Slashdot Mirror

← Back to Stories (view on slashdot.org)

Verizon MiFi Owned By Simple Attack

Posted by timothy on from the changing-the-default-seems-smart dept.

Trailrunner7 writes "Security researcher Joshua Wright has developed a simple attack that allows him to recover the passwords for any Verizon MiFi device. The MiFi is essentially a tiny, portable wireless AP, and Wright's attack uses a simple and effective technique to get default passwords by using the device's SSID and some existing password attacks on the encryption protocols the MiFi employs. Result: complete 0wnage of any MiFi."

86 comments

  1. Important Question by wolrahnaes · · Score: 4, Insightful

    Is the choice of a predictable default password and a vulnerable encryption protocol specific to Verizon's branded version of this device or does it also affect the identical Sprint version and/or any GSM variants that may exist? As much as I dislike Verizon, I don't want to see the wrong name stuck on this if the problem is Novatel's, not Verizon's.

    --
    I used to get high on life, but I developed a tolerance. Now I need something stronger.
    1. Re:Important Question by querist · · Score: 3, Informative

      This does NOT work on Sprint devices. I own one, and it came without any password by default, but with very clear instructions urging the user to set one and showing the user how to set one. (The MiFi device itself is great, by the way - please don't let Verizon's poor handling of the initial configuration turn you away from a wonderfully useful device.)

  2. Dupe? by sconeu · · Score: 2, Informative

    http://mobile.slashdot.org/article.pl?sid=10/02/02/1632203

    --
    General Relativity: Space-time tells matter where to go; Matter tells space-time what shape to be.
    1. Re:Dupe? by rhsanborn · · Score: 4, Informative

      Not a dupe, just double embarrassment for Verizon. Femtocells are devices used to extend cellular coverage, usually in your home or office, generally via your own internet connection with a box you generally have to pay extra for. The MiFi device is a mini wireless access point that has a built in cellular access. It allows you to share your Verizon cellular internet service with friends or coworkers.

    2. Re:Dupe? by fibrewire · · Score: 2, Interesting

      No doubt that when the femtocell article was posted, someone was like "Hey, i can do that on a Verizon MiFI because it not only does it use the same technology, but allows me to get far more useful data than anyone would be doing over a phone"

      Does this mean that Verizon should stop promoting the MiFi as a small business tool? Aren't small businesses without a clue the only ones purchasing the MiFi anyway? No clue = not security conscious

    3. Re:Dupe? by sconeu · · Score: 1

      Not necessarily. I've considered it for long trips to/from my daughter's university. My netbook doesn't have a wireless modem, but it does have WiFi. Ditto for my daughter's fullsize laptop.

      I'm sure that there are other people (not businesses) who are buying or considering a MyFi sort of thing.

      --
      General Relativity: Space-time tells matter where to go; Matter tells space-time what shape to be.
  3. Slightly misleading title by Scorpion_1169 · · Score: 5, Informative

    To clarify, this exploit is only for the configuration as shipped from the factory. Just like most consumer routers, you can reconfigure the SSID and WPA-PSK values via a web interface.

    1. Re:Slightly misleading title by Overzeetop · · Score: 4, Funny

      To clarify, this exploit is only for the configuration as shipped from the factory. Just like most consumer routers, you can reconfigure the SSID and WPA-PSK values via a web interface, but almost nobody does.

      Fixed that for you. Yes, yes, people are getting better with their home routers. For most people, if you mention SSID and WPA-PSK, it will probably be countered with a WTF?

      --
      Is it just my observation, or are there way too many stupid people in the world?
    2. Re:Slightly misleading title by Frosty+Piss · · Score: 1

      To clarify, this exploit is only for the configuration as shipped from the factory.

      In other words, this is not news. Everyone know that you change the default factory pass and ID...

      --
      If you want news from today, you have to come back tomorrow.
    3. Re:Slightly misleading title by stoolpigeon · · Score: 4, Insightful

      They wont know what it's called but they have a good chance of knowing that they need to "give their wireless a name and password". I can see anywhere from 5 to 8 wireless networks from my home on any given day. All have non default ssids and passwords. I doubt they were all set up by IT professionals. My guess is a lot of 'regular' folks have clued in.

