All the TalkTalk routers I've seen for years have been Huawei - doesn't mean there's not an exploit for them though...
A years-old vulnerability continues to menace the security of some home Wi-Fi networks in the UK. The WPS feature in TalkTalk's Super Router can be compromised to steal the gateway's wireless network password, according to folks at software development house IndigoFuzz. The British ISP and telco was warned of the shortcoming …
Currently (for home fibre anyway) they're offering D-Link 3782s and Huawei HG633s (and also the HG635 for business, but they seemingly can't/don't/won't offer them to home users any more).
They've just also brought out a new super hub (a Sagemcom apparently), but if you want one of those as an existing customer you have to shell out £120.
That said, on both the routers, whilst WPS is enabled in the configuration that ships, it can seemingly be switched off via the router's web dashboard (as can UPnP). Of course whether that actually does anything physically is another question entirely.
At least that's my experience in the time between the upgrade to fibre and going out and buying my own Netgear that I could configure how I wanted to and lock down (as my old ADSL one wasn't VDSL compatible).
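One way to settle the "does the dashboard switch actually do anything" question is to look at what the router broadcasts rather than what its web UI says: an access point with WPS enabled advertises a vendor-specific Information Element (IE) in every beacon, carrying the WSC attributes. The Python below is an added example, not code from the thread; it parses the tagged-IE portion of a beacon and reports whether a WPS IE is present, its configured state and whether AP setup is locked. The two beacon blobs are constructed by hand (the SSID `HomeWiFi` and the rates are made up); in practice the IE bytes would come from a beacon captured with a tool such as tcpdump or Wireshark.

```python
import struct

# Vendor-specific IE tag, and the OUI / OUI type that mark a WPS (WSC) IE
IE_VENDOR_SPECIFIC = 0xDD
WPS_OUI = b"\x00\x50\xf2"
WPS_OUI_TYPE = 0x04          # OUI type 1 on the same OUI is a WPA IE, not WPS

# WSC attribute IDs (16-bit big-endian type, 16-bit length, value)
ATTR_VERSION = 0x104A
ATTR_WPS_STATE = 0x1044        # 1 = not configured, 2 = configured
ATTR_AP_SETUP_LOCKED = 0x1057  # 1 = AP refuses external-registrar PIN attempts


def parse_ies(blob):
    """Split an 802.11 tagged-parameter blob into (tag, value) pairs."""
    ies, i = [], 0
    while i < len(blob):
        if i + 2 > len(blob):
            raise ValueError(f"truncated IE header at offset {i}")
        tag, length = blob[i], blob[i + 1]
        value = blob[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError(f"truncated IE body at offset {i}")
        ies.append((tag, value))
        i += 2 + length
    return ies


def parse_wps_attrs(payload):
    """Decode the TLV attribute list inside a WPS IE into {attr_id: value}."""
    attrs, i = {}, 0
    while i < len(payload):
        if i + 4 > len(payload):
            raise ValueError(f"truncated WSC attribute header at offset {i}")
        attr_id, length = struct.unpack_from(">HH", payload, i)
        value = payload[i + 4:i + 4 + length]
        if len(value) != length:
            raise ValueError(f"truncated WSC attribute body at offset {i}")
        attrs[attr_id] = value
        i += 4 + length
    return attrs


def _first_byte(attrs, attr_id):
    value = attrs.get(attr_id, b"")
    return value[0] if value else 0


def wps_status(ie_blob):
    """Report whether a beacon's IEs advertise WPS, and in what state."""
    for tag, value in parse_ies(ie_blob):
        if tag != IE_VENDOR_SPECIFIC or len(value) < 4:
            continue
        if value[:3] != WPS_OUI or value[3] != WPS_OUI_TYPE:
            continue
        attrs = parse_wps_attrs(value[4:])
        state = _first_byte(attrs, ATTR_WPS_STATE)
        version = _first_byte(attrs, ATTR_VERSION)
        return {
            "advertised": True,
            "state": {1: "not configured", 2: "configured"}.get(state, "unknown"),
            "locked": _first_byte(attrs, ATTR_AP_SETUP_LOCKED) == 1,
            "version": f"{version >> 4}.{version & 0xF}",
        }
    return {"advertised": False, "state": None, "locked": None, "version": None}


# --- constructed sample beacons (not real captures) -------------------------
def ie(tag, value):
    return bytes([tag, len(value)]) + value


def attr(attr_id, value):
    return struct.pack(">HH", attr_id, len(value)) + value


# SSID + supported-rates IEs followed by a WPS IE: state "configured", unlocked
BEACON_WPS_ON = (
    ie(0x00, b"HomeWiFi")
    + ie(0x01, b"\x82\x84\x8b\x96")
    + ie(IE_VENDOR_SPECIFIC, WPS_OUI + bytes([WPS_OUI_TYPE])
         + attr(ATTR_VERSION, b"\x10")
         + attr(ATTR_WPS_STATE, b"\x02")
         + attr(ATTR_AP_SETUP_LOCKED, b"\x00"))
)

# Same AP with WPS really off: only a WPA IE (OUI type 1) on the Microsoft OUI
BEACON_WPS_OFF = (
    ie(0x00, b"HomeWiFi")
    + ie(0x01, b"\x82\x84\x8b\x96")
    + ie(IE_VENDOR_SPECIFIC, WPS_OUI + b"\x01" + b"\x01\x00")
)

if __name__ == "__main__":
    print("WPS on :", wps_status(BEACON_WPS_ON))
    print("WPS off:", wps_status(BEACON_WPS_OFF))
```

If the dashboard toggle is honoured, the WPS IE disappears from the beacons and `wps_status` reports `advertised: False`; if it is still there with state "configured" after the reboot, the setting was cosmetic.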
I want to thank you for giving me free wifi from your house
Oh just to be online with you is thanks to free wifi from your house
Push the button, I'm logged in at last cos I'm vulnerable through and through
Then you handed me your passwords I see all is true
And even if my router falls down now, I wouldn't have a clue
Because you've breached me...
Turn WPS off.
Unless it's literally one of those "you need to press a button just as the new client connects" kind of deals.
Even then, you're taking a risk.
It's really not the end of the world to put your Wifi passphrase on a QR code and let people scan it when they need it (which should be very rare circumstances).
Besides, guests should be on separate wireless anyway.
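The QR-code suggestion above relies on the `WIFI:` payload format that phone camera apps understand (`WIFI:T:WPA;S:<ssid>;P:<passphrase>;;`), in which `\`, `;`, `,`, `"` and `:` inside the SSID or passphrase must be backslash-escaped. The Python below is an added example, not from the thread, that builds such a payload and parses one back, including the escaping that a naive string-join gets wrong and the open (`nopass`) case for a separate guest network. The SSID and passphrase values are constructed; the code produces only the text that would be encoded, so any QR generator can render it.

```python
# Characters that must be backslash-escaped in WIFI: payload values
ESCAPE_CHARS = '\\;,":'
AUTH_TYPES = ("WPA", "WEP", "nopass")


def _escape(text):
    return "".join("\\" + c if c in ESCAPE_CHARS else c for c in text)


def _unescape(text):
    out, i = [], 0
    while i < len(text):
        if text[i] == "\\" and i + 1 < len(text):
            out.append(text[i + 1])
            i += 2
        else:
            out.append(text[i])
            i += 1
    return "".join(out)


def _split_unescaped(text, sep):
    """Split on sep, ignoring separators that are backslash-escaped."""
    parts, buf, i = [], [], 0
    while i < len(text):
        c = text[i]
        if c == "\\" and i + 1 < len(text):
            buf.append(text[i:i + 2])   # keep the escape pair for _unescape
            i += 2
            continue
        if c == sep:
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(c)
        i += 1
    parts.append("".join(buf))
    return parts


def build_wifi_qr(ssid, passphrase=None, auth="WPA", hidden=False):
    """Return the WIFI: payload string for an SSID/passphrase pair."""
    if auth not in AUTH_TYPES:
        raise ValueError(f"auth must be one of {AUTH_TYPES}")
    if not ssid:
        raise ValueError("SSID must not be empty")
    fields = ["T:" + auth, "S:" + _escape(ssid)]
    if auth == "nopass":
        if passphrase:
            raise ValueError("open network must not carry a passphrase")
    else:
        if auth == "WPA" and not (8 <= len(passphrase or "") <= 63):
            raise ValueError("WPA passphrase must be 8 to 63 characters")
        fields.append("P:" + _escape(passphrase))
    if hidden:
        fields.append("H:true")
    return "WIFI:" + ";".join(fields) + ";;"


def parse_wifi_qr(payload):
    """Parse a WIFI: payload back into its fields (inverse of build_wifi_qr)."""
    if not payload.startswith("WIFI:"):
        raise ValueError("not a WIFI: payload")
    fields = {}
    for part in _split_unescaped(payload[len("WIFI:"):], ";"):
        if not part:
            continue                      # the trailing ';;' yields empty parts
        if len(part) < 2 or part[1] != ":":
            raise ValueError(f"malformed field: {part!r}")
        fields[part[0]] = _unescape(part[2:])
    return {
        "ssid": fields.get("S"),
        "passphrase": fields.get("P"),
        "auth": fields.get("T", "nopass"),
        "hidden": fields.get("H") == "true",
    }


if __name__ == "__main__":
    # Constructed values: a passphrase full of the characters that need escaping
    payload = build_wifi_qr("Guest Net", 'p;ss"w:rd')
    print(payload)
    print(parse_wifi_qr(payload))
    print(build_wifi_qr("Open Guest", auth="nopass"))
```

The round trip matters because a payload built without escaping silently truncates at the first `;` in the passphrase, and the phone reports a wrong-password error rather than a parse error.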
TalkTalk were so bad at delivering my 'Super'-router that I bought a £20 one from Amazon Prime, had it delivered the same day and configured it myself. It means that TalkTalk can send me 'updates' like some other ISPs do which would reset all the fine tuning to make it run to perfection.
I set up a segregated guest wifi network with no password but the bandwidth capped at 300K; enough for a visitor to check facetwitter or email or whatnot; but slow enough to stop someone parking up outside and watching Netflix for free.
TalkTalk's router eventually arrived on the same day that a replacement arrived. They sit unopened in a box somewhere - if anyone wants one let me know.
1) Why does printing a QR code need a new router? Just disable WPS.
2) If your mates can join it without your assistance, so can anyone else.
3) How often do your mates join it for the first time ever, rather than just have their phones switch to Wifi as they enter your house?
P.S. Don't use ISP-supplied routers. Not only are they generally the cheapest junk known to man, they suffer from all these kinds of problems. Honestly, if you're even vaguely IT, you bin the router they give you and put a proper one in (which isn't expensive... £40/50?) on day one of a connection and then have it follow you whenever you move.
P.P.S. Guess what most ISPs give you on their default routers? A little card with a QR code that has the default wifi details for your router. Even my dad knows that, and he slides it out for any guests that need access.
... on the supplied modem/router. That's what I've done for years and years, mainly for security reasons but also because a stand-alone router tends to have better WiFi speeds. (I swear by Asus but there are other good brands.)
In the same way that a TV is just a display device now, and I don't need all the gumpfh built in because of the number of other boxes I have that can do that and which are already set up to do so, any ISP router is just "an Internet connection" and I have all my usual systems behind that and turn off everything but the Internet on the given router (e.g. go into modem mode, etc.). I used a WRT54G for years, through several house moves; it literally didn't matter what the Internet connection actually was, everything in the house "just worked". Then moved to a Draytek Vigor, same thing. When the line went down, switch to 4G, carry on on all devices as per normal.
Same principle in work. One VLAN is "unfiltered Internet". Anything from ADSL/VDSL/leased-line etc. goes on that VLAN and presents a gateway IP. I then honestly don't care what equipment is required for that, I just have a gateway IP per connection, on a VLAN that nothing else touches, and the router sees that VLAN and sanitises it and offers it out to the network.
If a connection goes down, a provider is changed, the whole equipment is upgraded? Who cares? So long as it stays on that VLAN, I never have to change any other settings whatsoever.
And then everything "past this point" is untrusted, unfiltered, potentially hostile traffic, just treat it as such. Everything is secured by my boxes in the middle, and everything on the local network stays the same and safe. And it doesn't matter what crappy devices I have to use to supply the connection at all.
Are you not being somewhat optimistic there? I am sure if you looked back TalkTalk have not had a month where there's only been 1 security flaw found in their system; I'd expect them to get hit with 4% fines several times most months. That's, of course, when they're not hosing down the internet with subscribers' personal details for their offshore service office.
Let's see, 4% fine per GDPR violation multiplied by 400,000 subscriber details being distributed over the internet = TalkTalk out of business.
Was approached in the street a couple of months ago by an individual representing TalkTalk, asked if I had an internet connection, said they could save me money. They were told I value my personal details such as my bank account details and credit card details too much to have anything to do with their company. Individual looked puzzled so I suggested they Google the TalkTalk data loss and see if they were happy to have their personal details with a company like that.
Yes, two which they've so far admitted, which impacted a mere 207,000 customers including their bank accounts.
In my books, that level of recklessness means the company should be closed down and I would certainly never trust that company with any of my data. The fact that they outsource to Wipro tells me all I need to know, and the fact Wipro staff used a 'rogue' portal to access customer information which they should have been nowhere near.
It's the same reason I don't use Facebook, I have zero confidence in my information being protected to a standard I deem adequate.
Seeing as ISP provided routers often provide the ISP's staff direct access to people's internal networks, it's kind of surprising so many IT people still use them.
If you have to use an ISP supplied router, at least make sure you have a dedicated firewall between it and your internal network.
Biting the hand that feeds IT © 1998–2019