The MTS Mblaze Ultra Wi-Fi product, made by ZTE with model number AC3633 and hardware version V.MTS.AC3633.A, has weaknesses that can disrupt the Internet service, damage the device and also expose user details such as address, phone number, e-mail and much more.
Since last year I have been using the MTS Mblaze Wi-Fi product; it doesn't cost much and offers good on-the-go connectivity in most areas. There is a WebUI residing on the device that allows you to control the device, set the Wi-Fi password, enable/disable Wi-Fi, receive notifications, connect/disconnect and several other things. The WebUI is reachable whenever you hit the IP 192.168.1.1, and with the chosen username/password combination you can control almost everything on the user end.
Every time you connect to the Internet, the service assigns you a public IP (IPv6 and IPv4) that is visible to the websites you visit. You can find it either by asking Google "What is my IP" or by locating this line in the WebUI source code: net: {ip:"x.x.x.x", mask:"255.255.255.255", gateway:"x.x.x.x", where "x" stands for your IP.
Finding:
Now, the next thing you do is ping that IP to see whether it responds, and check whether the default HTTP port is open. If it is, the IP answers, and when you hit it in the browser you will see the WebUI opening up for you. This is not your LOCAL IP: it can be accessed at any time, from any location, and from any network.
The device probably runs an embedded Linux OS with kernel 2.6 or above and ZTE Server 1.0, which is probably based on an OpenEmbedded server. As I looked through the files, the functions connect to a local DB that stores the credentials. More could be said about this, but it would expose things that shouldn't be exposed.
Moving forward, after you hit the IP in the address bar of your browser, you will be greeted with the same old WebUI from where you can control the device by entering your password and username. Now, by sending a ping to all of the IP addresses in your IP range, you will be able to identify alive hosts whose WebUI is accessible via the IP. Now, if you are an MTS Mblaze user, you might have changed the default username and password, but most people don’t and default username and password were found in the wild. Hit the IP, login with the default username and password, and you will end up controlling the victim’s Internet connection.
See the notifications, disconnect the Internet, check statistics and more. I will be discussing it in a bit.
So how is all of this happening? It is because the device is acting as a server to the rest of the world as well as to you. What you thought was limited to your local network is reachable by almost anyone who knows your IP.
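The exposure the post describes can be checked for your own device from the defender's side: pull the public IP out of the `net: {ip:"…"}` line, confirm it is not a LAN address, and see whether the HTTP port on that address answers with the WebUI. The following is an added example (not code from the post, from MTS or from ZTE); the sample source line uses constructed documentation-range addresses, and `probe_admin_port` issues a plain HTTP GET, which is my own choice, not a device API.

```python
import ipaddress
import re
import socket

# Constructed sample of the line the post quotes from the WebUI source.
# Addresses are from a documentation range, not a real device.
SAMPLE_WEBUI_SOURCE = (
    'var cfg = { net: {ip:"203.0.113.45", mask:"255.255.255.255", '
    'gateway:"203.0.113.1", dns:"203.0.113.2"} };'
)

# Accept straight or typographic quotes, since copied source often carries the latter.
_Q = '["\u201c\u201d]'
_V = r'([^"\u201c\u201d]+)'
NET_LINE = re.compile(
    r'net:\s*\{\s*ip:\s*' + _Q + _V + _Q
    + r'\s*,\s*mask:\s*' + _Q + _V + _Q
    + r'\s*,\s*gateway:\s*' + _Q + _V + _Q
)

# Addresses that are never reachable from the Internet (RFC 1918, loopback, link-local).
_LOCAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16",
)]

# Strings that mark a reply as the device's WebUI (Server banner named in the post,
# plus generic login-page words); a heuristic, not a fingerprint database.
WEBUI_MARKERS = (b"zte server", b"login", b"password")


def parse_net_line(source: str):
    """Return {'ip', 'mask', 'gateway'} from the WebUI's net: {...} line, or None."""
    m = NET_LINE.search(source)
    if not m:
        return None
    return {"ip": m.group(1), "mask": m.group(2), "gateway": m.group(3)}


def is_lan_address(ip: str) -> bool:
    """True when the address is private/loopback/link-local and so cannot be the WAN side."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in _LOCAL_NETS)


def looks_like_webui(raw: bytes) -> bool:
    """Heuristic: an HTTP reply whose headers or body carry a WebUI marker."""
    if not raw.startswith(b"HTTP/"):
        return False
    lowered = raw.lower()
    return any(marker in lowered for marker in WEBUI_MARKERS)


def probe_admin_port(ip: str, port: int = 80, timeout: float = 3.0) -> bytes:
    """Fetch '/' over plain HTTP from ip:port; return the raw reply, b'' if nothing answered."""
    request = ("GET / HTTP/1.0\r\nHost: %s\r\nConnection: close\r\n\r\n" % ip).encode()
    try:
        with socket.create_connection((ip, port), timeout=timeout) as sock:
            sock.sendall(request)
            chunks, total = [], 0
            while total < 65536:                     # cap what we keep
                data = sock.recv(4096)
                if not data:
                    break
                chunks.append(data)
                total += len(data)
            return b"".join(chunks)
    except OSError:                                  # refused, timed out, unreachable
        return b""


def exposure_report(webui_source: str, probe=probe_admin_port) -> dict:
    """Combine the steps: parse the IP, skip LAN addresses, probe, classify the reply."""
    net = parse_net_line(webui_source)
    if net is None:
        return {"status": "no net line found"}
    ip = net["ip"]
    if is_lan_address(ip):
        return {"ip": ip, "status": "LAN address only; nothing to probe"}
    reply = probe(ip)
    if not reply:
        return {"ip": ip, "status": "admin port closed or filtered"}
    status = "admin port answers" + (" with the WebUI" if looks_like_webui(reply) else "")
    return {"ip": ip, "status": status}


if __name__ == "__main__":
    # Against the constructed sample this never reaches the network: swap in your own
    # copied net: line, and run it from a different network than the device's own LAN.
    print(exposure_report(SAMPLE_WEBUI_SOURCE, probe=lambda ip, port=80, timeout=3.0: b""))
```

Run the probe from a network other than the one the device serves (for example a phone on mobile data); from inside the LAN a reply may arrive via NAT hairpinning and says nothing about what the Internet sees. A result of "admin port answers with the WebUI" means the login page is public, which is exactly the situation the post describes, and the password change described further below is the first thing to do about it.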
So let’s get on to the list of things you can do, once in the Web UI.
- If the default username and password don't work, one thing you can do is a DoS or DDoS attack on the device, which will make it stop working for the time being, or behave erratically. Mine was restarting within a period of ten seconds.
- You can change the login details of the WebUI, which the owner can then only change back after a hard reset.
- Change the Wi-Fi password
- Disconnect the user
- Acquire the MAC address of the device and other clients connected to the MTS Mblaze
Next big thing you can do is learn the personal details of the users by resetting the MTS Self Care Portal Password.
MTS has provided this new portal for users to pay their bills, see their usage history and a few other details. In it there is a My Account section holding the details of the user.
To reset the password, all you need to do is copy the Mobile Number given in the WebUI and paste it into the Reset Password section of the Self Care Portal. This attack is only applicable to those who have already registered for the Self Care Portal.
On every associated email and phone number, including that of the MTS product, the Self Care would send a message containing a link to reset the password — I guess that’s all you need to retrieve the details.
The best thing to do right now is change the WebUI password to a strong one by hitting the IP 192.168.1.1, then going to the Settings tab > on the left side click on Security > go to User setting > and then type in the new Username and Password of your choice. It should consist of letters, special symbols, and numbers.
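A small check for the password rule just stated (letters, special symbols and numbers), as an added example that is not part of the post. The minimum length of 12 is my assumption, since the post names none, and the denylist is constructed from words on the page; the device's actual default credentials are not reproduced here.

```python
import string

MIN_LENGTH = 12  # assumption: the post asks for a strong password but gives no length

# Constructed denylist of values that would be guessed first. Built only from words
# on the page; it does not reproduce the device's real default credentials.
COMMON_VALUES = {"password", "admin", "12345678", "mts", "mblaze", "zte"}


def password_problems(password: str, username: str) -> list:
    """Return the list of rule violations for a WebUI password; empty means it passes."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("shorter than %d characters" % MIN_LENGTH)
    classes = {
        "letter": any(c.isalpha() for c in password),
        "number": any(c.isdigit() for c in password),
        "special symbol": any(c in string.punctuation for c in password),
    }
    for name, present in classes.items():
        if not present:
            problems.append("no %s" % name)
    low = password.lower()
    if username and username.lower() in low:
        problems.append("contains the username")
    if low.strip(string.punctuation + string.digits) in COMMON_VALUES or low in COMMON_VALUES:
        problems.append("too common")
    return problems


def password_meets_policy(password: str, username: str) -> bool:
    return not password_problems(password, username)


if __name__ == "__main__":
    for pw in ("admin", "mts12345678!", "Tr0ub4dor&3xample!"):
        print(pw, password_problems(pw, "admin") or "ok")
```

Apply the same rule to the username: the post's point is that attackers log in with the defaults, so both halves of the login should be changed.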
Is it fixed?
One of the most interesting parts of this entire finding was that MTS didn't even bother to reply to me over this issue. Despite the fact that I contacted almost every MTS person on LinkedIn, sent e-mails to customer care and the Appellate Department, and wrote on Facebook, all I kept getting was an automated reply. It got worse when, on Facebook, the MTS account started ignoring my messages.
The first thing I did was call MTS; from there I was redirected to a senior executive who told me to send an e-mail to the Appellate Department. I got an automated e-mail saying I would have a reply within 24 or 48 hours. Well, that expired too fast, and I started contacting people on LinkedIn, with no response from there either. Later, when I contacted MTS on Facebook, I got the same response: a 24-48 hour wait.
The company left me no choice, and I decided to make it public. I have been paying my bills on time, yet was relying on a service that has several loopholes. Also, in the e-mails I kept receiving automated replies asking for the Number, which really shouldn't happen.
Apart from this, while I was going through one of the policies, it was clearly written that NEITHER COMPANY, NOR ITS PARENTS, AFFILIATES, MEMBERS, EMPLOYEES, OR AGENTS SHALL BE LIABLE OR SHALL HAVE RESPONSIBILITY OF ANY KIND WHATSOEVER TO ANY USERS OR THIRD PARTY, FOR ANY LOSS, HARM OR DAMAGE THAT RESULTS OR OCCURS FROM
(VII) ANY SECURITY BREACH, OR ANY VIRUS, BUG, TAMPERING, UNAUTHORIZED INTERVENTION, FRAUD, ERROR, INACCURACY, DEFECT OR TECHNICAL MALFUNCTIONS;
Disclaimer: This post is only intended for educational purposes; neither I, edbinx.com, nor the websites reproducing the content with prior consent from Edbinx.com shall be held responsible for any damage you do. Please read the website policy carefully.
Hi,
my MTS Mblaze is being used by someone now.
The current users shown is 2 though it's connected only to my laptop.
How can I view connected users and disconnect users?
Please help me out..
thanks