I’ve been extremely happy with the Mifi 2352 (and the Sprint version I used at CES) We voted it mobile gadget of the year and have previously highlighted it for ease of use and its ability to improve security over open hotspots. Unfortunately we’re going to have to retract the latter statement because of a serious security issue based around multiple vulnerabilities. The latest update highlights the ultimate danger.
@aramosf posted to twitter that the MiFi’s config can be directly accessed without authentication. If you combine his attack with the above attacks it turns out that an attacker can download the entire device configuration, including clear text credentials!
The hack has been proven on the Verizon version of the Mifi but we’d recommend caution for all Mifi users. Keep your Mifi out of view when in use and hide the SSD if possible.
Combined with further software installed on the application processor version of the MiFi, the 2352, it’s not difficult to imagine a situation where the MiFi is turned into a traffic logger.
We’ve contacted Novatel for a statement and will update you here on the latest.
Latest from Novatel:
MiFi has CGI parameters that are intentionally programmable so that developers can read or change MiFi settings and build browser based widgets. Most of these are openly published by Novatel. There are other CGI settings not published for MiFi that are accessible only when a user surfs to a malicious web site and stays connected to that site. The nature of the threat is better characterized by the ability of the hacker to change MiFi settings, only when connected to the malicious site, and does not provide access to the user’s personal data. The exception to this is location data such as GPS. In this instance, the user location data is visible only when the user is connected to the malicious site and GPS is activated. No malware remains on MiFi when the user disconnects from the malicious site. Any data received or sent through MiFi is secure. Novatel will provide a patch going forward.