MiFi Attack Exploits GPS To Reveal User's Location

← Back to Stories (view on slashdot.org)

MiFi Attack Exploits GPS To Reveal User's Location

Posted by timothy on Saturday January 16, 2010 @08:20AM from the wish-it-was-easy-for-non-attackers dept.

An anonymous reader writes "Security researcher Adam Baldwin has identified that the Sprint and Verizon MiFi devices are vulnerable to a multitude of attacks. Combining these attacks together, an attacker can gain the GPS location of the MiFi device without the user becoming immediately aware. The attack can be successfully executed without authentication and even if the GPS has been disabled by the administrator." There's a video, but a handy text summary, too. Upshot: "Any MiFi user that visits a specially crafted page will give up their GPS location to the attacker."

62 comments

Min score:

Reason:

Sort:

Why does it have a GPS? by Darkness404 · 2010-01-16 08:24 · Score: 3, Insightful

I think the main question is why would a glorified router have a GPS built-in? I can see no real reason for a GPS being in a router. Phones? Perhaps. Router? No.

--
Taxation is legalized theft, no more, no less.
1. Re:Why does it have a GPS? by ceoyoyo · 2010-01-16 08:29 · Score: 1, Informative
  
  The reason for having a GPS in these things is the same as having one in a phone: so all the stuff built for phones that depends on location will work on whatever you connect to the MiFi.
  A router that sits in your house has no need for GPS. One that is designed to be out and about with you needs one as much as your phone does.
2. Re:Why does it have a GPS? by Anonymous Coward · 2010-01-16 08:36 · Score: 1, Interesting
  
  Or more "paranoidally" put, they like to know where a hotspot is at any given time. For whatever reason.
  That it works even with GPS mode turned OFF on the phone is DIRECT evidence of poor security design.
  Who knows how much intel you're pinging away on that IP-phone? More than any of us are cleared to know.
  I trust cell phone companies with my voice, only... and they often screw even that up.
  And my confirmation captcha is "phones"... as if I needed more proof they were listening!
3. Re:Why does it have a GPS? by LostCluster · 2010-01-16 08:36 · Score: 1
  
  Because you're on a cellular network and the company providing service wants to know where its users are using them so they can plan the network. Furthermore, if you are missing and need to be rescued, your MiFi giving out your location might be a good thing.
4. Re:Why does it have a GPS? by John+Hasler · 2010-01-16 08:51 · Score: 2, Insightful
  
  > Because you're on a cellular network and the company providing service wants
  > to know where its users are using them so they can plan the network.
  They know what cells you are using and the signal strength. That's all they need.
  
  --
  Warning: this article may contain humor, sarcasm, parody, and perhaps even irony. Read at your own risk.
5. Re:Why does it have a GPS? by LostCluster · 2010-01-16 08:58 · Score: 1
  
  Nope. That works only when you can contact multiple towers... hard to triangulate a location with only one vector to play with.
6. Re:Why does it have a GPS? by hanabal · 2010-01-16 09:07 · Score: 2, Insightful
  
  if the phone is only picking up the signal from one tower you can eliminate any side of the tower where another tower is close by, as you would expect to have more than one signal. so unless the tower is completely isolated you can have a pretty good idea where they are, at least what direction.
7. Re:Why does it have a GPS? by Mr2001 · 2010-01-16 09:14 · Score: 1
  
  Each tower is divided into three 120-degree zones, so that narrows it down quite a bit.
  
  --
  Visual IRC: Fast. Powerful. Free.
8. Re:Why does it have a GPS? by fuzzyfuzzyfungus · 2010-01-16 09:20 · Score: 2, Interesting
  
  The MiFi device essentially is a phone. It connects to a cellular data network and then makes that connection available over wifi to nearby computers.
  
  If they actually included a real GPS chipset, that would be puzzling, just from a cost/weight/battery life/board space perspective; but basically anything that interacts with a cell network gets location data within the limits of tower triangulation accuracy essentially for free(and then, if Verizon is the carrier, the firmware locks you out of that until you pay an extra monthly fee; but the capability is there).
  
