MiFi Pwned!
Wireless hacking guru Josh Wright has just announced that he has created havoc with a MiFi personal access point. MiFi is a little device that turns 3G wireless signals into WiFi. The cool thing is that the wireless signal can be shared with other nearby computers. According to Josh, he has found a way that, "An attacker can recover the default password from any MiFi device." This is big news because anyone who is involved with wireless networking knows that way too many devices are deployed in their default configuration.
I recently spoke with a client who was concerned about the use of MiFi in their corporate environment. Well-intentioned folks, both employees and contractors, were using these MiFi devices to bypass corporate wireless policy and make their lives a bit easier. Wireless policies are in place for a reason and users should not be allowed to get around them with impunity. MiFi poses several risks, not the least of which is that an authorized user can be on the wired and MiFi network at the same time. This could allow a malicious insider to steal confidential information from the network and then send it out via the MiFi connection. Think of MiFi as a wireless USB drive.
But wait! Josh found more. It turns out, "The MiFi also has a hidden advanced configuration page" that could allow an attacker to really have some fun. For example, Josh was able to change the security settings to allow WEP, a long-broken encryption and authentication protocol that shouldn't even be included in new wireless devices. Fun.
So what should you do? MiFi devices are fine for hotel rooms and airports but they should not be allowed in corporations. Enterprises should restrict their use by policy and then continuously scan the air to find and disable any MiFis that are in use within the corporate perimeter. Users, of course, should change all of the default settings as soon as they get the device.
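One way to triage the results of such an air scan, as an added example that is not from the original post or from Josh Wright's research. It assumes a constructed CSV survey format, a hypothetical inventory of authorized BSSIDs, a signal threshold standing in for "inside the perimeter", and an SSID substring heuristic for MiFi devices.

```python
import csv
import io

# Constructed sample survey data (BSSID, SSID, encryption, signal in dBm).
# The column layout is an assumption for this example, not any scanner's real output.
SAMPLE_SURVEY = """bssid,ssid,encryption,signal_dbm
00:11:22:33:44:01,CorpNet,WPA2,-48
00:11:22:33:44:02,CorpNet,WPA2,-61
02:AA:BB:CC:DD:10,Example MiFi 1234,WPA,-52
02:AA:BB:CC:DD:11,mifi-travel,WEP,-58
02:AA:BB:CC:DD:12,CoffeeShopGuest,OPEN,-88
"""

# Assumed inventory of sanctioned corporate access points.
AUTHORIZED_BSSIDS = {"00:11:22:33:44:01", "00:11:22:33:44:02"}
# Assumption: signals stronger than this are treated as inside the perimeter.
PERIMETER_DBM = -70


def find_rogue_hotspots(survey_text, authorized=AUTHORIZED_BSSIDS,
                        perimeter_dbm=PERIMETER_DBM):
    """Return findings for unauthorized APs that appear to be on site."""
    findings = []
    for row in csv.DictReader(io.StringIO(survey_text)):
        bssid = row["bssid"].strip().upper()
        if bssid in authorized:
            continue
        signal = int(row["signal_dbm"])
        if signal < perimeter_dbm:
            continue  # too weak: probably a neighbour, not inside the building
        reasons = ["unauthorized BSSID inside perimeter"]
        # Heuristic only: SSIDs are user-changeable, so this is a hint, not proof.
        if "mifi" in row["ssid"].lower():
            reasons.append("SSID suggests a MiFi hotspot")
        if row["encryption"].strip().upper() in {"WEP", "OPEN"}:
            reasons.append("weak or no encryption (%s)" % row["encryption"])
        findings.append({"bssid": bssid, "ssid": row["ssid"],
                         "signal_dbm": signal, "reasons": reasons})
    # Strongest signal first: the closest device is the easiest to locate.
    return sorted(findings, key=lambda f: f["signal_dbm"], reverse=True)


if __name__ == "__main__":
    for f in find_rogue_hotspots(SAMPLE_SURVEY):
        print(f["bssid"], f["ssid"], f["signal_dbm"], "; ".join(f["reasons"]))
```

Because a user can rename the hotspot, the authorized-BSSID check does the real work here; the SSID and encryption reasons only help prioritize which device to track down first.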
Are you using MiFi? Have you changed the default settings? Should your company allow you to use it in their buildings? This is going to be entertaining to watch.