From the folks at security think tank GNUCitizen comes yet another demonstration of the insecurity that's present by default in the UK's most popular home broadband router. By default, the BT Home Hub, which is manufactured by Thomson/Alcatel, uses a weak algorithm to generate keys used for locking down a Wi-Fi network. So weak …
Still more secure than most
Much as I dislike the Home Hub, it must be pointed out that the fact it actually ships with a pre-set WEP key makes it more secure than most home routers on the market, which come with blank passwords. And my experience is that the average user leaves them this way.
"NETGEAR" is my isp! At least this way there's a few seconds of a challenge first, and maybe some kind of legal mumbo jumbo involved before you add a couple more megabits to your connection pool.
Paris knows all about leeching from society...
Not Belkin then?
It seems that everywhere I go, my laptop will find an unsecured network called Belkin54g
BT 'product' "not secure"?
Exactly WHAT part of this were we supposed to be surprised by?
Of course, this sort of story will NEVER reach the mainstream public, a bit like their other little 'security' issue!!
This is not a surprise.
The BTHomeHub is awful, even the BT engineers say it's crap.
My line gets about 512K on the home hub, 1.5Mb with my Draytek Vigor 2910 and Vigor 100 (2910 is a dual WAN Router, the 100 is an ADSL/2+ modem).
Mind you, even the 2910 defaults to no wireless security (though it is off by default). Makes no difference though, if you try to crack into the home hub chances are it will just lock up before you manage to get in...so you *could* say it is the most secure router out there, in a f****d up kind of way.
Given that most ISPs now provide 'setup software' with their routers...
...I don't know why they don't allow (aka force) people to specify their own WPA (or WEP, if you must) keys when they install the kit.
@Martin Edwards: Really? I tend to find most are either set up by someone who vaguely knows what they're doing OR by someone who doesn't know anything and thus studies the manual in great detail. Most (if not all) router manuals stress from the get-go that wireless needs to be secured - having once gone wardriving for a laugh, every single Home Hub was using WEP - while that's not necessarily with the stock key, I'm willing to bet it is in 99.9% of cases. There are always a few NETGEAR, belkin54g, etc unsecured, but they really are in the minority.
never told us...
Pity they've not passed that information on to the contract engineers who work on BT's broadband installation / home computer service. Having said that, we warned them over a year ago that sending out home hubs with 40-bit WEP encryption was stupid. They ignored us of course. In fact we were under strict instructions NOT to change the WEP settings, presumably so that the service centre bods had an easy life when customers called in with connection problems. (The WEP key is printed on the back of the hub)
I can only see networks called "Sky" from here
WEP encrypted too... netgear dg834 me thinks
Until the tool does get released WEP is still better than nothing, you do at least require *some* knowledge to get at a WEP protected network, you just need a computer and one hit with the clue bat to get at an unprotected one. My router came defaulted to no protection, but at least the wifi was turned off. 9 times out of 10 Joe Bandwidth Stealer is going to go for the unprotected network rather than the WEP one, he only goes for the WEP one because he wants to show off.
Here we go again.
OMG! Shock Horror! Leave your wifi AP open and bad things will happen to you!
Such a shame that we can't spread the idea that you should deliberately make your WiFi open and give it an SSID of "Your Address - Open". Go back 5 years and there was a possibility that things like NoCat would make it reasonably easy to offer open access reasonably securely with logging and such like. Even with FON, this never really happened.
I for one want to live in a world where the Dlink-Linksys-Belkin default open access community is everywhere. So can we please stop making it easy for the average man in the street to secure their Wifi?
What can't they...
do like the Orange Livebox?
It comes (now) with WPA on as standard, but even if this was cracked it's not a big deal.
I run WEP (some devices don't use WPA), but the box has one great feature.
The live box is automatically configured to only allow new devices to connect for a couple of minutes after a reset or by pressing a button. After that, even a correctly set up device cannot attach.
Don't forget the USB ADSL dongles
which I would imagine are behind most of the zombie botnets connections in the world .... offering as they do a backdoor without firewall into the PC.
