250,000 eircom modems can have their password guessed - How will eircom react?
If you're new here, you may want to subscribe to my site using a feedreader or email. Thanks for visiting - Damien.
Update: 250k modems actually. Front page of Irish Times.
Some potential other headlines:
Ireland’s largest WiFi network now free to all
eircom security flaw affects 150k broadband users
Jimmy Hendrix loving programmer creates massive security hole
All along your bases - Hendrix Lyrics makes hacking easy
So news is out that you can guess the WEP key for the eircom modems that a lot of people have. Something like 100k-150k or maybe more. It seems the WEP key (which is like a long gibberishy password) is generated based on Jimmy Hendrix lyrics and the network ID of the modem itself. After the discovery and proof of concept, there’s now a website which allows you to plug in the the network ID of your neighbours and it’ll provide you with the WEP key. How helpful. (I won’t be linking to it)
So how will eircom react? Will they have the website, boards.ie posts and blog posts about it taken down? Will they contact all their customers and tell them to change their default key? I’d hate to be working on their support lines once the mainstream press covers this, as I’m sure they will. Time will tell I suppose.
Digg it! |
Reddit |
Del.icio.us |
Stumble Upon |
Google
October 1st, 2007 at 10:11 am
[...] (via Damien) [...]
October 1st, 2007 at 10:32 am
I always figured there had to be a logic to the WEP generation, it was just a matter of time really.
October 1st, 2007 at 10:56 am
Have you verified this? I tried it on 4 different eircom networks yesterday and it didn’t work.
October 1st, 2007 at 11:04 am
People around me have tried. I have not. It’s illegal in the Republic to do that
October 1st, 2007 at 11:19 am
In a hypothetical scenario, where this was not illegal, I would more than likely have tested it and confirmed that it does indeed work.
But of course I haven’t in reality, because as Damien rightly points out, that’s a no no
*cough* *cough*
October 1st, 2007 at 11:20 am
Exactly Colm.
October 1st, 2007 at 11:35 am
Surely the issue here isn’t just stealing someones broadband/bandwidth, but getting access to their network as well?
October 1st, 2007 at 11:43 am
Blog giant in code cracking plot shocker.
October 1st, 2007 at 12:59 pm
This is why you should buy your own gateway/modem/router/switch/port or what ever the marketing droids are calling them these days.
Read the netopia manual for a simple fix.
http://www.netopia.com/support/intl/eircom/technotes/IEWG_110.html
Linksys with openDNS would be by my choice at home and as for the office I dont see this as an issue because nobody in their right mind is using the free modem provided by Eircom to face the world and if they are well then your sys0p should be out of a job.
October 1st, 2007 at 2:57 pm
Rahood: A fantastic display of fanboyism, great work chief!
The Netopia router is an excellent router. There is no logical reason to shell out extra money for a more ‘branded’ router.
Please do not blame the routers lack of enforced security measures due to chimps that are unable to select the WPA/2 encryption method.
Thanks.
October 1st, 2007 at 3:19 pm
I don’t even need a WEP key to access my neighbour’s eircom broadband, they simply don’t have one.
October 1st, 2007 at 5:28 pm
@knuth
(my fanboyism is sneaking out again)
Has Linksys ever hardcoded sNTP servers that it did not own into its firmware.
D-Link has and so have Netgear. Can you buy Netopia gear from PCworld or Elara where the average Joe shops. Notice I said average Joe and not ‘chimps’ btw.
So yes I could be called a fan in that regard but if you want ‘fanboyism’ as you call it.. my friends and family all sit behind a Linksys WRT54GL if they need wireless because the firmware is GPL’d and I can also add NAS and voip from the router itself should they wish
Is it logical to use a cd to set up a router because thats where the problems start. Better to have printed instructions in the box because as we all know only too well Windows users will click on anything autorun.inf when told to do so
“Please do not blame the routers lack of enforced security measures due to chimps that are unable to select the WPA/2 encryption method.”
WEP by default is the problem, not the average Joe who has been shafted by a lack of decent info on a product supplied at a tight pricepoint.
Between those little sperm tailed wireless devices advertised on the TV and now this, Is it any wonder I often cry myself to sleep over the state of net access in Ireland.
October 1st, 2007 at 6:29 pm
WEP is utterly broken. It can be cracked from scratch in less than a minute. If you are serious about security, use WPA with a strong password.
Less than a minute means that it is actually faster to crack your own WEP key than to type the hex code correctly in a text field.
See http://www.theregister.co.uk/2007/04/04/wireless_code_cracking/ or http://www.cdc.informatik.tu-darmstadt.de/aircrack-ptw/
October 2nd, 2007 at 12:42 pm
This is a completly overhyped issue.
WEP encryption was “crack-able” from day 1. It can be cracked within minutes using tools that have been available for years.
Some smart-ass tool that uses the SSID rather than sniffing & analysing packets does not increase the risk.
What should be addressed is the question if these networks should be secured at all and if so who should be responsible for this.
E.