      --
      It's hard to believe that's how Micronians are made. Why don't we see it right now by having you both kiss one another?
    4. Re:Slightly misleading title by MerlynEmrys67 · · Score: 1
      No - what has happened is that almost every (all that I have seen - but that isn't anywhere close to an exhaustive search) consumer router now comes with a "setup" disk. You attach the router to your computer - run the setup disk and it prompts you to give it a password. From there it created a file that you put onto a USB key that you can give all of your friends to import into the Windows Wireless profile manager - and imagine that... easy security.

      Just realize that your dad will loose this file AND the password - requiring a cross country flight to visit.

      --
      I have mod points and I am not afraid to use them
    5. Re:Slightly misleading title by Lumpy · · Score: 1

      Then why is there over 20 AP's on my block that are broadcasting "Linksys" on channel 6 with no key or even passwords for accessing the config.

      It seems like NOBODY knows this.

      --
      Do not look at laser with remaining good eye.
    6. Re:Slightly misleading title by darkmeridian · · Score: 3, Insightful

      New routers come with software that change the SSID and sets up encryption. Also, people are used to stealing wifi from others, when they get their own wifi, know to encrypt it.

      --
      A NYC lawyer blogs. http://www.chuangblog.com/
    7. Re:Slightly misleading title by natehoy · · Score: 1

      Just realize that your dad will loose this file AND the password - requiring a cross country flight to visit.

      Or at least instruction on how to press-and-hold the reset button on the back of the router for 30 seconds. On nearly every router I've heard of, that forces a factory reset, then you have them go through the setup process again.

      Of course, if your dad is ponying up for a cross-country flight to come visit, I'd be the last one to interfere with good family relationships... :)

      --
      "This post contains words, known to the State of California to cause thought. Wash brain thoroughly after reading."
    8. Re:Slightly misleading title by Anonymous Coward · · Score: 1, Insightful

      It helps to also write the SSID and Password down on a piece of paper and tape it to the router. Writing down passwords is generally bad practice, but in this situation if the person is already inside your house with physical access to your equipment then they could also just plug in an Ethernet cable for access.

    9. Re:Slightly misleading title by interkin3tic · · Score: 3, Funny

      All have non default ssids and passwords.

      Yes, for example in my neighborhood there is a "dontstealmyinternet," which doesn't require a password, and a "freewifi" which does. I find that odd.

    10. Re:Slightly misleading title by stoolpigeon · · Score: 1

      Yeah - I think ssids are pretty interesting. Someone should collect good ones. If I've thought of it now, there's probably a site that's been doing just that for a while.

      --
      It's hard to believe that's how Micronians are made. Why don't we see it right now by having you both kiss one another?
    11. Re:Slightly misleading title by jandrese · · Score: 3, Interesting

      That freewifi one might be a guy who isn't even using wifi. If you've ever hung around airports looking for a wireless signal, there is always somebody broadcasting "Free Wireless Internet" or similar SSIDs in ad-hoc mode. Apparently this is a side effect of how some drivers deal with the situation where they can't find a usable access point. If they see an ad-hoc network, they'll "join" it as well, and then start broadcasting the ad-hoc ssid as their own. Thus, in crowded places where people are using Windows (like airport waiting areas), the Free Wifi bug will spread like a disease. It has been like this for years too.

      --

      I read the internet for the articles.
    12. Re:Slightly misleading title by Anonymous Coward · · Score: 0

      I'm going to set up a access point called "COMPLETELY FREE WIFI" and redirect all web traffic to Goatse.

    13. Re:Slightly misleading title by ottothecow · · Score: 1
      I always wondered what that was.

      I see it all the time and it looks like some sketchy malicious AP (you know...email your secret business documents through my free airport wifi please) but I figure that it can't be since it does not actually work. If you are going to sniff peoples data and do a MITM...you need to actually provide something on the other end.

      --
      Bottles.
    14. Re:Slightly misleading title by Anonymous Coward · · Score: 0

      I get about 10-20 APs listed in my apartment (depending on the day/location in my apartment). Not a single one has no password. Anecdotal evidence sucks.

    15. Re:Slightly misleading title by Chris+Mattern · · Score: 1

      Owning a Mi-Fi myself (although Sprint, not Verizon), this article was worrying me a bit. But it looks like you can only get bit by it if you're a moron. Reconfiguring the SSID and encryption keys is of course the very first thing I do with any Wi-Fi access point. No worries.

    16. Re:Slightly misleading title by Anonymous Coward · · Score: 0

      Is that what you are supposed to do with that disk? Shoot - I always toss that and the manual aside and just add a second IP address to my NIC of 192.168.1.100 and then point my browser at 192.168.1.1 and configure the thing. Sometimes (depending on brand) I need to open the manual for the "default password", other times I don't have to look it up. Then I set the thing for the correct network and configure security and all that.