The biggest problem so far is that Thomson seems unable to fix any of the bugs reported. I'm using a 780WL (was their "top-of-range" box), there are several BIG bugs (like SIP account not registering on router restart), easily reproducible crash bugs, etc.... that have never been fixed.
If you check the Bethere forum (they are also using the Thomson boxes) you'll see an endless list of bugs...
I suspect that Thomson took over the product from Alcatel, probably not the team, and is now left with what is likely to be badly documented, hard to debug code. And as long as people like BT are ordering the boxes (and debug/workaround the issues by themselves) I'm not really sure they are motivated to do anything!
The router has a lot of great features (especially for a consumer box), too sad the support is SOOOOOOO poor.
@ stu reeves
You CAN alter the pairing time on the Orange (Wanadoo) Livebox by going into the configuration. This can be set to up to 60 minutes. (well, it can on mine, the one with the fucking irritating pulsating light! Thank fuck they let you turn THAT off!) I'd change the default password there too, but I'd imagine you've already done that. Just a shame you can't change the default username, it's not exactly had a great deal of thought put into it.
I too have begun to see a profusion of "SKY...." boxes appearing in my neighbourhood. Looks like Uncle Rupe's making inroads in the "Total World Media Domination" masterplan!
People expect some form of security from BT?
I thought the whole mantra of the company was "zero privacy". Tying in nicely, with their relationship with Phorm.
These aren’t problems with the home hub; they are designed to be totally open
Don't forget that having a BT HomeHub leaves you open to a much bigger security risk - BT selling your browsing data to a spyware company.
Anyone who still has BT as an ISP almost deserves to get their wireless network cracked.
I luv my netgear router, it's got the most secure wireless connection point in the world because I keep it turned off XD
wireless is overrated nowadays and it's still faster to stream vids and music over a hard wire connection
anonymously post since I don't want ppl cracking my unprotected upnp
Channeling Harry Hill
But which is faster...
80 password guesses, or 2 minute WEP password cracking (http://www.youtube.com/watch?v=d7tpl77VwO4).
@ Stu Reeves
Actually the Orange Livebox comes with both WEP and WPA enabled, however this causes confusion to some computers and you often have to turn one of them off.
Where the Livebox DOES have an ace card is that you only have a time e to "pair" a wireless network card and the router after you press a button on the back. After the timeout you cannot connect - even with the right WEP/WPA key
WPA support isn't everywhere
Nintendo DS for example, doesn't support it.
So many have problems with their Wi-Fi it's not surprising that most don't come with security in mind, but rather ease of setup.
@ dervheid - Sky boxes
You see lots of SKY routers because Sky appear not to tolerate other routers on their Network
I was recently requested by a customer to set up her existing router on a new Sky account (it was a better model than the Sky-supplied Netgear) and Sky helpdesk refused any information regarding required logon / authentication details. All I got was a comment "you can only use one of our routers on our service." The software of the Sky box has been bastardized so the logon details are hidden: I've not found a way round this yet.
Any of you Linux bods out there able to hack one and find what is needed to get a non-Sky router working on a Sky ADSL account?
Unfortunately, some of us are still contracted to BT! :(
Educate me someone
Either I'm going to get flamed or someone will not follow my question, umm, here goes.
There is a lot of talk about WIFI cracking, someone will say "Yeah, there's a website that says it can be done", or "Everyone knows it's not secure" or "It can be cracked in 30 seconds". But all I hear is anecdotes, or I get pointed to some old website showing how to crack a fairly old set up.
I've talked in person to people who have told me how easy they are to crack, then I ask them how would they do it and they shrug.
But has anyone here actually cracked a WIFI signal being generated by a modern up-to-date hub or computer and got in? Is there an epidemic of people having their connections compromised or is it just hype? I'm curious.
B.T.W. I don't use WIFI myself, so I'm asking the question from a "New to the WIFI signal subject".
First person who points me to a five year old website gets a poke in the eye ;-)
Nintendo only support WEP
on the DS. So what can anyone do - throw the device away and get a PSP ?
Mario Karts and other games are better online, my kids would like to continue to be able to play online DS games.
