AppSec Blog

More MiFi Fun. Consistent Authentication Matters!

I came across this last week while teaching Sec542 in New York. A number of students, myself included, used the Verizon MiFi device for internet access [1]. Recently, several issues were published for the Novatel version of the device [2].

I figured it would be a nice exercise to look at the Verizon version of the device. As far as I know, this device does not include a GPS, so the Novatel GPS exploit would not work. However, I ran into the other part of the issue: the device does require a password to log in and retrieve the settings page, but it does not require a password to submit new settings. This flaw allows an attacker to change settings on the device simply by tricking the victim's browser into submitting a POST request to the right URL. The only variable the attacker has to guess is the IP address of the device, which defaults to

In order to exploit the flaw, the attacker has to set up a web page with the following content:

<form method="POST" action="http://192.168.x.y/home.cgi">
<!-- x.y stands in for the device's LAN address; profile "Open" is the unencrypted one -->
<input type="hidden" name="NP_WiCurrPf" value="Open">
<input type="hidden" name="todo" value="setprofile">
<input type="hidden" name="WiCurrPf" value="Open">
<input type="submit" value="Continue">
</form>

The attacker then has to trick the victim into visiting the page with this code (a small script can submit the form automatically, so the victim does not even have to click). The form above switches the MiFi to its default "open" access point profile, i.e. no encryption. If the IP address is not known, the attacker simply includes one form per candidate address until one works.

How to defend against this: proper session handling would be a good start. home.cgi needs to check that the request comes from a logged-in session before it accepts new settings; right now it accepts POSTs blindly. Note that a login check alone is not enough while the victim is logged in, because the browser attaches the session cookie to the forged POST as well, so the settings form also needs a per-session anti-CSRF token that home.cgi verifies. The same problem exists for other MiFi features, such as retrieving the configuration. I leave it up to the reader to write some JavaScript to pull the configuration and post it to a website (note: all you need is a GET. Keep in mind that XDomainRequest and XMLHttpRequest Level 2 will only hand a cross-origin response to script if the device answers with a matching Access-Control-Allow-Origin header).



Posted February 5, 2010 at 8:56 PM


And when the client just happens upon this rogue site and the settings get set to open, the client loses his wifi connection (assuming it's not already open, in which case you don't need your hack) and knows something is up, connects back in and fixes it, and doesn't re-visit the site that caused him to get disconnected.

Posted February 5, 2010 at 9:02 PM

Johannes Ullrich

Unless the attacker is faster and secures it first ;-). Also, if the victim has the "open" version in its preferred network list, for example from setting it up first, the victim may reconnect to it with little disruption.
But I agree. The better "hack" is to pull the configuration and then just configure the malicious client to match it.

Posted February 5, 2010 at 10:49 PM

dr strangep0rk

On these devices, isn't the default password the manufacturing year, month, day and a sequential identifier? This makes the default PSK easy to find. Just a walk to your local cafe can be a treasure find for someone looking for trouble.
In many of these modems there are other URLs and setup pages that may be useful, including of course submitting POSTs to the correct URLs. Who doesn't love a network device with default settings? LOL

Posted February 6, 2010 at 12:54 AM


Hah, reconnects and fixes it? That may be the case for 90+% of security professionals, and maybe 80% of IT people in general, but I bet 99% of average end users just reconnect to the now-open AP and off they go, likely without even paying attention to the fact that it's an open network. Of course there are plenty of better hacks, as mentioned, but even this trivial one is likely to be successful against average users almost always.

Posted February 7, 2010 at 4:23 AM


The default PW is not the manufacturing year, month, day and sequential identifier. I can't say what it is, but it isn't that. It is completely random, and is hard-coded into the hard reset image. Customer's device disconnects, they call tech support, they hard reset the device, boom, the security is back up.

Posted March 22, 2010 at 10:51 PM


Hi, good job folks! You guys are improving day by day. Keep up the good work. As a programmer, one should code in a secure manner in order to prevent future flaws and vulnerabilities that hackers could take advantage of. Such coding comes only when there is proper training. SANS as usual is the best in computer security.
