back to article UK's most popular Wi-Fi router defaults to insecurity

From the folks at security think tank GNUCitizen comes yet another demonstration of the insecurity that's present by default in the UK's most popular home broadband router. By default, the BT Home Hub, which is manufactured by Thomson/Alcatel, uses a weak algorithm to generate keys used for locking down a Wi-Fi network. So …

COMMENTS

This topic is closed for new posts.
  1. Martin Edwards

    Still more secure than most

    Much as I dislike the Home Hub, it must be pointed out that the fact it actually ships with a pre-set WEP key makes it more secure than most home routers on the market, which come with blank passwords. And my experience is that the average user leaves them this way.

  2. Anonymous Coward
    Paris Hilton

    Love it

    "NETGEAR" is my isp! At least this way there's a few seconds of a challenge first, and maybe some kind of legal mumbo jumbo involved before you add a couple more megabits to your connection pool.

    Paris knows all about leeching from society...

  3. IR

    Not Belkin then?

    It seems that everywhere I go, my laptop will find an unsecured network called Belkin54g

  4. dervheid
    Alert

    BT 'product' "not secure"?

    Exactly WHAT part of this were we supposed to be surprised by.

    Of course, this sort of story will NEVER reach the mainstream public, a bit like their other little 'security' issue!!

  5. Stephen

    This is not a surprise.

    The BTHomeHub is awful, even the BT engineers say it's crap.

    My line gets about 512K on the home hub, 1.5Mb with my Draytek Vigor 2910 and Vigor 100 (2910 is a dual WAN Router, the 100 is an ADSL/2+ modem).

    Mind you, even the 2910 defaults to no wireless security (though it is off by default). Makes no difference though, if you try to crack into the home hub chances are it will just lock up before you manage to get in...so you *could* say it is the most secure router out there, in a f****d up kind of way.

  6. Anonymous Coward
    Anonymous Coward

    Given that most ISPs now provide 'setup software' with their routers...

    ...I don't know why they don't allow (aka force) preople to specify their own WPA (or WEP, if you must) keys when they install the kit.

  7. Thomas Jolliffe
    Boffin

    Average users

    @Martin Edwards: Really? I tend to find most are either set up by someone who vaguely knows what they're doing OR by someone who doesn't know anything and thus studies the manual in great detail. Most (if not all) router manuals stress from the get-go that wireless needs to be secured - having once gone wardriving for a laugh, every single Home Hub was using WEP - while that's not necessarily with the stock key, I'm willing to be it is in 99.9% of cases. There are always a few NETGEAR, belkin54g, etc unsecured, but they really are in the minority.

  8. Anonymous Coward
    Alert

    never told us...

    pity they've not passed that information on to the contnract engineers who work on BT's broadband installatiion / home computer service. Having said that, we warned then over a year ago that sending out home hubs with 40-bit WEP encryption was stupid. They ignored us of course.In fact we were under strict instructions NOT to change the WEP settings, presumably so that the service centre bods had an easy life when customers called in with connection problems. (The WEP key is printed on the back of the hub)

  9. James

    I can only see networks called "Sky" from here

    WEP encrypted too... netgear dg834 me thinks

    Until the tool does get released WEP is still better than nothing, you do at least require *some* knowledge to get at a WEP protected network, you just need a computer and one hit with the clue bat to get at an unprotected one. My router came defaulted to no protection, but at least the wifi was turned off. 9 times out of 10 Joe Bandwidth Stealer is going to go for the unprotected network rather than the WEP one, he only goes for the WEP one because he wants to show off.

  10. Julian Bond
    Go

    Here we go again.

    OMG! Shock Horror! Leave your wifi AP open and bad things will happen to you!

    Such a shame that we can't spread the idea that you should deliberately make your WiFi open and give it an SSID of "Your Address - Open". Go back 5 years and there was a possibility that things like NoCat would make it reasonably easy to offer open access reasonably securely with logging and such like. Even with FON, this never really happened.

    I for one want to live in a world where the Dlink-Linksys-Belkin default open access community is everywhere. So can we please stop making it easy for the average man in the street to secure their Wifi?

  11. Anonymous Coward
    Thumb Up

    What can't they...

    do like the Orange Livebox?

    It comes (now) on with WPA on as standard, but even if this was cracked its not a big deal.

    I run WEP (some device don't use WPA), but the box has one great feature.