  The utter fail here is that the MiFi interface is as vulnerable as it is.
9. Re:Why does it have a GPS? by Anonymous Coward · 2010-01-16 09:26 · Score: 1, Informative
  
  Uh.. except for the fact that the phones hosting the apps needing to know location.. will be on phones that have GPS receivers and can thus determine location. The router doesn't need to know shit except that there is an 802.11 device locally and a cellular network regionally.
  Apps aren't running on the MiFi router any more than a web browser runs on a home router.
10. Re:Why does it have a GPS? by dgatwood · 2010-01-16 09:53 · Score: 3, Insightful
  
  That it works even with GPS mode turned OFF on the phone is DIRECT evidence of poor security design.
  No, the fact that third parties *found* the back door is direct evidence of poor security design. The fact that the backdoor was there is at least as likely to be an intentional measure for law enforcement purposes as it is to be a mistake. Odds are, when they "fix" this bug, the backdoor will still be there, just hidden a little better.
  
  --
  Check out my sci-fi/humor trilogy at PatriotsBooks.
11. Re:Why does it have a GPS? by FlyingBishop · 2010-01-16 09:58 · Score: 1
  
  The distinction isn't really relevant, as we've seen when even Google's law enforcement backdoor is the weakest link in their security system.
12. Re:Why does it have a GPS? by e9th · 2010-01-16 10:32 · Score: 1
  
  From the EVDOinfo review:
  The Sprint MiFi enables the GPS functionality and allows for Sprint's "Location Based Services" that will plot onto a Google map the restaurants/banks/shopping/gas/etc that are near by. Verizon disables the GPS capabilities of the MiFi!
13. Re:Why does it have a GPS? by flirzan · 2010-01-16 11:06 · Score: 1
  
  And by "Verizon disables the GPS capabilities of the MiFi" you mean "Verizon doesn't use it", since the hardware is still there, and can still be activated to retrieve the location of any Verizon MiFi.
  
  --
  Twinkies sure taste good for something that is 68% air.
14. Re:Why does it have a GPS? by Anonymous Coward · 2010-01-16 11:49 · Score: 0
  
  I meant nothing of the sort. I didn't write the review, only quoted it because it contains one answer to the OP's question.
15. Re:Why does it have a GPS? by wh1pp3t · 2010-01-16 12:46 · Score: 1
  
  There are different configurations of sites; varying from three, two or even one sector. Some cell sites will have a remote sector mounted in a physically different location (cost savings). It all depends on where the coverage is needed.
  
  Regarding the reason for GPS functionality: the RF engineers need to know where your MiFi is. It's all about statistics and measurements with those guys.
16. Re:Why does it have a GPS? by John+Hasler · 2010-01-16 12:47 · Score: 1
  
  > Each tower is divided into three 120-degree zones...
  And they can use signal strength and/or round-trip time to estimate distance. That should give them all the information they need for network planning purposes.
  However, they pretty much have to use GPS to comply with FCC E911 rules.
  
  --
  Warning: this article may contain humor, sarcasm, parody, and perhaps even irony. Read at your own risk.
17. Re:Why does it have a GPS? by John+Hasler · 2010-01-16 12:49 · Score: 1
  
  GPS can't be completely disabled because E911 needs it. They still screwed up, though.
  
  --
  Warning: this article may contain humor, sarcasm, parody, and perhaps even irony. Read at your own risk.
18. Re:Why does it have a GPS? by Mr2001 · 2010-01-16 13:04 · Score: 1
  
  However, they pretty much have to use GPS to comply with FCC E911 rules.
  It's not clear to me why E911 is relevant to a 3G data router. It can't be used to make emergency calls, can it?
  
  --
  Visual IRC: Fast. Powerful. Free.
19. Re:Why does it have a GPS? by Mr2001 · 2010-01-16 13:06 · Score: 1
  
  Regarding the reason for GPS functionality: the RF engineers need to know where your MiFi is. It's all about statistics and measurements with those guys.
  Are you saying the router is designed to report its GPS location to the carrier without the user's knowledge (ostensibly for the purpose of improving the network)? That seems like a privacy violation in itself.
  
