It is no secret that I’m loving the Novatel MiFi. It’s earned a permanent spot in my gear bag, or even in my jacket when I need to ensure a reliable WiFi connection. So, imagine my dismay at learning that a security vulnerability could open the door for someone to remotely access your MiFi, get a hold of your device’s GPS location and even change the wireless settings. Not only could this equate to someone simply piggybacking off of your wireless signal (even with the onboard security settings, like WEP or WPA), but they could easily “wipe” or reset your MiFi’s wireless settings.
Adam Baldwin ofmade the discovery, along with several other nefarious exploits:
- MiFi does not require a valid session to commit changes to its configuration settings
- GPS can be enabled without the user's knowledge by visiting a malicious website. The user may be presented with a “login required” request but most users won’t bat an eye and will just click on through
- The web interface does not protect against Cross-Site Request Forgery (CSRF) so a malicious website could “do evil things like change the wireless settings of the MiFi”
- Certain portions of the web interface improperly encode data back to the data, an example is the key field for the Wi-Fi settings which exposes the clear text of the field
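The server-side checks whose absence the list above describes, as an added example that is not Novatel's firmware code or anything from the original post: a configuration change is accepted only with a valid session and a matching CSRF token, and settings are HTML-encoded when echoed back, with the Wi-Fi key never prefilled. The session store, function names, field names and the device origin used in testing are all assumptions made for illustration.

```python
import hmac
import html
import secrets

# Constructed in-memory session store: session id -> CSRF token (hypothetical design).
SESSIONS = {}

def login():
    """Issue a session id and a per-session CSRF token after a successful admin login."""
    sid, token = secrets.token_hex(16), secrets.token_hex(16)
    SESSIONS[sid] = token
    return sid, token

def authorize_config_change(method, cookies, form, headers, device_origin):
    """Return (allowed, reason) for a request that would change device settings."""
    if method != "POST":
        return False, "state changes must use POST"
    # A change is never committed without a valid session.
    expected = SESSIONS.get(cookies.get("session", ""))
    if expected is None:
        return False, "no valid session"
    # Browsers send Origin on cross-site POSTs; reject anything but the device's own UI.
    origin = headers.get("Origin")
    if origin is not None and origin != device_origin:
        return False, "cross-origin request"
    # The token lives only in pages served by the device, so a forged form cannot supply it.
    supplied = form.get("csrf_token", "")
    if not hmac.compare_digest(supplied.encode(), expected.encode()):
        return False, "missing or wrong CSRF token"
    return True, "ok"

def render_settings_form(ssid, csrf_token):
    """Echo settings with HTML encoding; the Wi-Fi key is never written back into the page."""
    return ('<form method="POST">'
            f'<input name="ssid" value="{html.escape(ssid, quote=True)}">'
            '<input name="key" type="password" value="">'
            f'<input type="hidden" name="csrf_token" value="{html.escape(csrf_token, quote=True)}">'
            '</form>')
```
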
Adam has posted ain action on his website, and has already contacted Novatel so they can make the appropriate updates to beef up the MiFi’s security. While practically any device can certainly be hacked, will this news impact your MiFi usage until the firmware update patches these holes?