Verizon MiFi Owned By Simple Attack

Posted by timothy
from the changing-the-default-seems-smart dept.
Trailrunner7 writes "Security researcher Joshua Wright has developed a simple attack that allows him to recover the passwords for any Verizon MiFi device. The MiFi is essentially a tiny, portable wireless AP, and Wright's attack uses a simple and effective technique to get default passwords by using the device's SSID and some existing password attacks on the encryption protocols the MiFi employs. Result: complete 0wnage of any MiFi."

  • Dupe? (Score:3, Informative)

    by sconeu (64226) on Wednesday February 03, 2010 @02:19PM (#31012824) Homepage Journal
  • by Scorpion_1169 (609426) on Wednesday February 03, 2010 @02:20PM (#31012832) Homepage
    To clarify, this exploit is only for the configuration as shipped from the factory. Just like most consumer routers, you can reconfigure the SSID and WPA-PSK values via a web interface.
  • by querist (97166) on Wednesday February 03, 2010 @02:35PM (#31013016) Homepage
    The Password is the ESN of the CDMA chip.
  • Re:Dupe? (Score:5, Informative)

    by rhsanborn (773855) on Wednesday February 03, 2010 @02:45PM (#31013140)
    Not a dupe, just double embarrassment for Verizon. Femtocells are devices used to extend cellular coverage, usually in your home or office, generally via your own internet connection with a box you generally have to pay extra for. The MiFi device is a mini wireless access point that has built-in cellular access. It allows you to share your Verizon cellular internet service with friends or coworkers.
  • by ptbarnett (159784) on Wednesday February 03, 2010 @02:58PM (#31013332)

    a simple attack that allows him to recover the passwords for any Verizon MiFi device.

    The attack is based on searching through a limited set of default passwords.

    Changing the password to something other than the default prevents this attack. I don't have a Verizon MiFi device, but I have one from Sprint. By default, it was an open access point. I quickly changed it to something else before I left the store, and changed it again later at a distant location over the (somewhat) secure connection.

    It was literally the first one sold from the store where I bought it. Sprint may have since changed to something like Verizon has done, with a (non-) random password. But, I would have changed it anyway.

    My Verizon router (for FIOS) had a similar setup, although I don't think it's a predictable SSID and password. However, it was WEP-64. Needless to say, it was the first thing I changed.

    An aside: I made the initial connection and changed the password in the Sprint store with my iPhone. The staff was really amused by that, and asked how fast the connection was. I used the iPhone speedtest to tell them -- about the same as the PCMCIA Sprint AirCard I had before this.

  • by Anonymous Coward on Wednesday February 03, 2010 @03:10PM (#31013516)

    Here I was thinking I was the only one to do this for fun.

    Even funnier if you connect a tiny computer to it (or custom firmware) to dump anything they are doing to a memory stick or something, just so you can laugh at their attempts.
    I say tiny computer because then you can set up some Linux OS, make it look like Windows XP (requires a liiiitle bit of effort), set up VNC and watch the idiots try to hack Linux with Windows viruses.
    "What the fuck, my EXEs aren't running"

    Shame I'm no longer in a place with a lot of people anymore. That router is sitting being useless in a box.
    I should set it up one day and go into a town and watch as hundreds of people try to connect to "Free WiFi 100Mbit [random-company-sounding-name]"

  • by Chris Pimlott (16212) on Wednesday February 03, 2010 @03:16PM (#31013592)

    Worse yet, it appears that 14 of the 32 bits of the ESN are fixed for a given product (emphasis mine):

    The Electronic Serial Number (ESN) is a 32-bit number assigned by the mobile station manufacturer which uniquely identifies the mobile station equipment. The rules to be followed by manufacturers for assigning the ESN are given in the IS-95 standard. Binary digits are allocated for a manufacturer's identity code (8 bits), the equipment serial number (18 bits), and 6 bits are reserved. ESN, and MIN1, along with other digital input, are used during the authentication process.

    Source [cdmaonline.com]
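Added example (not part of any comment in this thread): a short Python sketch that splits a 32-bit ESN using the field widths quoted above and compares the entropy left in an ESN-derived default key with that of a user-chosen passphrase. The bit order of the fields, the function names, and the 12-character, 62-symbol replacement passphrase are assumptions made for illustration.

```python
import math

# Field widths as quoted above (8 + 6 + 18 = 32 bits). The quote gives only
# the widths; the bit order used here is an assumption for illustration.
ESN_LAYOUT = (("manufacturer", 8), ("reserved", 6), ("serial", 18))


def split_esn(esn: int) -> dict:
    """Split a 32-bit ESN into named fields, most significant field first."""
    if not 0 <= esn < 2**32:
        raise ValueError("ESN must fit in 32 bits")
    fields, shift = {}, 32
    for name, width in ESN_LAYOUT:
        shift -= width
        fields[name] = (esn >> shift) & ((1 << width) - 1)
    return fields


def unknown_bits(fixed_fields) -> int:
    """Bits of the ESN that still vary when fixed_fields are constant per product."""
    known = {name for name, _ in ESN_LAYOUT}
    bad = set(fixed_fields) - known
    if bad:
        raise ValueError(f"unknown field(s): {sorted(bad)}")
    return sum(width for name, width in ESN_LAYOUT if name not in fixed_fields)


def passphrase_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a passphrase of `length` symbols drawn uniformly at random."""
    return length * math.log2(alphabet_size)


def default_key_report(fixed_fields, new_len=12, new_alphabet=62) -> dict:
    """Compare an ESN-derived default key with a randomly chosen replacement."""
    bits = unknown_bits(fixed_fields)
    new_bits = passphrase_bits(new_len, new_alphabet)
    return {
        "default_bits": bits,            # effective entropy of the default
        "default_keyspace": 2 ** bits,   # number of distinct default keys
        "replacement_bits": new_bits,
        "gain_bits": new_bits - bits,    # what changing the default buys
    }


if __name__ == "__main__":
    # Constructed sample value, not a real device ESN.
    sample = (0xC3 << 24) | (0x2A << 18) | 0x1ABCD
    print(split_esn(sample))
    print(default_key_report(("manufacturer", "reserved")))
```
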

  • by querist (97166) on Wednesday February 03, 2010 @05:02PM (#31014786) Homepage
    This does NOT work on Sprint devices. I own one, and it came without any password by default, but with very clear instructions urging the user to set one and showing the user how to set one. (The MiFi device itself is great, by the way - please don't let Verizon's poor handling of the initial configuration turn you away from a wonderfully useful device.)