  --
  Visual IRC: Fast. Powerful. Free.
20. Re:Why does it have a GPS? by LostCluster · 2010-01-16 13:09 · Score: 1
  
  And there's the problem... with only contact to one tower, you don't have an exact direction... just a distance and a 120 degree range. That creates an arc on the map, all of which has to be checked to find you. E911 would much rather have a GPS point.
21. Re:Why does it have a GPS? by wh1pp3t · 2010-01-16 13:14 · Score: 1
  
  Yes. You are in effect using the carriers licensed spectrum. They have a right to know what devices are using it and where. Just because they know where a MiFi is, doesn't mean they have YOUR MiFi location. RF engineers don't deal with customer data (unless they need to meet with a customer), nor do they have access to it.
22. Re:Why does it have a GPS? by Mr2001 · 2010-01-16 14:40 · Score: 1
  
  E911 would much rather have a GPS point.
  How is E911 relevant to a 3G data router that can't be used to dial 911?
  
  --
  Visual IRC: Fast. Powerful. Free.
23. Re:Why does it have a GPS? by Mr2001 · 2010-01-16 14:46 · Score: 1
  
  You are in effect using the carriers licensed spectrum. They have a right to know what devices are using it and where.
  Well, there'd be rioting in the streets if it turned out that typical cell phones were constantly reporting GPS data to the carrier, especially if they still did it when the GPS feature was supposedly turned off. Why should a MiFi be any different?
  
  RF engineers don't deal with customer data (unless they need to meet with a customer), nor do they have access to it.
  The carrier still has that data, though, and they could be forced to turn it over when faced with a subpoena or warrant -- or, as we've seen repeatedly, they could just decide to turn it over in response to a polite request from the government.
  
  --
  Visual IRC: Fast. Powerful. Free.
24. Re:Why does it have a GPS? by LostCluster · 2010-01-16 14:50 · Score: 1
  
  Because if you're wanted or missing and have your MiFi with you, it's easier to find you.
  Manhunts have gone down like crazy since the popularity of a cell phone means if you are wanted on a warrant for something as insignificant as skipping jury duty, they can ask your cell company where you are right now.
25. Re:Why does it have a GPS? by Mr2001 · 2010-01-16 14:57 · Score: 1
  
  In other words, there is no legitimate reason for the MiFi to have a GPS receiver? It's only useful to locate the owner at someone else's request?
  
  --
  Visual IRC: Fast. Powerful. Free.
26. Re:Why does it have a GPS? by Anonymous Coward · 2010-01-16 16:20 · Score: 0
  
  [citation needed]
27. Re:Why does it have a GPS? by tlhIngan · 2010-01-16 17:31 · Score: 1
  
  I think the main question is why would a glorified router have a GPS built-in? I can see no real reason for a GPS being in a router. Phones? Perhaps. Router? No.
  Easy. E911.
  The thing's got a 3G modem in it, which is the similar to what you'd find in similar phones (since it's CDMA, I'd expect a 3G CDMA phone). Except that instead of being able to make calls, it only handles data.
  3G modems, ehether they're the ones embedded in your phone, or in those "internet sticks" are pretty much the same. Heck, they may be exactly the same (there are only a few chipset manufacturers out there), so they'd have similar features.
28. Re:Why does it have a GPS? by wh1pp3t · 2010-01-16 18:05 · Score: 1
  
  Well, there'd be rioting in the streets if it turned out that typical cell phones were constantly reporting GPS data to the carrier, especially if they still did it when the GPS feature was supposedly turned off. Why should a MiFi be any different?
  There is a big difference between a device that in effect acts as a cell site (broadcasting) versus a subscriber handset.
  
