Advertisement
If you have a new account but are having problems posting or verifying your account, please email us on hello@boards.ie for help. Thanks :)
Hello all! Please ensure that you are posting a new thread or question in the appropriate forum. The Feedback forum is overwhelmed with questions that are having to be moved elsewhere. If you need help to verify your account contact hello@boards.ie
Hi there,
There is an issue with role permissions that is being worked on at the moment.
If you are having trouble with access or permissions on regional forums please post here to get access: https://www.boards.ie/discussion/2058365403/you-do-not-have-permission-for-that#latest

Eircom default wireless configuration is still insecure

  • 19-02-2009 5:22pm
    #1
    Closed Accounts Posts: 407 ✭✭


    I just wanted to point out that as Eircom still send out their routers with WEP enabled by default they are exposing their customers to a significant security risk. It isn't just the internet connection it's the customer's computers that are open to attack, it's like leaving the front door key under the mat.

    I was able to crack a 64 bit WEP key in 13 seconds on a run of the mill laptop.

    It isn't acceptable that Eircom and numerous other ISP's and vendors are still using WEP.

    I am willing to prove my numbers if necessary, I think we should be lobbying these cowboys to sort their act out.

    I am going to get a list together of all the ISP's and vendors in Ireland who use WEP or have it set as default on their wireless equipment.

    Who's with me?


Comments

  • Registered Users, Registered Users 2 Posts: 445 ✭✭johnciall


    in defense of eircom the setup guide does say to disable the AP if your not using it and to change it to WPA if you are going to use it, it also tells you exacly how to do this in pretty straigt forward language

    " It isn't acceptable that Eircom and numerous other ISP's and vendors are still using WEP."

    I'm not sure what you mean by this, i've never heard of any other ISP sending out Preconfigured routers to the extent taht eircom do, If your refering to the fact that wireless routers have an option for WEP security you have to understand some older hardware/operating systems may not be compliant with WPA, and no one forces you to use it, if your going to kick up a fuss over routers being supplied with an option for WEP encryption why not complain that the majority of WIreless Routers are supplied with a Default SSID & no encryption?


  • Closed Accounts Posts: 407 ✭✭jpl888


    in defense of eircom the setup guide does say to disable the AP if your not using it and to change it to WPA if you are going to use it, it also tells you exacly how to do this in pretty straigt forward language

    The reality is that most people just plug and play these boxes without reading the instructions. The wireless and WEP are enabled in this scenario, I don't really think that is a defense. I don't care how straight forward the language is, if you think most people who can just about manage to switch their computers on and off and get into Internet Explorer are going to have any inclination to change the wireless settings then I think you are on a different planet.
    I'm not sure what you mean by this, i've never heard of any other ISP sending out Preconfigured routers to the extent taht eircom do, If your refering to the fact that wireless routers have an option for WEP security you have to understand some older hardware/operating systems may not be compliant with WPA, and no one forces you to use it, if your going to kick up a fuss over routers being supplied with an option for WEP encryption why not complain that the majority of WIreless Routers are supplied with a Default SSID & no encryption?

    All these ISP's either send out their wireless routers with the wireless and WEP enabled OR recommend WEP:-

    Eircom
    BT Ireland
    Perlico – recommend WEP but don't enable wireless by default
    Irish Broadband
    Alpawave - Their entire wireless back bone and infrastructure is based on WEP

    In the case that the OS/hardware (unlikely) is too old people should be warned that to use the router they will have to enable an insecure protocol. No one is "forced" to use Windows or Internet Explorer but most people do because that is what comes on the machine. They either haven't got the knowledge or the inclination to change, it is the same case here.

    I don't know what makes and models of wireless routers you have experience of but it wouldn't be my experience that the majority are enabled with no security. Secondly if Joe Bloggs has enough knowledge to know that he wants a wireless router and to go to PC World or wherever it is to get it, rather than using the supplied one from his/her ISP, I would opin that he/she is going to have some interest in setting it up. Indeed he/she will have to do at least some setup just to get the broadband side connected.

    What I am suggesting is that with instructions freely available on the net on how to crack it, using WEP is as close to having no security enabled it makes very little difference. Anyone with a laptop and a common wireless chipset can sit outside someone's house for an hour and capture enough data to crack the key in under a minute.

