The MiFi unit – which is sold on a badged basis by T-Mobile and Vodafone – acts as mobile broadband router, but on a totally wireless basis, with WiFi being used between a computer or smartphone and the device, and a 3G connection to link to the internet. According to Novatel Wireless, the GPS security vulnerability is less pronounced on the European version of the MiFi if the cellco is using the 7.15 firmware or later.
Unconfirmed reports suggest that the UK version of the MiFi unit has to be logged in to its administrator web page before a malware-infected site can subsequently trigger the unit's GPS information feed.
Commenting on the security flaw, Fortify Software, the application vulnerability specialist, says that the problem highlights the fact that manufacturers are cutting corners and failing to fully code audit products before they ship.
Richard Kirk, European director with Fortify, said: "this is symptomatic of a product that has shipped before the designers have thought through the possible security issues with their product, and failed to test the security of the device' software at all stages of its development."
Kirk added that regular security testing of the code as part of a development process ensures software that is being developed is inherently secure. In other words, he explained, this approach 'builds security into' the device – as opposed to attempting to add it after the device has been designed, as is the case in this situation.
This approach, the Fortify European director went on to say, is not only more cost-effective, but also results in applications that are much more secure, because security was considered at every step of the development process.
"This isn't singling out the manufacturer of the affected MiFi unit for specific criticism. The failure to test the security of device software at all stages in their development is a common issue amongst technology products – the days of breadboarding up a device and then manufacturing it without a security test of the software have long gone", he said.
"That approach to technology product development may have applied in the early days of computing but technology has moved on, so IT systems designers now owe it themselves, as well as their customers, to test the security of their software at all stages of product development," he added.