Presented at DEF CON 33 (2025), Aug. 9, 2025, 5:30 p.m. (20 minutes).
This research examines security oversights in a range of modern 4G/5G routers used in small businesses, industrial IoT, and everyday mobile deployments. Several of these routers contain vulnerabilities reminiscent of older security flaws, such as weak default credentials, inadequate authentication checks, and command injection pathways. By reverse-engineering firmware and testing for insecure endpoints, it was possible to demonstrate remote code execution, arbitrary SMS sending, and other serious exploits affecting Tuoshi and KuWFi devices.
Through practical examples, including Burp Suite requests and Ghidra disassembly, the talk highlights how these weaknesses can grant attackers root access, allow fraudulent activity, or compromise entire networks. In each case, mitigation strategies and best practices—like robust authentication, regular firmware updates, and network segmentation—are emphasized. Ultimately, this presentation underscores the importance of continuous security scrutiny, even for modern hardware, and encourages the community to stay vigilant and collaborate in uncovering and addressing such pervasive vulnerabilities.
Presenters:
- Edward "Actuator" Warren
Edward Warren is an Information Security Analyst and Independent Security Researcher specializing in IoT and mobile application security. Over the past few years he has discovered critical (CVSS) 0-day vulnerabilities. Edward also earned a Hall of Fame acknowledgement from the Google Play Security Reward Program (GPSRP) and attribution in numerous CVE publications. He has presented his work at conferences such as BSides and ShmooCon. When not tracking down digital bugs, Edward can be found hiking rugged trails or exploring the seas through his newfound fascination for scuba diving.