    This situation really isn't on any more. WEP is known to be totally inadequate and has been for most of this decade. It's about time the cowboys cleaned up their act!


  • Closed Accounts Posts: 407 ✭✭jpl888


    eircom was recently made aware of a potential wireless access security issue with the Netopia Wireless modems. A possible vulnerability with the standard configuration or default setting of the WEP protocol was identified. This vulnerability makes it possible for a person with an advanced working knowledge of encryption and coding techniques to illegally access an eircom customer’s Internet connection. However, when a customer generates their own unique WEP Key or password and does not use the default setting, this security risk is removed.

    The above is from eircom's website, suggesting is is only the default key they sent out that is insecure is nonsense. Also as I already said I managed to crack a 64 bit key in 13 seconds, I do not have advanced working knowledge of encryption or coding. The requirements to be able to crack WEP are actually much lower than that, like being able to following instructions, read and type. These people do not know what they are talking about.


  • Registered Users, Registered Users 2 Posts: 445 ✭✭johnciall


    "The reality is that most people just plug and play these boxes without reading the instructions"

    the part where it says to change security is in the same booklet that tells them how to plug it in and connect it [which is two pages long]


    "All these ISP's either send out their wireless routers with the wireless and WEP enabled OR recommend WEP:-
    Eircom
    BT Ireland
    Perlico – recommend WEP but don't enable wireless by default
    Irish Broadband
    Alpawave - Their entire wireless back bone and infrastructure is based on WEP"


    From BT website
    BT would recommend that you choose wireless equipment that can use WPA. If you don't password protect your network you may find that people with computers close to your house can connect to your broadband connection wirelessly.

    Perlico
    I couldn't find any information about security on their website & i've never had to deal with them so i'll trust you on that

    Irish Broadband [from their wireless set up guide]
    Irish Broadband Reccommends Implementing WPA-PSK as your Security Choice
    Some users may be unable to implement WPA-PSK as a result of using some older wireless adapters
    (pre-2003) or operating systems. In this case Irish Broadband recommends implementing WEP
    security in place of the preferred WPA-PSK securit


    Alphawave
    While their backbone may be based on a wep encryption that does not mean it's going to be easy to get onto it, Most Wisps back bone links are Point to point liks, on licensed frequencies, So your going to have to get some expensive kit to try anything, ten you'll have to get it directly in the LOS, which are designed to avoid buildings Etc


  • Registered Users, Registered Users 2 Posts: 1,460 ✭✭✭Evd-Burner


    Just so ye know wpa is easy enough to crack, it only takes a little bit longer to do is all.


  • Advertisement
  • Closed Accounts Posts: 407 ✭✭jpl888


    the part where it says to change security is in the same booklet that tells them how to plug it in and connect it [which is two pages long]

    I will have to take your word on that one as I haven't got a booklet to hand. Though I would like to see how it is put, and does it specifically say to use WPA? Even if it does it is in contravention with Eircom's website line on WEP which is available here:- http://home.eircom.net/html/announcement.html
    From BT website
    BT would recommend that you choose wireless equipment that can use WPA. If you don't password protect your network you may find that people with computers close to your house can connect to your broadband connection wirelessly.

    Also from BT website here :- http://www.btireland.ie/AtHome_bb_faq.shtml#24
    Voyager modems have WPA, WEP and MAC Address filtering. Modems are shipped with unique WEP code (on bottom of unit) enabled by default. Customers can setup WPA or MAC Address filtering also if they wish. Our tech support team are happy to assist customers on these settings.
    Irish Broadband [from their wireless set up guide]
    Irish Broadband Reccommends Implementing WPA-PSK as your Security Choice
    Some users may be unable to implement WPA-PSK as a result of using some older wireless adapters
    (pre-2003) or operating systems. In this case Irish Broadband recommends implementing WEP
    security in place of the preferred WPA-PSK securit

    Ok I will give you that one although there are other guides in that support section which refer to setting up WEP, which, is confusing for Joe.
    Alphawave
    While their backbone may be based on a wep encryption that does not mean it's going to be easy to get onto it, Most Wisps back bone links are Point to point liks, on licensed frequencies, So your going to have to get some expensive kit to try anything, ten you'll have to get it directly in the LOS, which are designed to avoid buildings Etc

    Well I don't know about other WISP's but I can tell you that all of Alphawave's infrastructure is either 2.4 or 5 Ghz based so they are not using licensed frequencies. If I'm honest although I can't vouch one way or the other on that, however I doubt that many of the smaller WISP's use licensed frequencies, it represents a significant cost. There was no expensive kit involved and I was able to connect to their network yesterday see this thread:-

    http://www.boards.ie/vbulletin/showthread.php?t=2055454743

    It did take a long time to capture enough data packets to crack the key but that was because I couldn't do an injection attack being too far from the AP, so I just had to wait until the data piled up.