      I guess it is interesting to know how the "other folks" (the non-IT people) deal with their routers. I generally never want to put some manufacturer disk in my computer.

    17. Re:Slightly misleading title by thewils · · Score: 1

      I think a good ssid name would be "honeypot".

      --
      Once I was a four stone apology. Now I am two separate gorillas.
    18. Re:Slightly misleading title by Coren22 · · Score: 3, Interesting

      My wifis show up as "GetCurtainsISeeYou" and "ImDatingYourDaughter" Figured I would screw with the neighbors.

      --
      APK likes to ask for responses to the same things over and over. Maybe he just likes the responses?
    19. Re:Slightly misleading title by thetoadwarrior · · Score: 1

      They're missing out on the fun. It's awesome to name your connection things like "my neighbour's wife gives awesome head" or "Your mother touches me there too".

    20. Re:Slightly misleading title by interkin3tic · · Score: 1

      There is another one in the area called "virusporno" which I can only assume is a lot of shared porn in which the actors and actresses have horrible sexually transmitted infections.

    21. Re:Slightly misleading title by Anonymous Coward · · Score: 0

      What I find most strange is that nobody uses spaces in SSIDs. Spaces (and punctuation, etc.) are not special characters and can be used without problems. "Don't steal my internet!" is a valid SSID.

    22. Re:Slightly misleading title by Anonymous Coward · · Score: 0

      If this is true, then why was that jailbroken iPhone SSH 'bug' so successful? It involved similar circumstances.

    23. Re:Slightly misleading title by tlhIngan · · Score: 3, Interesting

      That freewifi one might be a guy who isn't even using wifi. If you've ever hung around airports looking for a wireless signal, there is always somebody broadcasting "Free Wireless Internet" or similar SSIDs in ad-hoc mode. Apparently this is a side effect of how some drivers deal with the situation where they can't find a usable access point. If they see an ad-hoc network, they'll "join" it as well, and then start broadcasting the ad-hoc ssid as their own. Thus, in crowded places where people are using Windows (like airport waiting areas), the Free Wifi bug will spread like a disease. It has been like this for years too.

      Actually, it's more of a Windows side effect.

      User connects their laptop to "Free Wireless Internet" AP (a real, live accesspoint). User then leaves, and parks butt in another location. Windows again looks for a network with SSID "Free Wireless Internet" as well as doing scans for other networks (ad-hoc or otherwise). Inadvertently, it also broadcasts this as an ad-hoc SSID, so a second user doing a scan sees it and tries to connect. They fail (obviously), but now their laptop will look for an ad-hoc network called "Free Wireless Internet", to which others will try to connect, fail, and broadcast anew ad-hoc network.

      It's spread to the point where you can see that SSID everywhere. A viral SSID, effectively.

      http://www.wlanbook.com/free-public-wifi-ssid/
      http://blogs.chron.com/techblog/archives/2006/09/free_public_wif.html

      A bit more Googling will reveal a ton more of same. Of course, it's trivially simple for someone to really do set up a real MITM using tihs viral SSID, so beware.

    24. Re:Slightly misleading title by Anonymous Coward · · Score: 0

      Someone in the trailer-park where my friend lives has "BigFatFloppyDick". I'm not sure what's worse -- the SSID or the trailers.

    25. Re:Slightly misleading title by Lord+Ender · · Score: 1

      It's actually pretty rare to encounter an unencrypted wifi access point these days. And the few that are unencrypted tend to have some sort of security at another layer (browser-based authentication, for example). This would suggest that most people actually do know how to enable security on their routers.

      --
      A slashdotter who didn't build his own computer is like a Jedi who didn't build his own lightsaber.
    26. Re:Slightly misleading title by Culture20 · · Score: 1

      User connects their laptop to "Free Wireless Internet" AP (a real, live accesspoint). User then leaves, and parks butt in another location. Windows again looks for a network with SSID "Free Wireless Internet" as well as doing scans for other networks (ad-hoc or otherwise). Inadvertently, it also broadcasts this as an ad-hoc SSID, so a second user doing a scan sees it and tries to connect. They fail (obviously), but now their laptop will look for an ad-hoc network called "Free Wireless Internet", to which others will try to connect, fail, and broadcast anew ad-hoc network. It's spread to the point where you can see that SSID everywhere. A viral SSID, effectively.