  The carrier still has that data, though, and they could be forced to turn it over when faced with a subpoena or warrant -- or, as we've seen repeatedly, they could just decide to turn it over in response to a polite request from the government.
  This has nothing to do with your argument. I am speaking from an engineering point of view. However, if/when instances of this occur, people need to sue the Fed (under violation of the Constitution) and the carrier (secondary).
  If your main worry is what a large corporation will provide the Fed (warrentless or not), stop using their services (i.e. a mobile) immediately. at&t is one of the largest, if not the largest lobbyist in the Washington. The others are not far behind. Stop screaming bloody murder about privacy, and actually DO something about it. Maybe go HAM. Personally, I don't care. I have close friends who are Afghan and Iranian, and I talk with them on my mobile all the time; I assume my shit is being tracked.
29. Re:Why does it have a GPS? by Anonymous Coward · 2010-01-16 19:24 · Score: 0
  
  Remember we're talking FCC rules here. Do you think they should make sense?
30. Re:Why does it have a GPS? by Mr2001 · 2010-01-16 20:04 · Score: 2, Informative
  
  There is a big difference between a device that in effect acts as a cell site (broadcasting) versus a subscriber handset.
  But the MiFi doesn't act at all like a cell site - from the carrier's perspective, it's no different from any other cell phone (except it doesn't make or receive voice calls).
  It's just a 3G modem attached to a wifi router. The 3G part uses the carrier's licensed spectrum in the same way that a smartphone does, and the wifi part uses unlicensed spectrum.
  
  --
  Visual IRC: Fast. Powerful. Free.
31. Re:Why does it have a GPS? by rtb61 · 2010-01-16 20:59 · Score: 1
  
  I would have thought a device like that would basically be a fiscal time bomb waiting to go off into the users face. With the download limits and extra charges on mobile broadband used in conjunction with the higher risk wireless connections, I smell a profiteering opportunity for incumbent phone companies to sell less than secure devices to a bunch of gullible unskilled users.
  I expect it will not be long before we start hearing horror stories about huge mobile data bills. I consider myself fairly skilled and aware of what is going on and I would be deeply hesitant about installing a device as financially risky as that and I certainly would not recommend it to anyone.
  
  --
  Chaos - everything, everywhere, everywhen
32. Re:Why does it have a GPS? by Anonymous Coward · 2010-01-17 01:11 · Score: 0
  
  RTFA, the GPS doesn't work when turned off. However the attacker can turn it on without the user's knowledge.
  The phone company doesn't need GPS to know where the MiFi is, they know which cell tower it connects to and where that tower is and if it is in contact with multiple towers they can triangulate exact position.
33. Re:Why does it have a GPS? by wh1pp3t · 2010-01-17 03:51 · Score: 0
  
  But the MiFi doesn't act at all like a cell site - from the carrier's perspective, it's no different from any other cell phone (except it doesn't make or receive voice calls).
  It's just a 3G modem attached to a wifi router. The 3G part uses the carrier's licensed spectrum in the same way that a smartphone does, and the wifi part uses unlicensed spectrum.
  MiFi accepts 3G connections from handsets. The same as a cell site. There are implications from having another device accept connections from subscriber handsets, again for stats and performance measurements.
  Smartphone does not accept 3G connections from other handsets.
  They are NOT the same.
  You are apparently just disagreeing with me for the point of disagreeing. Think what you want about how they operate and don't buy a MiFi. If you don't like the "privacy" risk, speak with letters to your representatives, your votes and your dollars; don't whine on /.
  
  Good day, sir.
34. Re:Why does it have a GPS? by Mr_Silver · 2010-01-17 04:58 · Score: 2, Interesting
  
  I think the main question is why would a glorified router have a GPS built-in? I can see no real reason for a GPS being in a router. Phones? Perhaps. Router? No.
  In short, FCC E911 rules.
  Most USB modem vendors use Qualcomm chipsets which come with GPSOne as standard. As such, they just need to include an antenna.
  USB modems sold in Europe still have GPSOne in there, but the antenna is removed to reduce costs. As such you cannot get a fix.
  