    The point I am trying to make overall is that WEP shouldn't even be an option unless it is as a last resort, don't blame us when it blows up in you face and it has nothing to do with us option.

    I don't think you can disagree with that and although some of the Irish ISP's do recommend WPA none of them have a strong message telling people they shouldn't use WEP.

    Actually I think WEP should be removed from all wireless routers, it is the only way to make sure people won't expose themselves. The industry should take a consesus view on this and do the right thing. It is certainly a more honest way of driving new hardware sales than the usual by a new PC or you can't put the latest Windows Bloatware on line.

    And to the fella that posted the WPA can be cracked line. Yes it can but it is an awful lot harder than cracking WEP. We are talking brute force dictionary attack time, which to anybody who knows what that means, can take a long time and still NEVER be broken.

    The moral of the story with WPA is to use the full length key with as many different characters (including signs and stuff) as possible that way they could sit outside your house or business until the cows come home and they won't get anywhere.
    There is another important difference between cracking WPA/WPA2 and WEP. This is the approach used to crack the WPA/WPA2 pre-shared key. Unlike WEP, where statistical methods can be used to speed up the cracking process, only plain brute force techniques can be used against WPA/WPA2. That is, because the key is not static, so collecting IVs like when cracking WEP encryption, does not speed up the attack. The only thing that does give the information to start an attack is the handshake between client and AP. Handshaking is done when the client connects to the network. Although not absolutely true, for the purposes of this tutorial, consider it true. Since the pre-shared key can be from 8 to 63 characters in length, it effectively becomes impossible to crack the pre-shared key.

    The above quote is from here:- http://www.aircrack-ng.org/doku.php?id=cracking_wpa


  • Registered Users, Registered Users 2 Posts: 445 ✭✭johnciall


    "Actually I think WEP should be removed from all wireless routers, it is the only way to make sure people won't expose themselves. The industry should take a consesus view on this and do the right thing. It is certainly a more honest way of driving new hardware sales than the usual by a new PC or you can't put the latest Windows Bloatware on line"



    When i mentioned older operating systems /Hardware i was actually refereing to an issue i had on a Linux laptop where i couldn't get it to Authenticate WPA with a brandnew Wifi adaptor, I managed to solve this later on with a distro upgrade but i would still rather have the option to use *some* security as supposed to nothaving a WEP option and being left with the AP being open or not haivng Wifi.


    For refrence i'm not a fan of Wireless AP's unless you need to use them, because of how much of a security weakness they are, Even with a AP secured with WPA, using MAc fileting & with a Hidden SSID it's still a weakness if someone's determined, when it comes down to it you can't Beat plain old Cat5e Laid out properly with a bit of forethought


  • Closed Accounts Posts: 407 ✭✭jpl888


    When i mentioned older operating systems /Hardware i was actually refereing to an issue i had on a Linux laptop where i couldn't get it to Authenticate WPA with a brandnew Wifi adaptor, I managed to solve this later on with a distro upgrade but i would still rather have the option to use *some* security as supposed to nothaving a WEP option and being left with the AP being open or not haivng Wifi.

    Well Linux wireless drivers have come on an awful lot in the last year, I'll wager you aren't likely to come across the same problem if you are installing a current distro (i.e with 2.6.27 or newer), so it is a moot point.
    For refrence i'm not a fan of Wireless AP's unless you need to use them, because of how much of a security weakness they are, Even with a AP secured with WPA, using MAc fileting & with a Hidden SSID it's still a weakness if someone's determined, when it comes down to it you can't Beat plain old Cat5e Laid out properly with a bit of forethought

    I agree 2.4Ghz wireless is crap and I can't see 5Ghz being leaps and bounds better, you are always going to have issues using unlicensed frequencies.

    I disagree with WPA being a weakness, as I pointed out in the last post if you put a long key in there with special characters in it would not be practical, and would probably be, impossible to crack.