      This sounds like a great basis for an "around the world in 80 days" style bet: "I bet I can start a 'Free Porno Libre' SSID in Alaska and you'll see it spread to Morocco, Japan, Paris, and Beijing in less than five days". It might even kill "Free Wireless Internet" as the default viral SSID.

    27. Re:Slightly misleading title by dissy · · Score: 1

      If you've ever hung around airports looking for a wireless signal, there is always somebody broadcasting "Free Wireless Internet" or similar SSIDs in ad-hoc mode.

      While this can be (and usually is) a side effect of how windows does network sharing automatically, one should be at least aware of the fact this is also used as a well known attack vector.

      EvilDude sits at airport, pays $40 or whatever for a days worth of paid wifi, then his laptop (in his backpack out of sight) uses one card to jump on the paid wifi for internet uplink, and broadcasts an ad-hoc network under a name using 'free' in the SSID.

      The logic is, anyone that jumps on his wifi to avoid paying, will then have their traffic all routed through EvilDudes laptop, where it is comfortably logged for later parsing.

      You still have the same level of problems with SSL MitM attacks, so https at least is usually somewhat safe. But plain text is an instant lost cause.

      If EvilDude gets enough credentials to log into a bank account and steal about $200, he can then upgrade to a Cisco aronet wifi card for his 2nd card. He then has the ability to put the card in to true access point mode.
      No more ad-hoc ickiness, just pure infrastructure mode access point offerings.

      Makes it really difficult to tell other than by SSID.

      Not trying to scare monger, as this attack vector is still rare. More a reminder to always practice safe browsing while on an untrusted uplink!

    28. Re:Slightly misleading title by Anonymous Coward · · Score: 0

      The scary part is that lots of 'regular' folks that have clued in think that using there phone number as there password is secure

    29. Re:Slightly misleading title by lymond01 · · Score: 1

      If it were just like consumer routers, you wouldn't need a hack. Just download the manual from the web and look up the default admin password.

      "Hah! I've tunneled under your foundation, broken through your basement floor, picked the lock on your basement door, and finally let myself in to join you for some refreshments and perhaps a movie."

      "The front door was unlocked."

    30. Re:Slightly misleading title by zonky · · Score: 1

      I've seen one in Wellington, NZ titled 'FreeMidgetPorn'.

    31. Re:Slightly misleading title by ErkDemon · · Score: 1
      I once came across one broadcasting the ID "Al Quaeda".

      I thought, "Well, I'm not going to be piggybacking on THAT".

      --
      Eric Baird
    32. Re:Slightly misleading title by X0563511 · · Score: 1

      Easy enough to do. I could shove a WRT54GL board into something, and it can provide an access point while at the same time connecting to another. It's not gonna happen with stock firmware, but hell... if you're after this, that's not gonna bother you.

      Or, you could even just throw two in and bridge them. One serves, one connects.

      --
      For large sets, this will be our guide even unto death, for the LORD will work for each type of data it is applied to...
    33. Re:Slightly misleading title by X0563511 · · Score: 1

      Even better, EvilDude can actually know what he's doing and broadcast in 'master' mode. No ad-hoc nonsense required.

      --
      For large sets, this will be our guide even unto death, for the LORD will work for each type of data it is applied to...
    34. Re:Slightly misleading title by jimthehorsegod · · Score: 1

      Anecdotal evidence sucks.

      Actually I find quite the opposite...

    35. Re:Slightly misleading title by ottothecow · · Score: 1
      oh yeah, it certainly wouldn't be hard. Laptop with an extra wireless card, bridge the pay wifi (or a 3g connection) and start watching your traffic.

      The only issue is that I have never ever connected to one of these "Free Airport Wifi" and had it give me a real connection so the GP's explanation makes a lot of sense.

      --
      Bottles.
  4. Default settings by Nickodeemus · · Score: 4, Insightful

    This article is pointless - it points out how to overcome the encryption on a MIFI that has the default settings in place.

    If you deploy any networking device with default settings in place, you deserve to be compromised.

    Take 30 minutes to reconfigure the device using default settings and this is a non-issue.

