Novatel says it plans to release a patch to counter a security researcher's discovery that the popular Novatel MiFi 3G router can be attacked via a malicious page to modify the settings of the device, possibly disabling the security or locking out the owner of the router.
The spokesman said the ability of a hacker to change the MiFi's settings can only be done if the user surfs to a malicious web site and stays connected to that site.
"MiFi has CGI parameters that are intentionally programmable so that developers can read or change MiFi settings and build browser-based widgets. Most of these are openly published by Novatel," the spokesman explained. "There are other CGI settings not published for MiFi that are accessible only when a user surfs to a malicious web site and stays connected to that site. The nature of the threat is better characterized by the ability of the hacker to change MiFi settings, only when connected to the malicious site, and does not provide access to the user's personal data. The exception to this is location data such as GPS. In this instance, the user location data is visible only when the user is connected to the malicious site and GPS is activated. No malware remains on MiFi when the user disconnects from the malicious site. Any data received or sent through MiFi is secure."
Novatel MiFi router hacked
Novatel's guidance for MiFi hotspot device disappointing
Verizon's answer to WiFi: MiFi