My local public library system will soon start lending to its patrons mobile hotspot devices. This growing trend seems to me extremely risky.
I am especially concerned that a hacker who borrows such a device from the library could install malware on the device with a software or firmware modification.
Are my fears misplaced?
Those devices are small computers running some flavor of Linux, and just like any consumer-grade router their firmware is horrendous and outdated, so malware on it is definitely possible and likely.
However the malware, if any, would most likely be a generic DoS or spam bot designed to attack the open internet rather than attacking the devices behind it. Most traffic nowadays is protected by HTTPS and client devices are relatively up to date, which means an attacker using router malware to compromise client devices would get a very low return on investment compared to other methods (drive-by downloads, maladvertising, Flash exploits, etc).
So while I wouldn't use one myself, the risk for your client computer seems pretty low even if you do.
One factor working in favor of security is the company that sells the hotspots has a vested interest in their security. They may worry someone could hack into the devices and bypass whatever restrictions they've put in them to prevent their customers from violating terms of service rules, such as data caps, slowdowns, or number of simultaneous connections.
While it's a legitimate concern, such compromises haven't made big headlines. Yet.