In the two days since I posted about the security flaw in Eircom broadband routers’ default configuration, coverage has spiraled to the front page of the Irish Times and elsewhere. In the words of a former roadie for Metallica: “new shit has come to light, man”. Bart got a reply from Eircom. I am surprised to say that it looks like everyone’s favourite Irish telecoms operator (excluding BT Ireland… and Smart Telecom) are taking this seriously and responsibly. I am obliged to nitpick, however, at a particular section:
“This vulnerability makes it possible for a person with an advanced working knowledge of encryption and coding techniques to access an eircom customer’s Internet connection”
Eircom, you are missing the very crucial point here. We are not worried about the person with an advanced working knowledge of encryption and coding techniques – WEP is no protection against these guys to begin with. We are worried about the guy with NO knowledge of encryption and NO coding techniques, who can simply wander over to s4dd’s Eircom WEP Key Generator website and type in his neighbour’s SSID.
A lot of people missed the issue here, focusing instead on the demerits of WEP encryption. Here’s the analogy: someone sells you a new car with those old-fashioned locks on the side of the window that you push down / pop up. Anyone who knows what they’re doing can break through this security mechanism simply by using a coathanger, but at least your car is locked, right? What if everyone in Ireland had the key to the car? The fact that there are better ways to secure your car than using those push down / pop up buttons suddenly becomes irrelevant.
This is not about the strength of WEP – it is about being sold short. It’s about thinking you have a Cornetto when it’s really just a Wibbly Wobbly Wonder. It is also a funny story about an over-enthusiastic programmer who spent weeks thinking up an elaborate key-gen algorithm but was so distracted by the Hendrix solo in his head that he overlooked a pretty significant weakness in his magnus opus. But more importantly, it is about a false sense of security (albeit partial security) given to Eircom broadband customers.
So how will Eircom respond? According to the letter sent to Bart, they’ll contact everyone affected outlining the issue, with advice on how to handle it. They’ll be upgrading the security on their routers and will also try to improve the general security awareness of their customers. Could we ask for anything more? This does not sound like the incompetent Eircom I’m used to dealing with. Business development mangers at Monster.ie could take note!
4 Comments
Yup, good response from eircom there.. I think we should see how they follow through before we begin to sing their praises!
could be a nice money maker securing eircom networks
My name is Jim. I am from Dublin, Corks big daddy. Ok, thats not the issue here, the Chinamen made router is the issue man!
I would like to see what form the Eircom response takes, and how long it takes. Somehow, I cant see this being a top issue for Eircom to therir non-business customers, especially since the media story broke and ended in a day
well james i have to agree with everything you said, I was talking to a friend about 2 months ago and somehow we got into convo about wep/wpa and the wafle goes on sure he says i can break wep anytime i like, ummm i was thinking is this guy another self learning person like myself who has learned the way of the penguin (linux for the winblows) or has he used cygwin and got aircrack installed on windows with all them old wifi drivers ?? , so i asked him what distro do you like or how did you over come the problem with drivers and all the .dll file you have to collect to install(get it working) aircrack on windows, he looks at me with confussion in his eyes (WTH is this guy talking about) Distro what site is that he replys and you dont know how to install your wifi card i can do it for you, ummmmm i was thinking there was I installing slackware (my fav) and all the extras to get my aircrack working to test MY OWN security on MY OWN Router. and this guy is breaking the wep code and he does not know what i thought he already did know ummmm. now i was confussed so i asked if your not using what i was using what are you using and there it was on his phone a .jar file with the key generator for eircoms wep code WOOOOW. i was totaly taken back there was me for the last 4 years learning all i needed to know about wifi bluetooth and so on and this guy comes out with DEMOs eircom wep key generator EIRCOM SHAME ON YOU now anyone who gets nicked downloading illegal MP3 files can say nop it wasn’t me and point out there window, it was someone out there lmao.
what really gets up my nose about eircom is they should have 1 made a video – how to get your eircom router working – this would take about 10 minutes to make and a day to edit for one person with a small amount of knowledge of computers – this could have been added to there web site and to the disc they supply with the router.
2 phone or send a letter to all there broadband customers and asked them to change the ssid on there AP (router)
3 asked all there customers to change there wep code at least or use WPA
this would be a quick fix
but in saying what i have just done,
the worst is yet to come ALL WIFI encryption codes can be broken I KNOW coz i have done on my own routers for learning more about securing my own system.and i have noticed something else.
persons using game consoles like the PS3 or Xbox with wifi and the security WEP, well even if you are using eircom router and change your ssid AP name or using any router for that matter with WEP, the code can be broken in 20 seconds again i know I have done on my Routers (netopia-linksys-netgear) i don’t think any are immune to this. and as far as eircom telling there customers, I’m one, I have not seen a letter nor got a phone call about this issue there is one simple solution, turn your wifi on when your using it and off when your not ummmm im thinking again by simply accessing the internet on another person router all there inforamtion can be sniffed Credit card details all there keys logged, bebo user names passwords, MSN chat logged the list goes on in fact to make it really bad soneone could open up a porn site on someone elses internet connection if it was me (i would not dare but) i could have this done in say 1 hour that is set up domain name (even with dynamic ip address i can have a static domain name redirected to it)set up apache/php/mysql/ and have it open for business or send 1000000s of spam emails everyday and never get nicked now think about that all you eircom0000 0000 users.
What i can say to you eircom is, you are responsible for peoples information within your domain please secure it Now. Do the right thing please.
what i will say to all you eircom users is imagine getting a knock on the door and a police man shows you a some paper giving him/her the right to search your home and take all your computer devices out of your home, do you really know how far wifi signals can travel is there some pervert or terrorist or simply just some kid /adult abusing your internet connection and you have no control over it ??????????
whats really scary is, somewhere i was reading about the county council making dublin city a wifi zone lol, come on what do they do all day watch star trek get into the real world anything in the airwave can be broken and sniffed yes yes we all know its illegal to do this but then agian when you watch star trek all day, suppose you start to believe thats how life works
One Trackback/Pingback
[...] Eircom Respond to Netopia Security Issue [...]
Post a Comment