    1. Re:Default settings by querist · · Score: 4, Insightful

      This article is NOT pointless, especially when you consider that the password is the ESN. That greatly narrows down the possible values because the first part of the ESN is assigned by manufacturer. Also, it is NOT pointless because the average person will look at that long string of seemingly random numbers, and the strings are different for each unit because the string is the ESN of the chip, and will think that it is a secure, randomly generated number. The length of the password itself is good. It is the fact that several of the digits are predictable, thus significantly reducing the number of values you need to try, that makes this significant. The average person will not know this and will THINK that it is secure. My own testing: average time to break (on units that I had legal permission to scan, of course) was just over four minutes after forcing a reset. This article is a wake-up call to companies that are issuing these things that they need to fix those passwords.

    2. Re:Default settings by interval1066 · · Score: 1

      Nickodeemus is kind of right though, the moral of this story, as is the moral of all stories of this type; CHANGE THOSE DEFAULT SETTINGS.

      --
      Python: 'And then suddenly you have a language which says "we're all stuck with whatever the whiniest coder wants".'
    3. Re:Default settings by Chris+Pimlott · · Score: 1

      Also, it is NOT pointless because the average person will look at that long string of seemingly random numbers, and the strings are different for each unit because the string is the ESN of the chip, and will think that it is a secure, randomly generated number.

      You raise a good point. Any time you ship with a dummy/example/default value that should be changed, you need to make it blindingly obvious to the user--or better yet, require it be changed on first use. Being excessively tolerant to bogus data often just hides or delays problems until a later time.

    4. Re:Default settings by Chris+Mattern · · Score: 1

      This article is NOT pointless, especially when you consider that the password is the ESN.

      For about 10 seconds, then I finish changing it. Why would I trust their unknown password generation process when I can use apg, which I *know* generates random passwords?

    5. Re:Default settings by querist · · Score: 1

      I agree with you, and with Nickodeemus and the other who all say that you should change the password ASAP, but the point I was trying to make (and apparently did not) was that to the average person, not the technically adept person, the long string of numbers appears to be a completely random string and seems perfectly strong. The only reason I cracked this thing several months ago was that I did some recon on "MiFi" online first and discovered the manufacturer and the range of ESNs assigned, then I noticed pictures that had the last part of the password blanked out and I saw that the first part matched the first part of the ESN range for the manufacturer. Numbers of that length would be decent passwords if they were not predictable. They never should have used the ESN. Even if they did something simple like HASHING the ESN it would have worked, because you normally can't see the ESN unless you've already attached to the device. That way, they still would have had a unique password for each device (the hash of the ESN instead of the ESN) but it would not be so easily predictable. Such is life, I guess.

    6. Re:Default settings by StillNeedMoreCoffee · · Score: 1

      I'm sick and tired of this attitude that makes victims responsible for the crimes against them. Like well its her fault for dressing up so attractivily, she deserved what she got. Or doesn't he know not to walk in that neighborhood, he deserved what he got. Or didn't he do exhaustive checking with all sorts of agencies before investing with Maddoff, oh wait, he did and they all said things were good, well he deserved to get cheated.

      That puts blame where it does not belong. It is the argument used by those that break into peoples computers. Well they should not have let me steal from them, they are dumb and deserve it. Very wrong headed, lets not forget, people who commit crimes are at fault, period.

         

    7. Re:Default settings by thePowerOfGrayskull · · Score: 1

      It remains fairly pointless -- since most APs now come with configuration software that prompts you to change both SSID and . TFA was a good academic exercise, but if the setup packaging is structured so that you have to go out of your way to leave the default values in place, then it's of very limited use. It's only relevant if these devices *don't* come with such a setup (not having one, I don't know either way...)

    8. Re:Default settings by mirix · · Score: 1

      Do you lock the door on your (car | house)?
      Obviously the person breaking into your house is committing a crime, but if you don't even bother to lock it, you're at least partly to blame, right?

      --
      Sent from my PDP-11
    9. Re:Default settings by StillNeedMoreCoffee · · Score: 1

      No, there is no excuse for a crime. None. You can not be blamed for leaving your car unlocked. You should not have to lock your car. Out in the rural area's people don't lock their cars or their houses. That is the way it should be. There the same rule holds.

      It would be like you were saying, you did not buy automobile insurance so you deserve to get in an accident.

  5. Gotta love the article by powerlord · · Score: 3, Funny

    From The Fine Article:

    Change the Default SSID: Change the default SSID from "Verizon MiFi2200 XXXX Secure" to another value that is not common, but not unique either (somewhere in the middle) to mitigate precomputed PSK attacks, as well as general wireless anonymity attacks.

