Customers of T-Mobile and Vodafone UK using one of the operators MiFi (2352) devices, essentially a portable battery powered wireless router that has been designed to distribute their Mobile Broadband service over a Wi-Fi link, should be aware they suffer from a security vulnerability that could allow access to a remote hacker.It's understood that an attacker could use this new vulnerability to alter the devices configuration settings, such as to enable its GPS without your permission. Luckily the UK / EU 2352 devices, as manufactured by Novatel Wireless, are "far less vulnerable" to the flaw - "if the carrier is on the 5.15 firmware or greater" - than their 2200 series USA counter parts.
Kevin Thornton from Novatel Wireless informed ISPreview:
"MiFi has CGI parameters that are intentionally programmable so that developers can read or change MiFi settings and build browser based widgets. Most of these are openly published by Novatel. There are other CGI settings not published for MiFi that are accessible only when a user surfs to a malicious web site and stays connected to that site.
The nature of the threat is better characterized by the ability of the hacker to change MiFi settings, only when connected to the malicious site, and does not provide access to the user's personal data. The exception to this is location data such as GPS.
In this instance, the user location data is visible only when the user is connected to the malicious site and GPS is activated. No malware remains on MiFi when the user disconnects from the malicious site. Any data received or sent through MiFi is secure. Novatel will provide a patch going forward."
"MiFi has CGI parameters that are intentionally programmable so that developers can read or change MiFi settings and build browser based widgets. Most of these are openly published by Novatel. There are other CGI settings not published for MiFi that are accessible only when a user surfs to a malicious web site and stays connected to that site.
The nature of the threat is better characterized by the ability of the hacker to change MiFi settings, only when connected to the malicious site, and does not provide access to the user's personal data. The exception to this is location data such as GPS.
In this instance, the user location data is visible only when the user is connected to the malicious site and GPS is activated. No malware remains on MiFi when the user disconnects from the malicious site. Any data received or sent through MiFi is secure. Novatel will provide a patch going forward."
Novatel informs us that its UK 2352 model is less vulnerable because the user must first be logged on to their admin page before being lured to a malicious website (i.e. while the devices admin session is open). If a user closes the admin page at the end of the session there is no risk. This is currently being explained to Vodafone and T-Mobile UK, carriers of the 2352 models.
UPDATE 27th January 2010
Corrected the firmware version mentioned in this news item from 7.15 to 5.15, as per an update by Novatel.
Tweet
Comments: 1
MercedesDillardPosted: 24 August, 2011 - 12:31 PM
Link to comment
When you are in uncomfortable position and have got no cash to get out from that point, you would need to receive the <a href="http://bestfinance-blog.com/topics/personal-loans">personal loans</a>. Because that should aid you unquestionably. I get collateral loan every year and feel OK because of it.
Generated in 0.44116 seconds.
DB queries: 8
Copyright © 1999 to Present - ISPreview.co.uk - All Rights Reserved (Terms, Privacy Policy, Links (.), Live Chat & Website Rules).