E586 and the "security" key
I took delivery of a new E586 and PAYG SIM from Three yesterday, an expensive but worthwhile upgrade as my last 12-month / 12 GB PAYG SIM is about to expire and the battery in my old MiFi is on its last legs. The device is a lovely bit of design and the OLED status screen a generally welcome addition, but I'm completely taken aback by this feature:
"Usefully, the router has a pre-defined SSID and security code - just press the key button on the side and they scroll past."
I've Googled for reviews of this device and every one I've read sings the praises of this "convenient" feature that prevents you having to look inside the battery compartment (home of the default password on earlier models) when connecting a new device. What they don't tell you is that even if you change the default SSID and password to something more secure, there is NO WAY to disable the option to display it at the press of a button.
Insanity! Colleague left his MiFi on his desk while running an errand? Display that SSID and password and grab yourself a few MB of downloads on his dime. Found a lost E586? Free bandwidth and/or all that pre-paid data is yours at the press of a button.
OK, so a savvy thief might be able to lift the SIM from a more secure device and make use of it elsewhere. And not everyone works in an environment full of potential freeloading hacker wannabes like I clearly do. But why make it easy for them?
To mitigate some of the risks with this new MiFi I've had to do two things. I've enabled MAC filtering, which of course adds massively to the time taken to set up a new, legitimate client and so makes a mockery of the "convenient" time-saving security display key. And I've turned on the SIM lock, which is even more inconvenient in that it requires logging in to the device via a browser to unlock the SIM every time it's turned on (and as long as the MiFi is left on, the SIM lock offers no protection whatsoever).
Apparently users complained about the cryptic status lights on the old-style Huawei MiFis, hence the shift towards OLEDs. But at least those devices were impenetrable black boxes if you didn't have the SSID and pre-shared key. Not like the new one, which literally gives up its secrets at the press of a button.
Making things easier for the average punter is very laudable. But leaving a gaping physical security hole, without even an advanced setting option to disable it, is simply inexplicable.