
Reverse-Engineering 4g Hotspots for Fun, Bugs and Net Financial Loss

Conference: Defcon 27

2019-08-01

Summary

The speaker discusses his experience finding vulnerabilities in embedded devices and the lack of response from vendors to fix them.
  • The speaker found vulnerabilities in Netgear and TP-Link devices
  • Vendors are often unresponsive to bug reports and do not take proactive measures to prevent vulnerabilities
  • Shared code and development stacks can lead to vulnerabilities in multiple devices
  • The speaker encourages others to explore hacking embedded devices to learn how they work
The speaker sent a proof of concept to Netgear, but they did not consider it a vulnerability because they had not installed the necessary software on another device. The speaker also notes that it has been six months since reporting the vulnerabilities and Netgear has done nothing to fix them.

Abstract

“5G is coming” (apparently). That probably means, over the next few years, more and more people are going to be using more and more cellular-connected devices for their day-to-day TCP/IP activities. The problem is, a lot of existing 4G modems and routers are pretty insecure. We found critical remotely-exploitable flaws in a selection of devices from a variety of vendors, without having to do too much work. Plus, there’s only a small pool of OEMs working seriously with cellular technologies, and their hardware (& software dependencies) can be found running in all sorts of places. Their old 4G, 3G and even 2G-era code is going to be running in these 5G-capable devices. With a small sample of consumer 4G routers as examples, we’re going to talk about how malleable, frustrating, and insecure these devices are. We’ll run through a few examples of existing 4G routers, from low-end bargain-basement end-of-life-never-to-be-fixed to higher-end devices. Root is a means to an end, rather than the goal.
