back to article ISP TalkTalk's Wi-Fi passwords Walk Walk thanks to Awks Awks router security hole

A years-old vulnerability continues to menace the security of some home Wi-Fi networks in the UK. The WPS feature in TalkTalk's Super Router can be compromised to steal the gateway's wireless network password, according to folks at software development house IndigoFuzz. The British ISP and telco was warned of the shortcoming …

  1. Peter Ford

    Ralink router?

    All the TalkTalk routers I've seen for years have been Huawei - doesn't mean there's not an exploit for them though...

    1. Anonymous Custard Silver badge
      Headmaster

      Re: Ralink router?

      Currently (for home fibre anyway) they're offering D-Link 3782's and Huawei HG633's (and also the HG635 for business, but they seemingly can't/don't/won't offer them to home users any more).

      They've just also brought out a new super hub (a Sagemcom apparently), but if you want one of those as an existing customer you have to shell out £120.

      That said on both the routers whilst WPS is enabled in the configuration that ships, it can seemingly be switched off via the router's web dashboard (as can uPNP). Of course whether that actually does anything physically is another question entirely.

      At least that's my experience in the time between the upgrade to fibre and going out and buying my own Netgear that I could configure how I wanted to and lock down (as my old ADSL one wasn't VDSL compatible).

  2. J. R. Hartley Silver badge

    Reaver

    Easy peasy

    1. Anonymous Coward
      Anonymous Coward

      Re: Reaver

      2014 called and they want their hacking tool back.

      1. J. R. Hartley Silver badge

        Re: Reaver

        2010 called, they want their catchphrases back.

  3. robidy

    Dido - Router for rent?

    Just singin'

    1. Dave K Silver badge

      Re: Dido - Router for rent?

      I want to thank you for giving me free wifi from your house

      Oh just to be online with you is thanks to free wifi from your house

      Push the button, I'm logged in at last cos I'm vulnerable through and through

      Then you handed me your passwords I see all is true

      And even if my router falls down now, I wouldn't have a clue

      Because you've breached me....

  4. Peter X

    Checklist at the ready...

    [ x ] ...we take the security of our customers very seriously...

    [ x ] ...an industry-wide problem that affects all ISPs...

    [ x ] ...we're just here to make money and do as little as possible!

  5. Chozo

    Popped a TT router back in 2016 for educational purposes, hardest part was getting physically close enough to pick up a decent signal without being noticed.

  6. Anonymous Coward
    Anonymous Coward

    WPS/uPNP

    Things you should disable, it goes without saying really though sometimes even disabling WPS makes no difference.

  7. AndrueC Silver badge
    Joke

    Maybe Talk Talk thinks that customers who are still with them must have so little interest in personal security that it's not worth patching.

    1. Ian Emery Silver badge

      Many a word, spoken in jest.........

  8. Anonymous South African Coward Silver badge

    TalkTalk won't TalkTalk.

    1. Symon Silver badge
    2. dotdavid

      They TalkTheTalk but don't WalkTheWalk

  9. Anonymous Coward
    WTF?

    a WPS pairing option that is always turned on

    Bloody hell. I've come across many a crap supplied router and ALL of them you've had to press a button to

    put it into pairing mode.

  10. Doctor Syntax Silver badge

    IndigoFuzz went public immediately because TalkTalk subscribers publicly raised the alarm in 2014 that the WPS feature is insecure they'd have done nothing about it anyway.

    FTFY

  11. Lee D Silver badge

    Turn WPS off.

    Unless it's literally one of those "you need to press a button just as the new client connects" kind of deals.

    Even then, you're taking a risk.

    It's really not the end of the world to put your Wifi passphrase on a QR code and let people scan it when they need it (which should be very rare circumstances).

    Besides, guests should be on separate wireless anyway.

    1. Spacedinvader
      WTF?

      Aye, haud on while I go out and buy a separate router solely for those times mates pop round and want to use my internet rather than their 4G.

      1. MartyOhr

        Talk Talk were so bad at delivering my 'Super'-router that I bought a £20 one from amazon prime, had it delivered the same day and configured it myself. It means that TalkTalk can send me 'updates' like some other ISPs do which would reset all the fine tuning to make it run to perfection.

        I setup a segregated guest wifi network with no password but the bandwidth capped at 300K; enough for a visitor to check facetwitter or email or whatnot; but slow enough to stop someone parking up outside and watching netflix for free.

        Talk Talk's router eventually arrived on the same day that a replacement arrived. They sit unopened in a box somewhere - if anyone wants one let me know.

      2. Lee D Silver badge

        1) Why does printing a QR code need a new router? Just disable WPS.

        2) If your mates can join it without your assistance, so can anyone else.

        3) How often do your mates join it for the first time ever, rather than just have their phones switch to Wifi as they enter your house?