    The live box is automatically configured to only allow new devices to connect for a couple of minutes after a reset or by pressing a button. After that, even a correctly set up device cannot attach.

  12. Nano nano

    Don't forget the USB ADSL dongles

    which I would imagine are behind most of the zombie botnets connections in the world .... offering as they do a backdoor without firewall into the PC.

  13. Stephane Mabille
    Unhappy

    Thomson fixes

    The biggest problem so far is that Thomson seems unable to fix any of the bugs reported. I'm using a 780WL (was their "top-of-range" box), there are several BIG bugs (like SIP account not registering on router restart), easily reproducible crash bugs, etc.... that have never been fixed.

    If you check the Bethere forum (they are also using the Thomson boxes) you'll see an endless list of bugs...

    I suspect that Thomson took over the product form Alcatel, probably not the team and is now left with was is likely to be a badly documented, hard to debug code. And as long as people like BT are ordering the boxes (and debug/workaround the issues by themself) I'm not really sure they are motivated to do anything!

    The router has a lot of great features (especialy for a consumer box), too sad the support is SOOOOOOO poor.

  14. dervheid
    Thumb Up

    @ stu reeves

    You CAN alter the pairing time on the Orange (Wanadoo) Livebox by going into the configuration. This can be set to up to 60 minutes. (well, it can on mine, the one with the fucking irritating pulsasting light! Thank fuck they let you turn THAT off!) I'd change the default password there too,. but I'd imagine you've already done that. Just a shame you can't change the default username, it's not exactly had a great deal of thought put into it.

    I too have begun to see a profusion of "SKY...." boxes appearing in my neighbourhood. Looks like Uncle Rupe's making inroads in the "Total World Media Domination" masterplan!

  15. Gordon Pryra
    Flame

    People expect some form of security from BT?

    I thought the whole mantra of the company was "zero privacy". Tying in nicely, with their relationship with Phorm.

    These aren’t problems with the home hub; they are designed to be totally open

  16. Jacob Reid
    Alert

    Security risk

    Don't forget that having a BT HomeHub leaves you open to a much bigger security risk - BT selling your browsing data to a spyware company.

    Anyone who still has BT as an ISP almost deserves to get their wireless network cracked.

  17. Anonymous Coward
    Heart

    Netgear

    I luv my netgear router, its got the most secure wireless connection point in the world because i keep it turned off XD

    wireless is overrated nowadays and its still faster to stream vids and music over a hard wire connection

    anonymously post since i don't want ppl cracking my unprotected upnp

  18. Anonymous Coward
    Coat

    Channeling Harry Hill

    But which is faster...

    80 password guesses, or 2 minute WEP password cracking (http://www.youtube.com/watch?v=d7tpl77VwO4).

    FIIIGHT!

  19. Anonymous Coward
    Anonymous Coward

    @ Stu Reeves

    actually the Orange Livebox comes with both WEP and WPA enabled, however this causes confusion to some computers and you often have to turn onef o them off.

    Where the Livebox DOES have an ace card is that you only have a time e to "pair" a wireless network card and the router after you press a button on the back. After the timeout you cannot connect - even with the right WEP/WPA key

  20. paul
    Stop

    WPA support isn't everywhere

    Nintendo DS for example, doesn't support it.

    So many have problems with their WI-FI its not surprising that most dont come with security in mind , but rather ease of setup.

  21. Anonymous Coward
    Anonymous Coward

    @ dervheid - Sky boxes

    you see lots of SKY routers because Sky appear not to tolerate other routers on their Network

    I was recently requested by a customer to set up her existing router on a new Sky account (it was a better model than the SKy-supplied Netgear) and Sky helpdesk refused any information regarding required logn / authentication details. All I got was a comment "you can only use one of our routers on our service. The software of the Sky box has been bastardized so the logon details are hidden: I've not found a way round this yet.

    Any of you Linux bods out there able to hack one and find what is needed to get a non-Sky router working on a Sky ADSL account?

  22. Anonymous Coward
    Anonymous Coward

    @Jacob

    Unfortunately, some of us are still contracted to BT! :(

  23. Simon
    Black Helicopters

    Educate me someone

    Either i'm going to get flamed or someone will not follow my question, umm, here goes.

    There is a lot of talk about WIFI cracking, someone will say "Yeah, theres a website that says it can be done", or "Everyone knows it's not secure" or "It can be cracked in 30 seconds" But all I hear is anecdotes, or I get pointed to some old website showing how to crack a fairly old set up.