    So I think we are in agreement then that ISP's and vendors should at the very least treat WEP as a last gasp option and should probably remove it altogether. So how do we get them to do it?

    Should I go around the country cracking WEP networks and leaving a calling card "The Cracking Crusader" until these idiots start taking it seriously?

    Perhaps some high profile scalps would raise awareness.


  • Closed Accounts Posts: 2,486 ✭✭✭Redshift


    I moved house last week and new router eircom sent me had WPA enabled by default with a 20 digit alpha numeric key on a sticker on the underside.

    20022009.jpg

    Don't use this router and would change key if I did so i'm not bothered blocking it


  • Closed Accounts Posts: 336 ✭✭Darth Maul


    I would install quite alot of eircom routers for companies and individuals, in about October or November they started sending out netopia routers with WPA installed and they key on a sticker on the back of the unit and the front of the user guide, and for a few weeks before that they were sending them out with a wep key that was using a different algorithim than the one that was cracked so that you couldn´t use the eircom key cracker to get the key from the ssid.


  • Advertisement
  • Registered Users, Registered Users 2 Posts: 6,026 ✭✭✭Amalgam


    Redshift wrote: »
    I moved house last week and new router eircom sent me had WPA enabled by default with a 20 digit alpha numeric key on a sticker on the underside.

    20022009.jpg

    Don't use this router and would change key if I did so i'm not bothered blocking it

    Same here, our neighbour had WPA enabled by default, Eircom. A move in the right direction.


  • Closed Accounts Posts: 1,567 ✭✭✭Martyr


    and for a few weeks before that they were sending them out with a wep key that was using a different algorithim than the one that was cracked so that you couldn´t use the eircom key cracker to get the key from the ssid.

    the algorithm to generate WEP key is actually the same as before.
    its the SSID generation that changed because now netopia are owned by motorola, OUI in MAC is different.

    for example, Farallon were 0x0000C5, most of Netopia routers were 0x000FCC, motorola used 0x001D6B and upwards..so in order to generate a valid WEP key, you need to take this into consideration.

    Most of the existing available decoding tools all use 0x000FCC by default, which is why it gives wrong key.

    As for WPA key generation, from my own snooping around, it appears to use an algorithm based on HMAC-SHA-1, quite possibly a modified variant of PBKDF 2.0, but nobody has confirmed what actual input goes into it.

    if someone were able to successfully extract the firmware from the router and disassemble it, then no doubt they would know what the algorithm is.

    for that reason, i would change the default WPA key..but you should always do that anyway, with any hardware device.


  • Closed Accounts Posts: 407 ✭✭jpl888


    As for WPA key generation, from my own snooping around, it appears to use an algorithm based on HMAC-SHA-1, quite possibly a modified variant of PBKDF 2.0, but nobody has confirmed what actual input goes into it.

    if someone were able to successfully extract the firmware from the router and disassemble it, then no doubt they would know what the algorithm is.

    for that reason, i would change the default WPA key..but you should always do that anyway, with any hardware device.

    Effectively the only way to break WPA is to brute force it, so if you have a long key with letter, numbers and symbols in you are in effect making it logistically impossible to crack.

    Anywho got a reply from Eircom today and they still haven't changed there blurb. I am urging them to point out how weak WEP is and that it should only be used as last resort.

    I will let you know how I get on.


  • Closed Accounts Posts: 407 ✭✭jpl888


    Most of the existing available decoding tools all use 0x000FCC by default, which is why it gives wrong key.

    I also want to reiterate, as the above quote may give the impression Eircom routers are now impervious to WEP attack, you can break any WEP key on any router, regardless of whether it is Eircom, BT or USISP's are US using freely available tools and step by step idiot guides.

    So the current status is Eircom are shipping WPA enabled by default. However there are many many people and businesses still using WEP as a result of Eircom's previous policy towards wireless.

    Additionally some of the information on the website is misleading and inaccurate regarding WEP and as long as at least some part of the website is saying WEP is ok there is a good chance users will continue to use it.


