Eircom default wireless configuration is still insecure

in defense of eircom the setup guide does say to disable the AP if your not using it and to change it to WPA if you are going to use it, it also tells you exacly how to do this in pretty straigt forward language

The reality is that most people just plug and play these boxes without reading the instructions. The wireless and WEP are enabled in this scenario, I don't really think that is a defense. I don't care how straight forward the language is, if you think most people who can just about manage to switch their computers on and off and get into Internet Explorer are going to have any inclination to change the wireless settings then I think you are on a different planet.

I'm not sure what you mean by this, i've never heard of any other ISP sending out Preconfigured routers to the extent taht eircom do, If your refering to the fact that wireless routers have an option for WEP security you have to understand some older hardware/operating systems may not be compliant with WPA, and no one forces you to use it, if your going to kick up a fuss over routers being supplied with an option for WEP encryption why not complain that the majority of WIreless Routers are supplied with a Default SSID & no encryption?

All these ISP's either send out their wireless routers with the wireless and WEP enabled OR recommend WEP:-

Eircom
BT Ireland
Perlico – recommend WEP but don't enable wireless by default
Irish Broadband
Alpawave - Their entire wireless back bone and infrastructure is based on WEP

In the case that the OS/hardware (unlikely) is too old people should be warned that to use the router they will have to enable an insecure protocol. No one is "forced" to use Windows or Internet Explorer but most people do because that is what comes on the machine. They either haven't got the knowledge or the inclination to change, it is the same case here.

I don't know what makes and models of wireless routers you have experience of but it wouldn't be my experience that the majority are enabled with no security. Secondly if Joe Bloggs has enough knowledge to know that he wants a wireless router and to go to PC World or wherever it is to get it, rather than using the supplied one from his/her ISP, I would opin that he/she is going to have some interest in setting it up. Indeed he/she will have to do at least some setup just to get the broadband side connected.

What I am suggesting is that with instructions freely available on the net on how to crack it, using WEP is as close to having no security enabled it makes very little difference. Anyone with a laptop and a common wireless chipset can sit outside someone's house for an hour and capture enough data to crack the key in under a minute.

This situation really isn't on any more. WEP is known to be totally inadequate and has been for most of this decade. It's about time the cowboys cleaned up their act!

the part where it says to change security is in the same booklet that tells them how to plug it in and connect it [which is two pages long]

I will have to take your word on that one as I haven't got a booklet to hand. Though I would like to see how it is put, and does it specifically say to use WPA? Even if it does it is in contravention with Eircom's website line on WEP which is available here:- http://home.eircom.net/html/announcement.html

From BT website
BT would recommend that you choose wireless equipment that can use WPA. If you don't password protect your network you may find that people with computers close to your house can connect to your broadband connection wirelessly.

Also from BT website here :- http://www.btireland.ie/AtHome_bb_faq.shtml#24

Voyager modems have WPA, WEP and MAC Address filtering. Modems are shipped with unique WEP code (on bottom of unit) enabled by default. Customers can setup WPA or MAC Address filtering also if they wish. Our tech support team are happy to assist customers on these settings.

Irish Broadband [from their wireless set up guide]
Irish Broadband Reccommends Implementing WPA-PSK as your Security Choice
Some users may be unable to implement WPA-PSK as a result of using some older wireless adapters
(pre-2003) or operating systems. In this case Irish Broadband recommends implementing WEP
security in place of the preferred WPA-PSK securit

Ok I will give you that one although there are other guides in that support section which refer to setting up WEP, which, is confusing for Joe.

Alphawave
While their backbone may be based on a wep encryption that does not mean it's going to be easy to get onto it, Most Wisps back bone links are Point to point liks, on licensed frequencies, So your going to have to get some expensive kit to try anything, ten you'll have to get it directly in the LOS, which are designed to avoid buildings Etc

Well I don't know about other WISP's but I can tell you that all of Alphawave's infrastructure is either 2.4 or 5 Ghz based so they are not using licensed frequencies. If I'm honest although I can't vouch one way or the other on that, however I doubt that many of the smaller WISP's use licensed frequencies, it represents a significant cost. There was no expensive kit involved and I was able to connect to their network yesterday see this thread:-

http://www.boards.ie/vbulletin/showthread.php?t=2055454743

It did take a long time to capture enough data packets to crack the key but that was because I couldn't do an injection attack being too far from the AP, so I just had to wait until the data piled up.

The point I am trying to make overall is that WEP shouldn't even be an option unless it is as a last resort, don't blame us when it blows up in you face and it has nothing to do with us option.

I don't think you can disagree with that and although some of the Irish ISP's do recommend WPA none of them have a strong message telling people they shouldn't use WEP.

Actually I think WEP should be removed from all wireless routers, it is the only way to make sure people won't expose themselves. The industry should take a consesus view on this and do the right thing. It is certainly a more honest way of driving new hardware sales than the usual by a new PC or you can't put the latest Windows Bloatware on line.

And to the fella that posted the WPA can be cracked line. Yes it can but it is an awful lot harder than cracking WEP. We are talking brute force dictionary attack time, which to anybody who knows what that means, can take a long time and still NEVER be broken.

The moral of the story with WPA is to use the full length key with as many different characters (including signs and stuff) as possible that way they could sit outside your house or business until the cows come home and they won't get anywhere.

