back to article Home Wi-Fi security's just as good as '90s PC security! Wait, what?

UK home Wi-Fi security is as bad as PC security was in the 1990s, according to a new study. Security software firm Avast found that more than half of all routers are poorly protected by default or common, easily hacked password/ID combinations. Easily hacked password combinations such as admin/admin or admin/password, or even …

  1. Haku
    1. Anonymous Custard Silver badge

      Hail Skroob!

      1. Charles 9 Silver badge
        Joke

        "And change the combination on my luggage!"

        1. Anonymous Coward
          Trollface

          luggage

          my padlocked luggage has no combination - its just bad assed steel

  2. TRT Silver badge

    Well...

    I use a separate WiFi access point, router and DHCP/DNS server. So they'd have to guess at least two passwords to change the DNS setting. And I don't use the defaults anyway. But at least Sky etc have been blowing unique default passwords into their kit for the last few years, so it's not quite as bad as it used to be. I think this is more scaremongering headline grabbing demi-marketing by Avast.

    1. HMB

      Agreed

      Quite a few vendors are using unique passwords in their devices. My plus net router was like that. I've since changed it naturally.

    2. ElNumbre
      Boffin

      Re: Well...

      Except a lot of vendors use algorithms to generate the "random" uniqueness, and when clever people figure out what that algorithm is, the gates fall.

      I guess though its difficult from a support perspective to have truly random values, as what if the config is lost, how can you get back into the device, unless said mfr then maintains a database of settings, and well, think of the world of problems that leakage can create.

      1. Anonymous Coward
        Anonymous Coward

        Re: Well...

        Sky's current 'best ever router' piece of crap only accepts alpha-numeric wifi passwords. Their router is the main reason I'm about to ditch them. Easy enough to pick any old shortcut, or text file - preferably unique - and use it's SHA-1, but I like squiggly bits and cartoon profanity too much.

        1. Missing Semicolon
          Happy

          But alphanumeric passwords are all you need...

          obligatory

        2. Anonymous Coward
          Anonymous Coward

          Re: Well...

          If it's alphanumeric, then it may be limited to hexadecimal character (0-9, A-F). I use a hexidecimal key, but it's also 64 characters long: reaching the key's size limit of 256 bits (it's not worth making a password that digests to something larger than the actual key). I also prudently only allow WPS by push-buton (which requires physical presence to engage).

  3. Yugguy

    HomeHub 5 is the most secure system in the WORLD

    My BT HH5 has given up giving out dhcp addresses and won't accept any new manual IPs.

    It's the future folks.

    1. Khaptain Silver badge

      Re: HomeHub 5 is the most secure system in the WORLD

      @Yugguy

      So how do add new devices, do you have to eliminate an existing one first ? How do you protect against IP Spoofing ? Are MAC addresses also locked down ?

      1. TRT Silver badge

        Re: HomeHub 5 is the most secure system in the WORLD

        I think that is not a design feature...

        1. John Tserkezis

          Re: HomeHub 5 is the most secure system in the WORLD

          "I think that is not a design feature..."

          It isn't a design feature that some cars rust to bits 10 years into their life either.

          But they still consistently do. By that virtue, it becomes a feature.

    2. Stacy

      Re: HomeHub 5 is the most secure system in the WORLD

      My parents router does this often (meaning they cant use their Skype cam to see their grandchild - almost the only reason they have an Internet connection)

      The only solution I found is to turn it off, wait then turn it back on. Wait for all the connection lights to come on. Then (no that doesn't fix it!) perform a soft reset and wait again.

      Why off and on doesn't work, or why the soft reset on its own doesn't work, I have no idea (except that it's the worst router I've ever had the misfortune to use! WiFi performance is so poor that we don't bother trying any more when we visit - just use the ethernet cable and he off of the grid for most of the visit).

      Called BT but they have no idea what a Dhcp server is, let alone how to fix I. One of their engineers (their to fix a broken BT vision box) even said the problem was caused by network cables being plugged into the router and that only the WiFi should be used (forgetting that the BT vision box *has* to be plugged in via cable and screwing up the Skype cam in the process).

      1. Charles 9 Silver badge

        Re: HomeHub 5 is the most secure system in the WORLD

        Sounds like the router's overloading. I noticed many old routers start giving up the ghost or going berserk when newer security protocols were mandated. I had to retire an old D-Link because it kept resetting. It was my cue to move up to more recent hardware.

