Yesterday’s news that hackers had figured a way to illicitly access the Novatel Wireless MiFi 2200 and pull out GPS location data had some users looking anxiously at their personal internet hotspot. Novatel’s official comment on the situation has come in, and the company are basically saying that while the likelihood of encountering the problem is slight, they’re still planning a security patch that will close off the hole.
“MiFi has CGI parameters that are intentionally programmable so that developers can read or change MiFi settings and build browser based widgets. Most of these are openly published by Novatel. There are other CGI settings not published for MiFi that are accessible only when a user surfs to a malicious web site and stays connected to that site. The nature of the threat is better characterized by the ability of the hacker to change MiFi settings, only when connected to the malicious site, and does not provide access to the user’s personal data. The exception to this is location data such as GPS. In this instance, the user location data is visible only when the user is connected to the malicious site and GPS is activated. No malware remains on MiFi when the user disconnects from the malicious site. Any data received or sent through MiFi is secure. Novatel will provide a patch going forward.” Novatel Wireless
We don’t have a timescale for the release of that patch, however. For the moment, the old adage that you should only click on links that come from other people or sites that you trust holds true as ever; for someone to manipulate your MiFi you need to be browsing a site using the malicious code.