Warning: Proven Security Issue on MiFi 3G routers. (Updated with Novatel response)

Posted on 18 January 2010, Last updated on 01 April 2019 by

I’ve been extremely happy with the Mifi 2352 (and the Sprint version I used at CES) We voted it mobile gadget of the year and have previously highlighted it for ease of use and its ability to improve security over open hotspots. Unfortunately we’re going to have to retract the latter statement because of a serious security issue based around multiple vulnerabilities. The latest update highlights the ultimate danger.

http://evilpacket.net/2010/jan/14/mifi-geopwn/

1-16-2010:
@aramosf posted to twitter that the MiFi’s config can be directly accessed without authentication. If you combine his attack with the above attacks it turns out that an attacker can download the entire device configuration, including clear text credentials!

The hack has been proven on the Verizon version of the Mifi but we’d recommend caution for all Mifi users. Keep your Mifi out of view when in use and hide the SSD if possible.

Combined with further software installed on the application processor version of the MiFi, the 2352, it’s not difficult to imagine a situation where the MiFi is turned into a traffic logger.

We’ve contacted Novatel for a statement and will update you here on the latest.

Latest from Novatel:

MiFi has CGI parameters that are intentionally programmable so that developers can read or change MiFi settings and build browser based widgets.  Most of these are openly published by Novatel.  There are other CGI settings not published  for MiFi that are accessible only when a user surfs to a malicious web site and stays connected to that site.  The nature of the threat is better characterized by the ability of the hacker to change MiFi settings, only when connected to the malicious site, and does not provide access to the user’s personal data.  The exception to this is location data such as GPS.  In this instance, the user location data is visible only when the user is connected to the malicious site and GPS is activated.  No malware remains on MiFi when the user disconnects from the malicious site.  Any data received or sent through MiFi is secure.  Novatel will provide a patch going forward.

15 Comments For This Post

  1. UMPCPortal says:

    New article: Warning: Proven Security Issue on MiFi 3G routers. http://bit.ly/5v45Yx

  2. Steve 'Chippy' Paine says:

    RT @umpcportal: New article: Warning: Proven Security Issue on MiFi 3G routers. http://bit.ly/5v45Yx

  3. Christoph Derndorfer says:

    MiFi owners take note! RT @chippy: RT @umpcportal: New article: Warning: Proven Security Issue on MiFi 3G routers. http://bit.ly/5v45Yx

  4. Mike Youngs says:

    Security Vulnerability in MiFi routers: http://www.umpcportal.com/2010/01/warning-proven-security-issue-on-mifi-3g-routers/

  5. gmich says:

    Chippy,

    I’ve been loving my Mifi (use it with an Archos 5 Android and a netbook in the U.S.), so this post is an obvious concern. But I’m not nearly as savvy as you about understanding why this is happening. I’m hoping there will be a fix eventually, but what can Mifi users do in the meantime to make the device more secure?

  6. Chippy says:

    “Keep your Mifi out of view when in use and hide the SSD if possible.”

    The risk of an attack will be very small but the fact that a website can be built to exploit this means it’s remotely exploitable. Hiding your Mifi just protects you from local hacks. Just imagine if someone crafted that website and then issued an article for a ‘fix’ that needed to be accessed via the Mifi. Keep important connections secured via HTTPS and only install firmware updates from official Novatel sources. DOn’t use a password on the Mifi that you use elsewhere.

    Keep to your well-known, branded websites!

    We wait for feedback from Novatel but clearly they will have to test this out before they respond. That could take a few days.

    Steve

  7. comment says:

    Great, I just got a Sprint MiFi. Maybe I’ll exchange it for a USB modem.

  8. John Tokash says:

    If I understand correctly, the situation is less dire than they’ll have you think.

    I think your Mifi is safe if you have Wifi security set up. It’s not safe if you haven’t set up a key.

    When they say that the Mifi can be breached without authentication, they mean the Admin console can be breached without authentication. For that, the exploiter needs to be on your Wifi network.

    So, if you set up WPA on the Mifi and don’t share your key, I think your safe. Again – this is if I understand correctly.

  9. nope says:

    You just have have to go to a malicious site:
    “This means that we can have a victim visit our malicious website and do evil things like change the wireless settings of the MiFi.”

  10. John Tokash says:

    Ah, good point. Ouch.

  11. John Tokash says:

    I hope I’m right – because I love my Mifi.

  12. jpmatrix says:

    by the way, any news about a new firmware from Novatel ?

    and what about promised software developpements which would make the mifi as a web server, an email server, a gps server etc… ?

    my mifi used to hang sometimes, for unknonwn reason….

    anyway, +1 for best device of the year ;)

  13. FireDragon says:

    Lots of warmings coming from you lately. :)

  14. Chippy says:

    Recieved update from Novatel today:

    MiFi has CGI parameters that are intentionally programmable so that developers can read or change MiFi settings and build browser based widgets. Most of these are openly published by Novatel. There are other CGI settings not published for MiFi that are accessible only when a user surfs to a malicious web site and stays connected to that site. The nature of the threat is better characterized by the ability of the hacker to change MiFi settings, only when connected to the malicious site, and does not provide access to the user’s personal data. The exception to this is location data such as GPS. In this instance, the user location data is visible only when the user is connected to the malicious site and GPS is activated. No malware remains on MiFi when the user disconnects from the malicious site. Any data received or sent through MiFi is secure. Novatel will provide a patch going forward.

  15. j says:

    They didn’t mention that the hacker can remotely enable the GPS. Also, there’s no mention of the hacker being able to download the entire device configuration where your password is stored in clear text.

Find ultra mobile PCs, Ultrabooks, Netbooks and handhelds PCs quickly using the following links:

Acer C740
11.6" Intel Celeron 3205U
Acer Aspire Switch 10
10.1" Intel Atom Z3745
HP Elitebook 820 G2
12.5" Intel Core i5 5300U
Acer Aspire E11 ES1
11.6" Intel Celeron N2840
Acer C720 Chromebook
11.6" Intel Celeron 2955U
ASUS Zenbook UX305
13.3" Intel Core M 5Y10a
Dell Latitude E7440
14" Intel Core i5-4200U
Lenovo Thinkpad X220
12.5" Intel Core i5
Acer Chromebook 11 CB3-131
11.6" Intel Celeron N2807
Lenovo Ideapad Flex 10
10.1" Intel Celeron N2806