
Eircom Netopia Routers Are Wide Open


Comments

  • Closed Accounts Posts: 2,267 ✭✭✭h57xiucj2z946q


    anyone wanna post this software? I would like to debug it. The Eircom software that is.


  • Registered Users Posts: 8,811 ✭✭✭BaconZombie


    anyone wanna post this software? I would like to debug it. The Eircom software that is.


    http://broadbandsupport.eircom.net/download/netopia/drivers/3347nwg-setup.exe


  • Closed Accounts Posts: 2,267 ✭✭✭h57xiucj2z946q


    thanks.


  • Registered Users Posts: 3,502 ✭✭✭thefinalstage


    thanks.

    Fix it and let spongebob look it over then release it. Make sure to put your name on it too.


  • Closed Accounts Posts: 113 ✭✭bartificer


    Hi folks, I've just been pointed at this article now. I must say I'm glad to see people have taken note of my blog post. My aim was to bring it to people's attention, so that seems to have worked in a limited way at least.

    I have one wee update from today. I got a call from Eircom telling me they are working on a response and that it will be in the post to me soon, probably tomorrow. I will of course let you all know how that goes.

    I just want to add a few other small points:

    1) WEP is fundamentally broken. It was a little bit broken when the episodes from security now that were linked earlier were released, it is now even more broken. We're talking between 1 and 2 minutes. The new technique uses a replay attack with ARP packets to pump the traffic and quickly pick up the required number of packets to do the crack.

    So - bottom line - DON'T USE WEP

    Eircom need to make it clear to their customers that WEP is only pretend security, it is not real security.

    2) MAC locking achieves NOTHING. It can be trivially by-passed as has already been explained in the thread.

    3) Turning off SSID broadcasting is also not an effective protection. The SSID is still in all the transmitted packets. An attacker can still get it so again turning off SSID broadcasting is only pretend security, not actual security.

    4) Yes, WPA can be broken and WPA2 is a lot better. HOWEVER, WPA is DRAMATICALLY better than WEP. From what I could see the Netopia routers don't support WPA2 but they do support WPA. At the VERY least Eircom need to advise their customers to use WPA if at all possible and explain to their customers that WEP provides almost no actual security. They also need to tell their customers to either change their SSID or their encryption key. Even if people do move to WPA they are still no better off if they continue to use the Eircom generated key!

    Oh ... finally ... I would request people not post the code. I have one version and I know of at least two other methods of executing this attack. So, it is clear that there are a lot of people who know this already. Let's not make things worse just yet. If Eircom do not respond in an appropriate way then perhaps it would be understandable to publish code. Personally I will not do it, but I could understand others doing it.

    Finally, if Eircom do not respond appropriately I plan to take this issue to the media. Should that happen I'd really appreciate some help and advice, as a sys-admin I'm not really practised at dealing with any media other than tapes and DVDs and stuff :)

    Anyhow, thanks for spreading the word and please pass this link on to any Eircom customers you know.

    Bart.


  • Closed Accounts Posts: 11 dirtchamber


    How many hours left? !!


  • Closed Accounts Posts: 353 ✭✭BloodSugarSex


    i just spotted this thread, i'm shocked, the last four digits of my SSID were changed already but it was on WEP, i've just changed it to WPA, thanks everybody :)


  • Closed Accounts Posts: 9 lonewolf


    Sponge bob, please think before you do something you will regret. I thought long and hard about releasing my code, but came to the conclusion that it wouldn't benefit anyone. Think about it..
    • Paedophiles suddenly able to access all sorts of perverted material anonymously with someone else getting the blame. Laptop + Car + Exploit = Simple.
    • Huge phone bills for families/students/anyone caused by leechers maxing out their download limits.
    • Stolen credit card/banking details and identity theft by anyone with the skill and within Wifi range.
    • Stolen customer data from small businesses using the service. Imagine for instance a mortgage broker with a Netopia box.

    The damage, misery and financial cost of what you are about to do is unreal. Anyone with proper ethics would realise this and see past the 5 minutes of "I'm the guy who screwed Eircom over" fame crap.

    Grow up and get a conscience because if you let this bomb off, you will be responsible for all of the above. Sure it's Eircom's fault for having the flaw in the first place, but this count down stuff is childish and with such a large company it would take time for them to respond. Just throwing the code into the wild won't fix anything.

    If you truly want to help, continue your discussion with them and see if you can work together to find a solution.


  • Registered Users Posts: 8,206 ✭✭✭ongarite


    lonewolf wrote:
    Sponge bob, please think before you do something you will regret. I thought long and hard about releasing my code, but came to the conclusion that it wouldn't benefit anyone. Think about it..
    • Paedophiles suddenly able to access all sorts of perverted material anonymously with someone else getting the blame. Laptop + Car + Exploit = Simple.
    • Huge phone bills for families/students/anyone caused by leechers maxing out their download limits.
    • Stolen credit card/banking details and identity theft by anyone with the skill and within Wifi range.
    • Stolen customer data from small businesses using the service. Imagine for instance a mortgage broker with a Netopia box.

