250,000 eircom modems can have their password guessed – How will eircom react?

Update: 250k modems actually. Front page of Irish Times.

Some potential other headlines:
Ireland’s largest WiFi network now free to all
eircom security flaw affects 150k broadband users
Jimi Hendrix-loving programmer creates massive security hole
All along your bases – Hendrix lyrics make hacking easy

So news is out that you can guess the WEP key for the eircom modems that a lot of people have. Something like 100k-150k or maybe more. It seems the WEP key (which is like a long gibberishy password) is generated based on Jimi Hendrix lyrics and the network ID of the modem itself. After the discovery and proof of concept, there’s now a website which allows you to plug in the network ID of your neighbours and it’ll provide you with the WEP key. How helpful. (I won’t be linking to it)

So how will eircom react? Will they have the website, boards.ie posts and blog posts about it taken down? Will they contact all their customers and tell them to change their default key? I’d hate to be working on their support lines once the mainstream press covers this, as I’m sure they will. Time will tell I suppose.

14 Responses to “250,000 eircom modems can have their password guessed – How will eircom react?”

  1. Colm Doyle says:

    I always figured there had to be a logic to the WEP generation, it was just a matter of time really.

  2. Have you verified this? I tried it on 4 different eircom networks yesterday and it didn’t work.

  3. Damien says:

    People around me have tried. I have not. It’s illegal in the Republic to do that 🙂

  4. Colm Doyle says:

    In a hypothetical scenario, where this was not illegal, I would more than likely have tested it and confirmed that it does indeed work.

    But of course I haven’t in reality, because as Damien rightly points out, that’s a no no 😉

    *cough* *cough*

  5. Damien says:

    Exactly Colm. 🙂

  6. Damien B says:

    Surely the issue here isn’t just stealing someone’s broadband/bandwidth, but getting access to their network as well?

  7. 73man says:

    Blog giant in code cracking plot shocker.

  8. Rahood says:

    This is why you should buy your own gateway/modem/router/switch/port or whatever the marketing droids are calling them these days.
    Read the netopia manual for a simple fix.

    http://www.netopia.com/support/intl/eircom/technotes/IEWG_110.html

    Linksys with openDNS would be my choice at home and as for the office I don’t see this as an issue because nobody in their right mind is using the free modem provided by Eircom to face the world and if they are, well then your sys0p should be out of a job.

  9. knuth says:

    Rahood: A fantastic display of fanboyism, great work chief!

    The Netopia router is an excellent router. There is no logical reason to shell out extra money for a more ‘branded’ router.

    Please do not blame the router’s lack of enforced security measures due to chimps that are unable to select the WPA/2 encryption method.

    Thanks.

  10. Sinéad says:

    I don’t even need a WEP key to access my neighbour’s eircom broadband, they simply don’t have one.

  11. Rahood says:

    @knuth
    Has Linksys ever hardcoded sNTP servers that it did not own into its firmware?
    D-Link has and so have Netgear. Can you buy Netopia gear from PCworld or Elara where the average Joe shops? Notice I said average Joe and not ‘chimps’ btw.
    So yes I could be called a fan in that regard but if you want ‘fanboyism’ as you call it.. my friends and family all sit behind a Linksys WRT54GL if they need wireless because the firmware is GPL’d and I can also add NAS and voip from the router itself should they wish 😉
    Is it logical to use a CD to set up a router? Because that’s where the problems start. Better to have printed instructions in the box because as we all know only too well Windows users will click on anything autorun.inf when told to do so 🙂 (my fanboyism is sneaking out again)

    “Please do not blame the router’s lack of enforced security measures due to chimps that are unable to select the WPA/2 encryption method.”

    WEP by default is the problem, not the average Joe who has been shafted by a lack of decent info on a product supplied at a tight pricepoint.

    Between those little sperm tailed wireless devices advertised on the TV and now this, is it any wonder I often cry myself to sleep over the state of net access in Ireland?

  12. Olivier says:

    WEP is utterly broken. It can be cracked from scratch in less than a minute. If you are serious about security, use WPA with a strong password.

    Less than a minute means that it is actually faster to crack your own WEP key than to type the hex code correctly in a text field. 😉

    See http://www.theregister.co.uk/2007/04/04/wireless_code_cracking/ or http://www.cdc.informatik.tu-darmstadt.de/aircrack-ptw/

  13. Evert Bopp says:

    This is a completely overhyped issue.
    WEP encryption was “crack-able” from day 1. It can be cracked within minutes using tools that have been available for years.
    Some smart-ass tool that uses the SSID rather than sniffing & analysing packets does not increase the risk.
    What should be addressed is the question if these networks should be secured at all and if so who should be responsible for this.

    E.