Securing a T-Mobile Z915 Hotspot

I picked up a T-Mobile Z915 hotspot for international travel. Within the US, I’m sticking with Verizon for their coverage, but the difficulty and cost of international roaming is a bit much.

General Thoughts

The Z915 is made by ZTE. The default configuration is pretty secure as follows:

  • Wi-Fi Security: WAP2 Personal
  • Password: 8 digits (last 8 digits of the IMEI)
  • Network Name (SSID): T-Mobile Broadband<last 2 digits of the IMEI>
  • Admin Interface: http://mobile.hotspot
  • Admin password: admin

While the admin password is weak and the admin interface is unencrypted, it should only be available to users that have already authenticated to the Wi-Fi.

Increasing Security

Fortunately all of the settings are configurable (except encryption of the admin interface) by following these steps:

  1. Connect your computer/tablet/phone to the Wi-Fi network created by the hotspot.
  2. Point your browser to http://mobile.hotspot or http://192.168.0.1
    On many devices, you will need to enter "http://" to prevent them from performing a search.
    You will need to enter the IP address if your device does not get its DNS settings from DHCP.
  3. Login by by entering the password.
  4. Click Settings
  5. Change Wi-Fi SSID to your own custom network name.
  6. (optinal) Disable SSID broadcast. I see this as a courtesy at hotels and airports, not to increase security.
  7. Change Wi-Fi Password. Click Apply.
    I set mine to a 32 character alpha-numeric password.
    You will be disconnected from the network when you apply these settings.
  8. Reconnect to Wi-Fi with the new settings.
  9. Login again.
  10. Click Settings and then click Device Settings.
  11. Change Admin Password. Click Apply.
  12. Set Wi-Fi Performance Settings to Economy mode. Click Apply.
    This should help increase battery life, and I was able to maintain a connection 60 feet away and 2 interior walls between.
  13. (optional) Disable SSID/WEB Password Display.
    By default the hotspot displays its passwords on its screen. Since you should have physical control of the hotspot, this shouldn’t matter either way.

Performance

Internationally, T-Mobile includes free roaming on their postpaid plans. This is limited to 2G/3G speeds, but it’s enough to check email and get directions.

So far, I’ve observed the following speeds:

  • Brussels Airport: 50 kbps
  • London Heathrow Airport: 70 kbps
  • Phoenix Sky Harbor: 12.3 mbps

Complaints

Overall, my complaints are very minor.

I wish the hotspot had a more mobile friendly UI. As it is, it requires a lot of zooming and scrolling to get to the different links.

I also wish the hotspot supported https for the UI. I don’t think most people will allow untrusted clients to connect, so this is a minor security concern.