    I suggest using linksys or netgear. :D

    Nothing like watching script kiddies THINK they know what the router is, and bashing their heads trying to figure out why they can't get into what MUST be an unconfigured network.

    Only catch is if you're in an environment with lots of them pre-configured in which case 'FreeWiFi' is also good (with a nice strong random password of course :P ).

    --
    This space for rent. All reasonable inquiries will be entertained at proprietors discretion.
    1. Re:Gotta love the article by Anonymous Coward · · Score: 4, Funny

      Nothing like watching script kiddies THINK they know what the router is, and bashing their heads trying to figure out why they can't get into what MUST be an unconfigured network.

      Even better - get a plain linksys router, set it to factory default settings, but don't connect it to internet.

      Script kiddies keep trying to figure out why they can't connect to the internet...

    2. Re:Gotta love the article by Volante3192 · · Score: 1

      You are my hero for today sir, best thing I've read all day.

    3. Re:Gotta love the article by Anonymous Coward · · Score: 1, Informative

      Here i was thinking i was the only one to do this for fun.

      Even funnier if you connect a tiny computer to it (or custom firmware) to dump anything they are doing to a memory stick or something, just so you can laugh at their attempts.
      I say tiny computer because then you can setup some Linux OS, make it look like Windows XP (requires a liiiitle bit of effort), set up VNC and watch the idiots try to hack Linux with Windows viruses.
      "What the fuck, my EXEs aren't running"

      Shame i'm no longer in a place with a lot of people anymore. That router is sitting being useless in a box.
      I should set it up one day and go in to a town and watch as hundreds of people try to connect to "Free WiFi 100Mbit [random-company-sounding-name]"

    4. Re:Gotta love the article by Anonymous Coward · · Score: 0

      Parent:

      in which case 'FreeWiFi' is also good (with a nice strong random password of course :P ).

      by interkin3tic (1469267) (#31013252):

      in my neighborhood there is a "dontstealmyinternet," which doesn't require a password, and a "freewifi" which does. I find that odd.

      You have met, apparently.

    5. Re:Gotta love the article by sconeu · · Score: 1

      That is so cruel. I love it!!!!

      --
      General Relativity: Space-time tells matter where to go; Matter tells space-time what shape to be.
    6. Re:Gotta love the article by Anonymous Coward · · Score: 0

      Dumb move. An unconfigured router can be bricked remotely.

    7. Re:Gotta love the article by thePowerOfGrayskull · · Score: 1

      I say tiny computer because then you can setup some Linux OS, make it look like Windows XP (requires a liiiitle bit of effort), set up VNC and watch the idiots try to hack Linux with Windows viruses.

      That sounds like an awful lot of time that could be better spent looking at po... erm, poetry and stuff.

    8. Re:Gotta love the article by powerlord · · Score: 1

      Yeah, but just think, if we create a small distro for this. :)

      --
      This space for rent. All reasonable inquiries will be entertained at proprietors discretion.
    9. Re:Gotta love the article by ckaminski · · Score: 1

      I've done that with XP machines in VMs that I nice'd down to 286 speeds. :-)

      Must have been annoying! '

    10. Re:Gotta love the article by powerlord · · Score: 1

      So HE'S the one that tried to hack my WiFi!! ;)

      --
      This space for rent. All reasonable inquiries will be entertained at proprietors discretion.
    11. Re:Gotta love the article by Anonymous Coward · · Score: 0

      You forgot one important step. Set it up so that it gives them a virus as soon as they connect. Yes I know that's evil, but freeloaders suck and need to be shat upon.

  6. Please stop by Anonymous Coward · · Score: 0, Flamebait

    using the words "own" and "pwn."

  7. The "Password" is the ESN by querist · · Score: 3, Informative

    The Password is the ESN of the CDMA chip.

    1. Re:The "Password" is the ESN by Chris+Pimlott · · Score: 2, Informative

      Worse yet, it appears that 14 of the 32 bits of the ESN are fixed for a given product (emphasis mine):

      The Electronic Serial Number (ESN) is a 32-bit number assigned by the mobile station manufacturer which uniquely identifies the mobile station equipment. The rules to be followed by manufacturers for assigning the ESN are given in the IS-95 standard. Binary digits are allocated for a manufacturer's identity code (8 bits), the equipment serial number (18 bits), and 6 bits are reserved. ESN, and MIN1, along with other digital input, are used during the authentication process.

