Customers of T-Mobile and Vodafone UK using one of the operators MiFi (2352) devices, essentially a portable battery powered wireless router that has been designed to distribute their Mobile Broadband service over a Wi-Fi link, should be aware they suffer from a security vulnerability that could allow access to a remote hacker.It's understood that an attacker could use this new vulnerability to alter the devices configuration settings, such as to enable its GPS without your permission. Luckily the UK / EU 2352 devices, as manufactured by Novatel Wireless, are "far less vulnerable" to the flaw - "if the carrier is on the 5.15 firmware or greater" - than their 2200 series USA counter parts.
Kevin Thornton from Novatel Wireless informed ISPreview:
"MiFi has CGI parameters that are intentionally programmable so that developers can read or change MiFi settings and build browser based widgets. Most of these are openly published by Novatel. There are other CGI settings not published for MiFi that are accessible only when a user surfs to a malicious web site and stays connected to that site.
The nature of the threat is better characterized by the ability of the hacker to change MiFi settings, only when connected to the malicious site, and does not provide access to the user's personal data. The exception to this is location data such as GPS.
In this instance, the user location data is visible only when the user is connected to the malicious site and GPS is activated. No malware remains on MiFi when the user disconnects from the malicious site. Any data received or sent through MiFi is secure. Novatel will provide a patch going forward."
"MiFi has CGI parameters that are intentionally programmable so that developers can read or change MiFi settings and build browser based widgets. Most of these are openly published by Novatel. There are other CGI settings not published for MiFi that are accessible only when a user surfs to a malicious web site and stays connected to that site.
The nature of the threat is better characterized by the ability of the hacker to change MiFi settings, only when connected to the malicious site, and does not provide access to the user's personal data. The exception to this is location data such as GPS.
In this instance, the user location data is visible only when the user is connected to the malicious site and GPS is activated. No malware remains on MiFi when the user disconnects from the malicious site. Any data received or sent through MiFi is secure. Novatel will provide a patch going forward."
Novatel informs us that its UK 2352 model is less vulnerable because the user must first be logged on to their admin page before being lured to a malicious website (i.e. while the devices admin session is open). If a user closes the admin page at the end of the session there is no risk. This is currently being explained to Vodafone and T-Mobile UK, carriers of the 2352 models.
UPDATE 27th January 2010
Corrected the firmware version mentioned in this news item from 7.15 to 5.15, as per an update by Novatel.
Tweet
Previous News Stories
2 September, 2010
1 September, 2010
28 August, 2010
26 August, 2010
1 September, 2010
12:10 PM - Top 9 Fastest UK Broadband ISPs Ranked by Speed for August 2010 - (0)
31 August, 201028 August, 2010
1:00 AM - YouTube UK Launch FREE Broadband Movie Streaming Service - (0)
27 August, 201026 August, 2010
7:19 AM - T-Mobile UK Slashes Pay Per Day Mobile Broadband Price - (0)
1:44 AM - UK ISP TalkTalk Launches 2010 Digital Heroes Awards - (0)
25 August, 201012:35 PM - UK ISP PlusNet CEO Departs and is Replaced by Jamie Ford - (2)
9:38 AM - Virgin Media UK Extends 2 MONTHS FREE Broadband Service Bundles - (0)
9:12 AM - WARNING New Phone SCAM Targeting UK Broadband ISP Customers - (1)
24 August, 201012:41 PM - Channel Five Rejoins UK Open Broadband TV Standard Project Canvas - (0)
9:01 AM - PCCW Backed UK Broadband Group Gives Hope to WiMAX Wireless - (7)
8:48 AM - BSkyB Mulling the Closure of Broadband ISP Sibling UK Online - (0)
Generated in 0.54284 seconds.
DB queries: 8
Copyright © 1999 to Present - ISPreview.co.uk - All Rights Reserved (Terms, Privacy Policy, Links (.), Live Chat & Website Rules).