Forgot your password?
typodupeerror
Privacy Security Wireless Networking Your Rights Online

MiFi Attack Exploits GPS To Reveal User's Location 62

Posted by timothy
from the wish-it-was-easy-for-non-attackers dept.
An anonymous reader writes "Security researcher Adam Baldwin has identified that the Sprint and Verizon MiFi devices are vulnerable to a multitude of attacks. Combining these attacks together, an attacker can gain the GPS location of the MiFi device without the user becoming immediately aware. The attack can be successfully executed without authentication and even if the GPS has been disabled by the administrator." There's a video, but a handy text summary, too. Upshot: "Any MiFi user that visits a specially crafted page will give up their GPS location to the attacker."
This discussion has been archived. No new comments can be posted.

MiFi Attack Exploits GPS To Reveal User's Location

Comments Filter:
  • by Darkness404 (1287218) on Saturday January 16, 2010 @04:24PM (#30792814)
    I think the main question is why would a glorified router have a GPS built-in? I can see no real reason for a GPS being in a router. Phones? Perhaps. Router? No.
    • Re: (Score:2, Informative)

      by ceoyoyo (59147)

      The reason for having a GPS in these things is the same as having one in a phone: so all the stuff built for phones that depends on location will work on whatever you connect to the MiFi.

      A router that sits in your house has no need for GPS. One that is designed to be out and about with you needs one as much as your phone does.

      • Re: (Score:1, Informative)

        by Anonymous Coward

        Uh.. except for the fact that the phones hosting the apps needing to know location.. will be on phones that have GPS receivers and can thus determine location. The router doesn't need to know shit except that there is an 802.11 device locally and a cellular network regionally.

        Apps aren't running on the MiFi router any more than a web browser runs on a home router.

    • Re: (Score:1, Interesting)

      by Anonymous Coward

      Or more "paranoidally" put, they like to know where a hotspot is at any given time. For whatever reason.

      That it works even with GPS mode turned OFF on the phone is DIRECT evidence of poor security design.

      Who knows how much intel you're pinging away on that IP-phone? More than any of us are cleared to know.

      I trust cell phone companies with my voice, only... and they often screw even that up.

      And my confirmation captcha is "phones"... as if I needed more proof they were listening!

      • by dgatwood (11270) on Saturday January 16, 2010 @05:53PM (#30793436) Journal

        That it works even with GPS mode turned OFF on the phone is DIRECT evidence of poor security design.

        No, the fact that third parties *found* the back door is direct evidence of poor security design. The fact that the backdoor was there is at least as likely to be an intentional measure for law enforcement purposes as it is to be a mistake. Odds are, when they "fix" this bug, the backdoor will still be there, just hidden a little better.

        • The distinction isn't really relevant, as we've seen when even Google's law enforcement backdoor is the weakest link in their security system.

    • Because you're on a cellular network and the company providing service wants to know where its users are using them so they can plan the network. Furthermore, if you are missing and need to be rescued, your MiFi giving out your location might be a good thing.

      • Re: (Score:3, Insightful)

        by John Hasler (414242)

        > Because you're on a cellular network and the company providing service wants
        > to know where its users are using them so they can plan the network.

        They know what cells you are using and the signal strength. That's all they need.

        • Nope. That works only when you can contact multiple towers... hard to triangulate a location with only one vector to play with.
          • Re: (Score:2, Insightful)

            by hanabal (717731)

            if the phone is only picking up the signal from one tower you can eliminate any side of the tower where another tower is close by, as you would expect to have more than one signal. so unless the tower is completely isolated you can have a pretty good idea where they are, at least what direction.

          • by Mr2001 (90979)

            Each tower is divided into three 120-degree zones, so that narrows it down quite a bit.

            • by wh1pp3t (1286918)
              There are different configurations of sites; varying from three, two or even one sector. Some cell sites will have a remote sector mounted in a physically different location (cost savings). It all depends on where the coverage is needed.

              Regarding the reason for GPS functionality: the RF engineers need to know where your MiFi is. It's all about statistics and measurements with those guys.
              • by Mr2001 (90979)

                Regarding the reason for GPS functionality: the RF engineers need to know where your MiFi is. It's all about statistics and measurements with those guys.

                Are you saying the router is designed to report its GPS location to the carrier without the user's knowledge (ostensibly for the purpose of improving the network)? That seems like a privacy violation in itself.

                • by wh1pp3t (1286918)
                  Yes. You are in effect using the carriers licensed spectrum. They have a right to know what devices are using it and where. Just because they know where a MiFi is, doesn't mean they have YOUR MiFi location. RF engineers don't deal with customer data (unless they need to meet with a customer), nor do they have access to it.
                  • by Mr2001 (90979)

                    You are in effect using the carriers licensed spectrum. They have a right to know what devices are using it and where.

