About

“Create your own personal hotspot on the go with the T-Mobile 4G Mobile Hotspot—get high-speed Internet on up to five Wi-Fi devices, using a single mobile broadband connection.”

Link to Product on T-Mobile’s Website

Timeline

Reported to T-Mobile and ZTE on 4/14/12.

Received notification from T-Mobile on 4/17/12 that the vulnerabilities would be forwarded to their security team for review.

Received no meaningful response from ZTE.

No fixes provided; disclosed on 2/21/13.

Device: T-Mobile 4G Mobile Hotspot ZTE MF61

The access point broadcasts as ‘T-Mobile Broadband#’ where # changes per device.

Vulnerability #1: Authentication Bypass

The internal administrative web interface is served up with the GoAhead Embedded Web Server (which probably has to be the most vulnerable web server I’ve ever seen in my life — google it). This particular issue with the web server was already reported a long, long time ago (CVE-2002-2427), but I’m reporting it here nonetheless.

Authentication to the administrative interface can be bypassed by adding an extra ‘/’ character after any page. This leads to:

Exposure of administrative settings

Exposure of WiFi Password
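For anyone fixing this class of bug, here is an added example (not from the original post and not GoAhead's code) of an authentication gate that compares the raw request path, beside a hardened gate that canonicalises the path first and fails closed. The root cause modelled here (gate and file handler disagreeing about the trailing ‘/’) is an assumption, and the page names and function names are constructed for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Constructed page names; the device's real page names are not used here. */
static const char *PROTECTED[] = { "/admin.asp", "/wifi.asp" };
#define N_PROTECTED (sizeof PROTECTED / sizeof PROTECTED[0])

/* Collapse repeated '/' and drop trailing '/', so every spelling of a page
 * maps to one canonical form. Returns false if the result does not fit. */
bool canonicalize(const char *in, char *out, size_t cap) {
    size_t n = 0;
    if (cap == 0) return false;
    for (const char *p = in; *p; p++) {
        if (*p == '/' && n > 0 && out[n - 1] == '/') continue;
        if (n + 1 >= cap) return false;
        out[n++] = *p;
    }
    while (n > 1 && out[n - 1] == '/') n--;
    out[n] = '\0';
    return true;
}

/* Assumed weak pattern: the auth gate compares the raw request path. */
bool requires_auth_weak(const char *raw) {
    for (size_t i = 0; i < N_PROTECTED; i++)
        if (strcmp(raw, PROTECTED[i]) == 0) return true;
    return false;
}

/* Hardened gate: canonicalise first, and fail closed on any path that
 * cannot be canonicalised. */
bool requires_auth_hardened(const char *raw) {
    char canon[256];
    if (!canonicalize(raw, canon, sizeof canon)) return true;
    return requires_auth_weak(canon);
}

/* Assumed file handler: it canonicalises on its own, so "/admin.asp/" and
 * "/admin.asp" are served from the same page. */
bool same_page(const char *a, const char *b) {
    char ca[256], cb[256];
    return canonicalize(a, ca, sizeof ca) && canonicalize(b, cb, sizeof cb)
        && strcmp(ca, cb) == 0;
}
```

A deny-by-default gate, which lists the few public pages and requires authentication for everything else, removes the dependence on matching every spelling of a protected page.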

Vulnerability #2: Unauthenticated Text Message Disclosure

You can send and receive text messages using the hotspot (although I don’t know why or who would actually use this functionality). All of the text messages are stored in an XML file, with the messages encoded in UTF-16.

The messages are accessible, unauthenticated at

That’s all for now. I’m sure there are still several unreported goodies to find.

Please fix these, T-Mobile.

Dustin Schultz