There is another important difference between cracking WPA/WPA2 and WEP. This is the approach used to crack the WPA/WPA2 pre-shared key. Unlike WEP, where statistical methods can be used to speed up the cracking process, only plain brute force techniques can be used against WPA/WPA2. That is, because the key is not static, so collecting IVs like when cracking WEP encryption, does not speed up the attack. The only thing that does give the information to start an attack is the handshake between client and AP. Handshaking is done when the client connects to the network. Although not absolutely true, for the purposes of this tutorial, consider it true. Since the pre-shared key can be from 8 to 63 characters in length, it effectively becomes impossible to crack the pre-shared key.

The above quote is from here:- http://www.aircrack-ng.org/doku.php?id=cracking_wpa

When i mentioned older operating systems /Hardware i was actually refereing to an issue i had on a Linux laptop where i couldn't get it to Authenticate WPA with a brandnew Wifi adaptor, I managed to solve this later on with a distro upgrade but i would still rather have the option to use *some* security as supposed to nothaving a WEP option and being left with the AP being open or not haivng Wifi.

Well Linux wireless drivers have come on an awful lot in the last year, I'll wager you aren't likely to come across the same problem if you are installing a current distro (i.e with 2.6.27 or newer), so it is a moot point.

For refrence i'm not a fan of Wireless AP's unless you need to use them, because of how much of a security weakness they are, Even with a AP secured with WPA, using MAc fileting & with a Hidden SSID it's still a weakness if someone's determined, when it comes down to it you can't Beat plain old Cat5e Laid out properly with a bit of forethought

I agree 2.4Ghz wireless is crap and I can't see 5Ghz being leaps and bounds better, you are always going to have issues using unlicensed frequencies.

I disagree with WPA being a weakness, as I pointed out in the last post if you put a long key in there with special characters in it would not be practical, and would probably be, impossible to crack.

So I think we are in agreement then that ISP's and vendors should at the very least treat WEP as a last gasp option and should probably remove it altogether. So how do we get them to do it?

Should I go around the country cracking WEP networks and leaving a calling card "The Cracking Crusader" until these idiots start taking it seriously?

Perhaps some high profile scalps would raise awareness.

Most of the existing available decoding tools all use 0x000FCC by default, which is why it gives wrong key.

I also want to reiterate, as the above quote may give the impression Eircom routers are now impervious to WEP attack, you can break any WEP key on any router, regardless of whether it is Eircom, BT or USISP's are US using freely available tools and step by step idiot guides.

So the current status is Eircom are shipping WPA enabled by default. However there are many many people and businesses still using WEP as a result of Eircom's previous policy towards wireless.

Additionally some of the information on the website is misleading and inaccurate regarding WEP and as long as at least some part of the website is saying WEP is ok there is a good chance users will continue to use it.

can you or someone else please explain how to recover a WEP key of access point when it has no authenticated clients??

Are you asking for a step by step tutorial or do you just want pointers?

Over and above a "standard" attack you do a fragmentation or chop chop attack to generate a PRGA file, which, can be used for packet injection.

It may be that the AP has ethernet ports connected to machines which will be generating ARP requests anyway so even with no clients it's possible to do standard ARP packet injection.

genuinely interested to know how this is done - using the key generator doesn't require WEP traffic, knowledge of attacking WEP using tools..etc

I will give you an overview. Basically you need a decent installed GNU/Linux or GNU/Linux LiveCD with a recent kernel (older kernels don't support a lot of wireless chipsets in monitor mode) I use Gentoo but you could use the Beta Ubuntu CD as that has a pretty up to date kernel.

You put the wireless card in monitor mode and start capturing IV packets on the channel your interested in (kisment is a good visual tool to identify networks and channels).

You then do a fake authentication which lets you inject ARP packets into the wireless network. This then makes the AP generate loads of IVs (the more IVs you have the more chance you have of breaking the key).

Finally you run the command to give you the key itself.

I'm not going to reinvent the wheel so here are links to 2 very good tutorials on the aircrack-ng site:-

http://www.aircrack-ng.org/doku.php?id=simple_wep_crack

http://www.aircrack-ng.org/doku.php?id=how_to_crack_wep_with_no_clients

i was responding to your comment on available keygens not working... arguing that just because the WEP generators don't work with new model of routers using static WEP keys(based on serial number) - doesn't mean the WEP key generation algorithm has changed in any way.

That wasn't my comment, I did know where you were coming from, but I thought that others might take what you wrote to mean that Eircom had done something "special" with WEP so that it couldn't be broken on their modems. It was only to clarify to other people and I wasn't trying to invalidate what you said.

also, just because you're using WPA, doesn't mean you're secure either.

Even with a crap pre-shared key i.e. one based just on a dictionary word WPA is still orders of magnitude harder to crack than WEP. The attacker has to go to the effort of sourcing/generating a dictionary and then actually trying to associate to the AP trying a different word each time. I don't know how quickly you can attempt reassociation but I would imagine it would take a fair old time to rinse and repeat ad length of dictionary. It would look fairly conspicuous for somebody to be sat outside your house in their car for that amount of time.

As a side note I did manage to create a WEP key that aircrack couldn't get even with 3 million IVs, it had an ampersand in. I'm assuming because I'm using a non-standard locale and UTF-8 on my system that it was a character that aircrack just didn't understand or try. It was an interesting excercise.

Even if you can create a key like that actually inputting it into a doze machine so that it can connect I would imagine to be challenging.