        I'd have a good long look at it. If it keeps crashing or resetting, it's probably overloaded and it may be time to replace the kit.

        1. Stacy

          Re: HomeHub 5 is the most secure system in the WORLD

          Seeing that BT insist on updating it OTA (which then kills the configuration) I wouldn't be surprised if they have done something. But it has never worked well since they got it. If I lived closer I would sort it for them (or replace it with a decent Adsl router - assuming that wouldn't kill their BT vision box). But only going once a year makes that hard to do.

  4. Rabbit80

    How many routers are configured to allow external access?

    To break into the router, first you have to hack the WiFi - and if the WiFi is broken, the attacker can cause all sorts of mischief anyway!

    Seems like a non-issue to me unless external access is granted to your router configuration.

    1. Khaptain Silver badge

      Hacking into the Wifi won't give you access to the router, it will only give you access to the LAN. There is no relation between the PSK Wifi key ( WPA or whatever) and the Admin/Password of the router.

      1. TRT Silver badge

        But there are many routers set up in such a way, by default, that the administration system is only available from the LAN, and that account has a default password. So once you have the WiFi password, you are in and able to administrate, change DNS/default route etc.

        1. Khaptain Silver badge

          @TRT

          But aren't those routeurs also the ones that provide the 16 character random Wifi keys, they are not so easy to attack using rainbow/dictionary attacaks. They would actually require a much more determined attack in which case user home security is not a major problem for the hacker anyway.

          1. Anonymous Coward
            Anonymous Coward

            But once you're in the LAN, you can pwn one of the attached machines and leave a backdoor in it, allowing you to come back later and attack the router at a more leisurely (and more difficult to trace) pace.

      2. phuzz Silver badge

        There shouldn't be a relation between the Wifi key, and the password for the router's admin pages, but I'm sure they're identical in many homes. (Have you ever tried explaining the difference to a non technical person?)

  5. Anonymous Coward
    Anonymous Coward

    And how many routers out there haven't had their firmware updated in aeons leaving routers wide open to hacking bugs. That's assuming the consumer grade router suppliers have provided support for the more than the usual two weeks from release, looking at you netgear !

    1. K Silver badge

      Have an upvote for mentioning about firmware updates. But I'd disagree on the support front, Netgear have been quite good with this, I've seen upgrades 2-3 years after I brought the equipment.. though finding the firmware can be a little tricky.

      One interesting question off the back of this is educating users to life expectancy and maintenance of equipment, older generations pride themselves on "looking" after stuff and use it until its given up the ghost. Whilst this is good from a resource usage perspective, most of them will not be aware of the pitfalls.. i.e. the risks!

      1. Anonymous Custard Silver badge

        Or alternatively DD-WRT or OpenWRT.

        Have to say also no complaints about my Netgear - it even seeks and downloads new firmware itself, and when all is ready lets me know that it's available to pull the trigger on the upgrade (or not if you so wish). OK the quality of the firmware has a couple of times given issues (killing 5GHz connectivity at worst), but older firmware is downloadable from their website.

        1. John Tserkezis

          "Or alternatively DD-WRT or OpenWRT."

          Honestly, I've never seen them as options. Any and all firmwares they have available are for hardware revisions that are no longer available, or if you're *really* lucky, there might be a highly expermental version.

          Don't get me wrong, they all do bloody good work, all very worthy and valuable, but, I'm not buying second hand gear with the risk of the hardware revision being one sub-number off, just to get a feature I might be able to get elsewhere anyway.

    2. Anonymous Coward
      Anonymous Coward

      @k

      Granted things have a certain end of life, but netgear really peed me off with no updates for DGN3500 in less than a year, however North America firmware got a little longer. Decided to buy a Draytek in the end. Solid router and get firmware updates for a long time, eg 2820 still getting firmware updates after 7 years !

      @AC

      Would have loved to put DD-WRT or OpenWRT. on the DGN3500 but it's not supported by any open firmwares.

      1. Anonymous Coward
        Anonymous Coward

        Same for my R7000 (at the time I got it, it was pretty top of the line for a home router, with triple-antenna ac wireless and a beefy CPU). Alternative firmware is sketchy and seems to be missing things I get now and use. The stock firmware's fine for now, and since it's a high-end they're still updating it regularly. I just can't use its VPN mode at present because OpenVPN on Android only has preliminary TAP mode support.