    Ive talked in person to people who have told me how easy they are to crack, then I ask them how would they do it and they shrug.

    But has anyone here actually cracked a WIFI signal being generated by a modern up-to-date hub or computer and got in? Is there an epidemic of people having their connections compromised or is it just hype? I'm curious.

    B.T.W I don't use WIFI myself, so i'm asking the question from a "New to the WIFI signal subject".

    First person who points me to a five year old website gets a poke in the eye ;-)

  24. Anonymous Coward
    Stop

    Nintendo only support WEP

    on the DS. So what can anyone do - throw the device away and get a PSP ?

    Mario Karts and other games are better online, my kids would like to continue to be able to play online DS games.

    I guess I could lock down the device by MAC address... though I understand even that is not secure (i.e. can be faked) ?

  25. TimM

    There is a reason

    As I understand it, WPA causes too many headaches for ISPs like BT who would have to deal with people struggling to connect their Wii, PS3, mobile phone, and whatever else. WEP is just simpler to deal with from a support point of view.

    As for security, yes it's a risk, but as 99% of the public are clueless in this regard I should think they're pretty safe as the 1% who might want to go round hacking everyone else is going to have a hard time getting round that 99%. It's like having a Yale lock on your front door. Most burglars can get past them easily but relatively few people really get burgled. Sure you can put deadlocks on your door just in case.

  26. Andy Barratt

    Not as bad as it was

    It used to be the case like previous posters point out that no-one secured their networks, so a quick sniff would result in a list of networks named Linksys etc, all default and unsecured.

    It's not like that at all anymore. I live in a condominium, where I can usually see around 30 to 40 networks at any given time, and not a single one of them is insecure.

  27. Tibb the Cat

    @ simon

    see http://www.grape-info.com/doc/win2000srv/security/airsnort.html

  28. Tibb the Cat

    @ Simon

    heres a dedicated WEP cracking utility, this version dates from 2007

    http://www.security-database.com/toolswatch/AiroScript-Wep-Cracking-Utility-V.html

  29. Anonymous Coward
    Thumb Down

    lol

    less secure than a 2-digit [0-9] combination lock? LOLHAX

  30. Anonymous Coward
    Pirate

    @anon coward hacking sky boxes

    Quick web search will give you the required info. Basically ping the router and save result to a config file to extract the password.

    Your user name is very easy to find. It is the router mac address (handily on the router label) @skydsl.com making it something like

    a3;13;df;4g;5e;1e@skydsl.com.

    Not that I've ever hacked a sky box of course.

    You can even use the sky box with this info. once of course you've flashed the crippleware (sorry firmware) with a newer Netgear version.

  31. George Johnson
    Happy

    The most insecure bit?

    The pillock "plugging" in another device!

    As an exercise, do an NMAP scan of you local subnets outside your firewall at home and you'll see at least 2 in every 100 routers with open ports to remote desktop, open ftps with default passwords, open routers still left with default passwords, I even found a HP printer/scanner plugged straight into an router with no password. There are lists of default passwords for all the major models and makes of routers, it really doesn't take a degree in IT and ten years of security knowledge to break into most home routers.

  32. Clive Smith

    Not quite that easy

    If anyone has actually tried to do a WEP or other crack, they would know that you need the right wifi hardware. You cant just use the cracking software on any old card, they only support certain chipsets. I tried various cards and gave up. Manufactureres stopped making cards with the chipsets and promiscuous drivers ages ago. Simon is right - most people have no idea whats involved.

  33. chris

    I'll challenge anyone

    There's not a hacker in this world who could get onto my wireless network, even if I left it open. Nothing gets through my walls! Seriously, nothing... wireless is only good for the room I am in and if I want to use my mobile I have to go outside. I had to run cat5 to my bedroom so I can use my laptop in bed.

  34. Mark
    Flame

    Most networks have a WEP device.

    Meaning that home networks can't adopt WPA.

    I would love to move to WPA, but my Terratec Noxon boxes are WEP only. I wonder what the legal stance is, for these companies that refuse to do updates or exchange programs for hardware that make your network insecure.

    Are they liable for producing insecure products which open up your home network?

    Despite several emails to Terratec, about Noxon not supporting WEP, they just brush the problem under the carpet...

  35. Andy Moore
    Black Helicopters

    Keeping jobs for the boys

    Whilst in no way questioning the intellect of the boys at this Security think tank, out in the real world I see few unsecured networks anymore.