  • Closed Accounts Posts: 1,567 ✭✭✭Martyr


    I also want to reiterate, as the above quote may give the impression Eircom routers are now impervious to WEP attack, you can break any WEP key on any router, regardless of whether it is Eircom, BT or USISP's are US using freely available tools and step by step idiot guides.

    can you or someone else please explain how to recover a WEP key of access point when it has no authenticated clients??

    genuinely interested to know how this is done - using the key generator doesn't require WEP traffic, knowledge of attacking WEP using tools..etc

    i was responding to your comment on available keygens not working... arguing that just because the WEP generators don't work with new model of routers using static WEP keys(based on serial number) - doesn't mean the WEP key generation algorithm has changed in any way.

    all that has changed is the SSID generation, and all that was ever required was the MAC anyway...

    also, just because you're using WPA, doesn't mean you're secure either.

    not everyone will be using complex passwords, most are likely to use something thats easy to remember, as always.

    even the "professionals" use crap passwords.


  • Closed Accounts Posts: 407 ✭✭jpl888


    can you or someone else please explain how to recover a WEP key of access point when it has no authenticated clients??

    Are you asking for a step by step tutorial or do you just want pointers?

    Over and above a "standard" attack you do a fragmentation or chop chop attack to generate a PRGA file, which, can be used for packet injection.

    It may be that the AP has ethernet ports connected to machines which will be generating ARP requests anyway so even with no clients it's possible to do standard ARP packet injection.
    genuinely interested to know how this is done - using the key generator doesn't require WEP traffic, knowledge of attacking WEP using tools..etc

    I will give you an overview. Basically you need a decent installed GNU/Linux or GNU/Linux LiveCD with a recent kernel (older kernels don't support a lot of wireless chipsets in monitor mode) I use Gentoo but you could use the Beta Ubuntu CD as that has a pretty up to date kernel.

    You put the wireless card in monitor mode and start capturing IV packets on the channel your interested in (kisment is a good visual tool to identify networks and channels).

    You then do a fake authentication which lets you inject ARP packets into the wireless network. This then makes the AP generate loads of IVs (the more IVs you have the more chance you have of breaking the key).

    Finally you run the command to give you the key itself.

    I'm not going to reinvent the wheel so here are links to 2 very good tutorials on the aircrack-ng site:-

    http://www.aircrack-ng.org/doku.php?id=simple_wep_crack

    http://www.aircrack-ng.org/doku.php?id=how_to_crack_wep_with_no_clients
    i was responding to your comment on available keygens not working... arguing that just because the WEP generators don't work with new model of routers using static WEP keys(based on serial number) - doesn't mean the WEP key generation algorithm has changed in any way.

    That wasn't my comment, I did know where you were coming from, but I thought that others might take what you wrote to mean that Eircom had done something "special" with WEP so that it couldn't be broken on their modems. It was only to clarify to other people and I wasn't trying to invalidate what you said.
    also, just because you're using WPA, doesn't mean you're secure either.

    Even with a crap pre-shared key i.e. one based just on a dictionary word WPA is still orders of magnitude harder to crack than WEP. The attacker has to go to the effort of sourcing/generating a dictionary and then actually trying to associate to the AP trying a different word each time. I don't know how quickly you can attempt reassociation but I would imagine it would take a fair old time to rinse and repeat ad length of dictionary. It would look fairly conspicuous for somebody to be sat outside your house in their car for that amount of time.

    As a side note I did manage to create a WEP key that aircrack couldn't get even with 3 million IVs, it had an ampersand in. I'm assuming because I'm using a non-standard locale and UTF-8 on my system that it was a character that aircrack just didn't understand or try. It was an interesting excercise.

    Even if you can create a key like that actually inputting it into a doze machine so that it can connect I would imagine to be challenging.


  • Registered Users, Registered Users 2 Posts: 469 ✭✭knuth


    Eircom routers always generated arps once you tried a fake authentication.

    Did any one actually try cracking an Eircom router with the original aircrack (Chris Devine)?

    The key used to be returned after 100-200K IV's - even though most 128bit's required at least 600K IV's for the key to be found. This was evident on over 20+ routers that were tested.


  • Closed Accounts Posts: 54 ✭✭Eoinsheehy


    Use this link http://s4dd.yore.ma/eircom/ to crack the WEP by just having the ssid numbers handy that webpage will crack the WEP on any Eircom Wireless router with a WEP password, I don't think that Eircom could have spent less time on the security of the network. Typical of eircom couldnt be lazzier if they tried, it would serve them right to go bankrupt.:mad::mad::(:mad:


Advertisement