Oh my ... that's why we need a proper ISP like A&A, who not only generate the password just for your broadband modem, but also go out of their way to help you set up a better one, if you happen to have one.
Hackers actively stealing Wi-Fi keys from vulnerable routers
Hackers have graduated from planting malware on the vulnerable routers supplied to consumers by various ISPs towards stealing Wi-Fi keys. Andrew Tierney, a security researcher at UK consultancy Pen Test Partners, noticed the switch-up in tactics in attacks against its honeypot network over the weekend. Customers of UK ISP …
COMMENTS
-
Tuesday 6th December 2016 14:14 GMT WolfFan
interesting
I have a router thing from AT&T. It serves up Internet access, TV, and telephone. It has a switch attached which allegedly does 1000baseT. It has a wireless access point attached which allegedly does 802.11n.
This device has a long alphanumeric passcode on its side. The passcode appears to be unique; I've seen multiple AT&T router things and all have different passcodes. In any case, the first thing I did was to change the passcode to something of my choosing, even prior to setting up WPA wireless security and changing the default SSID to one of my choosing. As the silly thing only offered WPA security, I turned the WAP off and connected an Apple AirPort device to the AT&T thing by Ethernet. I put the Apple device into bridge mode and ran WPA2-AES (not, repeat NOT, WPA/WPA2, which uses TKIP and I turned off the AT&T thing's wireless precisely because it was WPA-TKIP) and set up wireless from the Apple device. My AT&T device is no longer visible by wireless. Even if it were vulnerable to this hack, it's not available. The Apple device doesn't use a HTML administration page. In order to administer it, I have to use Apple's AirPort Utility software... and the very first thing that pops up when APU locates a new Apple device is a request that I change the default password. It won't go forward unless there's a new password. I of course changed the passcode, admin name, SSID, etc.
Frankly, I think that everyone should disable the WAP on their ISP-provided devices and put in a 3rd-party WAP, and first thing change the default password, admin username if possible (some systems won't let you change the admin username; Apple will, but Apple, in its infinite wisdom, seems to be dumping AirPorts), the SSID, and, if the system uses an HTML page for admin, the default IP (usually 192.168.1.1 or 192.168.2.1, unless the ISP is AT&T, which uses 192.168.1.254 for reasons which no doubt make sense to them) and anything else that might be easily discoverable. And, unless there's a really good reason why not, I'd use WPA2-AES. And I'd ignore stupidity such as MAC filtering, all that does is create trouble for legit users.
-
Tuesday 6th December 2016 18:10 GMT WolfFan
Re: MAC filtering, all that does is create trouble for legit users.
MAC filtering is absolutely completely useless. All legit users broadcast their MAC. Anyone who has a sniffer can and will pick up a valid MAC in a matter of seconds. They can then spoof that valid MAC. MAC filtering will keep attackers out for minutes at best. Meanwhile, if MAC filtering is turned on every time a new legit system shows up (new laptop, new cellphone, new tablet, whatever) the new MAC has to be added to the filter. If I have WPA2-AES turned on, I merely have to ensure that the new hardware can handle WPA2-AES and enter the passcode. Once per new machine. With MAC filtering, I have to play with the router, and hand out the WPA2-AES passcode. I don't see any reason to go to the extra work just to make an attacker take five minutes max extra.
-
Tuesday 6th December 2016 18:31 GMT Anonymous Coward
Re: MAC filtering, all that does is create trouble for legit users.
The way I do it is this: My wireless router is hooked up to several printers and each packet is physically printed. These are checked before being keyed into the main router. Therefore my wireless is fully protected and cannot be hacked. The only downsides are I used a lot of paper and the bandwidth is reduced.
-
Tuesday 6th December 2016 19:39 GMT Muscleguy
Re: MAC filtering, all that does is create trouble for legit users.
It's the same principle as getting a decent lock for your bike. The idea is not that your lock will be inviolable but that faced with a rank of bikes a thief is going to go for the easiest locks first. So, provided my neighbours are as lazy as you then a wifi thief will go for them first and in preference, time is money, and the chance of being caught.
I have WPA2-AES turned on as well AND our wifi does not broadcast. You have to know it is there and its precise, non-standard name.
-
Tuesday 6th December 2016 23:29 GMT Roland6
Re: MAC filtering, all that does is create trouble for legit users.
> I have WPA2-AES turned on as well AND our wifi does not broadcast. You have to know it is there and its precise, non-standard name.
Turning off the broadcast of SSID is even more pointless than MAC filtering. It was discredited as a security mechanism pre-2006...
-
Wednesday 7th December 2016 06:01 GMT JohnG
Re: MAC filtering, all that does is create trouble for legit users.
"The idea is not that your lock will be inviolable but that faced with a rank of bikes a thief is going to go for the easiest locks first."
Yes but like thieves, the intentions/ambitions of the thieves may vary. Faced with a row of bikes, some thieves may ignore them and go for a nearby Mercedes. More effort may be required but reward vs effort vs risk calculation is different. Some hackers may see increased security as a challenge and imagine the promise of something more worthwhile than access to someone's willy photos.
-
Tuesday 6th December 2016 16:00 GMT Anonymous Coward
Re: interesting
How the above sounds... "Look at me, look at me. I did it this way and therefore anyone else who did it differently is stupid and deserves to be hacked"
Most people (ie non-techies) don't want multiple devices and a mass of wires linking them all. The supplied hardware SHOULD be good enough and where default credentials are included, they are all changeable by those of us who see a need to change them.
-
Tuesday 6th December 2016 16:03 GMT Lee D
Re: interesting
MAC Filtering is pointless. You are advertising your MAC over the airwaves all day long and if it's visibly associated with a WAP, it's likely that that MAC is in the allowed MAC list.
And faking any MAC (once you know what one to fake), wireless or wired, takes precisely seconds.
If you've even bothered to turn on MAC filtering, I judge you.
-
Tuesday 6th December 2016 18:33 GMT WolfFan
Re: interesting
> How the above sounds... "Look at me, look at me. I did it this way and therefore anyone else who did it differently is stupid and deserves to be hacked"
> Most people (ie non-techies) don't want multiple devices and a mass of wires linking them all. The supplied hardware SHOULD be good enough and where default credentials are included, they are all changeable by those of us who see a need to change them.
Son, I don't give a flying fuck at a rolling doughnut on the deck of a tanker in a thundering typhoon what you do or don't do. I am saying that those who don't take reasonable precautions will get hacked, whether or not they deserve it, because they'll be the low-hanging fruit. Anyone who does not use any kind of key will have their systems accessed by the general public at will. Anyone who uses WEP will be hacked in under five minutes. Anyone who uses WPA-TKIP will be hacked in a few hours. WPA2-AES is noticeably harder to hack. Unless someone has a reason to specifically go for my network, they'll have a look, notice that it's hard to hack, and go hunting easier targets elsewhere. I operate on the principle that there are tigers out there... but I don't have to be faster than the tigers, I just have to be faster than you.
Having a 'mess of wires' means that I can, if necessary, turn wireless completely off, making it quite difficult for outsiders to access my network. I do not operate by what some people might think ISPs 'should' do. I operate by what they actually do, and what they actually do is provide equipment which is of distinctly lower quality than is available relatively cheaply elsewhere. AT&T's device only does WPA-TKIP, and runs at 802.11n, max. Apple (and D-Link, and Netgear, and Linksys, and others) makes devices which do 802.11ac and WPA2-AES and they don't cost that much either. I'm not about to hold my breath waiting for AT&T to hand out better devices; the current AT&T device replaces one which did 802.11g and was in service for a very long time. Indeed, the fact that it only did 802.11g and WPA-TKIP is exactly why I bought my first Apple device in the first place, the current one being my second, the first did 802.11n. Should someone elect to not get better quality equipment, well, that comes under the heading of Not My Problem. And it means that there is a lot of low-hanging fruit around to keep the hackers busy, and far away from me. You no like? Me no care.
Downvote away.
-
Wednesday 7th December 2016 00:00 GMT asdf
Re: interesting
>How the above sounds... "Look at me, look at me. I did it this way and therefore anyone else who did it differently is stupid and deserves to be hacked"
It really isn't complicated for IT folks who frequent this site. Don't buy a home router until you check there is open source firmware for it. Once you buy it put said open source firmware on it immediately (I really like Gargoyle and OpenWRT but if really hard core about security the BSD based solutions pfSense, m0n0wall, etc are the way to go). Also with DSL modems put them into transparent bridging mode and do the PPP through your home not the ISP provided router. Not that difficult if you do have IT chops.
-
Wednesday 7th December 2016 01:30 GMT asdf
Re: interesting
For the record, yes yes, open source is not a panacea but a quick search of past articles on here will show a hell of a lot more of these type of issues with factory firmware than with the open source firmware projects out there. Not to mention when a big security issue is found in say OpenWRT a new firmware image will be issued more than likely that day not to mention with usually years of support past the manufacturer who is all too happy to move on to selling new kit. Even with open source you still need to properly secure the router but at least with open source you start with a more likely than 5 eyes free and no obvious back door, slate.
-
Wednesday 7th December 2016 16:04 GMT asdf
Re: @asdf interesting
>Thought everybody on here would use Cisco or Juniper at home TBH?
Ha good one. Maybe if you are a network guy and can long term borrow one from work. Like I said if I am going to drop big coin on an appliance server home router I am going with something that will run one of the BSDs. Cisco and Juniper OSs aren't more secure or even stable they just scale better (and have more fancy enterprise and ISP centric features) which isn't much of an issue for a home router.
-
Tuesday 6th December 2016 15:57 GMT Anonymous Coward
If you have such difficulty remembering the wifi password that you have to resort to the label each time, you might as well:
a) change the password to something you stand a chance of remembering
b) write the new password on a sticky label and affix it to the router, where you'll be able to find it when you do forget.
-
Tuesday 6th December 2016 17:46 GMT Anonymous Coward
But what if:
a) You have such a bad memory that any password YOU try will be easy to break?
AND/OR
b) The router is in a communal location (say the bedroom hallway, somewhere near the center of the house for maximum coverage area), meaning ANYONE who can see the router can jot down the password AND the default one for good measure?
PS. If you MUST put the router in a publicly-accessible location, PLEASE disable WiFi Protected Setup COMPLETELY. INCLUDING the Push-Button Control.
-
Tuesday 6th December 2016 17:21 GMT dajames
Re: "...the situation is under control..."
> Every time I ask my ISP about security issues, they give me this reply, but have no further information on the matter. Essentially a brush-off and an admission nothing is being done.
... and why does this not make you wonder whether you might do better with a different ISP?
-
Tuesday 6th December 2016 15:50 GMT Anonymous Coward
Re: Talk Talk Spokesperson
They don't actually have a spokesperson. All they have is an old ice cream tub with some stock phrases that someone pastes to a piece of paper and hands out as a press statement.
The phrases include:
Small minority of customers
A few customers
We have no evidence of any misuse of personal information
We have not noticed any attacks in the wild
This is an industry-wide problem
We take security very seriously
We take data protection very seriously
We take our responsibilities very seriously
We have put training in place
We have made sure the necessary steps have been taken
We don't believe this is a significant issue
We completely refute any allegations that we are totally clueless
Our CEO is a conservative life peer and a friend of David Cameron so whatever you say about her will be ignored
-
Tuesday 6th December 2016 17:28 GMT Seanmon
What?
"If customers have an issue connecting to the internet, they should visit our help site."
Sigh.
I long for the days when your ISP was just an ISP. I just want the fastest connection you can give me. That's all. I do not need your ten thousand shite TV channels or your telephone service or your cheap set-top box. And I want to choose my own router, thanks.
-
Tuesday 6th December 2016 18:49 GMT WolfFan
Re: Is Talk Talk Real?
They are, unfortunately, real. https://www.talktalkgroup.com/
They are also so bad that they make AT&T and even Comcast look, well, a lot less like the pirates they are. And they're not the worst ISP in Britain. That's probably BT, unless they've improved considerably, something I doubt.
-
Tuesday 6th December 2016 19:30 GMT David 132
Re: HOW??!?
You're overestimating TalkTalk's desire to help their customers.
Note that for those who can't get to the help site, TT have of course, what do you take them for? provided an alternative source of support - it's in a locked filing cabinet, in a disused lavatory, in the basement, behind a sign saying "beware of the leopard"...
-
Wednesday 7th December 2016 00:16 GMT Youngone
Long Ago
10 or 12 years ago I worked in a central city high rise next to a high rise student hostel.
Said hostel was packed to the rafters with students, each with their own ISP supplied Wi-Fi router.
One slow afternoon my boss and I had a lot of fun logging on to every one we could using the default admin logon (admin/admin in case you were wondering) then changing the Wi-Fi setup.
Probably illegal, but we had a laugh. A few days later one of the (fixed) access points was broadcasting its SSID as "Fuck off Gary" so I guess Gary got the blame.
-
Wednesday 7th December 2016 04:58 GMT Infernoz
Simples, buy your own better router and secure it properly.
Relying on fixed ISP provided router WiFi passwords was always a stupid idea because it is probably in an ISP database or easily calculated, which may get stolen/cracked eventually.
I parked the unreliable 2 Chinese boxes, and installed a combined Draytek VDSL2 and WiFi router, use my own long-random alpha-numeric WPA2 AES passwords for its WiFi names, and have configured the transmission power to only be enough to get reliable reception inside my house, so people outside will have a tough time getting a reliable signal outside for mischief attempts.
-
Wednesday 7th December 2016 12:39 GMT Charles 9
That don't even make sense. As Pi is an irrational number, there's no such thing as a last digit: not even a repeating one. If Pi terminated or repeated, it could become rational and could be expressed exactly as a ratio.
Besides, under AES-256, you probably couldn't get away with more than 32 digits (32 characters * 8 bits = 256 bits), maybe 64 if you go the hex route. I personally use a 64-hex-character scramble, which also hits the limit.
-
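An added illustration, not part of any comment or of the original article: how WPA2-Personal handles the two key formats mentioned in this thread (an 8-63 character passphrase versus a 64-hex-digit key), with a rough upper bound on the keyspace of each. The function names, SSID and sample keys are constructed for the example.

```python
import hashlib
import math
import secrets
import string

def is_hex_key(key: str) -> bool:
    return len(key) == 64 and all(c in string.hexdigits for c in key)

def wpa2_pmk(key: str, ssid: str) -> bytes:
    """Return the 256-bit master key WPA2-Personal uses for this network."""
    if is_hex_key(key):
        return bytes.fromhex(key)      # 64 hex digits are used as the key directly
    if not 8 <= len(key) <= 63 or any(not 32 <= ord(c) <= 126 for c in key):
        raise ValueError("passphrase must be 8-63 printable ASCII characters")
    # Passphrases are stretched with PBKDF2-HMAC-SHA1, salted with the SSID.
    return hashlib.pbkdf2_hmac("sha1", key.encode("ascii"),
                               ssid.encode("utf-8"), 4096, 32)

def keyspace_bits(key: str) -> float:
    """Upper bound on guessing cost in bits, assuming every character was
    drawn uniformly at random from the character classes present."""
    if is_hex_key(key):
        return 256.0
    pool = 0
    pool += 26 if any(c.islower() for c in key) else 0
    pool += 26 if any(c.isupper() for c in key) else 0
    pool += 10 if any(c.isdigit() for c in key) else 0
    pool += 33 if any(not c.isalnum() for c in key) else 0
    # The derived key is 256 bits, so nothing is gained beyond that.
    return min(256.0, len(key) * math.log2(pool)) if pool else 0.0

def random_passphrase(length: int = 63) -> str:
    """Generate a random alphanumeric passphrase with a CSPRNG."""
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))

if __name__ == "__main__":
    ssid = "ExampleHomeNet"            # constructed SSID
    samples = [                        # constructed sample keys
        "48151623",                    # short digits-only key
        "correcthorse",                # lowercase words
        random_passphrase(),           # long random alphanumeric
        secrets.token_hex(32),         # 64-hex-digit key
    ]
    for key in samples:
        pmk = wpa2_pmk(key, ssid).hex()
        print(f"len={len(key):2d}  <= {keyspace_bits(key):5.1f} bits  pmk={pmk[:16]}...")
```

Because the SSID is the PBKDF2 salt, the same passphrase yields a different master key on a differently named network.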
Thursday 8th December 2016 11:50 GMT Andrew Findlay
Physical proximity not needed
As in several other articles on this subject, the author has accepted the idea that "The hacker has to be physically close to the router to compromise the Wi-Fi". That is not true: they just need to have control of a nearby device; they don't even need to know *where* the device or network actually is.
Imagine a row of houses with compromised WiFi keys where one of them contains a device that is part of a botnet. That device can probably see the networks belonging to several other houses, so all it has to do is to look them up in some central database and it can get inside another net, making it *much* easier to compromise more devices, steal traffic etc. Repeat.
-
Thursday 8th December 2016 13:21 GMT Charles 9
Re: Physical proximity not needed
"Imagine a row of houses with compromised WiFi keys where one of them contains a device that is part of a botnet."
ONLY if the device itself has WiFi capabilities. If they're on a landline, they wouldn't have the capability to see the other networks. That reduces the potential victims and makes a remote exploit difficult since you'd have to query any given bot to see if it has WiFi capabilities AND is near a vulnerable spot. Not to mention since most WiFi-capable devices can only latch onto ONE network at a time, you run the risk of cutting the bot off the net because at best it'll get a new IP and you'll have to reconnect and at worst it fails and gets cut off completely.
-