A 4G HotSpot From ZTE Would Bring A Fatal Flaw

According to a recent security report, there is a large number of vulnerabilities which affect 4G hotspots from ZTE. However, the corporation has not provided any fixes for any affected device. Researchers said that a potential hacker could take advantage of security vulnerabilities to redirect web traffic from the 4G hotspots to other harmful websites.

On Saturday, the flaws were disclosed at the annual hacking conference called Defcon. A researcher from Pen Test Partners, who is known as "Dave Null", described in the security issues of the Chinese mobile phone company in detail and also expressed his concerns about how ZTE would respond to the disclosure of the flaws.

According to Null, it was easy to pull off those vulnerabilities. A hacker just needs users to visit a harmful site via ZTE's 4G hotspots. When the site requests for the passwords of the device by releasing a code, a hotspot model will disclose it.

There were several additional hacking options once the hacker owned the hotspot’s password. The attacker could begin to log the web activity of a person and make use of it to attack other devices which are connected to the hotspot and redirect traffic to more harmful websites.

In Feb, there was an advisory for security vulnerabilities, but ZTE only released it for MF65+ and MF910 models. In the advisory, the company gave no fix and ZTE also said that it stopped using MF65+ and MF910 hotspots in Sep 2017; however, it patched the flaws on the MF65M2 and MF920 models, which were newly updated.

However, those discontinued hotspots are still available on some websites of the company.

Null also said that the vulnerabilities seem to apply to more devices in the “MF” products line. He found out that if many ZTE’s devices are not patched, they have the same security flaws, considering that even though the MF 910 was an outdated product, the updated model MF920 also shares the same flaws. ZTE refused to give any further information.