“Create your own personal hotspot on the go with the T-Mobile 4G Mobile Hotspot—get high-speed Internet on up to five Wi-Fi devices, using a single mobile broadband connection.”
- Reported to T-Mobile and ZTE on 4/14/12.
- Received notification from T-Mobile on 4/17/12 that the vulnerabilities would be forwarded to their security team for review.
- Received no meaningful response from ZTE.
- No fixes provided; disclosed 2/21/13.
Device: T-Mobile 4G Mobile Hotspot ZTE MF61
The access point broadcasts as ‘T-Mobile Broadband#’ where # changes per device.
Vulnerability #1: Authentication Bypass
The internal administrative web interface is served up with the GoAhead Embedded Web Server (which probably has to be the most vulnerable web server I’ve ever seen in my life — google it). This particular issue with the web server was already reported a long, long time ago (CVE-2002-2427), but I’m reporting it here nonetheless.
Authentication to the administrative interface can be bypassed by adding an extra ‘/’ character after any page. This leads to:
- Exposure of administrative settings
- Exposure of WiFi Password
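The following is an added example, not part of the original advisory and not GoAhead's code. It is a minimal C model of one way a trailing '/' can defeat an access check: the check compares the raw request path while the file handler resolves a normalized one. The hardened variant normalizes first. The page names, the function names and the assumed root cause are hypothetical.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical protected pages (constructed; not the device's real page names). */
static const char *PROTECTED[] = { "/admin.asp", "/wifi_settings.asp" };

/* Collapse repeated '/' and drop trailing '/'. Returns -1 if the path does not fit. */
static int canonicalize(const char *in, char *out, size_t outsz) {
    size_t o = 0;
    for (size_t i = 0; in[i] != '\0'; i++) {
        if (in[i] == '/' && o > 0 && out[o - 1] == '/') continue;
        if (o + 1 >= outsz) return -1;
        out[o++] = in[i];
    }
    while (o > 1 && out[o - 1] == '/') o--;
    out[o] = '\0';
    return 0;
}

static int is_protected(const char *path) {
    for (size_t i = 0; i < sizeof PROTECTED / sizeof PROTECTED[0]; i++)
        if (strcmp(path, PROTECTED[i]) == 0) return 1;
    return 0;
}

/* Flawed model: the access check sees the raw path, the file handler a normalized one.
   Returns 1 when a protected page would be served without a login. */
int bypasses_naive_check(const char *raw) {
    char resolved[256];
    if (canonicalize(raw, resolved, sizeof resolved) != 0) return 0;
    return !is_protected(raw) && is_protected(resolved);
}

/* Hardened model: normalize first, decide on the normalized path, fail closed on error. */
int requires_auth_hardened(const char *raw) {
    char canon[256];
    if (canonicalize(raw, canon, sizeof canon) != 0) return 1;
    return is_protected(canon);
}

int main(void) {
    const char *samples[] = { "/admin.asp", "/admin.asp/", "/index.html" };
    for (size_t i = 0; i < 3; i++)
        printf("%-14s naive bypass=%d hardened requires auth=%d\n", samples[i],
               bypasses_naive_check(samples[i]), requires_auth_hardened(samples[i]));
    return 0;
}
```

Percent-decoding and dot-segment handling belong in the same normalization step; they are left out here to keep the model to the trailing-slash case.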
Vulnerability #2: Unauthenticated Text Message Disclosure
You can send and receive text messages using the hotspot (although I don’t know why or who would actually use this functionality). All of the text messages are stored in an XML file, with the messages encoded in UTF-16.
The messages are accessible without authentication at http://mobile.hotspot/sms_xml/nv_inbox.xml