  6. frank ly

    MAC address whitelist filter

    That's what I use on my old router, but I realise that many people wouldn't have a clue where to start. I also realise that a serious and well equiped hacker would be able to sniff my WiFi devices MAC addresses; but there are further layers of protection as well as a 'strong' password.

    1. Yet Another Anonymous coward Silver badge

      Re: MAC address whitelist filter

      But somewhat pointless if the router handed out by the millions by your cable co can be hacked by a simple buffer overflow on the public side anyway.

      1. Khaptain Silver badge

        Re: MAC address whitelist filter

        I went and googled "buffer overflow home router", it came back with some scary results....

    2. chivo243 Silver badge
      Go

      Re: MAC address whitelist filter

      @Frank ly

      Yes, the whitelist! The only way to fly. I like to know who is on my home network.

    3. phuzz Silver badge
      Linux

      Re: MAC address whitelist filter

      You don't have to be well equipped to sniff MAC addresses, or even that knowledgeable. A laptop and the right linux distribution is about all you need.

  7. Anthony 13

    Is there a legal advantage to your neighbour ...

    ... using your WiFi* i.e. an IP address is not a person! Should we all in fact be running open guest networks with the bandwidth locked right down?

    This is not advice, merely an observation ... I take no responsibility for any negative repercussions...

    * To be a pedant, this article (despite its headline) is really about router security not WiFi.

    1. Ken Hagan Gold badge

      Re: Is there a legal advantage to your neighbour ...

      It depends where you live. In the UK, you'd probably be busted for negligently helping terrorists in some way.

      Joking apart (hey, Mrs May, I *was* joking, whatever you might think) the main downside of this approach is that your neighbours will use up your monthly bandwidth allowance downloading stuff.

  8. Anonymous Coward
    Anonymous Coward

    begin flaming

    I live in a grade 2 listed house with single glazed windows. It would be trivial for somebody to break into my house and steal my car keys. I.e. if you're close enough to meddle with my wifi then you're low on my list of potential threats.

    1. Khaptain Silver badge
      Coat

      Re: begin flaming

      When a Paedo Terrorist Wife Beating Police and Government Hater hacks your home network and starts downloading/uploading some nasty child/woman/torture pics and or terroristic bomb making instructions using your email address and details, along with photos of your wife/children/dog all having an intimate moment and then uses your personal banking details to pay for some underage drug dealing prostitute to come over to your house in a stolen Mercedes, then you might start to realise how important your Wifi password truly is.

      Yes, Sir, that truly is a daily, nigh hourly, occurence in some parts of Britain. We really do live in dangerous times.

      Signed

      The Daily Mail Reader Club President

  9. Anonymous Coward
    Anonymous Coward

    New modem/router and securit

    Recently had to get a new modem/router as lightening took the old one out in spectacular style. Could not connect to the new one over wifi as it needed to be "set-up". Required a load of fields to be input and the you had to set a new admin password and this was all before connecting to the ISP. Looks like it used the form fields to identify name, address, area, etc and all these were banned from the password, or any combinations of them. Also insisted on a password of 8 characters or more with the usual 1 capital letter, 1 number, 1 special character and what knocked me, no numbers or letters in sequence in either alphabet or on the keyboard. Really had me thinking before I could come up with a decent one (password, that is). Still after setup, discovered I could only log into the modem/router through the cat5 cabling as wifi would not allow you to login - login to modem / router was disabled over wifi. Had to enable it. Talk about locking something down. Best I have seen so far and since I got it up and working, no issues, no re-boots, things just work and everybody in the house loves it. Also, its a nice looking black box, with green leds to indicate what is going on. Leave it sitting there in the corner doing its own business and firmware updates are as simple as anything. But bugger me, I cannot remember who makes the thing.

    1. Anonymous Coward
      Anonymous Coward

      Re: New modem/router and securit

      Come on - you must have checked by now? :)

  10. Michael H.F. Wilkinson Silver badge
    Happy

    Plus ce change, plus c'est la même chose

    Ah, reminds me of an old BOFH episode

    "But I like the word Maggot!"

    "And I like the words Grievous Bodily Harm, but I don't use them as a password. Not any more, anyway. "

  11. Mark Allen

    The default IP Addresses just as bad

    Most routers sit on 192.168.1.1 or 192.168.0.1 by default. A small number are on 192.168.1.254. And Belkins are (used to be) on 192.168.2.1

    This makes it trivial to send commands to the routers from a web page from the User's own PC from within the LAN. Visit a website, and it could well be issuing a command to your router using plain old HTML.

