MiFi security weakness highlights need for code auditing
News reports that the GPS-enabled Wireless MiFi unit can be persuaded to reveal its position across the internet – without the user being aware of the information leak – highlights the fact that manufacturers are cutting corners and failing to code audit products before they ship.
“As our colleagues at EvilPacket have discovered, the unit’s integral GPS interface can be hacked in such a way that a MiFi user visiting a malicious Web site can have their geographic location and passphrase revealed without their permission,” said Richard Kirk, European director at Fortify Software.
“This is symptomatic of a product that has shipped before the designers have thought through the possible security issues with their product, and failed to test the security of the device’s software at all stages of its development,” he added.
According to Kirk, regular security testing of the code as part of a development process ensures software that is being developed is inherently secure. In other words, this approach builds security into the device – as opposed to attempting to add it after the device has been designed as is what will happen in this situation.
This approach is not only more cost-effective, but also results in applications that are much more secure because security was considered at every step of the development process.
“This isn’t singling out the manufacturer of the affected MiFi unit for specific criticism. The failure to test the security of device software at all stages in their development is a common issue amongst technology products – the days of breadboarding up a device and then manufacturing it without a security test of the software have long gone,” he said.
“That approach to technology product development may have applied in the early days of computing – as seen by BBC TV’s Micro Men recently – but technology has moved on, so IT systems designers now owe it themselves, as well as their customers, to test the security of their software at all stages of product development,” he added.