        P.S. Don't use ISP-supplied routers. Not only are they generally the cheapest junk known to man, they suffer from all these kinds of problems. Honestly, if you're even vaguely IT, you bin the router they give you and put a proper one in (which isn't expensive... £40/50?) on day one of a connection and then have it follow you whenever you move.

        P.P.S. Guess what most ISPs give you on their default routers? A little card with a QR code that has the default wifi details for your router. Even my dad knows that, and he slides it out for any guests that need access.

        1. This post has been deleted by its author

        2. Martin-73 Silver badge

          Not all ISP supplied routers are crap. A&A supply (currently) a Zyxel VMG3925-B10B which is around the 70-80 pound mark with their home::1 tariff if you sign up for a year. :)

          Admittedly they're hardly the 'typical consumer isp'

  12. jonha

    Get a decent 3rd party router and switch off all Wifi functions...

    ... on the supplied modem/router. That's what I've done for years and years, mainly for security reasons but also because a stand-alone router tends to have better WiFi speeds. (I swear by Asus but there are other good brands.)

    1. Lee D Silver badge

      Re: Get a decent 3rd party router and switch off all Wifi functions...

      Yep.

      In the same way that a TV is just a display device now, and I don't need all the gumpfh built in because of the number of other boxes I have that can do that and which are already set-up to do so, any ISP router is just "an Internet connection" and I have all my usual systems behind that and turn off everything but the Internet on the given router (e.g. go into modem mode, etc.). I used a WRT54G for years, through several house moves, it literally didn't matter what the Internet connection actually was, everything in the house "just worked". Then moved to a Draytek Vigor, same thing. When the line went down, switch to 4G, carry on on all devices as per normal.

      Same principle in work. One VLAN is "unfiltered Internet". Anything from ADSL/VDSL/leased-line etc. go on that VLAN and present a gateway IP. I then honestly don't care what equipment is required for that, I just have a gateway IP per connection, on a VLAN that nothing else touches, and the router sees that VLAN and sanitises it and offers it out to the network.

      If a connection goes down, a provider is changed, the whole equipment is upgraded? Who cares? So long as it stays on that VLAN, I never have to change any other settings whatsoever.

      And then everything "past this point" is untrusted, unfiltered, potentially hostile traffic, just treat it as such. Everything is secured by my boxes in the middle, and everything on the local network stays the same and safe. And it doesn't matter what crappy devices I have to use to supply the connection at all.

  13. Anonymous Coward
    Anonymous Coward

    From what I can see it appears the vulnerability is for TT's D-link routers and there doesn't appear to be any evidence of the Huawei models HG633 & HG635 being affected.

  14. Tigra 07 Silver badge
    Mushroom

    Can El Reg run a monthly section on the latest hack to affect TalkTalk? They are every month after all.

    I sincerely hope GDPR puts them out of business this year. Can they afford to lose 4% of their yearly turnover every month?

    1. ukaudiophile

      Are you not being somewhat optimistic there? I am sure if you looked back Talk Talk have not had a month where there's only been 1 security flaw found in their system, I'd expect them to get hit with 4% fines several times most months. That's, of course, when they're not hosing down the internet with subscribers personal details for their off shore service office.

      Let's see, 4% fine per GDPR violation multiplied by 400,000 subscriber details being distributed over the internet = Talk Talk out of business.

      Was approached in the street a couple of months ago by an individual representing Talk Talk, asked if I had an internet connection, said they could save me money. They were told I value my personal details such as my bank account details and credit card details too much to have anything to do with their company. Individual looked puzzled so I suggested the Googled Talk Talk data loss and see if they were happy to have their personal details with a company like that.

      1. Anonymous South African Coward Silver badge

        Individual looked puzzled so I suggested the Googled Talk Talk data loss and see if they were happy to have their personal details with a company like that.

        Googled it, seems they had two data losses/breaches...

        1. ukaudiophile

          Yes, two which they've so far admitted, which impacted a mere 207,000 customers including their bank accounts.

          In my books, that level of recklessness means the company should be closed down and I would certainly never trust that company with any of my data. The fact that they outsource to Wipro tells me all I need to know, and the fact Wipro staff used a 'rogue' portal to access customer information which they should have been nowhere near.

          It's the same reason I don't use Facebook, I have zero confidence in my information being protected to a standard I deem adequate.

      2. Tigra 07 Silver badge

        RE: ukaudiophile

        They're always touting for new subscribers in the town centre near me. They're pushy too.

        I've said multiple times i'd never go back to TalkTalk, only to be asked why and given their entire marketing pitch.

  15. Anonymous Coward
    Anonymous Coward

    ISP Routers == security problem

    Seeing as ISP provided routers often provide the ISP's staff direct access to people's internal networks, it's kind of surprising so many IT people still use them.

    If you have to use an ISP supplied router, at least make sure you have a dedicated firewall between it and your internal network.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2019