    At a friends flat in Streatham, London a total of 17 networks are visible on my thinkpad and the only 1 not secured with 128bit WEP or WPA (most were WPA) was the local Oxfam shop (Yes I went down there and helped them get WPA up and running).

    I agree most were running default SSID but does that really matter that much. I use WPA2 with AES but stopped hiding my SSID in the end because it was a pain having to type the SSID and the password on my N95 :-)

    This security think tank sound a bit like the Government to me, lets scare everyone than we can get more funding.

  36. Robin
    IT Angle

    re: Netgear

    > the most secure wireless connection point in the world because i keep it turned off

    Instead of leaving the Wi-Fi permanently switched off, why didn't you just buy a wired router?

  37. Anonymous Coward
    Anonymous Coward

    re: sky routers

    Here's a handy little guide for you AC, courtesy of sky users forum.

    http://www.skyuser.co.uk/forum/extracting-sky-router-passwords/19915-how-obtain-your-username-password-sky-router.html

    Hope this is helpful.

  38. Simon
    Black Helicopters

    @Tibb the Cat

    Thanks for the links.

    Well one piece of software is 3 years old, the other, hmm, slightly newer.

    So have you used them? Did they work? On current equipment I could buy in the shops?

    @El Reg, how about one of you guys have a go. This would be the greatest IT news website ever if one of your writers tried it and wrote an article about it. We need to confirm the truth or dispel the myth about WIFI cracking.

    Me myself (Also what Clive Smith is saying) think this is something the WIFI manufacturers maybe caught onto years ago and have solved.

    Anyhow, continue my education someone.

  39. Anonymous Coward
    Happy

    @Robin

    unfortunately i needed a router badly since my last 1 burned out from all the downloading so i had to do the dirty and get it from Pc World (never again)

    at least now im looking for some proper netgear hardware for a separate dual wan firewall and a stand alone modem to upgrade my net

  40. Steve Renouf
    Linux

    MAC

    I see people constantly going on about the WEP/WPA angle but very few people seem to mention about locking the connection down to specific allowed devices via their MAC addresses. If a hacker can't even connect to the router, how is he going to crack the WEP/WPA key anyway?

    Someone did mention about the possibility of spoofing MAC addresses but they would need to know what MAC addresses are allowed to connect and their associated NAME.

    Well, because I would use Ubuntu all the time if I could.

  41. N

    BT home flub...

    WEP can be cracked in around 1 to 8 minutes with Back Track Linux,

    WPA is more secure but can still be cracked, WPA is not available to BT home flub users unless you flash it to open up their locked down options

    This is, quite frankly not good enough why, is that band of tossers known as BT peddling such junk in the first place?

  42. Anonymous Coward
    Anonymous Coward

    @simon

    Yes, aircrack-ng works fine these days, with fake authentication and ARP injection it cracked my neighbours 128-bit WEP key in a surprisingly quick 4 minutes.

    You'll need an Atheros chipset wireless card (amazon) and have to be comfortable fiddling with Linux.

  43. Tibb the Cat

    @ Simon

    Just fround these, I think they answer your points

    WEP cracking using modern equiment

    http://www.smallnetbuilder.com/content/view/30114/98/

    how the feds do it - a demonstration

    http://www.smallnetbuilder.com/content/view/24251/100/1/1/

    Cracking WPA

    http://www.smallnetbuilder.com/content/view/30278/98/

  44. Tibb the Cat

    @ N

    WPA IS available to Home Hub users - you just have to log onto the advanced admn page and change the settings. No need to flash it

    Its not obvious, but it IS there

  45. Xander Dent
    Stop

    MAC Addresses

    Was going to simply state here that this whole discussion is a waste of time, as blocking all but allowed MAC addy's is far simpler than setting up any sort of encryption, and for the purposes of restricting who's using the wireless connection is more than adequate.

    But, someone beat me to it..

  46. The Mysterious Panda
    Paris Hilton

    @ Xander Dent

    ...oh gosh, you're serious aren't you?

    I'll get my coat - and nip round yours to airodump-ng* your MAC...

    Paris, because for all her (de)faults, I'd still wouldn't say no to airodumping her MAC.