    The damage, misery and financial cost of what you are about to do is unreal. Anyone with proper ethics would realise this and see past the 5 minutes of "I'm the guy who screwed Eircom over" fame crap.

    Grow up and get a conscience because if you let this bomb off, you will be responsible for all of the above. Sure it's Eircom's fault for having the flaw in the first place, but this count down stuff is childish and with such a large company it would take time for them to respond. Just throwing the code into the wild won't fix anything.

    If you truly want to help, continue your discussion with them and see if you can work together to find a solution.

    I disagree on a few counts.

    As you have already mentioned in previous posts, the WEP security that nearly all Eircom routers use can be easily discovered in 2 mins with well known and available tools. Releasing the code that Sponge Bob has is just going to make it a little easier to leech into somebody's router.
    Little or nobody has ever been charged for going over the DL limits with Eircom or resellers of Eircom DSL lines.
    If businesses are using WEP security knowingly then that's pretty stupid.

    Eircom are going to stay quiet and pretend / hope this never happened and that people like you will be too scared to release it.

    I say fair play to Sponge Bob for having the balls to go through with this.

    It's like MS Windows security patches, they're never fixed proactively, only retroactively when the flaw is out in the open and has to be patched.


  • Closed Accounts Posts: 1,567 ✭✭✭Martyr


    i agree with lonewolf on this one.

    the argument from those who want to know the details and say something like "please tell me, WEP is so easily broken anyway" is bogus - because owners of the routers might not actually be using wireless access provided by it in the first place.

    but lamers don't need to worry about that anyway.. since if they want the key, it's no problem, Sponge Bob will help them by publishing the minor details of it & some code before giving eircom a chance to tell everyone through the proper channels.

    from what i understand, Sponge Bob has issues with eircom. And now that he's got something to upset them, he's gonna use it, regardless of the problems that will cause for the customers he pretends to care about.

    if he really was concerned about the customers, as lonewolf has already said, he'd just work out some kind of solution and allow eircom to respond.
    It's like MS Windows security patches, they're never fixed proactively, only retroactively when the flaw is out in the open and has to be patched.

    Microsoft have automatic updates, am i mistaken in saying there are none for these eircom routers?


  • Registered Users Posts: 4,839 ✭✭✭Hobart


    This is like a very badly written version of War Games. Most people, tbh, would not know or do not care what a wep code is. By other people taking advantage of their wireless network, they will think they have a virus, d'internet is broke, etc....

    Releasing this will not bring the world to a stop, nor will it result in every house being hacked.

    At 12:01 today I'm hoping to have a program written that will allow me to farm multiple wireless routers (my neighbours actually) and give me a virtual upload and download speed of 10GB by 17:00 today. I will then switch off the internet at 18:00, unless muck decides to stop this folly.

    You have been warned! 10 and 1/2 hours to doomsday!!


  • Closed Accounts Posts: 11 dirtchamber


    I reckon it should be released so Eircom have to change the way they 'secure' their Wireless Routers.


  • Closed Accounts Posts: 113 ✭✭bartificer


    I'm going to chime in again against releasing the code.

    Yes, those with some good techie skillz can crack WEP trivially. But that's a pretty nerdy thing to do. Running a program is a pretty trivial thing to do. Run this, type the SSID, get the key. Just about anyone can manage that!

    So, although WEP provides no significant barrier to someone who knows what they are doing, it does deter casual would-be-leechers much more than a simple program would.

    Bart.


  • Registered Users Posts: 469 ✭✭knuth


    bartificer wrote:
    I'm going to chime in again against releasing the code.

    Yes, those with some good techie skillz can crack WEP trivially. But that's a pretty nerdy thing to do. Running a program is a pretty trivial thing to do. Run this, type the SSID, get the key. Just about anyone can manage that!

    So, although WEP provides no significant barrier to someone who knows what they are doing, it does deter casual would-be-leechers much more than a simple program would.

    Bart.

    Wrong. Those who have the ability to observe flash movies can crack WEP & WPA. There is nothing technical in setting up VMWARE and loading an iso. As pointed out earlier, it takes roughly 5 minutes to successfully crack most routers using WEP with the pen testing tools available on hand, give or take a few minutes on your typing skills. :P

    Eircom done the bad thing by using WEP in the first place, they _should_ have changed to WPA over due time but they didn't.

    Spongebob: Threatening to release damaging code in one week to an ISP that has shipped over "100k" of these modems is nothing more than a weak stab of obtaining fame. They can not fix anything in that amount of time.


  • Closed Accounts Posts: 4,858 ✭✭✭paulm17781


    lordlame wrote:
    Spongebob: Threatening to release damaging code in one week to an ISP that has shipped over "100k" of these modems is nothing more than a weak stab of obtaining fame. They can not fix anything in that amount of time.

    In his defense he only asked Eircom to notify customers, even in the media. So far they have done nothing.