  --
  Avantslash - View Slashdot cleanly on your mobile phone.
35. Re:Why does it have a GPS? by Anonymous Coward · 2010-01-17 08:00 · Score: 0
  
  Huh? WTF are you talking about? The mifi accepts Wifi connections, not 3G connections. It is a 3G/wifi router.
  It is nothing like a cell site. It does not accept connections from subscriber handsets. Everything about your post is incorrect.
36. Re:Why does it have a GPS? by Mr2001 · 2010-01-17 09:55 · Score: 2, Informative
  
  MiFi accepts 3G connections from handsets. The same as a cell site.
  No, it doesn't accept 3G connections from handsets! Where on earth did you get that idea?
  The MiFi is quite simply a wifi router that gets its internet connection from 3G instead of a cable or DSL modem.
  You seem to be thinking of some kind of nano-cell device that does the opposite of what MiFi does.
  
  You are apparently just disagreeing with me for the point of disagreeing.
  That's rich, considering the load of misinformation you just dropped. It turns out the reason I'm disagreeing with you is that you're spouting off about something you don't understand.
  
  --
  Visual IRC: Fast. Powerful. Free.
37. Re:Why does it have a GPS? by cdrguru · 2010-01-18 06:43 · Score: 1
  
  A cell modem is extremely practical in a few limited circumstances. If you travel a bunch and can trade $60 a month for 6 $10 hotel internet fees, it makes sense as anything past those 6 nights is a benefit.
  A few people actually need to access a customer database "live" while on the road. Great, this enables that. Even if it costs $150 a month because of overage charges, you are probably coming out ahead in the end.
  For the rest of the people on the planet, a cell modem is an utter waste of money.
38. Re:Why does it have a GPS? by vipvop · 2010-01-19 18:34 · Score: 1
  
  The recent Chinese hack of Google made use of the system they use for search warrants:
  http://www.macworld.co.uk/digitallifestyle/news/index.cfm?newsid=28293
Adam Baldwin by Nerdfest · 2010-01-16 08:32 · Score: 1

So that's what he's been doing since Firefly.

"Shiny ... let's be good guys."
1. Re:Adam Baldwin by starbugs · 2010-01-16 08:36 · Score: 1
  
  So does that mean he got his MiFi at a BuyMore?
Bad title by spire3661 · 2010-01-16 08:39 · Score: 2, Insightful

Cell tower triangulation is not GPS in any way shape or form.

--
Good-bye
Publicity Stunt? by LostCluster · 2010-01-16 08:42 · Score: 2, Insightful

Here's one from the conspiracy theory file:
Since the MiFi is such a novel concept, people might not think it includes anything not related to data connections. By making this mistake and it landing on Slashdot and such, it's advertising the GPS... plus giving notice so nobody can sue them and claim they didn't know they were carrying a device that would reveal their location.
1. Re:Publicity Stunt? by Anonymous Coward · 2010-01-16 09:06 · Score: 0
  
  Yes, now Mr. Baldwin presence makes all sense.
2. Re:Publicity Stunt? by Anonymous Coward · 2010-01-16 14:01 · Score: 0
  
  Here's another one: I used Firefox 3.5 on my Ubuntu laptop (which supports the geolocation API). When I accepted to provide location information, they immediately pointed out to the front of my house. I have no GPS on my laptop, what information could they use I didn't know about? They know already the locations corresponding to (what I think is the only info available to them) IP addresses.
3. Re:Publicity Stunt? by LostCluster · 2010-01-16 14:54 · Score: 1
  
  That's easy. Some people did a wardriving scan of the entire nation, noticing what MAC address was given even on WAP/WPA encrypted WiFi systems and where they were when it was detected. Yep... your home WiFi now can tell your laptop you're at home and the work WiFi indicates where the office is. People could do a mass router swap and disable this stuff, but nobody seems to have bothered.
4. Re:Publicity Stunt? by Anonymous Coward · 2010-01-16 17:18 · Score: 0
  
  Contrary to my home (using verizon fios), my work reports to be in the middle of a pond, more than 4 miles from the real location.
WTF is a MiFi?? by Anonymous Coward · 2010-01-16 08:59 · Score: 3, Funny

MILF Finder?? Where do I get one?? I need to locate a willing MILF real bad, I feel horny, horny!
1. Re:WTF is a MiFi?? by olsmeister · 2010-01-16 09:21 · Score: 2, Funny
  
  Yeah, I saw MILF Attack Exploits GPS to Reveal User's Location, and I thought that's not an exploit, that's something I'd pay for!
2. Re:WTF is a MiFi?? by FragHARD · 2010-01-16 14:40 · Score: 1
  
  We'll I am not sure if I would pay for that, but I would definitely take money for it !!!!
  
