|
The MiFi by Novatel Wireless (re-branded and sold by multiple vendors
such as Sprint and Verizon) is a mobile wifi hotspot. The mifi also has
a built in GPS to provide location based searching.
Turns out that the web interface to this little device has a lot going
on that can be exploited, from gaining the user=92s GPS data to
terminating the user=92s connectivity. The POC isn't online yet due to
vendor lag but it's not all that complicated if you have a MiFi and a
few minutes.
*1. Authentication not required.*
The MiFi does not require a valid session to commit changes to
configuration settings. This makes exploiting the below issues a lot
easier when you don=92t have to require that the victim have a valid session.
*2. Enable GPS without the users knowledge.*
The GPS on a MiFi can be enabled by visiting the following URL.
Depending on the situation the victim may get a alert that says =93Login
Required=94 but if they are like the typical user they will simply click
on it and forget it ever happened.
*3. Cross-Site Request Forgery (CSRF)*
The web interface does not validate referrer or use any magical tokens
to protect against CSRF. This means that we can have a victim visit our
malicious website and do evil things like change the wireless settings
of the MiFi.
*4. Output Encoding
*
In multiple locations of the MiFi web interface user input is not
properly encoded when output back to the user. One interesting location
is the key field for the wifi settings. I=92m wondering why the hell
somebody thought it was a good idea to print the wifi key in clear text
back to the user, and in this case it=92s not properly encoded either
giving us a nice 63 character persistent injection point for script.
So for those that weren=92t paying attention: Any MiFi user that visits a
specially crafted page will give up their GPS location to the attacker.
Here is a video clip for the Sprint MiFi (latest firmware) of the
working proof of concept.
http://evilpacket.net/2010/jan/14/mifi-geopwn/