AppSec Blog

AppSec Blog
05 Feb 2010

More MiFi Fun. Consistent Authentication Matters!

7 comments Posted by Johannes Ullrich
Filed under Uncategorized

I came across this last week during teaching Sec542 in New York. A bunch of students, including myself, used the Verizon MiFi device for internet access [1]. Recently, a number of issues had been released with the Novatel version of the device [2].

I figured it would be a nice exercise to look at the Verizon version of the device. This device does not include a GPS as far as I know, so the Novatel GPS exploit would not work. However, I run into the other part of the issue: The device does require a password to log in and retrieve the setting page, but it does not require a password to submit new settings. This flaw allows an attacker to change settings on the device by simply tricking the browser to submit a "POST" request to the right URL. The only variable the attacker has to guess is the IP address of the device, which defaults to 192.168.0.1.

In order to exploit the flaw, the attacker would have to setup a web page with the following content:

<form method="POST" action="http://192.168.x.y/home.cgi">
<input type="hidden" name="NP_WiCurrPf" value="Open">
<input type="hidden" name="todo" value="setprofile">
<input type="hidden" name="WiCurrPf" value="Open">
</form>
<script>
document.forms[0].submit();
</script>

The attacker will then have to trick the victim to visit the page with this code. The code above will turn the MiFi's settings to a default "open" access point. If the IP address is not known, the attacker would just use multiple forms until one works.

How to defend against this: A simple session logic would be a good start. In addition, "home.cgi" needs to check if the user is actually logged in. Right now, home.cgi accepts responses blindly. This problem exists for other MiFi features as well, like retrieving the configuration. I leave it up to the reader to write some javascript to pull the configuration and post it to a website (note: all you need is a GET. Same origin doesn't matter in this case for XDomainRequest or XMLHttpRequest Level 2).

[1] http://www.verizonwireless.com/b2c/mobilebroadband/?page=products_mifi
[2] http://www.engadget.com/2010/01/18/novatels-mifi-devices-shown-to-be-incredibly-useful-easily-hac/

Permalink | Comments RSS Feed - Post a comment | Trackback URL

7 Comments

Posted February 05, 2010 at 7:43 PM | Permalink | Reply
uberVU - social comments

<strong>Social comments and analytics for this post...</strong>

This post was mentioned on Twitter by johullrich: MiFi WiFo FunFi FoFun... More MiFi Fun. Consistent Authentication Matters! http://jbu.me/77...

Posted February 05, 2010 at 8:56 PM | Permalink | Reply
Bubba

And when the client just happens upon this rogue site and the settings get set to open, the client loses his wifi connection (assuming its not already open, in which case you don't need your hack) and knows something is up, connects back in and fixes it and doesn't re-visit the site that caused him to get disconnected.

Posted February 05, 2010 at 9:02 PM | Permalink | Reply
Johannes Ullrich

unless the attacker is faster and secures it first ;-). Also, if the victim got the "open" version in its prefered network list, for example from setting it up first, the victim may reconnect back to it with little disruption.

But I agree. The better "hack" is to pull the configuration and then just configure the malicious client to match it.

Posted February 05, 2010 at 10:49 PM | Permalink | Reply
dr strangep0rk

On these devices isn't the default password the manufacture year, month, day and sequential identifier. This make the default PSK easy to find. Just a walk to your local cafe can be a treasure find for someone looking for trouble.

In many of these modems their are other URLs and setup pages that may be useful including of course submitting post to corrrect URL's. Who doesn't love a network device with default settings...LOL

Posted February 06, 2010 at 12:54 AM | Permalink | Reply
cmb

hah reconnects and fixes it? That may be the case for 90+% of security professionals, and maybe 80% of IT people in general, but I bet 99% of average end users just reconnect to the now-open AP and off they go, likely without even paying attention to the fact that it's an open network. Of course there are plenty of better hacks as mentioned, but even this trivial one is likely to be successful against average users almost always.

Posted February 07, 2010 at 4:23 AM | Permalink | Reply
Species

The defaut PW is not the manufacture year, month, day and sequential identifier. I cant say what it is, but it isnt that. It is completly random, and is hard coded into the hard reset image. Cus device disconnetects. they call tech support, they hard reset the device, boom the security is back up.

Posted March 22, 2010 at 10:51 PM | Permalink | Reply
smith

Hi, Good job Folks! You guys are improving day by day. Keep up the good work. As a programmer one should code in a secured manner inorder to prevent the future flaws and vulnerabilities which the hackers could not take benefit of. Such coding comes only when there is proper training. SANS as usual is the best in the computer security, ...

Post a Comment






* Indicates a required field.

RSS

Search Blog:

Categories

Recent Posts

Recent Comments

Popular Posts

Archives

Links

Latest Blog Posts

WhatWorks in AppSec: ASP.NET – Defend Against Cross-Site Scripting Using Th [...]
May 29, 2013 - 8:24 PM

WhatWorks in AppSec: Log Forging
May 21, 2013 - 8:15 PM

Security Testing: Less, but More Often can make a Big Difference
January 14, 2013 - 6:42 PM

View More »

Latest Tweets @sansappsec

New blog post: "WhatWorks in AppSec: http://t.co/li2A6Tms9W [...]
May 29, 2013 - 9:18 PM

New blog post: "WhatWorks in AppSec: Log Forging" http://t.co/O0UQa12yFC
May 21, 2013 - 8:23 PM

Starts in 15 min: Webcast on "Java Web Security by Example" [...]
February 19, 2013 - 5:45 PM

Latest Papers

Web Application Injection Vulnerabilities: A Web App's Security Nemesis?
By Erik Couture

Setting Up a Database Security Logging and Monitoring Program
By Jim Horwath

Endpoint Security through Application Streaming
By Adam Walter

View More »

"The course used real code with simple scenarios illustrating a full attack scenario and how to fix the vulnerabilities."
- Jeffrey Bell, Lockheed Martin

"Teaches important security concepts that allow developers to build solid applications."
- Marcus Gunn, Lockheed Martin

"Gives tangible ideas to put into practice to make your code and infrastructure more secure."
- Keith G. Tullius, II, Escambia County Sheriff's Office