                    Well, there'd be rioting in the streets if it turned out that typical cell phones were constantly reporting GPS data to the carrier, especially if they still did it when the GPS feature was supposedly turned off. Why should a MiFi be any different?

                    RF engineers don't deal with customer data (unless they need to meet with a customer), nor do they have access to it.

                    The carrier still has that data, though, and they could be forced to turn it over when faced with a subpoena or warrant -- or, as we've seen repeatedly, they could just decide to turn it over in response to a polite request from the government.

                    • by wh1pp3t (1286918)

                      Well, there'd be rioting in the streets if it turned out that typical cell phones were constantly reporting GPS data to the carrier, especially if they still did it when the GPS feature was supposedly turned off. Why should a MiFi be any different?

                      There is a big difference between a device that in effect acts as a cell site (broadcasting) versus a subscriber handset.

                      The carrier still has that data, though, and they could be forced to turn it over when faced with a subpoena or warrant -- or, as we've seen repeatedly, they could just decide to turn it over in response to a polite request from the government.

                      This has nothing to do with your argument. I am speaking from an engineering point of view. However, if/when instances of this occur, people need to sue the Fed (under violation of the Constitution) and the carrier (secondary).

                      If your main worry is what a large corporation will provide the Fed (warrentless or not), stop using their services (i.e. a mobile) immediately. at&t is on

                    • Re: (Score:3, Informative)

                      by Mr2001 (90979)

                      There is a big difference between a device that in effect acts as a cell site (broadcasting) versus a subscriber handset.

                      But the MiFi doesn't act at all like a cell site - from the carrier's perspective, it's no different from any other cell phone (except it doesn't make or receive voice calls).

                      It's just a 3G modem attached to a wifi router. The 3G part uses the carrier's licensed spectrum in the same way that a smartphone does, and the wifi part uses unlicensed spectrum.

                    • Re: (Score:3, Informative)

                      by Mr2001 (90979)

                      MiFi accepts 3G connections from handsets. The same as a cell site.

                      No, it doesn't accept 3G connections from handsets! Where on earth did you get that idea?

                      The MiFi [verizonwireless.com] is quite simply a wifi router that gets its internet connection from 3G instead of a cable or DSL modem.

                      You seem to be thinking of some kind of nano-cell device that does the opposite of what MiFi does.

                      You are apparently just disagreeing with me for the point of disagreeing.

                      That's rich, considering the load of misinformation you just dropped. It turns out the reason I'm disagreeing with you is that you're spouting off about something you don't understand.

            • > Each tower is divided into three 120-degree zones...

              And they can use signal strength and/or round-trip time to estimate distance. That should give them all the information they need for network planning purposes.

              However, they pretty much have to use GPS to comply with FCC E911 rules.

              • by Mr2001 (90979)

                However, they pretty much have to use GPS to comply with FCC E911 rules.

                It's not clear to me why E911 is relevant to a 3G data router. It can't be used to make emergency calls, can it?

            • And there's the problem... with only contact to one tower, you don't have an exact direction... just a distance and a 120 degree range. That creates an arc on the map, all of which has to be checked to find you. E911 would much rather have a GPS point.
              • by Mr2001 (90979)

                E911 would much rather have a GPS point.

                How is E911 relevant to a 3G data router that can't be used to dial 911?

                • Because if you're wanted or missing and have your MiFi with you, it's easier to find you.

                  Manhunts have gone down like crazy since the popularity of a cell phone means if you are wanted on a warrant for something as insignificant as skipping jury duty, they can ask your cell company where you are right now.

                  • by Mr2001 (90979)

                    In other words, there is no legitimate reason for the MiFi to have a GPS receiver? It's only useful to locate the owner at someone else's request?

    • Re: (Score:3, Interesting)

      The MiFi device essentially is a phone. It connects to a cellular data network and then makes that connection available over wifi to nearby computers.

      If they actually included a real GPS chipset, that would be puzzling, just from a cost/weight/battery life/board space perspective; but basically anything that interacts with a cell network gets location data within the limits of tower triangulation accuracy essentially for free(and then, if Verizon is the carrier, the firmware locks you out of that until y
    • by e9th (652576)
      From the EVDOinfo [evdoinfo.com] review:

      The Sprint MiFi enables the GPS functionality and allows for Sprint's "Location Based Services" that will plot onto a Google map the restaurants/banks/shopping/gas/etc that are near by. Verizon disables the GPS capabilities of the MiFi!

      • by flirzan (133046)

        And by "Verizon disables the GPS capabilities of the MiFi" you mean "Verizon doesn't use it", since the hardware is still there, and can still be activated to retrieve the location of any Verizon MiFi.

