1/19/2010 Update: We've received a note from a Novatel representative indicating that the CGI parameters the device uses for configuration were designed to be "intentionally programmable" to ease remote setup. The statement also clarifies that a user's data will not be exposed via this hack, and that the company is working on a patch. The full statement is after the break if you're inclined to read it.
MiFi has CGI parameters that are intentionally programmable so that developers can read or change MiFi settings and build browser-based widgets. Most of these are openly published by Novatel. There are other CGI settings not published for MiFi that are accessible only when a user surfs to a malicious web site and stays connected to that site. The nature of the threat is better characterized by the ability of the hacker to change MiFi settings, only when connected to the malicious site, and does not provide access to the user's personal data. The exception to this is location data such as GPS. In this instance, the user location data is visible only when the user is connected to the malicious site and GPS is activated. No malware remains on MiFi when the user disconnects from the malicious site. Any data received or sent through MiFi is secure. Novatel will provide a patch going forward.