Warning: Proven Security Issue on MiFi 3G routers. (Updated with Novatel response)

Posted on 18 January 2010 by

I’ve been extremely happy with the Mifi 2352 (and the Sprint version I used at CES). We voted it mobile gadget of the year and have previously highlighted it for ease of use and its ability to improve security over open hotspots. Unfortunately, we’re going to have to retract the latter statement because of a serious security issue based around multiple vulnerabilities. The latest update highlights the ultimate danger.

http://evilpacket.net/2010/jan/14/mifi-geopwn/

1-16-2010:
@aramosf posted to Twitter that the MiFi’s config can be directly accessed without authentication. If you combine his attack with the above attacks it turns out that an attacker can download the entire device configuration, including clear text credentials!

The hack has been proven on the Verizon version of the Mifi but we’d recommend caution for all Mifi users. Keep your Mifi out of view when in use and hide the SSID if possible.

Combined with further software installed on the application processor version of the MiFi, the 2352, it’s not difficult to imagine a situation where the MiFi is turned into a traffic logger.

We’ve contacted Novatel for a statement and will update you here on the latest.

Latest from Novatel:


MiFi has CGI parameters that are intentionally programmable so that developers can read or change MiFi settings and build browser based widgets.  Most of these are openly published by Novatel.  There are other CGI settings not published  for MiFi that are accessible only when a user surfs to a malicious web site and stays connected to that site.  The nature of the threat is better characterized by the ability of the hacker to change MiFi settings, only when connected to the malicious site, and does not provide access to the user’s personal data.  The exception to this is location data such as GPS.  In this instance, the user location data is visible only when the user is connected to the malicious site and GPS is activated.  No malware remains on MiFi when the user disconnects from the malicious site.  Any data received or sent through MiFi is secure.  Novatel will provide a patch going forward.
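The two gaps reported above (configuration readable without authentication, and settings changeable by a web page loaded in a connected user's browser) both come down to checks an admin interface can make on every request. The sketch below is an added example, not Novatel's code and not part of the original post; the origin `http://device.example`, the `X-CSRF-Token` header and the session fields are assumptions chosen for illustration.

```python
import hmac
from urllib.parse import urlsplit

# Assumed placeholder for the device's own admin origin (not from the post).
DEVICE_ORIGINS = {"http://device.example"}

def request_origin(headers):
    """scheme://host[:port] taken from Origin, else Referer; None if absent."""
    raw = headers.get("Origin") or headers.get("Referer")
    if not raw:
        return None
    parts = urlsplit(raw)
    if not parts.scheme or not parts.netloc:
        return "invalid"  # e.g. "null"; never matches DEVICE_ORIGINS
    return f"{parts.scheme}://{parts.netloc}".lower()

def authorize(headers, session, changes_state):
    """Gate one admin CGI request. Returns (allowed, reason)."""
    # 1. Reading or writing configuration always needs a logged-in admin.
    if not session or not session.get("authenticated"):
        return False, "no authenticated session"
    # 2. The browser must be addressing the device by its own name;
    #    this stops a hostile hostname that resolves to the device.
    if "http://" + headers.get("Host", "").lower() not in DEVICE_ORIGINS:
        return False, "unexpected Host header"
    # 3. A request launched by another site's page carries that site's
    #    Origin/Referer, even though it arrives from inside the Wi-Fi.
    src = request_origin(headers)
    if src is not None and src not in DEVICE_ORIGINS:
        return False, "cross-site request"
    # 4. Setting changes also need provenance and a per-session token.
    if changes_state:
        if src is None:
            return False, "state change without Origin/Referer"
        expected = session.get("csrf_token", "")
        supplied = headers.get("X-CSRF-Token", "")
        if not expected or not hmac.compare_digest(
                supplied.encode(), expected.encode()):
            return False, "missing or wrong CSRF token"
    return True, "ok"

# Constructed sample requests, all sent by a client on the WPA-protected LAN.
SESSION = {"authenticated": True, "csrf_token": "constructed-token-123"}
SAME = {"Host": "device.example", "Origin": "http://device.example",
        "X-CSRF-Token": "constructed-token-123"}
EVIL = {"Host": "device.example", "Referer": "http://malicious.example/fix"}
```

The `EVIL` request is rejected even though it comes from a legitimate Wi-Fi client, which is why a WPA key alone does not address a browser-driven request of this kind.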


  • gmich

    Chippy,

    I’ve been loving my Mifi (use it with an Archos 5 Android and a netbook in the U.S.), so this post is an obvious concern. But I’m not nearly as savvy as you about understanding why this is happening. I’m hoping there will be a fix eventually, but what can Mifi users do in the meantime to make the device more secure?

  • http://www.umpcportal.com Chippy

    “Keep your Mifi out of view when in use and hide the SSID if possible.”

    The risk of an attack will be very small but the fact that a website can be built to exploit this means it’s remotely exploitable. Hiding your Mifi just protects you from local hacks. Just imagine if someone crafted that website and then issued an article for a ‘fix’ that needed to be accessed via the Mifi. Keep important connections secured via HTTPS and only install firmware updates from official Novatel sources. Don’t use a password on the Mifi that you use elsewhere.

    Keep to your well-known, branded websites!

    We wait for feedback from Novatel but clearly they will have to test this out before they respond. That could take a few days.

    Steve

  • comment

    Great, I just got a Sprint MiFi. Maybe I’ll exchange it for a USB modem.

  • http://blog.tokash.org/ John Tokash

    If I understand correctly, the situation is less dire than they’ll have you think.

    I think your Mifi is safe if you have Wifi security set up. It’s not safe if you haven’t set up a key.

    When they say that the Mifi can be breached without authentication, they mean the Admin console can be breached without authentication. For that, the exploiter needs to be on your Wifi network.

    So, if you set up WPA on the Mifi and don’t share your key, I think you’re safe. Again – this is if I understand correctly.

    • nope

      You just have to go to a malicious site:
      “This means that we can have a victim visit our malicious website and do evil things like change the wireless settings of the MiFi.”

      • http://blog.tokash.org/ John Tokash

        Ah, good point. Ouch.

  • http://blog.tokash.org/ John Tokash

    I hope I’m right – because I love my Mifi.

  • jpmatrix

    by the way, any news about a new firmware from Novatel ?

    and what about promised software developments which would make the mifi as a web server, an email server, a gps server etc… ?

    my mifi used to hang sometimes, for unknown reason….

    anyway, +1 for best device of the year ;)

  • http://www.hedezines.com FireDragon

    Lots of warnings coming from you lately. :)

  • http://www.umpcportal.com Chippy

    Received update from Novatel today:

    MiFi has CGI parameters that are intentionally programmable so that developers can read or change MiFi settings and build browser based widgets. Most of these are openly published by Novatel. There are other CGI settings not published for MiFi that are accessible only when a user surfs to a malicious web site and stays connected to that site. The nature of the threat is better characterized by the ability of the hacker to change MiFi settings, only when connected to the malicious site, and does not provide access to the user’s personal data. The exception to this is location data such as GPS. In this instance, the user location data is visible only when the user is connected to the malicious site and GPS is activated. No malware remains on MiFi when the user disconnects from the malicious site. Any data received or sent through MiFi is secure. Novatel will provide a patch going forward.

    • j

      They didn’t mention that the hacker can remotely enable the GPS. Also, there’s no mention of the hacker being able to download the entire device configuration where your password is stored in clear text.