I guess I could lock down the device by MAC address... though I understand even that is not secure (i.e. can be faked) ?
There is a reason
As I understand it, WPA causes too many headaches for ISPs like BT who would have to deal with people struggling to connect their Wii, PS3, mobile phone, and whatever else. WEP is just simpler to deal with from a support point of view.
As for security, yes it's a risk, but as 99% of the public are clueless in this regard I should think they're pretty safe as the 1% who might want to go round hacking everyone else is going to have a hard time getting round that 99%. It's like having a Yale lock on your front door. Most burglars can get past them easily but relatively few people really get burgled. Sure you can put deadlocks on your door just in case.
Not as bad as it was
It used to be the case like previous posters point out that no-one secured their networks, so a quick sniff would result in a list of networks named Linksys etc, all default and unsecured.
It's not like that at all anymore. I live in a condominium, where I can usually see around 30 to 40 networks at any given time, and not a single one of them is insecure.
Here's a dedicated WEP cracking utility, this version dates from 2007
less secure than a 2-digit [0-9] combination lock? LOLHAX
@anon coward hacking sky boxes
Quick web search will give you the required info. Basically ping the router and save result to a config file to extract the password.
Your user name is very easy to find. It is the router mac address (handily on the router label) @skydsl.com making it something like
Not that I've ever hacked a sky box of course.
You can even use the sky box with this info. once of course you've flashed the crippleware (sorry firmware) with a newer Netgear version.
The most insecure bit?
The pillock "plugging" in another device!
As an exercise, do an NMAP scan of your local subnets outside your firewall at home and you'll see at least 2 in every 100 routers with open ports to remote desktop, open ftps with default passwords, open routers still left with default passwords, I even found a HP printer/scanner plugged straight into a router with no password. There are lists of default passwords for all the major models and makes of routers, it really doesn't take a degree in IT and ten years of security knowledge to break into most home routers.
Not quite that easy
If anyone has actually tried to do a WEP or other crack, they would know that you need the right wifi hardware. You can't just use the cracking software on any old card, they only support certain chipsets. I tried various cards and gave up. Manufacturers stopped making cards with the chipsets and promiscuous drivers ages ago. Simon is right - most people have no idea what's involved.
I'll challenge anyone
There's not a hacker in this world who could get onto my wireless network, even if I left it open. Nothing gets through my walls! Seriously, nothing... wireless is only good for the room I am in and if I want to use my mobile I have to go outside. I had to run cat5 to my bedroom so I can use my laptop in bed.
Most networks have a WEP device.
Meaning that home networks can't adopt WPA.
I would love to move to WPA, but my Terratec Noxon boxes are WEP only. I wonder what the legal stance is, for these companies that refuse to do updates or exchange programs for hardware that make your network insecure.
Are they liable for producing insecure products which open up your home network?
Despite several emails to Terratec, about Noxon not supporting WEP, they just brush the problem under the carpet...
Keeping jobs for the boys
Whilst in no way questioning the intellect of the boys at this Security think tank, out in the real world I see few unsecured networks anymore.
At a friend's flat in Streatham, London a total of 17 networks are visible on my thinkpad and the only 1 not secured with 128bit WEP or WPA (most were WPA) was the local Oxfam shop (Yes I went down there and helped them get WPA up and running).
I agree most were running default SSID but does that really matter that much. I use WPA2 with AES but stopped hiding my SSID in the end because it was a pain having to type the SSID and the password on my N95 :-)
This security think tank sounds a bit like the Government to me, let's scare everyone then we can get more funding.
> the most secure wireless connection point in the world because i keep it turned off
Instead of leaving the Wi-Fi permanently switched off, why didn't you just buy a wired router?
re: sky routers
Here's a handy little guide for you AC, courtesy of sky users forum.
Hope this is helpful.
@Tibb the Cat
Thanks for the links.
Well one piece of software is 3 years old, the other, hmm, slightly newer.
So have you used them? Did they work? On current equipment I could buy in the shops?
