name or a network password, and passing that input as a text string to the operating system’s command shell.

If the web server isn’t careful about the characters it lets through, the command that runs could end up doing more than you bargained for – and those commands often need to (sometimes inadvertently) run as root, meaning that they have full-blown sysadmin-level control.

For example, if you combine the input mynetwork with the Linux command iwconfig, which is short for “internet wireless configuration program”, you can set the desired network name like this:

iwconfig wlan0 essid mynetwork

But if you let the user enter a sneaky network name like net; echo 'do command of my choice' and let the semicolon character through, then the command turns into:

iwconfig wlan0 essid net; echo 'do command of my choice'

And that is just shorthand for two successive commands, because the semicolon is a special character that lets you combine two or more commands onto a single line for convenience.

Thus you are inadvertently allowing users to both specify a network name and to issue a command of their own choosing, which could do pretty much anything they like.

Above, we just used the echo command to print out a text string, but a crook could have used a command that created an extra account, fired up a server process you don’t want, zapped files you wanted to keep, removed your firewall rules, stole passwords or other data, and much more.
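To make the difference concrete, here is a small Python illustration (added here; it is not code from the article or from Pen Test Partners’ research) of the two ways a hotspot’s web server might hand a network name to the operating system. The shell-string form counts how many commands /bin/sh would see for the article’s two inputs; the argument-vector form never involves a shell, so the semicolon stays inside a single SSID argument. The interface name wlan0 and the two network names come from the article; the allow-list rules and the use of echo as a stand-in for iwconfig (which needs root and a real radio) are assumptions of this example.

```python
import re
import shlex
import subprocess
from typing import List

# Wireless interface name used in the article's iwconfig example.
IFACE = "wlan0"

# The two inputs from the article: a benign network name and the sneaky one.
GOOD_NAME = "mynetwork"
SNEAKY_NAME = "net; echo 'do command of my choice'"

# Tokens the shell treats as command separators.
SEPARATORS = {";", "&&", "||", "|", "&"}


def build_shell_command(ssid: str) -> str:
    """The unsafe pattern: glue user input into one string for the shell.

    This is what a hotspot's web server is doing when a form field ends up
    inside something like system("iwconfig wlan0 essid " + name).
    """
    return f"iwconfig {IFACE} essid {ssid}"


def count_shell_commands(command_line: str) -> int:
    """Count how many separate commands /bin/sh would see in a line.

    shlex in POSIX mode with punctuation_chars=True tokenises ';' and
    friends as their own tokens, so we can count separators the same way
    the shell would, without actually running anything.
    """
    lexer = shlex.shlex(command_line, posix=True, punctuation_chars=True)
    lexer.whitespace_split = True
    tokens = list(lexer)
    return 1 + sum(1 for t in tokens if t in SEPARATORS)


def essid_is_acceptable(ssid: str) -> bool:
    """Allow-list check for a network name before it goes near a command.

    802.11 limits an SSID to 32 octets; on top of that this example (an
    assumption, not a vendor rule) accepts only letters, digits, space and
    a few punctuation marks. Anything else is rejected outright rather
    than 'escaped', which is where mistakes tend to creep in.
    """
    if not 1 <= len(ssid.encode("utf-8")) <= 32:
        return False
    return re.fullmatch(r"[A-Za-z0-9 _.-]+", ssid) is not None


def build_argv(ssid: str) -> List[str]:
    """The safe pattern: pass the command as an argument vector.

    With no shell involved there is nothing to interpret ';' as a
    separator: whatever the user typed arrives as a single argv entry.
    Validation still applies, because iwconfig itself should only ever
    see a sensible network name.
    """
    if not essid_is_acceptable(ssid):
        raise ValueError("network name contains characters that are not allowed")
    return ["iwconfig", IFACE, "essid", ssid]


def demo_argv_keeps_input_whole(ssid: str) -> int:
    """Run the argv form with echo standing in for iwconfig and count lines.

    echo is a constructed stand-in (iwconfig needs root and a real radio).
    Validation is deliberately skipped here so the sneaky name goes through:
    even then the result is one line, because no shell ever saw the ';'.
    """
    argv = ["echo", IFACE, "essid", ssid]
    result = subprocess.run(argv, capture_output=True, text=True, check=True)
    return len(result.stdout.splitlines())


if __name__ == "__main__":
    for name in (GOOD_NAME, SNEAKY_NAME):
        n = count_shell_commands(build_shell_command(name))
        print(f"{name!r}: {n} command(s) if passed through the shell, "
              f"{demo_argv_keeps_input_whole(name)} line(s) of output via argv, "
              f"accepted by allow-list: {essid_is_acceptable(name)}")
```

The argv form is the real fix; the allow-list is defence in depth. Note that the allow-list also catches names the shell would have handled fine but that the rest of the firmware may not, such as an over-long SSID.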

Bugs found

Pen Test Partners ended up reporting bugs in a number of different devices, including named devices from ZTE, Netgear and TP-Link.

The company also wrote that it:

[didn’t] talk about quite a few other issues we found in other devices in this particular talk.

(Watch this space in case future holes come to light!)

Note that some of these bugs are what’s known as ‘post-authentication’ flaws, meaning that until you’ve logged in to the hotspot web interface yourself via its web server, the bugs can’t be triggered.

That makes them sound harmless, except that many bugs that can be activated by a link in a web page can in theory be activated by any web page that a crook can lure you to.

That’s because the URL of your router is often easy to guess, given that many devices use easy-to-remember IP numbers such as (this number is one of a range specially reserved for home and business networks).

Other routers automatically redirect server names such as http://vendorname to the router so that you can easily “find” the router on your own LAN without remembering a raw IP number. (In theory, domain names should always have at least two parts, such as example DOT com, so a domain name consisting of a single word that’s easy to remember seems fair game for “magic” redirections like this.)

In other words, crooks can very easily guess valid URLs on the local-area network side of your router (what’s known as your LAN), even if they’re sending those URLs from the wide-area network (WAN) side of your router.

If crooks can guess your router’s URL, then you are at risk of being exploited, or even made to issue legitimate router commands without realising it, whenever you’re logged into your own router.

If you forget to log out when you’re done, and leave your browser open for hours or even days on end, you might inadvertently be in a “ready to issue router commands” mode a lot of the time!
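The risk described in the last few paragraphs is what web developers call cross-site request forgery: a page you were lured to makes your browser send a request to a router URL the crook guessed, and your browser helpfully attaches the login cookie. Logging out is the user-side fix; on the device side, the web interface should refuse state-changing requests that don’t prove they came from its own pages. The Python below is an added example (not from the article or the research, and not any vendor’s code) of that server-side check. The router origins are constructed samples: a private-range address 192.168.0.1 and the “vendorname” magic hostname mentioned above. It replays the article’s scenario: a genuine request from the router’s own page, a forged one sent while you are still logged in, and the genuine request again after logging out.

```python
import hmac
import secrets
from typing import Dict, Optional

# Origins the hotspot's web interface answers on (constructed samples:
# an address in the private range and a vendor "magic" hostname).
ROUTER_ORIGINS = {"http://192.168.0.1", "http://vendorname"}

# Session id -> anti-CSRF token. In-memory for the example; a real device
# would keep this in its session store.
SESSIONS: Dict[str, str] = {}


def login() -> Dict[str, str]:
    """Issue a session cookie and a matching anti-CSRF token.

    The token is embedded in the router's own settings pages, so only a
    page served by the router can put it into a form submission.
    """
    sid = secrets.token_urlsafe(16)
    token = secrets.token_urlsafe(16)
    SESSIONS[sid] = token
    return {"cookie": sid, "csrf_token": token}


def logout(sid: str) -> None:
    """Drop the session: the cookie becomes worthless, forged or not."""
    SESSIONS.pop(sid, None)


def _from_router_pages(headers: Dict[str, str]) -> bool:
    """Check Origin (scheme://host) or, failing that, Referer (a full URL)."""
    source = headers.get("Origin") or headers.get("Referer", "")
    return any(source == o or source.startswith(o + "/") for o in ROUTER_ORIGINS)


def authorise_change(headers: Dict[str, str],
                     cookie: Optional[str],
                     form_token: Optional[str]) -> str:
    """Decide whether a state-changing request (e.g. change the Wi-Fi name)
    may proceed. Returns 'ok' or a reason for refusing."""
    if cookie is None or cookie not in SESSIONS:
        return "refused: not logged in"
    if not _from_router_pages(headers):
        return "refused: request did not come from the router's own pages"
    if form_token is None or not hmac.compare_digest(form_token, SESSIONS[cookie]):
        return "refused: missing or wrong anti-CSRF token"
    return "ok"


def scenario() -> Dict[str, str]:
    """Replay the article's situation with constructed requests."""
    creds = login()
    # Genuine: submitted from the router's own settings page.
    genuine = authorise_change({"Origin": "http://192.168.0.1"},
                               creds["cookie"], creds["csrf_token"])
    # Forged: you are still logged in, so the browser attaches the cookie,
    # but the request was triggered by someone else's page, which cannot
    # know the token and does not share the router's origin.
    forged = authorise_change({"Origin": "http://lure.example"},
                              creds["cookie"], None)
    # After logging out, even a genuine-looking request is refused.
    logout(creds["cookie"])
    after_logout = authorise_change({"Origin": "http://192.168.0.1"},
                                    creds["cookie"], creds["csrf_token"])
    return {"genuine": genuine, "forged": forged, "after_logout": after_logout}


if __name__ == "__main__":
    for case, outcome in scenario().items():
        print(f"{case:>12}: {outcome}")
```

Either check alone would stop the forged request here; a device should do both, because some browsers omit Origin or Referer on certain requests and a token check then still holds. Marking the session cookie SameSite=Lax or Strict adds a third layer, since the browser then declines to attach it to requests started from another site.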

What to do?

  • Treat 4G hotspots as judiciously as you treat your phone. They may be cheaper and less powerful, with a fraction of the storage, but they are essentially phones without voice support. You need to keep them updated just as keenly as you update your phone.
  • Keep an eye out for bug reports. This means finding out which vendor actually made the hotspot device that you have. Mobile providers often brand the devices with their own logo, which can make the device model number and manufacturer hard to find. Check the manual, look through the web interface, or search online, for exact details.
  • Log out when you have finished. This advice applies to any online service, of course, including webmail and social media. But it’s easy to forget to log out after tweaking your router settings, which could leave you at the mercy of rogue ‘router specific’ web links embedded in otherwise innocent-looking external web pages.