Eircom Netopia Routers Are Wide Open

Rozie

You know, this isn't really a problem since the method for doing this isn't readily available online. That's the thing with Ireland; we don't tend to post everything around, we're very "small" internet-wise.

Sponge Bob

It is Rozie but you probably live somewhere rural more than 100m from your nearest neighbour and are safe becauzse of distance .

watty

If it can be found by Googling for less than 15min, then its readily available. Anything online at all is readily available.

paul666

is there an easy way to change this wep key i tried changing it and it said i had the wrong wep key when i changed it i ended out having to change the box
sorry im useless with this kinda thing i shouldnt of gone at it at all tbh

watty

You have to change to the same new key on everything. If you only change your PC, then you will have the wrong key.

But really you need to change the router and the PC/Laptops to WPA.

Sponge Bob

BT ( UK) are this weeks news.

http://www.theregister.co.uk/2007/10/09/bt_home_hub_vuln/

Still I doubt if they are as widely deployed in the UK as the Netopias are here .

Eircom told the Irish Times they have deployed 250k of them, a figure I find hard to believe myself to be honest so they should go smack that eircom PR person for saying that .

As there are 1.5m inhabited households in Ireland that translates into 1 household in 6 with a Netopia if one discounts businesses having them.

I personally thought that 1 in 10 with a leaky Netopia , by christmas, was a totally unacceptable risk requiring that the public be informed forthwith ( well, within a week )

There is a comment to that article on the Reg down about a BT Voyager flaw ....after once changes the default password you find it has not changed the default password all over.

However the number of BT Voyagers out there is dwarfed by the number of Netopias out there. One would think 10-20x is the ratio in Ireland

The lesson is still the same. Wireless is highly risky and should not be deployed in the home unless required. Carriers must have some regard for the safety of their customers personal data and their customers good name.

There is no point having Firewalls in Netopias and Firewalls in XP deployed inside the front door if the back door is wide open anyway .

The simplest security solutions for MOST people in MOST cases is to TURN THE BLOODY WIRELESS OFF and not use it.

limklad

To summarize the scenario:
Eircom router provided by Eircom with WEP encryption (An easily hacked security encryption despite the code mishap and was hackable for years) as default with their own generated wireless code.
The new owner (Customer) installs their new router with their broadband, incompetent in how to make changes to the default enable wireless connection, or found out that they will be charge more if they upgrade the firmware for better encryption (if available). Beside the obvious that the hacker is breaking the law.

Is the Customer breaking the Law or has broken the Terms and Conditions with Eircom or any provider when?

1. If someone hacks your wireless connection for fraudulent/attack for other networks or pornography use, then the owner of the Wireless network is at fault, for not denying them access?

After all, the terms & Conditions do not allow for the hacker scenario!
I have moved this to a new thread, so don't bother replying to this here

Sponge Bob

A firmware update does not improve the security if thats what you mean. You need not upgrade firware to improve security

Ideally turn off wireless, if you need wireless change to wpa

Cabaal

limklad, please try to not use coloured text on this forum as it can be hard to read for people using different theme's on boards,

Sponge Bob

More on the BT flaw here

Its worse in some ways than the Netopia one ...except that its executed over the web not by proximity. Does this sound familiar ????

"Last year, I found a way to dump the BT Voyager 2091's config file without credentials," he explains. "Even though I forwarded them my findings they never responded at all."

and as for the most recent one, BT are 'investigating' AFTER the publicity . Sound familiar ???

BT has opened an investigation into an alleged vulnerability in its Home Hub router, which apparently allows hackers to disable wireless access and steal the WEP or WPA security encryption key.

The flaw was reported by hackers' blog GNUCitizen, which claims that it is able to take complete ownership of the device by enabling a backdoor.

"We can hijack any action with full admin privileges or steal any info returned by a router's page," says Adrian Pastor, who discovered the flaw.

"This means the evilness of the exploits are only limited by the attacker's imagination. Other examples of evil attacks include eavesdropping VoIP conversations, stealing VoIP credentials, exposing internal hosts on the DMZ, changing the DNS settings for stealing online banking credentials, disabling auto updates, etc."

According to Pastor, to enable the exploit all that a potential hacker needs to do is persuade a user to visit a malicious website. He says that the hacker doesn't even need the admin password as an authentication bypass bug has been discovered.

Unlike Netopia and Eircom

BT says in a statement that it is "actively investigating the alleged vulnerability", adding that it is currently delivering a firmware update that addresses security in a number of areas.

Hmm

bushy...

Another (popular-ish) brand of router has the charming feature of not setting any password on the telnet interface when you set one through the web interface.

watty

telnet???
should be disabled when you set a password and then only allow SSH in a better world.

standbyme

Yesterday & today the letters only come out now, the postmark on it says 10th Oct.
I didnt bother to look at yesterday's, but now they're gonna spam me now!

