Slashdot Mirror


MiFi Attack Exploits GPS To Reveal User's Location

An anonymous reader writes "Security researcher Adam Baldwin has identified that the Sprint and Verizon MiFi devices are vulnerable to a multitude of attacks. Combining these attacks together, an attacker can gain the GPS location of the MiFi device without the user becoming immediately aware. The attack can be successfully executed without authentication and even if the GPS has been disabled by the administrator." There's a video, but a handy text summary, too. Upshot: "Any MiFi user that visits a specially crafted page will give up their GPS location to the attacker."


  1. Why does it have a GPS? by Darkness404 · · Score: 3, Insightful

    I think the main question is why would a glorified router have a GPS built-in? I can see no real reason for a GPS being in a router. Phones? Perhaps. Router? No.

    --
    Taxation is legalized theft, no more, no less.
    1. Re:Why does it have a GPS? by John+Hasler · · Score: 2, Insightful

      > Because you're on a cellular network and the company providing service wants
      > to know where its users are using them so they can plan the network.

      They know what cells you are using and the signal strength. That's all they need.

      --
      Warning: this article may contain humor, sarcasm, parody, and perhaps even irony. Read at your own risk.
    2. Re:Why does it have a GPS? by hanabal · · Score: 2, Insightful

      If the phone is only picking up the signal from one tower you can eliminate any side of the tower where another tower is close by, as you would expect to have more than one signal. So unless the tower is completely isolated you can have a pretty good idea where they are, at least what direction.

    3. Re:Why does it have a GPS? by fuzzyfuzzyfungus · · Score: 2, Interesting

      The MiFi device essentially is a phone. It connects to a cellular data network and then makes that connection available over wifi to nearby computers.

      If they actually included a real GPS chipset, that would be puzzling, just from a cost/weight/battery life/board space perspective; but basically anything that interacts with a cell network gets location data within the limits of tower triangulation accuracy essentially for free (and then, if Verizon is the carrier, the firmware locks you out of that until you pay an extra monthly fee; but the capability is there).

      The utter fail here is that the MiFi interface is as vulnerable as it is.

    4. Re:Why does it have a GPS? by dgatwood · · Score: 3, Insightful

      > That it works even with GPS mode turned OFF on the phone is DIRECT evidence of poor security design.

      No, the fact that third parties *found* the back door is direct evidence of poor security design. The fact that the backdoor was there is at least as likely to be an intentional measure for law enforcement purposes as it is to be a mistake. Odds are, when they "fix" this bug, the backdoor will still be there, just hidden a little better.

      --

      Check out my sci-fi/humor trilogy at PatriotsBooks.

    5. Re:Why does it have a GPS? by Mr2001 · · Score: 2, Informative

      > There is a big difference between a device that in effect acts as a cell site (broadcasting) versus a subscriber handset.

      But the MiFi doesn't act at all like a cell site - from the carrier's perspective, it's no different from any other cell phone (except it doesn't make or receive voice calls).

      It's just a 3G modem attached to a wifi router. The 3G part uses the carrier's licensed spectrum in the same way that a smartphone does, and the wifi part uses unlicensed spectrum.

      --
      Visual IRC: Fast. Powerful. Free.
    6. Re:Why does it have a GPS? by Mr_Silver · · Score: 2, Interesting

      > I think the main question is why would a glorified router have a GPS built-in? I can see no real reason for a GPS being in a router. Phones? Perhaps. Router? No.

      In short, FCC E911 rules.

      Most USB modem vendors use Qualcomm chipsets which come with GPSOne as standard. As such, they just need to include an antenna.

      USB modems sold in Europe still have GPSOne in there, but the antenna is removed to reduce costs. As such you cannot get a fix.

      --
      Avantslash - View Slashdot cleanly on your mobile phone.
    7. Re:Why does it have a GPS? by Mr2001 · · Score: 2, Informative

      > MiFi accepts 3G connections from handsets. The same as a cell site.

      No, it doesn't accept 3G connections from handsets! Where on earth did you get that idea?

      The MiFi is quite simply a wifi router that gets its internet connection from 3G instead of a cable or DSL modem.

      You seem to be thinking of some kind of nano-cell device that does the opposite of what MiFi does.

      > You are apparently just disagreeing with me for the point of disagreeing.

      That's rich, considering the load of misinformation you just dropped. It turns out the reason I'm disagreeing with you is that you're spouting off about something you don't understand.

      --
      Visual IRC: Fast. Powerful. Free.
  2. Bad title by spire3661 · · Score: 2, Insightful

    Cell tower triangulation is not GPS in any way shape or form.

    --
    Good-bye
  3. Publicity Stunt? by LostCluster · · Score: 2, Insightful

    Here's one from the conspiracy theory file:

    Since the MiFi is such a novel concept, people might not think it includes anything not related to data connections. By making this mistake and it landing on Slashdot and such, it's advertising the GPS... plus giving notice so nobody can sue them and claim they didn't know they were carrying a device that would reveal their location.

  4. WTF is a MiFi?? by Anonymous Coward · · Score: 3, Funny

    MILF Finder?? Where do I get one?? I need to locate a willing MILF real bad, I feel horny, horny!

    1. Re:WTF is a MiFi?? by olsmeister · · Score: 2, Funny

      Yeah, I saw MILF Attack Exploits GPS to Reveal User's Location, and I thought that's not an exploit, that's something I'd pay for!

  5. Even if the GPS is disabled... by Anonymous Coward · · Score: 2, Informative

    Well, then the attack enables it. Duh. It's a cross-site request forgery, i.e. an attack where the web browser "reflects" a request so that it appears to originate on the inside, where the configuration interface is available. Combine this with the lack of an authentication requirement, and the attacker can simply enable the GPS and get the coordinates.

    Here's the relevant text from the unavailable web page:

    1. Authentication not required.

    The MiFi does not require a valid session to commit changes to configuration settings. This makes exploiting the below issues a lot easier when you don't have to require that the victim have a valid session.

    2. Enable GPS without the user's knowledge.

    The GPS on a MiFi can be enabled by visiting the following URL. Depending on the situation the victim may get an alert that says "Login Required" but if they are like the typical user they will simply click on it and forget it ever happened.

    3. Cross-Site Request Forgery (CSRF)

    The web interface does not validate referrer or use any magical tokens to protect against CSRF. This means that we can have a victim visit our malicious website and do evil things like change the wireless settings of the MiFi.

    4. Output Encoding

    In multiple locations of the MiFi web interface user input is not properly encoded when output back to the user. One interesting location is the key field for the wifi settings. I'm wondering why the hell somebody thought it was a good idea to print the wifi key in clear text back to the user, and in this case it's not properly encoded either, giving us a nice 63 character persistent injection point for script.
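
Added example, not part of the comment above or of the quoted advisory, and not MiFi firmware code: the server-side checks whose absence items 1, 3 and 4 describe, written as a small Python sketch. The device origin, the `Cookie-Session` header name and all function names are assumptions made for illustration.

```python
import hashlib
import hmac
import html
import secrets
from urllib.parse import urlsplit

DEVICE_ORIGIN = "http://192.168.1.1"     # assumed admin-interface origin (hypothetical)
SERVER_SECRET = secrets.token_bytes(32)  # per-boot secret used to derive CSRF tokens

def csrf_token(session_id: str) -> str:
    """Token bound to one session; the server embeds it in every settings form."""
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()

def same_origin(headers: dict) -> bool:
    """Accept only requests whose Origin (or Referer) is the device's own interface."""
    source = headers.get("Origin") or headers.get("Referer")
    if not source:
        return False
    parts = urlsplit(source)
    return f"{parts.scheme}://{parts.netloc}" == DEVICE_ORIGIN

def authorize_config_change(method: str, headers: dict, form: dict, sessions: set) -> int:
    """Return the HTTP status a settings-changing request should receive."""
    if method != "POST":                 # settings must not change by visiting a URL
        return 405
    sid = headers.get("Cookie-Session")  # simplified: session id already parsed from the cookie
    if sid not in sessions:              # item 1: a valid session is mandatory
        return 401
    if not same_origin(headers):         # item 3: reject requests sent from other sites
        return 403
    supplied = form.get("csrf", "").encode()
    if not hmac.compare_digest(supplied, csrf_token(sid).encode()):
        return 403                       # item 3: per-session anti-CSRF token must match
    return 200

def render_key_field(wifi_key: str) -> str:
    """Item 4: encode stored input before placing it inside an HTML attribute."""
    return f'<input type="password" name="key" value="{html.escape(wifi_key, quote=True)}">'
```

A request forged from another site fails at the session, origin or token check, so it cannot toggle GPS or rewrite the wireless settings; encoding the key field closes the stored-script issue but does not address echoing the key back at all.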