Hackers actively stealing Wi-Fi keys from vulnerable routers

WolfFan Silver badge

interesting

I have a router thing from AT&T. It serves up Internet access, TV, and telephone. It has a switch attached which allegedly does 1000baseT. It has a wireless access point attached which allegedly does 802.11n.

This device has a long alphanumeric passcode on its side. The passcode appears to be unique; I've seen multiple AT&T router things and all have different passcodes. In any case, the first thing I did was to change the passcode to something of my choosing, even prior to setting up WPA wireless security and changing the default SSID to one of my choosing. As the silly thing only offered WPA security, I turned the WAP off and connected an Apple AirPort device to the AT&T thing by Ethernet. I put the Apple device into bridge mode and ran WPA2-AES (not, repeat NOT, WPA/WPA2, which uses TKIP and I turned off the AT&T thing's wireless precisely because it was WPA-TKIP) and set up wireless from the Apple device. My AT&T device is no longer visible by wireless. Even if it were vulnerable to this hack, it's not available. The Apple device doesn't use an HTML administration page. In order to administer it, I have to use Apple's AirPort Utility software... and the very first thing that pops up when APU locates a new Apple device is a request that I change the default password. It won't go forward unless there's a new password. I of course changed the passcode, admin name, SSID, etc.

Frankly, I think that everyone should disable the WAP on their ISP-provided devices and put in a 3rd-party WAP, and first thing change the default password, admin username if possible (some systems won't let you change the admin username; Apple will, but Apple, in its infinite wisdom, seems to be dumping AirPorts), the SSID, and, if the system uses an HTML page for admin, the default IP (usually 192.168.1.1 or 192.168.2.1, unless the ISP is AT&T, which uses 192.168.1.254 for reasons which no doubt make sense to them) and anything else that might be easily discoverable. And, unless there's a really good reason why not, I'd use WPA2-AES. And I'd ignore stupidity such as MAC filtering; all that does is create trouble for legit users.
