Researchers expose severe security flaws in Verizon hotspot from ZTE

ZTE's 890L mobile hotspot device, marketed by Verizon Wireless (NYSE:VZ), has a host of critical security flaws, according to researchers at Lift Security.

Some of the vulnerabilities found in the 890L hotspot are so severe that Lift's researchers, Adam Baldwin and Nathan LaFreniere, said they opted to omit some of the details regarding the problems from their public advisory.

ZTE's modem was released in late May by Verizon, which branded it as the Verizon Jetpack 4G LTE Mobile Hotspot 890L. The operator is still offering the device for $19.99 with a two-year contract. The hotspot supports Verizon's CDMA and LTE networks and offers quad-band GPRS/EDGE and HSPA+ global roaming. Up to 10 devices can be connected to the hotspot via Wi-Fi.

"ZTE is investigating the report of possible security vulnerabilities in the Jetpack 4G LTE Mobile Hotspot 890L. We take the report very seriously and will evaluate any confirmed issues immediately," a ZTE spokeswoman told FierceBroadbandWireless.

A Verizon spokesperson did not reply to FierceBroadbandWireless' request for comment prior to the publication deadline.

ZTE Jet Pack

Verizon Jetpack 4G LTE Mobile Hotspot 890L

Among the problems Lift discovered is that the ZTE 890L's Web interface can be accessed via simple cookie manipulation. Called authentication bypass, this can let a malicious user gain administrator privileges and access the modem's Web interface without providing the correct authentication credentials.

In addition, Lift said the 890L's SIM card can be remotely invalidated. "An invalidated SIM must be replaced by the provider and will render the device useless," said the firm.

Another issued cited by Lift is that ZTE 890L does not implement any cross-site request forgery protection, meaning a malicious page can modify any parameter or setting on the device. "Authentication is not required to make the requests, it only requires being on the internal interface of the device. It's possible these requests are available on the public interface of the device, we were unable to confirm this," said the research firm's advisory.

This is not the first time security vulnerabilities have been identified in a ZTE device. In May, ZTE confirmed its Android-powered Score M smartphone was vulnerable to a backdoor security hole that enabled anyone with the device's hardwired password to access its root directory, thus potentially allowing cyberattackers to add, remove or copy data. Further, the password was readily available online. The company said at the time that it would produce a security patch for over-the-air delivery.

The handset is sold for $99 in the United States by MetroPCS (NYSE:PCS). Dmitri Alperovitch, co-founder and CTO of security firm CrowdStrike, said when the Score M backdoor hole was first revealed that it appeared to have been built into the phone by ZTE for unknown purposes.

For more:
- see this Lift Security advisory (PDF)
- see this PC Magazine article

Related articles:
Troubled ZTE denies it's going to cut jobs
China's Ministry of Commerce comments on ZTE probe
ZTE to grow U.S. investment 10% annually despite investigation
Huawei, ZTE probed on possible Chinese government ties, business in Iran
Sweden fears trade war if EU probes Huawei, ZTE over subsidies
ZTE warns of security vulnerability in Score Android phone
ZTE promises LTE smartphones and tablets for U.S. market in 2012