Novatel Wireless’ MiFi personal 3G hotspot has won plenty of admirers, but that attention has also uncovered a security loophole that could allow third-parties to not only discover a user’s GPS position but extract their entire configuration remotely. The issue, identified by EvilPacket’s Adam Baldwin, has been shown to affect the MiFi 2200 units sold by Verizon and Sprint in the US; users need only visit a certain webpage to reveal their location or have configuration settings changed.
A further exploit can extract the entire configuration of the MiFi, again in clear text, including all of the security settings. It’s unclear if the issue affects the newer, more complex MiFi 2352/2372 units, which also have applications processors. We’re waiting on an official comment from Novatel Wireless.
[via UMPC Portal]