  • Closed Accounts Posts: 113 ✭✭bartificer


    lordlame wrote:
    Wrong. Those who have the ability to observe flash movies can crack WEP & WPA. There is nothing technical in setting up VMWARE and loading an iso. As pointed out earlier, it takes roughly 5 minutes to successfully crack most routers using WEP with the pen testing tools available on hand, give or take a few minutes on your typing skills. :P

    I'd argue that running VMWare is a pretty nerdy thing to do compared to just running a program. The barrier to entry strikes me as being a lot lower if this code gets released than if it doesn't.

    Bart.


  • Registered Users Posts: 1,982 ✭✭✭lynchie


    Eircom have been given notice of this issue. They have not acknowledged there is an issue so far nor will they do anything about it unless the issue is put in the spotlight. The only way to do that is to release the code. Otherwise they will sit on the arses doing feck all about this issue.


  • Registered Users Posts: 1,183 ✭✭✭Antilles


    Eircom are interested exclusively in covering their own asses. If the code is not released, they will do nothing.

    Of course, knowing them as I do, even if the code is released, it is also quite possible that they will do nothing except issue a press release half-assedly advising people to upgrade security and then do nothing to improve things on their end.

    I honestly have never seen a company with such disregard for its customers. It is astounding. The staff all know how bad it is, but management do absolutely nothing to improve the situation. The information on Bart's blog was given to senior eircom management weeks ago, so Sponge Bob's threat is not the first they have heard of it, either.

    Mark my words - any action Eircom take will be to cover themselves legally, and nothing more. Any further movement would just be to the benefit of their customers, and that is something utterly unheard of with Eircom.


  • Closed Accounts Posts: 2,001 ✭✭✭fl4pj4ck


    lonewolf wrote:
    Paedophiles suddenly able to access all sorts of perverted material anonymously with someone else getting the blame. Laptop + Car + Exploit = Simple.


    have you heard about The Onion Routing?


  • Closed Accounts Posts: 9 lonewolf


    fl4pj4ck wrote:
    have you heard about The Onion Routing?

    Yes I have and that wasn't what I was getting at. I meant that if everyone had an easy "click click here's the wep key" program, anyone with basic computer experience could take advantage.


  • Registered Users Posts: 1,183 ✭✭✭Antilles


    So I am guessing nothing came of this one week thing?


  • Closed Accounts Posts: 1,567 ✭✭✭Martyr


    that's cool, lonewolf.
    how did you know it was SHA-1?


  • Closed Accounts Posts: 9 lonewolf


    Well this way everyone wins.
    • The information about the Flaw is released.
    • The Technical guys on the web get a good insight into the problem and get a good laugh.
    • Joe Soap knows there's a problem and has info on how to fix it, but doesn't get to use the flaw.
    • Eircom are put in a position to fix it, ignore it, or advise people on how to do it themselves.


  • Closed Accounts Posts: 1,567 ✭✭✭Martyr


    no :D what i meant was, how did you know SHA-1 was used to generate the WEP keys?
    like, what programs did you use to identify it? did you just reverse the binaries and realise SHA-1 was used?


  • Closed Accounts Posts: 9 lonewolf


    that's cool, lonewolf.
    how did you know it was SHA-1?

    Well my knowledge of assembly code is quite limited.
    In my early attempts I tried MD5 but it didn't work out at all.

    In the end, it was thanks to a friend we found out it was SHA1.


  • Closed Accounts Posts: 1,567 ✭✭✭Martyr


    hmm - if there's one thing i hate, lonewolf, it's people taking credit for someone else's work, and you know what i'm talking about.


  • Registered Users Posts: 1,452 ✭✭✭thehomeofDob


    I work for a major retailer who is involved with eircom. I think I'll hand a print out of your blog to the rep next time she's in.


  • Closed Accounts Posts: 9 lonewolf


    hmm - if there's one thing i hate, lonewolf, it's people taking credit for someone else's work, and you know what i'm talking about.

    This information was compiled by the hard work of many people. I can’t take credit for it in all good conscience. To all those who worked hard to find it, I envy your knowledge and skill. May it take you to many places of luck and fortune.


  • Closed Accounts Posts: 2,267 ✭✭✭h57xiucj2z946q


    I was already working on this :-)
    My eyes are bloodshot now, but i can rest now.. finally! :D


  • Closed Accounts Posts: 9 lonewolf


    I would also like it to be known that I did offer you credit for the discovery on my blog along with anyone else who was currently working on the problem...

    Yes I did send you the binaries from the install CD-ROM and at the time I only knew that the key generator was somewhere in QuietXMLWiz.exe.

    I'm still learning assembly language so extracting the crypto routines etc would have been a huge undertaking for me. I did however, find like everyone else I know, the steps involved in changing an ssid to a serial number.


    Quote: "He's even gone as far as taking complete credit for the whole discovery himself..."

    Nowhere on the blog post do I say I discovered XYZ, all mine no one else etc..


    It doesn't matter who discovered what or how. The point is we have uncovered a flaw that affects a lot of people and we are closer to helping them. Fighting among ourselves will not help anyone.


This discussion has been closed.