
Eircom Netopia Routers Are Wide Open


Comments

  • Closed Accounts Posts: 1,567 ✭✭✭Martyr


    lonewolf wrote:
    Nowhere on the blog post do I say I discovered XYZ, all mine no one else etc.

    when i asked, how did you find out it was sha-1, you replied by "trial and error", and monitoring communication between the client and router with kismet.

    i've removed that comment now anyway, i just wasn't overly impressed by no mention of my details forwarded to you.


  • Banned (with Prison Access) Posts: 25,234 ✭✭✭✭Sponge Bob


    Very well done guys....and if anybody takes the slightest issue with the publication of these proof of concepts I am entirely to blame for it.

    Were it possible to change these SSIDs using some automated update procedure then it would of course be possible to patch the issue quietly and centrally.

    It is not possible and only publicity .....and lots and lots of publicity....will help the over 100k+ individuals and the 10k+ Irish businesses that are at risk today.

    The only issue I have with any of the disclosures is that someone has put the :D eircom logo :D .....of ALL things ...into their gen app.

    Any chance that logo could be replaced by a picture of that Marketing Rat of theirs ???


  • Closed Accounts Posts: 9 lonewolf


    when i asked, how did you find out it was sha-1, you replied by "trial and error", and monitoring communication between the client and router with kismet.

    i've removed that comment now anyway, i just wasn't overly impressed by no mention of my details forwarded to you.

    You have my deepest apologies. I never meant to anger anyone.


  • Closed Accounts Posts: 1,567 ✭✭✭Martyr


    forget it - it's just nice to get a little credit.. that's all. i'm not angry.


  • Closed Accounts Posts: 2,267 ✭✭✭h57xiucj2z946q


    i have to say i found reversing the above project in question quite difficult. I wouldn't like anyone stealing my work.


  • Registered Users Posts: 32,417 ✭✭✭✭watty


    Security by obscurity shown to be worthless again.
    yes, WEP and "non-enterprise non-Radius WPA" are both broken, but not by an easy 10second Win GUI like this is.

    If you are really needing security (or don't want people downloading Prune on your connection), turn off the WiFi and use ethernet cables.


  • Registered Users Posts: 32,417 ✭✭✭✭watty


    For effective WPA I think you need a Radius server.


  • Closed Accounts Posts: 2,267 ✭✭✭h57xiucj2z946q


    i needed to debug it, i wasn't really able to follow it by just reading the disassembled code.

    Also as i had no netopia router, i was invoking the routines by sending them xml-like commands to the listening socket that the executable creates.


  • Registered Users Posts: 3,191 ✭✭✭uncle_sam_ie


    watty wrote:
    Security by obscurity shown to be worthless again.
    yes, WEP and "non-enterprise non-Radius WPA" are both broken, but not by an easy 10second Win GUI like this is.

    If you are really needing security (or don't want people downloading Prune on your connection), turn off the WiFi and use ethernet cables.

    But Watty, if you are using WPA and have a very long and random password shouldn't you be secure? I thought only a brute force attack could hack that after a billion years of going at it?


  • Registered Users Posts: 32,417 ✭✭✭✭watty


    Nope. It's flawed too, but mostly because the setup will let users do silly things.

    http://www.ciscopress.com/articles/article.asp?p=370636&rl=1
    Cracking Wi-Fi Protected Access (WPA)
    Cracking WPA is do-able if they use PSK. Since you mentioned that you're working on your company's wireless network, I'm assuming they're using the Enterprise WPA. I don't think you can crack that. The weakness with WPA is PSK for home users.
    Enterprise WPA = use of a Radius server.
    If you use a full length random password it will be difficult. Sadly often many people don't and then it is only a couple of minutes.

    If your key is greater than 20 characters and really random, it's unlikely that plain WPA-PSK will be cracked. Additional protection would be changing the key every month.


  • Registered Users Posts: 32,417 ✭✭✭✭watty


    Security approaches on WiFi:

    No Use
    :: WEP open key = 20 seconds
    :: WEP shared Key = 3 minutes
    :: WPA-PSK without long random characters = 10min
    :: Set an obscure SSID and disabled broadcasting it = 0
    :: Enabled MAC Filtering = spoof mac address 5mins
    :: Disabled DHCP and changed the default LAN IP setup. = 0

    Important
    * Set a long random password for the router admin.
    * Disable router admin via wireless
    * WPA with 32 random character key, but better is Radius + random Key
    * minimum 8 character random passwords for all Computer logon accounts.
    * No Win9x or Win Me with File/Printer share
    * Nothing with MS Client or MSFile/Printer share connected DIRECT to the Internet.

    Problems
    Nintendo DS doesn't have WPA, only WEP. :(


  • Registered Users Posts: 3,191 ✭✭✭uncle_sam_ie


    watty wrote:
    Nope. It's flawed too, but mostly because the setup will let users do silly things.

    http://www.ciscopress.com/articles/article.asp?p=370636&rl=1
    Cracking Wi-Fi Protected Access (WPA)


    Enterprise WPA = use of a Radius server.
    If you use a full length random password it will be difficult. Sadly often many people don't and then it is only a couple of minutes.

    If your key is greater than 20 characters and really random, it's unlikely that plain WPA-PSK will be cracked. Additional protection would be changing the key every month.

    Ok, I have an eircom router (Silver) and using WPA PSK. I changed the last four numbers of the SSID and I'm using an extremely long random password. So how safe am I really? How long would it take to hack my home network? If not long what does one need to do to make it secure (I need to be wireless in my house)?


  • Registered Users Posts: 32,417 ✭✭✭✭watty


    If your key is 32 to 63 characters and random and changed monthly, you are OK for now. Google WPA crack time occasionally to make sure :)

    Once you aren't using the eircom generated WEP key the SSID doesn't matter. You could leave it original for amusement.


  • Registered Users Posts: 3,191 ✭✭✭uncle_sam_ie


    watty wrote:
    If your key is 32 to 63 characters and random and changed monthly, you are OK for now. Google WPA crack time occasionally to make sure :)

    Once you aren't using the eircom generated WEP key the SSID doesn't matter. You could leave it original for amusement.

    Ok, thanks Watty.


  • Closed Accounts Posts: 425 ✭✭Niall1234


    Guys thanks for highlighting this.

    I wouldn't be up on Wireless security. Switched from WEP to WPA2 on my router.


  • Hosted Moderators Posts: 2,559 ✭✭✭Tazzle


    Is there not a difference between issuing details of the flaw and openly advocating the exploitation of the flaw by offering to supply any punter on the street with a tool to go off and steal/abuse their neighbor's network? I don't agree with this 'assessing' of networks business, script kiddie's wet dream here.


  • Closed Accounts Posts: 2,267 ✭✭✭h57xiucj2z946q


    anyone can easily make their own tool from details of the flaw already available.

    i'll remove the post if you feel necessary?


  • Hosted Moderators Posts: 2,559 ✭✭✭Tazzle


    The ordinary joe soap wouldn't really have a clue where to start, for people with some knowledge of java, vb or even php sure it's easy enough, but it's going to limit the amount of people who can take advantage to a minuscule amount compared to just lobbing a finished product out there for any 12 year old to go logging onto their neighbour's network and printing out a load of pr0n as a funneh.

    I personally think it's just plain irresponsible to post a finished product on a public forum when it opens a whole set of doors to people with less honest intentions than yourself using it for sinister means.


  • Closed Accounts Posts: 113 ✭✭bartificer


    Tazzle wrote:
    The ordinary joe soap wouldn't really have a clue where to start, for people with some knowledge of java, vb or even php sure it's easy enough, but it's going to limit the amount of people who can take advantage to a minuscule amount compared to just lobbing a finished product out there for any 12 year old to go logging onto their neighbour's network and printing out a load of pr0n as a funneh.

    I personally think it's just plain irresponsible to post a finished product on a public forum when it opens a whole set of doors to people with less honest intentions than yourself using it for sinister means.

    I'd have to agree. It comes down to the barrier to entry. Sure, anyone who's really determined could make their own, but when you can just go to a web page and type in the SSID to get the key it's a different matter. Even my mum could manage that (though she wouldn't because it would be stealing).

    Bart.


  • Closed Accounts Posts: 11 dirtchamber


    Any news from the Eircom camp about this?


  • Closed Accounts Posts: 2,267 ✭✭✭h57xiucj2z946q


    doubt, for ages they were distributing routers without WEP security when they first started wireless and they did nothing about it.


  • Registered Users Posts: 333 ✭✭s4dd


    Okay, so the word on the street.

    Eircom already have a letter formed and are going to be sending it on the next billing cycle to all customers detailing the issue and a fix. Apparently.


  • Closed Accounts Posts: 113 ✭✭bartificer


    s4dd wrote:
    Okay, so the word on the street.

    Eircom already have a letter formed and are going to be sending it on the next billing cycle to all customers detailing the issue and a fix. Apparently.

    Excellent. I just hope it's a real fix.

    Bart.


  • Banned (with Prison Access) Posts: 25,234 ✭✭✭✭Sponge Bob


    what eircom need to do is to inform their own customers of a risk caused by lazy order fulfilment procedures within eircom.

    They need to tell their customers to change their ssid and their wep key ( both ) or to change the ssid and use wpa instead of wep

    genuinely random 128 bit keys may be generated here

    http://www.andrewscompanies.com/tools/wep.asp

    wpa is a password , something like

    76u-098-970148e1-9479-18743148e09184-1904u1[30487-1414104&&301e4018

    is long enough :D

    anyone who does not use wireless should be told to simply turn the bloody thing off. That's maybe half of all persons with a Netopia.
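
A local alternative to the web generator linked in the post above, added here as an example and not part of the original thread: it draws a WPA-PSK passphrase and a "128-bit" WEP key from the operating system's CSPRNG and checks a candidate passphrase against the WPA length and character rules. The function names and the 20-character floor (taken from watty's earlier advice in this thread) are choices made for this example.

```python
import math
import secrets
import string

# WPA/WPA2-PSK passphrases are 8 to 63 printable ASCII characters (0x20-0x7E).
WPA_MIN, WPA_MAX = 8, 63
# Constructed alphabet for generation: printable ASCII without the space,
# which is easy to lose when a key is typed into a router form.
ALPHABET = string.ascii_letters + string.digits + string.punctuation  # 94 symbols


def generate_wpa_passphrase(length: int = WPA_MAX) -> str:
    """Return a random passphrase drawn from the OS CSPRNG."""
    if not WPA_MIN <= length <= WPA_MAX:
        raise ValueError(f"WPA passphrase length must be {WPA_MIN}..{WPA_MAX}")
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def generate_wep_key_hex() -> str:
    """Return a '128-bit' WEP key: 104 secret bits, entered as 26 hex digits."""
    return secrets.token_hex(13).upper()


def random_entropy_bits(length: int, alphabet_size: int = len(ALPHABET)) -> float:
    """Entropy of a uniformly random string; meaningless for human-chosen text."""
    return length * math.log2(alphabet_size)


def check_wpa_passphrase(candidate: str) -> list[str]:
    """List the reasons a candidate passphrase should be rejected (empty = ok)."""
    problems = []
    if not WPA_MIN <= len(candidate) <= WPA_MAX:
        problems.append(f"length {len(candidate)} outside {WPA_MIN}..{WPA_MAX}")
    if any(not 0x20 <= ord(ch) <= 0x7E for ch in candidate):
        problems.append("contains characters outside printable ASCII")
    if len(candidate) < 20:
        problems.append("shorter than the 20 characters suggested in the thread")
    return problems


if __name__ == "__main__":
    print("WPA passphrase:", generate_wpa_passphrase())
    print("WEP key (hex): ", generate_wep_key_hex())
    for n in (8, 20, 32, 63):
        print(f"{n:2d} random chars = {random_entropy_bits(n):.0f} bits")
```

The entropy figure only applies to keys produced by the generator; a human-chosen phrase of the same length carries far less.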


  • Registered Users Posts: 32,417 ✭✭✭✭watty


    I've noticed with some Routers a Firmware update or a "press the button inside hole" reset can switch everything back on.


  • Banned (with Prison Access) Posts: 25,234 ✭✭✭✭Sponge Bob


    right watty :D

    so it's turn off the wireless and unscrew the 2 black aerials too.


  • Registered Users Posts: 4,901 ✭✭✭Vexorg


    Guys, I have removed a number of posts with links that claim to exploit a vulnerability in a wireless network router.

    Please do not post any more links, I am sure that your point has been made. Feel free to continue the discussion.


  • Registered Users Posts: 333 ✭✭s4dd


    Well, i guess if one were to be pedantic about it, it could be said that provided code doesn't exploit a vulnerability in the router, it exploits a vulnerability in eircom's key generation logic... as in, none of the code or the exploitation is run on (or near!) the router in question.

    Saying this i can appreciate that people wouldn't want any legal headaches!

    Regards,
    P


  • Closed Accounts Posts: 4,858 ✭✭✭paulm17781


    http://www.siliconrepublic.com/news/news.nv?storyid=single9323
    Eircom has confirmed a “security issue”, adding that it has passed on information to Netopia, the product vendor, and has begun to contact all of its broadband customers directly to inform them of this issue.

    Well done Sponge Bob, I doubt this would be out there if it weren't for your threat. (Obviously the guy who cracked it deserves credit too.)


  • Registered Users Posts: 2,803 ✭✭✭Xcellor


    I have about 3 eircom routers in my area which is apparently not DSL enabled... I'm thinking they have FWA. Anyway, I tried to connect to them using default WEP key just to see if it was possible but when I get connected I get limited or no connectivity like I am not being assigned an IP.

    If I manually specify an IP i get fully connected but don't seem to be able to access anything. Is this because the signal is too weak or because these routers are just on without being connected which is why I cannot see the Internet?

    Not intending to leech just want to check how someone in my neighbourhood has broadband when Eircom say it's not possible.

    X


This discussion has been closed.