    • by tlhIngan (30335)

      I think the main question is why would a glorified router have a GPS built-in? I can see no real reason for a GPS being in a router. Phones? Perhaps. Router? No.

      Easy. E911.

      The thing's got a 3G modem in it, which is the similar to what you'd find in similar phones (since it's CDMA, I'd expect a 3G CDMA phone). Except that instead of being able to make calls, it only handles data.

      3G modems, ehether they're the ones embedded in your phone, or in those "internet sticks" are pretty much the same. Heck, they may

      • by rtb61 (674572)

        I would have thought a device like that would basically be a fiscal time bomb waiting to go off into the users face. With the download limits and extra charges on mobile broadband used in conjunction with the higher risk wireless connections, I smell a profiteering opportunity for incumbent phone companies to sell less than secure devices to a bunch of gullible unskilled users.

        I expect it will not be long before we start hearing horror stories about huge mobile data bills. I consider myself fairly skille

        • by cdrguru (88047)

          A cell modem is extremely practical in a few limited circumstances. If you travel a bunch and can trade $60 a month for 6 $10 hotel internet fees, it makes sense as anything past those 6 nights is a benefit.

          A few people actually need to access a customer database "live" while on the road. Great, this enables that. Even if it costs $150 a month because of overage charges, you are probably coming out ahead in the end.

          For the rest of the people on the planet, a cell modem is an utter waste of money.

    • Re: (Score:3, Interesting)

      by Mr_Silver (213637)

      I think the main question is why would a glorified router have a GPS built-in? I can see no real reason for a GPS being in a router. Phones? Perhaps. Router? No.

      In short, FCC E911 rules.

      Most USB modem vendors use Qualcomm chipsets which come with GPSOne as standard. As such, they just need to include an antenna.

      USB modems sold in Europe still have GPSOne in there, but the antenna is removed to reduce costs. As such you cannot get a fix.

  • So that's what he's been doing since Firefly.

    "Shiny ... let's be good guys."
  • Bad title (Score:3, Insightful)

    by spire3661 (1038968) on Saturday January 16, 2010 @04:39PM (#30792922) Journal
    Cell tower triangulation is not GPS in any way shape or form.
    • This isn't using cell tower strengths, it's a GPS chip being planted in the device despite the fact some people would rather not have it.

  • Publicity Stunt? (Score:3, Insightful)

    by LostCluster (625375) * on Saturday January 16, 2010 @04:42PM (#30792934)

    Here's one from the conspiracy theory file:

    Since the MiFi is such a novel concept, people might not think it includes anything not related to data connections. By making this mistake and it landing on Slashdot and such, it's advertising the GPS... plus giving notice so nobody can sue them and claim they didn't know they were carrying a device that would reveal their location.

  • by Anonymous Coward on Saturday January 16, 2010 @04:59PM (#30793054)

    MILF Finder?? Where do I get one?? I need to locate a willing MILF real bad, I feel horny, horny!

  • Should we combine these attacks together, or should we just combine these attacks?
  • Security researcher Adam Baldwin has identified...

    Who knew his good samaritan ways ran so deep and pure? Looks like The Ballad of Jayne Cobb deserves a new verse.

  • by Anonymous Coward

    Well, then the attack enables it. Duh. It's a cross-site request forgery, i.e. an attack where the web browser "reflects" a request so that it appears to originate on the inside, where the configuration interface is available. Combine this with the lack of an authentication requirement, the attacker can simply enable the GPS and get the coordinates.

    Here's the relevant text from the unavailable web page:

    1. Authentication not required.

    The MiFi does not require a valid session to commit changes to configuration settings. This makes exploiting the below issues a lot easier when you don't have to require that the victim have a valid session.

    2. Enable GPS without the users knowledge.

    The GPS on a MiFi can be enabled by visiting the following URL. Depending on the situation the victim may get a alert that says "Login Required" but if they are like the typical user they will simply click on it and forget it ever happened.

    3. Cross-Site Request Forgery (CSRF)

    The web interface does not validate referrer or use any magical tokens to protect against CSRF. This means that we can have a victim visit our malicious website and do evil things like change the wireless settings of the MiFi.

    4. Output Encoding

    In multiple locations of the MiFi web interface user input is not properly encoded when output back to the user. One interesting location is the key field for the wifi settings. I'm wondering why the hell somebody thought it was a good idea to print the wifi key in clear text back to the user, and in this case it's not properly encoded either giving us a nice 63 character persistent injection point for script.

  • > The MiFi does not require a valid session to commit changes to configuration
    > settings.

    That sounds like there may be all sorts of "interesting" possibilities.

When you don't know what to do, walk fast and look worried.

Working...