  --
  FragHARD or don't frag at all
Bad post by LostCluster · 2010-01-16 09:00 · Score: 1

This isn't using cell tower strengths, it's a GPS chip being planted in the device despite the fact some people would rather not have it.
Google [ Verizon MiFi ] by tepples · 2010-01-16 09:07 · Score: 1

WTF is a MiFi??
Let me Google that for you.
1. Re:Google [ Verizon MiFi ] by Anonymous Coward · 2010-01-16 17:23 · Score: 0
  
  fucking WOOSH!
Who proofreads these? by Chelmet · 2010-01-16 09:14 · Score: 1

Should we combine these attacks together, or should we just combine these attacks?
1. Re:Who proofreads these? by Anonymous Coward · 2010-01-16 09:35 · Score: 0
  
  Should we combine these attacks together, or should we just combine these attacks?
  We should combine these attacks to get her to do this to me, I'm horny, horny!
Jaynestown by FrankDrebin · 2010-01-16 09:18 · Score: 1

Security researcher Adam Baldwin has identified...
Who knew his good samaritan ways ran so deep and pure? Looks like The Ballad of Jayne Cobb deserves a new verse.

--
Anybody want a peanut?
1. Re:Jaynestown by Anonymous Coward · 2010-01-19 03:40 · Score: 0
  
  In between that and watching the human intersect, he leads a varied and interesting life!
Even if the GPS is disabled... by Anonymous Coward · 2010-01-16 09:22 · Score: 2, Informative

Well, then the attack enables it. Duh. It's a cross-site request forgery, i.e. an attack where the web browser "reflects" a request so that it appears to originate on the inside, where the configuration interface is available. Combine this with the lack of an authentication requirement, the attacker can simply enable the GPS and get the coordinates.
Here's the relevant text from the unavailable web page:

1. Authentication not required.
The MiFi does not require a valid session to commit changes to configuration settings. This makes exploiting the below issues a lot easier when you don't have to require that the victim have a valid session.
2. Enable GPS without the users knowledge.
The GPS on a MiFi can be enabled by visiting the following URL. Depending on the situation the victim may get a alert that says "Login Required" but if they are like the typical user they will simply click on it and forget it ever happened.
3. Cross-Site Request Forgery (CSRF)
The web interface does not validate referrer or use any magical tokens to protect against CSRF. This means that we can have a victim visit our malicious website and do evil things like change the wireless settings of the MiFi.
4. Output Encoding
In multiple locations of the MiFi web interface user input is not properly encoded when output back to the user. One interesting location is the key field for the wifi settings. I'm wondering why the hell somebody thought it was a good idea to print the wifi key in clear text back to the user, and in this case it's not properly encoded either giving us a nice 63 character persistent injection point for script.
When MiFi Attacks! by tunapez · 2010-01-16 09:34 · Score: 0, Flamebait

I guess if you're naive enough to buy one of these devices, you deserve to be "vulnerable to a multitude of attacks". I wonder, do the attacks count towards the 5GB cap?

--
Imagination drew in bold strokes, instantly serving hopes and fears, while knowledge advanced by slow increments...
1. Re:When MiFi Attacks! by Anonymous Coward · 2010-01-16 10:54 · Score: 0
  
  And what would you have people do, you sanctimonious ass? Grow up and get out of the basement kid.
Maybe more than just reading the GPS. by John+Hasler · 2010-01-16 11:57 · Score: 1

> The MiFi does not require a valid session to commit changes to configuration
> settings.
That sounds like there may be all sorts of "interesting" possibilities.

--
Warning: this article may contain humor, sarcasm, parody, and perhaps even irony. Read at your own risk.
Slashdotters would prefer an by Anonymous Coward · 2010-01-17 03:30 · Score: 0

iMilf encounter?