Apparently, the average person in Australia carries 2.6 devices. For me, the 0.6 is my Telstra Pre-Paid 4G WiFi modem. All the main Aussie telcos have offerings in this space (Telstra/Optus/Vodafone/Virgin Mobile), and the devices provided usually are Huawei, ZTE or Sierra Wireless wifi modems.
I’ve been using this ZTE MF91 device as sold by Telstra for a couple of years now. Several months ago, I decided to give my MF91 a shakedown in the security space – and a bunch of bugs bubbled to the surface fairly quickly.
I wrote a basic script (zteeek) that exploits some of the vulnerabilities described below; it's available here (I'm not a coder, you've been warned, and so on). And here's a video:
Because an attacker already needs to be associated with the modem's wireless network to exploit them, these bugs are far less sexy; nevertheless they are a good example of the kinds of vulnerabilities that are common in embedded systems: privileged actions exposed as plain GET endpoints with no session check at all. Either a WPS attack or a plain old wireless brute-force run against the MF91 would be your best way onto its wireless network, after which you can have fun with zteeek. Here's a quick description of the vulnerability/exploit pairs:
Unauthenticated cookie value disclosure
The core value behind authenticated session cookies, MF91_Telstra_luck_num, can be retrieved via an unauthenticated GET request; with it, an attacker can construct their own valid admin session cookie and bypass authentication entirely.
Unauthenticated SSID modification
The wireless SSID can be changed without authentication by tampering with the ssid parameter.
Unauthenticated disabling of AP isolation mode
Access point (client) isolation mode can be disabled without authentication, exposing previously isolated wireless clients to one another.
Unauthenticated denial of service (force client disconnect)
A denial of service that forces the disconnection of all connected clients is possible via an unauthenticated GET request to dhcp_list_cmd.
Unauthenticated administrator password change
The administrator password for the ZTE MF91 can be changed via an unauthenticated GET request to upd_pwd, which on its own hands an attacker full control of the device's management interface.
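To make the class of bug concrete, here is an added example that models the pattern behind the findings above: a static session secret that the device will hand out, and state-changing GET endpoints that never look for a session. It is illustrative Python written for this page, not the MF91 firmware and not the zteeek script. The request format, the '/luck_num' and '/admin' paths, the 'session' cookie name and the 'password' parameter are assumptions; 'upd_pwd' and 'dhcp_list_cmd' are borrowed from the findings as names only, since the page does not give their parameters. The vulnerable handler sits beside a hardened one, and missing_auth_check() is the quick differential test a practitioner would run against any handler of this shape.

```python
"""Illustrative model (not MF91 firmware, not zteeek) of the bug class above:
a device whose admin session cookie is a static, disclosable value, and whose
state-changing actions are GET endpoints that never check for a session.
Assumed names: '/luck_num', '/admin', the 'session' cookie and the 'password'
parameter; 'upd_pwd' and 'dhcp_list_cmd' come from the findings as names only."""
import hmac
import secrets
from dataclasses import dataclass, field


@dataclass
class Request:
    method: str
    path: str
    params: dict = field(default_factory=dict)
    cookies: dict = field(default_factory=dict)


@dataclass
class Device:
    admin_password: str = "admin"
    clients: list = field(default_factory=lambda: ["client-a", "client-b"])
    # Vulnerable design: one fixed value is the admin session cookie for the device's lifetime.
    luck_num: str = "123456"
    # Hardened design: server-side set of random, per-login session tokens.
    sessions: set = field(default_factory=set)


# Endpoints that change device state; the hardened handler restricts these to POST.
MUTATING = {"/upd_pwd", "/dhcp_list_cmd"}


def vulnerable_handle(req: Request, dev: Device) -> tuple[int, str]:
    """Vulnerable handler: mirrors the findings above (request format assumed)."""
    if req.path == "/luck_num":
        # Cookie value disclosure: the session secret is served to anyone who asks.
        return 200, dev.luck_num
    if req.path == "/admin":
        # The only 'check' there is: compare the cookie against the static value,
        # so a client that fetched /luck_num forges a valid admin session.
        if req.cookies.get("session") != dev.luck_num:
            return 401, "login required"
        return 200, f"clients={len(dev.clients)}"
    if req.path == "/upd_pwd":
        # Unauthenticated admin password change over GET.
        dev.admin_password = req.params.get("password", dev.admin_password)
        return 200, "ok"
    if req.path == "/dhcp_list_cmd":
        # Unauthenticated forced disconnect of every client.
        dev.clients.clear()
        return 200, "ok"
    return 404, "not found"


def hardened_handle(req: Request, dev: Device) -> tuple[int, str]:
    """Hardened handler: real login, unpredictable server-side sessions,
    no disclosure endpoint, and no state change over GET."""
    if req.path == "/login":
        if req.method != "POST":
            return 405, "POST required"
        supplied = req.params.get("password", "")
        if not hmac.compare_digest(supplied.encode(), dev.admin_password.encode()):
            return 401, "bad credentials"
        token = secrets.token_hex(16)  # 128 bits from the OS CSPRNG, unique per login
        dev.sessions.add(token)
        return 200, token  # a real device would send Set-Cookie: session=<token>; HttpOnly
    # Every other endpoint requires a token that this device issued.
    if req.cookies.get("session") not in dev.sessions:
        return 401, "login required"
    if req.path == "/admin":
        return 200, f"clients={len(dev.clients)}"
    if req.path in MUTATING:
        if req.method != "POST":
            # Blocks the GET-driven attacks (and link/img-tag CSRF); a full fix adds a CSRF token too.
            return 405, "POST required"
        if req.path == "/upd_pwd":
            dev.admin_password = req.params.get("password", dev.admin_password)
        else:
            dev.clients.clear()
        return 200, "ok"
    return 404, "not found"


def missing_auth_check(handler, path: str, params=None) -> bool:
    """Practitioner's check: does a privileged request carrying no cookie at all get
    anything other than a 401/403? Uses a fresh Device so runs do not share state."""
    status, _ = handler(Request("GET", path, params or {}), Device())
    return status not in (401, 403)


if __name__ == "__main__":
    dev = Device()
    _, leaked = vulnerable_handle(Request("GET", "/luck_num"), dev)
    forged = Request("GET", "/admin", cookies={"session": leaked})
    print("forged admin session:", vulnerable_handle(forged, dev))
    print("upd_pwd without auth (vulnerable):", missing_auth_check(vulnerable_handle, "/upd_pwd", {"password": "x"}))
    print("upd_pwd without auth (hardened):", missing_auth_check(hardened_handle, "/upd_pwd", {"password": "x"}))
```

The differential check is the useful part to carry over to a real device: fire the same privileged request with and without any session cookie and compare the responses. If they match, the endpoint is not checking the session, whatever the login page looks like. Note that moving state changes to POST closes the GET-based attacks described above but does not by itself stop a cross-site form post; a per-session CSRF token is still needed on a device that is browsed from the same machine that is attached to it.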
Thank you CrikeyCon!
I was kindly invited to talk about the process around my dealings with the ZTE MF91 at CrikeyCon 2015 in Brisbane, which was a lot of fun. Many thanks to the CrikeyCon staff for entertaining a bunch of Aussie hackers on a very wet day in Brisbane, and thanks also to the fabulous and receptive people in attendance.