AOH :: HP Unsorted S :: BU-1472.HTM

Sprint / Verizon MiFi CSRF+CSS Gives up GPS info to attacker



Sprint / Verizon MiFi CSRF+CSS Gives up GPS info to attacker
Sprint / Verizon MiFi CSRF+CSS Gives up GPS info to attacker



The MiFi by Novatel Wireless (re-branded and sold by multiple vendors
such as Sprint and Verizon) is a mobile wifi hotspot. The mifi also has
a built in GPS to provide location based searching.

Turns out that the web interface to this little device has a lot going
on that can be exploited, from gaining the user=92s GPS data to
terminating the user=92s connectivity. The POC isn't online yet due to
vendor lag but it's not all that complicated if you have a MiFi and a
few minutes.

*1. Authentication not required.*

The MiFi does not require a valid session to commit changes to
configuration settings. This makes exploiting the below issues a lot
easier when you don=92t have to require that the victim have a valid session.

*2. Enable GPS without the users knowledge.*

The GPS on a MiFi can be enabled by visiting the following URL.
Depending on the situation the victim may get a alert that says =93Login
Required=94 but if they are like the typical user they will simply click
on it and forget it ever happened.

*3. Cross-Site Request Forgery (CSRF)*

The web interface does not validate referrer or use any magical tokens
to protect against CSRF. This means that we can have a victim visit our
malicious website and do evil things like change the wireless settings
of the MiFi.

*4. Output Encoding
*

In multiple locations of the MiFi web interface user input is not
properly encoded when output back to the user. One interesting location
is the key field for the wifi settings. I=92m wondering why the hell
somebody thought it was a good idea to print the wifi key in clear text
back to the user, and in this case it=92s not properly encoded either
giving us a nice 63 character persistent injection point for script.

So for those that weren=92t paying attention: Any MiFi user that visits a
specially crafted page will give up their GPS location to the attacker.

Here is a video clip for the Sprint MiFi (latest firmware) of the
working proof of concept.
http://evilpacket.net/2010/jan/14/mifi-geopwn/ 



The entire AOH site is optimized to look best in Firefox® 3 on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2014 AOH
We do not send spam. If you have received spam bearing an artofhacking.com email address, please forward it with full headers to abuse@artofhacking.com.