MiFi Attack Exploits GPS To Reveal User's Location 62
An anonymous reader writes "Security researcher Adam Baldwin has identified that the Sprint and Verizon MiFi devices are vulnerable to a multitude of attacks. Combining these attacks together, an attacker can gain the GPS location of the MiFi device without the user becoming immediately aware. The attack can be successfully executed without authentication and even if the GPS has been disabled by the administrator." There's a video, but a handy text summary, too. Upshot: "Any MiFi user that visits a specially crafted page will give up their GPS location to the attacker."
Re:Why does it have a GPS? (Score:2, Informative)
The reason for having a GPS in these things is the same as having one in a phone: so all the stuff built for phones that depends on location will work on whatever you connect to the MiFi.
A router that sits in your house has no need for GPS. One that is designed to be out and about with you needs one as much as your phone does.
Even if the GPS is disabled... (Score:2, Informative)
Well, then the attack enables it. Duh. It's a cross-site request forgery, i.e. an attack where the web browser "reflects" a request so that it appears to originate on the inside, where the configuration interface is available. Combine this with the lack of an authentication requirement, the attacker can simply enable the GPS and get the coordinates.
Here's the relevant text from the unavailable web page:
1. Authentication not required.
The MiFi does not require a valid session to commit changes to configuration settings. This makes exploiting the below issues a lot easier when you don't have to require that the victim have a valid session.
2. Enable GPS without the users knowledge.
The GPS on a MiFi can be enabled by visiting the following URL. Depending on the situation the victim may get a alert that says "Login Required" but if they are like the typical user they will simply click on it and forget it ever happened.
3. Cross-Site Request Forgery (CSRF)
The web interface does not validate referrer or use any magical tokens to protect against CSRF. This means that we can have a victim visit our malicious website and do evil things like change the wireless settings of the MiFi.
4. Output Encoding
In multiple locations of the MiFi web interface user input is not properly encoded when output back to the user. One interesting location is the key field for the wifi settings. I'm wondering why the hell somebody thought it was a good idea to print the wifi key in clear text back to the user, and in this case it's not properly encoded either giving us a nice 63 character persistent injection point for script.
Re:Why does it have a GPS? (Score:1, Informative)
Uh.. except for the fact that the phones hosting the apps needing to know location.. will be on phones that have GPS receivers and can thus determine location. The router doesn't need to know shit except that there is an 802.11 device locally and a cellular network regionally.
Apps aren't running on the MiFi router any more than a web browser runs on a home router.
Re:Why does it have a GPS? (Score:3, Informative)
There is a big difference between a device that in effect acts as a cell site (broadcasting) versus a subscriber handset.
But the MiFi doesn't act at all like a cell site - from the carrier's perspective, it's no different from any other cell phone (except it doesn't make or receive voice calls).
It's just a 3G modem attached to a wifi router. The 3G part uses the carrier's licensed spectrum in the same way that a smartphone does, and the wifi part uses unlicensed spectrum.
Re:Why does it have a GPS? (Score:3, Informative)
MiFi accepts 3G connections from handsets. The same as a cell site.
No, it doesn't accept 3G connections from handsets! Where on earth did you get that idea?
The MiFi [verizonwireless.com] is quite simply a wifi router that gets its internet connection from 3G instead of a cable or DSL modem.
You seem to be thinking of some kind of nano-cell device that does the opposite of what MiFi does.
You are apparently just disagreeing with me for the point of disagreeing.
That's rich, considering the load of misinformation you just dropped. It turns out the reason I'm disagreeing with you is that you're spouting off about something you don't understand.