Hackers actively stealing Wi-Fi keys from vulnerable routers

Hackers have graduated from planting malware on the vulnerable routers supplied to consumers by various ISPs towards stealing Wi-Fi keys. Andrew Tierney, a security researcher at UK consultancy Pen Test Partners, noticed the switch-up in tactics in attacks against its honeypot network over the weekend. Customers of UK ISP …

  1. Bronek Kozicki

    Oh my ... that's why we need a proper ISP like A&A, who not only generate the password just for your broadband modem, but also go out of their way to help you set up a better one, if you happen to have one.

  2. Andy Non Silver badge

    The words "TalkTalk" and "hacked" tend to crop up quite a lot in the same sentence.

    1. Doctor Syntax Silver badge

      "The words "TalkTalk" and "hacked" tend to crop up quite a lot in the same sentence."

      And a small number of customers tend to be mentioned a lot in the same articles.

    2. VinceH

      And the words "TalkTalk" and "incompetent fuckwits" ought to crop up a lot in the responses.

    3. Anonymous Coward

      TalkTalk still has customers?

      Why?

      Seriously, why?!?

      1. Anonymous Coward

        Re: TalkTalk still has customers?

        ££

        Seriously, ££.

        The ONLY reason.

  3. Captain Badmouth
    Headmaster

    "it reverts customers back"

    Wrong on two counts: revert means "to go back", so the back is redundant.

    Secondly you do not revert something, something reverts. (see transitive/intransitive with your favourite search engine.)

    :)

    1. Anonymous Coward

      Re: "it reverts customers back"

      If you want to be pedantic, be complete. It doesn't revert customers at all, only their routers.

      :) :)

  4. WolfFan Silver badge

    interesting

    I have a router thing from AT&T. It serves up Internet access, TV, and telephone. It has a switch attached which allegedly does 1000baseT. It has a wireless access point attached which allegedly does 802.11n.

    This device has a long alphanumeric passcode on its side. The passcode appears to be unique; I've seen multiple AT&T router things and all have different passcodes. In any case, the first thing I did was to change the passcode to something of my choosing, even prior to setting up WPA wireless security and changing the default SSID to one of my choosing. As the silly thing only offered WPA security, I turned the WAP off and connected an Apple AirPort device to the AT&T thing by Ethernet. I put the Apple device into bridge mode and ran WPA2-AES (not, repeat NOT, WPA/WPA2, which uses TKIP; I turned off the AT&T thing's wireless precisely because it was WPA-TKIP) and set up wireless from the Apple device. My AT&T device is no longer visible by wireless. Even if it were vulnerable to this hack, it's not available. The Apple device doesn't use an HTML administration page. In order to administer it, I have to use Apple's AirPort Utility software... and the very first thing that pops up when APU locates a new Apple device is a request that I change the default password. It won't go forward unless there's a new password. I of course changed the passcode, admin name, SSID, etc.

    Frankly, I think that everyone should disable the WAP on their ISP-provided devices and put in a 3rd-party WAP, and first thing change the default password, admin username if possible (some systems won't let you change the admin username; Apple will, but Apple, in its infinite wisdom, seems to be dumping AirPorts), the SSID, and, if the system uses an HTML page for admin, the default IP (usually 192.168.1.1 or 192.168.2.1, unless the ISP is AT&T, which uses 192.168.1.254 for reasons which no doubt make sense to them) and anything else that might be easily discoverable. And, unless there's a really good reason why not, I'd use WPA2-AES. And I'd ignore stupidity such as MAC filtering, all that does is create trouble for legit users.

    1. Woodnag

      MAC filtering, all that does is create trouble for legit users.

      Actually MAC filtering just creates trouble for new users. Which include potential abusers, hence the WPA2-AES.

      1. WolfFan Silver badge

        Re: MAC filtering, all that does is create trouble for legit users.

        MAC filtering is absolutely completely useless. All legit users broadcast their MAC. Anyone who has a sniffer can and will pick up a valid MAC in a matter of seconds. They can then spoof that valid MAC. MAC filtering will keep attackers out for minutes at best. Meanwhile, if MAC filtering is turned on every time a new legit system shows up (new laptop, new cellphone, new tablet, whatever) the new MAC has to be added to the filter. If I have WPA2-AES turned on, I merely have to ensure that the new hardware can handle WPA2-AES and enter the passcode. Once per new machine. With MAC filtering, I have to play with the router, and hand out the WPA2-AES passcode. I don't see any reason to go to the extra work just to make an attacker take five minutes max extra.

        1. Anonymous Coward

          Re: MAC filtering, all that does is create trouble for legit users.

          The way I do it is this: My wireless router is hooked up to several printers and each packet is physically printed. These are checked before being keyed into the main router. Therefore my wireless is fully protected and cannot be hacked. The only downsides are I use a lot of paper and the bandwidth is reduced.

        2. Muscleguy

          Re: MAC filtering, all that does is create trouble for legit users.

          It's the same principle as getting a decent lock for your bike. The idea is not that your lock will be inviolable but that faced with a rank of bikes a thief is going to go for the easiest locks first. So, provided my neighbours are as lazy as you then a wifi thief will go for them first and in preference, time is money, and the chance of being caught.

          I have WPA2-AES turned on as well AND our wifi does not broadcast. You have to know it is there and its precise, non-standard, name.

          1. Charles 9

            Re: MAC filtering, all that does is create trouble for legit users.

            Unless they have the capacity to just take the RACK, and I HAVE seen whole racks get stolen.

          2. Roland6 Silver badge

            Re: MAC filtering, all that does is create trouble for legit users.

            I have WPA2-AES turned on as well AND our wifi does not broadcast. You have to know it is there and its precise, non-standard, name.

            Turning off the broadcast of SSID is even more pointless than MAC filtering. It was discredited as a security mechanism pre-2006...

          3. JohnG

            Re: MAC filtering, all that does is create trouble for legit users.

            "The idea is not that your lock will be inviolable but that faced with a rank of bikes a thief is going to go for the easiest locks first."

            Yes but like thieves, the intentions/ambitions of the thieves may vary. Faced with a row of bikes, some thieves may ignore them and go for a nearby Mercedes. More effort may be required but reward vs effort vs risk calculation is different. Some hackers may see increased security as a challenge and imagine the promise of something more worthwhile than access to someone's willy photos.

    2. Anonymous Coward

      Re: interesting

      How the above sounds... "Look at me, look at me. I did it this way and therefore anyone else who did it differently is stupid and deserves to be hacked"

      Most people (i.e. non-techies) don't want multiple devices and a mass of wires linking them all. The supplied hardware SHOULD be good enough and where default credentials are included, they are all changeable by those of us who see a need to change them.

      1. Lee D Silver badge

        Re: interesting

        MAC Filtering is pointless. You are advertising your MAC over the airwaves all day long and if it's visibly associated with a WAP, it's likely that that MAC is in the allowed MAC list.

        And faking any MAC (once you know what one to fake), wireless or wired, takes precisely seconds.

        If you've even bothered to turn on MAC filtering, I judge you.

      2. WolfFan Silver badge

        Re: interesting

        How the above sounds... "Look at me, look at me. I did it this way and therefore anyone else who did it differently is stupid and deserves to be hacked"

        Most people (i.e. non-techies) don't want multiple devices and a mass of wires linking them all. The supplied hardware SHOULD be good enough and where default credentials are included, they are all changeable by those of us who see a need to change them.

        Son, I don't give a flying fuck at a rolling doughnut on the deck of a tanker in a thundering typhoon what you do or don't do. I am saying that those who don't take reasonable precautions will get hacked, whether or not they deserve it, because they'll be the low-hanging fruit. Anyone who does not use any kind of key will have their systems accessed by the general public at will. Anyone who uses WEP will be hacked in under five minutes. Anyone who uses WPA-TKIP will be hacked in a few hours. WPA2-AES is noticeably harder to hack. Unless someone has a reason to specifically go for my network, they'll have a look, notice that it's hard to hack, and go hunting easier targets elsewhere. I operate on the principle that there are tigers out there... but I don't have to be faster than the tigers, I just have to be faster than you.

        Having a 'mess of wires' means that I can, if necessary, turn wireless completely off, making it quite difficult for outsiders to access my network. I do not operate by what some people might think ISPs 'should' do. I operate by what they actually do, and what they actually do is provide equipment which is of distinctly lower quality than is available relatively cheaply elsewhere. AT&T's device only does WPA-TKIP, and runs at 802.11n, max. Apple (and D-Link, and Netgear, and Linksys, and others) makes devices which do 802.11ac and WPA2-AES and they don't cost that much either. I'm not about to hold my breath waiting for AT&T to hand out better devices; the current AT&T device replaces one which did 802.11g and was in service for a very long time. Indeed, the fact that it only did 802.11g and WPA-TKIP is exactly why I bought my first Apple device in the first place; the current one is my second, the first did 802.11n. Should someone elect to not get better quality equipment, well, that comes under the heading of Not My Problem. And it means that there is a lot of low-hanging fruit around to keep the hackers busy, and far away from me. You no like? Me no care.

        Downvote away.

        1. asdf

          Re: interesting

          >How the above sounds... "Look at me, look at me. I did it this way and therefore anyone else who did it differently is stupid and deserves to be hacked"

          It really isn't complicated for IT folks who frequent this site. Don't buy a home router until you check there is open source firmware for it. Once you buy it put said open source firmware on it immediately (I really like Gargoyle and OpenWRT but if really hard core about security the BSD based solutions pfSense, m0n0wall, etc are the way to go). Also with DSL modems put them into transparent bridging mode and do the PPP through your home not the ISP provided router. Not that difficult if you do have IT chops.

          1. asdf

            Re: interesting

            For the record, yes, yes, open source is not a panacea, but a quick search of past articles on here will show a hell of a lot more of these types of issues with factory firmware than with the open source firmware projects out there. Not to mention that when a big security issue is found in, say, OpenWRT, a new firmware image will more than likely be issued that day, not to mention with usually years of support past the manufacturer, who is all too happy to move on to selling new kit. Even with open source you still need to properly secure the router, but at least with open source you start with a slate that is more likely than not 5-eyes free and has no obvious back door.

            1. Charles 9

              Re: interesting

              That's IF you can get one that works bug free. Harder than it looks.

          2. Anonymous Coward

            @asdf Re: interesting

            "Don't buy a home router until you check there is open source firmware for it."

            Thought everybody on here would use Cisco or Juniper at home TBH?

            1. asdf

              Re: @asdf interesting

              >Thought everybody on here would use Cisco or Juniper at home TBH?

              Ha, good one. Maybe if you are a network guy and can long-term borrow one from work. Like I said, if I am going to drop big coin on an appliance server home router I am going with something that will run one of the BSDs. Cisco and Juniper OSs aren't more secure or even stable, they just scale better (and have more fancy enterprise and ISP centric features), which isn't much of an issue for a home router.

    3. kain preacher

      Re: interesting

      Blinks, you must have a really old unit from ATT. Mine does WPA2-PSK (AES)

      it does n/ac

  5. Anonymous Coward

    Anybody know if BT Infinity is affected?

    I use the default (random) password because I can't forget it - it's written on the back of the modem.

    1. cybergibbons

      If you are using the provided HomeHub or any of the common BT VDSL modems, we haven't seen any particular issues with TR-064 being exposed publicly. I don't think anyone has got your key via the same route.

      1. Anonymous Coward

        BT HomeHub

        If you're still using the BT-supplied HomeHub, then regardless of any security-related concerns you have the more basic problem that the HH is fundamentally a bit s**t. Go shopping for something from NetGear or similar.

        1. Anonymous Coward

          Re: BT HomeHub

          It seems to have done the job. The wifi doesn't reach my office, but that's what CAT5E is for. The connection is fast and stable, so I'm happy with it.

          The 4k Humax STB, not so much.

    2. Anonymous Coward Silver badge
      Holmes

      If you have such difficulty remembering the wifi password that you have to resort to the label each time, you might as well:

      a) change the password to something you stand a chance of remembering

      b) write the new password on a sticky label and affix it to the router, where you'll be able to find it when you do forget.

      1. Anonymous Coward

        But what if:

        a) You have such a bad memory that any password YOU try will be easy to break?

        AND/OR

        b) The router is in a communal location (say the bedroom hallway, somewhere near the center of the house for maximum coverage area), meaning ANYONE who can see the router can jot down the password AND the default one for good measure?

        PS. If you MUST put the router in a publicly-accessible location, PLEASE disable WiFi Protected Setup COMPLETELY. INCLUDING the Push-Button Control.

    3. Cynic_999

      "I use the default (random) password because I can't forget it - it's written on the back of the modem"

      If you wanted to, you could change the password and write the new password on the back of your router alongside the original one.

      Just a thought ...

  6. Sureo
    Unhappy

    "...the situation is under control..."

    Every time I ask my ISP about security issues, they give me this reply, but have no further information on the matter. Essentially a brush-off and an admission nothing is being done.

    1. dajames

      Re: "...the situation is under control..."

      Every time I ask my ISP about security issues, they give me this reply, but have no further information on the matter. Essentially a brush-off and an admission nothing is being done.

      ... and why does this not make you wonder whether you might do better with a different ISP?

  7. tiggity Silver badge

    Talk Talk Spokesperson

    Based on previous form they will have no clue and what they do say will be at least 99% lies

    1. Anonymous Coward

      Re: Talk Talk Spokesperson

      They don't actually have a spokesperson. All they have is an old ice cream tub with some stock phrases that someone pastes to a piece of paper and hands out as a press statement.

      The phrases include:

      Small minority of customers

      A few customers

      We have no evidence of any misuse of personal information

      We have not noticed any attacks in the wild

      This is an industry-wide problem

      We take security very seriously

      We take data protection very seriously

      We take our responsibilities very seriously

      We have put training in place

      We have made sure the necessary steps have been taken

      We don't believe this is a significant issue

      We completely refute any allegations that we are totally clueless

      Our CEO is a conservative life peer and a friend of David Cameron so whatever you say about her will be ignored

      1. Eddy Ito

        Re: Talk Talk Spokesperson

        Sadly the response from 98% of users is likely to be:

        "Did someone mention ice cream?"

      2. Anonymous Coward

        Re: Talk Talk Spokesperson

        I think you should make a 'Talk Talk Shit' app where these stock phrases of bullshit are available on demand to save costs on PR drones.

        Make the lies big, tell them often and they become the truth, sadly.

        1. Charles 9

          Re: Talk Talk Spokesperson

          What's their response when it's a LAWYER calling?

          1. Anonymous Coward

            Re: Talk Talk Spokesperson

            What's their response when it's a LAWYER calling?

            "I will have to escalate this call, please wait while I put you through"

            .. and wait

            .. and wait.

            1. Charles 9

              Re: Talk Talk Spokesperson

              Then the lawyer calls back and demands someone up top before a lawsuit lands on the legal team's desk?

  8. Seanmon

    What?

    "If customers have an issue connecting to the internet, they should visit our help site."

    Sigh.

    I long for the days when your ISP was just an ISP. I just want the fastest connection you can give me. That's all. I do not need your ten thousand shite TV channels or your telephone service or your cheap set-top box. And I want to choose my own router, thanks.

    1. Charles 9

      Re: What?

      Our service. Our rules. Take it or leave it. Oh, and BTW, many ISPs are the ONLY ISPs in the immediate geographic area, meaning leaving it means leaving the Internet.

      1. phuzz Silver badge

        Re: What?

        As far as I know TalkTalk only do ADSL in the UK, which means their customers are free to switch to a whole variety of different ISPs. We don't have the same artificially restricted market as the US seems to.

  9. hellwig

    Is Talk Talk Real?

    The stories about "Talk Talk" on El Reg are ridiculous, is that a real company? I have to think the whole premise of "Talk Talk" is a joke on anyone not familiar with UK telcos and ISPs.

    1. WolfFan Silver badge

      Re: Is Talk Talk Real?

      They are, unfortunately, real. https://www.talktalkgroup.com/

      They are also so bad that they make AT&T and even Comcast look, well, a lot less like the pirates they are. And they're not the worst ISP in Britain. That's probably BT, unless they've improved considerably, something I doubt.

  10. waldo kitty
    Facepalm

    HOW??!?

    If customers have an issue connecting to the internet, they should visit our help site

    if you can't connect to the internet, how the hades are you supposed to go to some help site?

    1. Cynic_999

      Re: HOW??!?

      Whooooossshh

    2. David 132 Silver badge

      Re: HOW??!?

      You're overestimating TalkTalk's desire to help their customers.

      Note that for those who can't get to the help site, TT have, of course (what do you take them for?), provided an alternative source of support - it's in a locked filing cabinet, in a disused lavatory, in the basement, behind a sign saying "beware of the leopard"...

      1. Anonymous Coward

        Re: HOW??!?

        @David 132

        I see what you did there, but their alternate methods are not as obvious as that.

  11. MotionCompensation

    What a mess

    I get the feeling this is only the beginning. This mess might become so big that even very computer literate users will be affected by the incompetence of these corporations. There is nowhere to hide, sooner or later you will be hit.

  12. Youngone Silver badge

    Long Ago

    10 or 12 years ago I worked in a central city high rise next to a high rise student hostel.

    Said hostel was packed to the rafters with students, each with their own ISP supplied Wi-Fi router.

    One slow afternoon my boss and I had a lot of fun logging on to every one we could using the default admin logon (admin/admin in case you were wondering) then changing the Wi-Fi setup.

    Probably illegal, but we had a laugh. A few days later one of the (fixed) access points was broadcasting its SSID as "Fuck off Gary" so I guess Gary got the blame.

  13. Infernoz Bronze badge
    Facepalm

    Simples, buy your own better router and secure it properly.

    Relying on fixed ISP provided router WiFi passwords was always a stupid idea because it is probably in an ISP database or easily calculated, which may get stolen/cracked eventually.

    I parked the 2 unreliable Chinese boxes, and installed a combined Draytek VDSL2 and WiFi router, use my own long-random alpha-numeric WPA2 AES passwords for its WiFi names, and have configured the transmission power to only be enough to get reliable reception inside my house, so people outside will have a tough time getting a reliable signal outside for mischief attempts.

    1. Charles 9

      Re: Simples, buy your own better router and secure it properly.

      Even with a sensitive directional antenna aimed through a window?

      1. cybergibbons

        Re: Simples, buy your own better router and secure it properly.

        Using a directional antenna outside of someone's house falls firmly into the territory of "tough time" and covers the typical threat model of a home user.

        1. Charles 9

          Re: Simples, buy your own better router and secure it properly.

          Point is, a directional antenna can be very sensitive, and a window is normally radio-transmissive, so you're prone to leakage. IOW, it may not be as tough a time as you think.

  14. Anonymous Noel Coward
    Boffin

    Joke's on them.

    I set my WiFi password to the last 40 digits of Pi.

    1. Charles 9
      Facepalm

      That doesn't even make sense. As Pi is an irrational number, there's no such thing as a last digit: not even a repeating one. If Pi terminated or repeated, it could become rational and could be expressed exactly as a ratio.

      Besides, under AES-256, you probably couldn't get away with more than 32 digits (32 characters * 8 bits = 256 bits), maybe 64 if you go the hex route. I personally use a 64-hex-character scramble, which also hits the limit.
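For reference on the passphrase-length question raised above: WPA2-Personal never feeds the passphrase to AES directly. The router accepts either a passphrase of 8 to 63 printable ASCII characters or a raw 64-hex-digit key, and in the passphrase case derives a fixed 256-bit Pairwise Master Key with PBKDF2-HMAC-SHA1 (4096 iterations, SSID as salt). The Python below is an added example, not code from the article or any commenter; the function names are mine, and it is checked against the IEEE 802.11 test vector for passphrase "password" on SSID "IEEE".

```python
"""WPA/WPA2-Personal passphrase-to-PMK derivation (added example)."""
import hashlib
import re
import secrets

# Constraints from the IEEE 802.11 passphrase-to-PSK mapping.
PASSPHRASE_RE = re.compile(r"^[\x20-\x7e]{8,63}$")   # printable ASCII, 8..63 chars
PSK_HEX_RE = re.compile(r"^[0-9a-fA-F]{64}$")       # raw 256-bit key as hex
PBKDF2_ITERATIONS = 4096
PMK_BYTES = 32


def is_valid_passphrase(passphrase: str) -> bool:
    """True if the passphrase is something a WPA2-Personal network can accept."""
    return PASSPHRASE_RE.match(passphrase) is not None


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """Derive the 256-bit PMK: PBKDF2-HMAC-SHA1(passphrase, ssid, 4096, 32).

    The output is always 32 bytes, whether the passphrase is 8 or 63
    characters; the passphrase's entropy, not its length, bounds the key's.
    """
    if not is_valid_passphrase(passphrase):
        raise ValueError("passphrase must be 8-63 printable ASCII characters")
    ssid_bytes = ssid.encode("utf-8")
    if not 1 <= len(ssid_bytes) <= 32:
        raise ValueError("SSID must be 1-32 bytes")
    return hashlib.pbkdf2_hmac(
        "sha1", passphrase.encode("ascii"), ssid_bytes, PBKDF2_ITERATIONS, PMK_BYTES
    )


def pmk_from_config(secret: str, ssid: str) -> bytes:
    """Accept either form a router UI takes: a passphrase or a 64-hex-digit PSK."""
    if PSK_HEX_RE.match(secret):
        return bytes.fromhex(secret)      # raw key, no derivation step
    return derive_pmk(secret, ssid)


def random_hex_psk() -> str:
    """Generate a full-entropy 256-bit key in the 64-hex-digit form."""
    return secrets.token_hex(PMK_BYTES)


if __name__ == "__main__":
    # Constructed sample: the standard's own test vector.
    print(derive_pmk("password", "IEEE").hex())
    print(random_hex_psk())
```

Note that `derive_pmk` is the same computation a client or AP performs when joining, so the only defence against offline guessing of a captured handshake is passphrase entropy, which is why a generated key is the safer choice.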

      1. Captain Badmouth
        Happy

        @Charles 9

        I thought Noel meant it as a joke.

        1. Charles 9

          Re: @ Captain Badmouth

          Then use the Joke Alert next time, not the Geek. Anyway, it was a very terrible joke at that, worse than a Fozzie Bear joke.

          1. Captain Badmouth
            FAIL

            Re: @ Captain Badmouth

            I thought using the geek icon was part of the joke, but then, what do I know?

            Irony is dead.

      2. Mummy's 'ickle soldier

        He who laughs last...

        Didn't get the joke.

  15. Doctor Syntax Silver badge

    Meanwhile even the Beeb seems to have noticed: http://www.bbc.co.uk/news/technology-38223805

  16. Andrew Findlay
    Alert

    Physical proximity not needed

    As in several other articles on this subject, the author has accepted the idea that "The hacker has to be physically close to the router to compromise the Wi-Fi". That is not true: they just need to have control of a nearby device; they don't even need to know *where* the device or network actually is.

    Imagine a row of houses with compromised WiFi keys where one of them contains a device that is part of a botnet. That device can probably see the networks belonging to several other houses, so all it has to do is to look them up in some central database and it can get inside another net, making it *much* easier to compromise more devices, steal traffic etc. Repeat.

    1. Charles 9

      Re: Physical proximity not needed

      "Imagine a row of houses with compromised WiFi keys where one of them contains a device that is part of a botnet."

      ONLY if the device itself has WiFi capabilities. If they're on a landline, they wouldn't have the capability to see the other networks. That reduces the potential victims and makes a remote exploit difficult since you'd have to query any given bot to see if it has WiFi capabilities AND is near a vulnerable spot. Not to mention since most WiFi-capable devices can only latch onto ONE network at a time, you run the risk of cutting the bot off the net because at best it'll get a new IP and you'll have to reconnect and at worst it fails and gets cut off completely.

  17. goldsteinalex

    FlashRouters

    If you use a VPN Router, one you flash on your own or purchased from FlashRouters, you can set up a VPN network to secure your connection.

    1. Charles 9

      Re: FlashRouters

      Now you lose bandwidth to overhead, and many people have tight data allowances. Cost can be too great.
