I came across this last week while teaching Sec542 in New York. A bunch of students, including myself, used the Verizon MiFi device for internet access. Recently, a number of issues had been published for the Novatel version of the device.
I figured it would be a nice exercise to look at the Verizon version of the device. This device does not include a GPS as far as I know, so the Novatel GPS exploit would not work. However, I ran into the other part of the issue: the device does require a password to log in and retrieve the settings page, but it does not require a password to submit new settings. This flaw allows an attacker to change settings on the device by simply tricking the browser into submitting a "POST" request to the right URL. The only variable the attacker has to guess is the IP address of the device, which defaults to 192.168.0.1.
In order to exploit the flaw, the attacker would have to set up a web page with the following content:
<form method="POST" action="http://192.168.x.y/home.cgi">
<input type="hidden" name="NP_WiCurrPf" value="Open">
<input type="hidden" name="todo" value="setprofile">
<input type="hidden" name="WiCurrPf" value="Open">
</form>
The attacker will then have to trick the victim into visiting the page with this code. The code above will turn the MiFi's settings to a default "open" access point. If the IP address is not known, the attacker would just use multiple forms until one works.
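The missing check on the settings POST, shown next to a handler that enforces it. This is an added example, not code from the original post or from the device's firmware; the `sid` cookie, the `csrf` form field, the key, and the handler names are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

# Constructed values for illustration; nothing here is taken from the MiFi firmware.
SERVER_KEY = secrets.token_bytes(32)
DEVICE_ORIGINS = {"http://192.168.0.1"}
SESSIONS = set()  # session ids issued after a successful password login


def csrf_token(sid):
    """Per-session token the device would embed in the settings page it serves."""
    return hmac.new(SERVER_KEY, sid.encode(), hashlib.sha256).hexdigest()


def login():
    """Stand-in for a successful password login; returns (session id, token)."""
    sid = secrets.token_hex(16)
    SESSIONS.add(sid)
    return sid, csrf_token(sid)


def vulnerable_post(headers, cookies, form):
    """Behaviour described in the post: the POST is applied without any login check."""
    return form.get("todo") == "setprofile"


def hardened_post(headers, cookies, form):
    """Apply settings only for a logged-in session, a same-origin request and a valid token."""
    sid = cookies.get("sid", "")
    if sid not in SESSIONS:
        return False  # writing settings needs the same login as reading them
    origin = headers.get("Origin")  # may be absent; the token check below still applies
    if origin is not None and origin not in DEVICE_ORIGINS:
        return False  # the form was submitted from a page on another site
    sent = form.get("csrf", "")
    if not hmac.compare_digest(sent.encode(), csrf_token(sid).encode()):
        return False  # another site cannot read the token out of the settings page
    return form.get("todo") == "setprofile"


if __name__ == "__main__":
    # Constructed cross-site request carrying the form fields shown in the post.
    cross = {"NP_WiCurrPf": "Open", "todo": "setprofile", "WiCurrPf": "Open"}
    print(vulnerable_post({"Origin": "http://other-site.example"}, {}, cross))
    print(hardened_post({"Origin": "http://other-site.example"}, {}, cross))
```

The session check alone is not enough, because a browser that is already logged in to the device sends its cookie along with a cross-site form; the per-session token is what that form cannot supply.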