I was gonna ring the no. it had if i had any problems, yeah dont spam me!
as i got the info from the site that found out the problem, then realised who i was ringing & hung up

BloodSugarSex

standbyme wrote: »

Yesterday & today the letters only come out now,

the letter says only to change your WEP key, it doesnt tell you to change it to WPA :rolleyes:

Sponge Bob

Anybody able to scan the letter and post it up here. The advice sounds useless overall . Did they tell their many customers who do not need wireless at all to simply turn wireless off , and how ??

s4dd

http://s4dd.yore.ma/eircom/eircom-bs.jpg

(red circle for hilarity purposes)

Sponge Bob

what a stupid pack of *****

bartificer

s4dd wrote: »

http://s4dd.yore.ma/eircom/eircom-bs.jpg

(red circle for hilarity purposes)

*head -> desk*

What a load of ass-covering BULL!

WEP is derided by security experts. It SUCKS, like totally. From an ISP who should be fully aware of security issues this approaches out-right lying. The letter is full on inaccuracies.

And there I was giving them some credit for doing the right thing. Well, that's sure shown me up to be a fool.

Bart.

Sponge Bob

They have lied to all their customers about 'caring deeply' for security issues
They refused to recommend WPA which is known to be safer
They did not inform their customers of genuinely random key generators 'out there'on the net
They did not stress that for many , if not most, of their customers the product is always hard wired so the best solution is to turn off wireless altogether.
They have no committed to shipping future netopias with WPA, mainly becuase they will continue to ship them with WEP and with wireless on by default

Its just like your insurance company telling you your insurance is invalid BECAUSE you had a crash

watty

Obviously they have shares in Nintendo. The DS needs WEP.


Also more WEP problems. ... Just having WEP profiles on your laptop is a problem
http://news.bbc.co.uk/1/hi/technology/7052223.stm

standbyme

Sponge Bob wrote: »

Anybody able to scan the letter and post it up here. The advice sounds useless overall . Did they tell their many customers who do not need wireless at all to simply turn wireless off , and how ??

That was never explained or hinted at, there's me fretting about it the feckin eejits & i didnt find out for hours reading all the documentation & listening to the radio & i found out the answer here, (the site that exposed it)-but took a while as i was overwhelmed with all the info.

And after all that, it only took me 5 feckin mins to turn off the wireless
:rolleyes:

watty

Sponge Bob wrote: »

They have lied to all their customers about 'caring deeply' for security issues
They refused to recommend WPA which is known to be safer
They did not inform their customers of genuinely random key generators 'out there'on the net
They did not stress that for many , if not most, of their customers the product is always hard wired so the best solution is to turn off wireless altogether.
They have no committed to shipping future netopias with WPA, mainly becuase they will continue to ship them with WEP and with wireless on by default

Its just like your insurance company telling you your insurance is invalid BECAUSE you had a crash

But the Routers DO have WPA. Or do you mean pre-configured?

Sponge Bob

If wireless is to be on its should be WPA...but wireless should be off IMO

s4dd

http://s4dd.yore.ma/eircom/eircom-bs2.jpg

bartificer

s4dd wrote: »

http://s4dd.yore.ma/eircom/eircom-bs2.jpg

That's very disappointing. No mention of the fundamental flaws in WEP, no suggestion to use WPA. At least they are telling people who don't actually use the WiFi to turn if off though.

Where's that scan from?

Bart.

s4dd

Little leaflet that comes with netopia router for new eircom broadband signups

Schwammy

bartificer wrote: »

*head -> desk*

What a load of ass-covering BULL!

WEP is derided by security experts. It SUCKS, like totally. From an ISP who should be fully aware of security issues this approaches out-right lying. The letter is full on inaccuracies.

And there I was giving them some credit for doing the right thing. Well, that's sure shown me up to be a fool.

Bart.

I totally agree!

alexiadexia

have broaband with eircom & just realised all of this and found out our neighbours are using our internet. I am shocked at how simple it was for them to do so. I stupidly assumed the code we had was safe. SO is that actually illegal for them to do? ANd also we have gone over our download allowance as a result of them using it willy nilly, am I liable to pay?

Utterly clueless!

yoyo

alexiadexia wrote: »

have broaband with eircom & just realised all of this and found out our neighbours are using our internet. I am shocked at how simple it was for them to do so. I stupidly assumed the code we had was safe. SO is that actually illegal for them to do? ANd also we have gone over our download allowance as a result of them using it willy nilly, am I liable to pay?

Utterly clueless!

Eircom don't charge for going over the allowance so that shouldn't be a issiue, it is illegal for your neighbour to use the WEP Keygen to access your network, but I would say you'd need more evidence than that to pin point it to them, just change encryption to WPA and a random password and forget it I would think, that will protect you against this happening again.

Nick

dub45

alexiadexia wrote: »

have broaband with eircom & just realised all of this and found out our neighbours are using our internet. I am shocked at how simple it was for them to do so. I stupidly assumed the code we had was safe. SO is that actually illegal for them to do? ANd also we have gone over our download allowance as a result of them using it willy nilly, am I liable to pay?

Utterly clueless!

If you have bb from Eircom you dont have to worry about your download allowance. Change your security to WPA and thank Eircom for allowing you to find out that your neighbours are not nice people and get on enjoying your internet. You are hardly going to prosecute your neighbours so the legality of it does not matter.