      Source

  8. that's not a bad default choice... by BitwiseX · · Score: 1

    * Manufacture Year: "09" represents the 2-character year of manufacture. * Manufacture Month: "11" represents the 2-character month code. * Manufacture Day?: "19" represents the 2-character day code (NB: This could be wrong, one sample had a value of "34" here, need more data). * Sequential Identifier: "00891" represents the 5-character sequential identifier code. Based on this assessment, we can determine that the password selection for the MiFi default is weak. Instead of 11 numeric values with an effective entropy of approximately 36 bits, the MiFi password only has an effective entropy of less than 17 bits for a given 6-byte prefix. If the concept of a manufacture date-stamp is true for the 6-byte prefix, then we have a relatively small search space to find the default MiFi PSK.

    Weak? maybe....but as far as DEFAULT passwords go that seems above average to me! You mean it's not EXACTLY THE SAME on every device manufactured? That's a good thing! In many cases I'd think that's a better password choice than many users would choose for themselves.

  9. Verizon FiOS routers allow login from WAN by 140Mandak262Jamuna · · Score: 3, Interesting

    I got a verizon FiOS service. The router they gave me runs a web server and throws a username/password dialog to the WAN side. That part can not be disabled by the user. They claim it is used to push firmware upgrades and other service settings changes. But instead of making the device make outbound calls to specific servers, they are relying on a simple username/password dialog. Hope they are using some randomly generated password stored in tables in a secure location. Thus even if a password is compromised, the damage is limited to that router. If it is a formula based password generator, there is potential for widespread pwning of verizon routers.

    --
    sed -e 's/Chuck Norris/Rajnikant/g' joke > fact
    1. Re:Verizon FiOS routers allow login from WAN by jandrese · · Score: 2, Interesting

      It's the same password on every device. No tech wants to go around looking up passwords for everything he connects to.

      --

      I read the internet for the articles.
  10. "Owned" by N0Man74 · · Score: 5, Insightful

    Really? Headlines with "owned" and summaries with "ownage"?

    Did we go from "News for Nerds" to "News for Teenage Online Gamers" recently, or would that require taking it one step further and using the "Pwn" form of the word. Maybe we should sprinkle in a "MiFi Fail!" in there somewhere too.

    1. Re:"Owned" by Anonymous Coward · · Score: 0

      It's actually a term used a lot even between professionals of the industry.

    2. Re:"Owned" by cptnapalm · · Score: 1

      MiFi Fail: Pwn!
      I see the pass of a Verizon!

    3. Re:"Owned" by Anonymous Coward · · Score: 1, Funny

      It's pwned and pwnage. "Pwn" does not exist.

    4. Re:"Owned" by Anonymous Coward · · Score: 0

      lolumad?

    5. Re:"Owned" by Anonymous Coward · · Score: 0

      Yeah, Charlie Miller definitely is an amateur.

      Thanks for proving you're as dumb and clueless as I thought, though. :)

  11. Submitter is clueless on what 0wnage is by NitroWolf · · Score: 1

    The submitter of this article is apparently clueless as to what "0wnage" is ... the router is not owned. You've hacked a password to allow you to use the router. To own the router, you would need root access. You don't have that with this attack... you have a simple WPA-PSK password. Big deal... anyone can do that with a bit of time on their hands and a Backtrack 4 CD on laptop. Wheeee... you are a l33t scr1pt k1ddie now!

    It's an interesting article from the standpoint of how an unconfigured router is insecure (that is to say, it's the article isn't really that interesting since everyone should know by now that an unconfigured router is insecure) - but it's not news and it's not really useful. It's DEFINITELY not ownage in any way, shape or form.

    1. Re:Submitter is clueless on what 0wnage is by natehoy · · Score: 4, Interesting

      The funny part of this story is that Verizon routers take so much effort to hack based on their default configuration. I read it as a good move on Verizon's part.

      It's just hard enough that someone thinks that "hacking" it is some form of accomplishment. That's pretty impressive given that this is a default configuration, which by definition has to use some form of predictable algorithm for their password. At least they are shipping them with OK encryption enabled by default and a password that takes 4 minutes to crack.

      Now, if someone managed to hack into one of these gizmos and get free Internet after a user changed the password to a properly secure one, that would be news.