    1. Anonymous Coward
      Anonymous Coward

      Re: The default IP Addresses just as bad

      Well, the address ranges can't be helped. 192.168/16 is the designated C-class private address range. Any router outside yours that gets such an address is supposed to drop it, so it's a security feature. Even if your router tried a different address (BTW, most allow you to set it within reason), it wouldn't be hard for a malware to do an exhaustive search of 65,536 possible IPs, plus most can figure it out based on the victim's own IP (which normally has to have the same subnet to be visible on the router's network). The attack you describe appears to be based on cross-site scripting and can probably be mitigated by two things: (1) a router with a short timeout period, meaning an attempt to hit the router discretely results in either a password prompt or a 401 error, and (2) a browser savvy to XSS attempts.

    2. John Tserkezis

      Re: The default IP Addresses just as bad

      "This makes it trivial to send commands to the routers from a web page from the User's own PC from within the LAN."

      I'll give you a hint, it doesn't matter. If someone has physical access to your equipment, they already own it.

      This is why corporates lock up their servers from all but the few key personel. If your only option is to break in via the network, it's much harder.

  12. Anonymous Coward
    Anonymous Coward

    Confustion

    Virgin's Superhub has a guest account that is "safe"

    How is it safe ?

    http://help.virginmedia.com/system/selfservice.controller?CMD=VIEW_ARTICLE&ARTICLE_ID=3098&CURRENT_CMD=SEARCH&CONFIGURATION=1001&PARTITION_ID=1&USERTYPE=1&LANGUAGE=en&COUNTY=us&VM_CUSTOMER_TYPE=Cable

    1. Missing Semicolon
      Devil

      Re: Confustion

      Completely useless.

      You set it up, then a few weeks later, a firmware upgrade busts the device back to factory settings.

      Again.

      1. Charles 9 Silver badge

        Re: Confustion

        That's why they tell you to back up the settings before applying an upgrade. That way, even if the upgrade borks them, you can restore them from the backup.

        1. John Tserkezis
          Facepalm

          Re: Confustion

          "That's why they tell you to back up the settings before applying an upgrade."

          I've just upgraded the firmware on a box that warned me if I had a stored setup file that was created with an earlier firmware version, it won't be accepted now, due to certain security change requirements.

          So, you write things down, resulting in a long winded and painful restore - worse still if you didn't read the firmware revision notes beforehand. Ironicaly, that's what the stored setup file was supposed to cure.

          A forehead slap moment if there ever was one.

  13. Anonymous Coward
    Anonymous Coward

    lightening?

    "New modem/router and securit

    Recently had to get a new modem/router as lightening took the old one"

    Do you mean lightning?

    Lightening is what Michael Jackson used to use.....

  14. R0b07

    Virgin Media

    Im using the credentials written on the back of my Virgin media "HomeHub" because every time I change any settings it resets itself within two hours and all of my devices loose connection. I tried putting it in modem only mode and using my tomatoed WRT54g instead but for some reason even that did not work. I decided that it was a faulty modem so it err fell on the floor and stopped working, Richard sent me a new one and it does the same thing.

  15. Anonymous Coward
    Anonymous Coward

    my modem/router is 'telco property'

    and my newest device has an unknown amount of admin accounts on the WAN side. so I turn off its Wi-Fi/remove antenna & use its capacity as a router to connect a single cat5e to my 'real' ASUS dual-core cpu router, which then DHCP supplies all the devices in the house, double NAT of course. This seems to be the best compromise between safety & security. in-home Wi-Fi obviously uses WPA2+AES, (not AES+TKIP as there's a downgrade attack) with "Correct Horse Battery Staple" as the password. With really thick house-walls I gave up trying to blast watts of Wi-Fi through them & replaced the kilometre of TV coax run through the walls with cat5e instead, now using multiple old routers, about 6 of them, as low-power Wi-Fi access points. DD-WRT on those that support it allow great flexibility.

    remember, should you occasionally use bit-torrent to update/upgrade your linux distros that crappy routers can't really handle the 200+ threads that a BT session opens - so they choke - requiring a power-cycle to erase the NAT table; whereas for the same device with DD-WRT firmware this can handle 4k threads, and a well resourced new router considerably more!

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2019