@El Reg, how about one of you guys have a go. This would be the greatest IT news website ever if one of your writers tried it and wrote an article about it. We need to confirm the truth or dispel the myth about WIFI cracking.
Me myself (Also what Clive Smith is saying) think this is something the WIFI manufacturers maybe caught onto years ago and have solved.
Anyhow, continue my education someone.
Unfortunately I needed a router badly since my last 1 burned out from all the downloading so I had to do the dirty and get it from PC World (never again)
at least now I'm looking for some proper netgear hardware for a separate dual wan firewall and a stand alone modem to upgrade my net
I see people constantly going on about the WEP/WPA angle but very few people seem to mention about locking the connection down to specific allowed devices via their MAC addresses. If a hacker can't even connect to the router, how is he going to crack the WEP/WPA key anyway?
Someone did mention about the possibility of spoofing MAC addresses but they would need to know what MAC addresses are allowed to connect and their associated NAME.
Well, because I would use Ubuntu all the time if I could.
BT home flub...
WEP can be cracked in around 1 to 8 minutes with Back Track Linux,
WPA is more secure but can still be cracked, WPA is not available to BT home flub users unless you flash it to open up their locked down options
This is, quite frankly, not good enough. Why is that band of tossers known as BT peddling such junk in the first place?
Yes, aircrack-ng works fine these days, with fake authentication and ARP injection it cracked my neighbour's 128-bit WEP key in a surprisingly quick 4 minutes.
You'll need an Atheros chipset wireless card (amazon) and have to be comfortable fiddling with Linux.
Just found these, I think they answer your points
WEP cracking using modern equipment
how the feds do it - a demonstration
WPA IS available to Home Hub users - you just have to log onto the advanced admin page and change the settings. No need to flash it
It's not obvious, but it IS there
Was going to simply state here that this whole discussion is a waste of time, as blocking all but allowed MAC addy's is far simpler than setting up any sort of encryption, and for the purposes of restricting who's using the wireless connection is more than adequate.
But, someone beat me to it..
@ Xander Dent
...oh gosh, you're serious aren't you?
I'll get my coat - and nip round yours to airodump-ng* your MAC...
Paris, because for all her (de)faults, I still wouldn't say no to airodumping her MAC.
*Ever since 'Google', I've been exploring the beauty of 'verbing' - randomly converting nouns to verbs
not being funny
I just wasted 10 minutes concisely and succinctly typing an argument that covered every point made, showing you lot how paranoid you all are, then realised that would take away my fun of watching an afternoon's stupidity in the comments section. So who is the more foolish, the fool or the fool that follows him?
1. Providing a default key (as it is now)
2. Redirecting the first www connection to the router in order to input a passphrase
3. Creating a stronger key to cut'n'paste? (WPA unless specified)
... This could all be fixed in a simple software update, could it not? (just like the "we changed your admin password to the HH serial number" thing)
@ All the people with Belkin, Netgear, etc - at least there is *some* security with the Homehub out of the box - think about the average customer here - I've set up over 500 routers and think that Netgears etc are pretty OK - but where's the default security?!!! Even WEP discourages casual connections from the neighbours looking for their daily pr0n.
Prefer to default to "no protection at all"
So you get your wireless router. "Great", you think, "now I can work wirelessly." Not so fast, young padawan, because first you need to configure it. "No problems, it's wireless." And you know the passcode to talk to it? "Ah..." Where's your PC? "Upstairs." Where's the router? "Downstairs." And you don't know the passcode, so your PC can't talk to the router? "Err..."
The sad truth is that unless your wireless router defaults to "wide open, come and get me", there ain't any way your PC upstairs can talk to the wireless router downstairs. If you've got an Ethernet port on your PC then you can bring the router upstairs, plug it in with a Cat5 and set it up that way, then bring it back downstairs. But if you haven't (and many PCs don't come with Ethernet), you're right out of luck.
Unless your PC can guess what the passcode is. And that's presumably where this comes in. Sure, it ain't bombproof, but it's shipping with enough security that out-of-the-box it's protected, instead of being wide open for a while until you get round to configuring your security.
Which, per Steve and Xander, should include a MAC address whitelist for most home users.