      I was at my father's house once, setting up a new wireless router. This was a few years ago. The directions said to plug it into the Internet, power it up, connect to it, and set up wireless security (optional). The problem is, the wireless side comes on at first power-up, and it's an open access point. So I connected all the cables, plugged it in, went to go get a cup of coffee, and by the time I returned 15 minutes later the wireless light was blinking solid and someone had already changed the configuration password. I had to do a factory reset and beat the guy to the configuration screen when it powered up again. There was no way to tell the router to power up without wireless enabled, and the antenna was not removable. I was seriously considering wrapping the !@#$ thing in tin foil to give me enough time to get the admin password changed, but on the third try I beat the little bastard to it or he gave up.

      I can imagine that 90% of Internet users at the time would simply have powered up their router, seen the access point name, connected to it, and gone on blissfully unaware that a script kiddie next door had set up port forwarding and was running a Torrent client or webserver off their connection.

      I think the fact that it takes 4 minutes to hack into a default-configured router is a pretty good indication of how far we've come. Maybe not far enough, but still pretty far.

      --
      "This post contains words, known to the State of California to cause thought. Wash brain thoroughly after reading."
    2. Re:Submitter is clueless on what 0wnage is by bill_mcgonigle · · Score: 1

      someone had already changed the configuration password. I had to do a factory reset and beat the guy to the configuration screen when it powered up again.

      Next time, use a wireless sniffer and find his MAC. Then find that MAC's physical location based on signal strength (he has to be close). Then beat the hell out of him and tell him that's what happens to punks who screw with your dad's IT.

      --
      My God, it's Full of Source!
      OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
    3. Re:Submitter is clueless on what 0wnage is by Anonymous Coward · · Score: 0

      Here's another scenario where insecure defaults are bad:

      What do you when your relative or friend later calls Verizon about some line trouble he doesn't want to bother you with and Verizon has him reset the router, returning the router password to its default without your knowledge?

      This has happened to me more than once.

  12. Article summary is wrong. by ptbarnett · · Score: 3, Informative

    a simple attack that allows him to recover the passwords for any Verizon MiFi device.

    The attack is based on searching through a limited set of default passwords.

    Changing the password to something other than the default prevents this attack. I don't have a Verizon MiFi device, but I have one from Sprint. By default, it was an open access point. I quickly changed it to something else before I left the store, and changed it again later at a distant location over the (somewhat) secure connection.

    It was literally the first one sold from the store where I bought it. Sprint may have since changed to something like Verizon has done, with a (non-) random password. But, I would have changed it anyway.

    My Verizon router (for FIOS) had a similar setup, although I don't think it's a predictable SSID and password. However, it was WEP-64. Needless to say, it was the first thing I changed.

    An aside: I made the initial connection and changed the password in the Sprint store with my iPhone. The staff was really amused by that, and asked how fast the connection was. I used the iPhone speedtest to tell them -- about the same as the PCMCIA Sprint AirCard I had before this.

  13. Bad summary by Anonymous Coward · · Score: 0

    When I read that summary, the first thing I thought was that it was ANY MiFi router, default or not. The poster needs to mention default passwords. The problem is, we can talk about default passwords being weak all we want, but it HAS to be possible to communicate it to the person who configures it.

    Once they get to using truly random methods to generate totally random keys, we'll be raking them over the coals for daring to print it in the owner's manual where someone could find it and hack into your wireless network.

    The fact is, no matter how secure a device is, a determined idiot will make it insecure. We need to devote time to making users pay attention to security. The problem is that they don't WANT to pay attention to security (until they get hacked).

  14. What have you gained by slapout · · Score: 1

    Isn't the whole point of the MiFi to provide internet access? So, what have you gained? And it's meant to be moved around a lot -- once you hack it, it'll be out of range soon anyway.

    --
    Coder's Stone: The programming language quick ref for iPad
  15. Nice try! by evilviper · · Score: 1

    From TFA:

    we can get down to exploiting a given MiFi device. We don't know how many 6-byte prefixes are in use, but that's where YOU THE READER come in. Please let me know what prefixes you see on your individual devices, and I'll add them to the attack set.

    I've seen more enticing offers in my Spam box...

    How many people are really going to take him up on this offer, exactly? If you understand the topic, you know you'll be making it much easier for people to break-in to the service your paying for, and at worse, perhaps making your own device stick out like a sore thumb as it becomes one of very few submitted... But even if you're completely ignorant of what's going on here, the phrasing is plenty menacing anyhow...

    "Gee. He wants me to e-mail him my secret ID# so he can add my device to the attack set? Sure! Why not?"

    --
    Slashdot gets worse every day... Pipedot: News for nerds, without the corporate slant