    ----------

    *Ever since 'Google', I've been exploring the beauty of 'verbing' - randomly converting nouns to verbs

  47. Andy
    Happy

    not being funny

    i just wasted 10 minutes concisely and susynctley typing an argument that covered every point made, showing you lot how paranoid you all are, then realised that would take away my fun of watching an afternoons stupidity in the comments section. so who is the more foolish, the fool or the fool that follows him?

    carry on!

  48. Matt
    Paris Hilton

    How about...

    1. Providing a default key (as it is now)

    2. Redirecting the first www connection to the router in order to input a passphrase

    3. Creating a stronger key to cut'n'paste? (WPA unless specified)

    ... This could all be fixed in a simple software update, could it not? (just like the "we changed your admin password to the HH serial number" thing)

    @ All the people with Belkin, Netgear, etc - at least there is *some* security with the Homehub out of the box - think about the average customer here - I've set up over 500 routers and think that Netgears etc are pretty OK - but where's the default security?!!! Even WEP discourages casual connections from the neighbours looking for their daily pr0n.

  49. Graham Bartlett

    Prefer to default to "no protection at all"

    So you get your wireless router. "Great", you think, "now I can work wirelessly." Not so fast, young padawan, because first you need to configure it. "No problems, it's wireless." And you know the passcode to talk to it? "Ah..." Where's your PC? "Upstairs." Where's the router? "Downstairs." And you don't know the passcode, so your PC can't talk to the router? "Err..."

    The sad truth is that unless your wireless router defaults to "wide open, come and get me", there ain't any way your PC upstairs can talk to the wireless router downstairs. If you've got an Ethernet port on your PC then you can bring the router upstairs, plug it in with a Cat5 and set it up that way, then bring it back downstairs. But if you haven't (and many PCs don't come with Ethernet), you're right out of luck.

    Unless your PC can guess what the passcode is. And that's presumably where this comes in. Sure, it ain't bombproof, but it's shipping with enough security that out-of-the-box it's protected, instead of being wide open for a while until you get round to configuring your security.

    Which, per Steve and Xander, should include a MAC address whitelist for most home users.

  50. Anonymous Coward
    Anonymous Coward

    SSID

    One of the things that was mentioned above is hiding your SSID - but surely if you're going to be hacked they really don't need this anyway. And if you do have an obvious SSID (such as an address) any friendly tech can at least easily find you and maybe help fix it?

    As you didn't ask, I use:

    -WPA PSK

    -MAC address filtering

    -default router password changed

    -obscure model of router

    -(hidden SSID)

    That should do the trick shouldn't it?

  51. Matthew
    Paris Hilton

    But I want to be Open

    I actually want to have an unsecured wireless access point to provide a public service for passing phones, DS'es, laptops even. It's easy to set the hardware up so my own network (including another wireless AP but with WPA2) is seperate from it. Is there any way to sensibly achieve this? Do I need hotspot software? RADIUS?

  52. Anonymous Coward
    Anonymous Coward

    Re: SSID

    -WPA PSK (how long is the phrase you used? Ideally 20+ chars and not dictionary-friendly. Using WPA2, if its available? )

    -MAC address filtering (fairly trivial to bypass for any non-casual hacker - basic sniffer and MAC-spoof capable card needed)

    -default router password changed (great, its amazing how often they do this and yet WEP is the old horse that gets beaten to death by the news rags)

    -obscure model of router ( sure why not )

    -(hidden SSID) (utterly trivial to bypass/learn with a sniffer because legitimate clients must specify the SSID in plaintext in probes and associates; it is only useful to hide this to prevent it from being identified in the Windows Wireless Networks list where the slobbering masses can see it and try to connect)

    Forgot: Change the default SSID!!! The SSID can often tell hackers clues about the router brand, the ISP, and even the serial number. Changing it does more for anonymizing you than hiding it. Assuming you're not making it into your full name or SSN.

    Bottom line, WPA-PSK (esp WPA2) with a good key is about as robust as you can get for home use. If they are as capable and determined to crack that, none of the other Mickey Mouse security is comparable. As people have pointed out, they don't ship WPA default because of backward compatibility issues with all the old WEP crapola.

  53. Charles Manning

    @Mark Otway

    The reason routers don't default/force people to be secure is because of resulting tech support costs.

    By defaulting to no security (as all devices I have purchased do), they make the installation easy. If someone gets into trouble they can just poke the "factory reset" thingummy and generally get going easily.

    As others have noted, many/most home setups just run unsecured networks.

This topic is closed for new posts.

Other stories you might like