
Irish Times 06.11.2009 - Apple software allows unauthorised access to Eircom..

  • 06-11-2009 2:27am
    #1
    Registered Users Posts: 6,026 ✭✭✭


    I'm sure the situation isn't 'new' to Boardsies, but what is unusual is a national paper going into a fair amount of detail, without resorting to tabloid hysteria. A level-headed article.

    http://www.irishtimes.com/newspaper/finance/2009/1106/1224258192335.html

    The Irish Times - Friday, November 6, 2009

    Apple software allows unauthorised access to Eircom broadband networks

    JOHN COLLINS

    APPLE IS benefiting from sales of a piece of software that provides free access to up to 250,000 home broadband networks without the owners’ knowledge.

    The software for Apple iPhones, called “dessid”, which costs €1.59, exploits a flaw in the hardware Eircom provided to its broadband customers and which first came to light in September 2007.

    The problem occurred because each Eircom customer’s wireless network broadcast a unique eight-digit code as its network name. The password was derived from these digits.

    Since August 2008 all devices shipped to Eircom customers have used a more secure standard which is not susceptible to the misuse. Yesterday an Eircom spokesman said about 50 per cent of its customers were using the newer equipment.

    A survey from consultants Deloitte, which is published today, found that 63 per cent of Eircom networks that broadcast the eight-digit network name have not upgraded their security. Given that Eircom had almost 480,000 broadband customers at the end of last June, according to ComReg, up to 250,000 home networks could be accessed using the app.

    Once installed, dessid scans for available wireless networks. When the user chooses an Eircom network the password is displayed almost instantly. The software is sold as a way for users to recover their Eircom wireless internet password. Daniel Heffernan, the author of the software, said it was not intended as a way to access free broadband but it was “fairly obvious” it could be used in this way. He was “surprised” Apple had approved it with no queries.

    Apple keeps 30 per cent of all revenues for software sold through iTunes. This week the computer maker announced there are 100,000 applications available on iTunes.

    Last night Apple did not respond to requests for information on how dessid was approved for sale or its approval policy in general. It has been on sale since October 29th and Mr Heffernan said he was selling about six copies a day.

    Accessing wireless networks without permission is a criminal offence in Ireland. The Irish Times yesterday downloaded dessid and was able to get the password for an Eircom network used for testing in our offices.

    Eircom reminded customers to upgrade their settings and visit http://wirelesssecurity.eircom.net for details of how to do so.


Comments

  • Banned (with Prison Access) Posts: 25,234 ✭✭✭✭Sponge Bob


    This is a legacy of the WEP key farce which was discussed here around September / October 2007. This code has essentially been around since Summer 2007.

    Which one of ye is Daniel Heffernan :D


  • Registered Users Posts: 4,864 ✭✭✭MunsterCycling


    FFS, if anybody is still using WEP they deserve to be hacked... Still not worth getting a fruit phony though


  • Moderators, Technology & Internet Moderators, Regional South East Moderators Posts: 28,470 Mod ✭✭✭✭Cabaal


    People PAY for an app to do this!?!

    Idiots, through Cydia you can get "eircom grabber" for free and it does the exact same thing :)

    Any end user who has not updated their wifi security after this was announced is a fool and it's not much different to not changing your front door lock (for free) after the maker of the lock says it can be opened with a matchstick.


  • Registered Users Posts: 5,918 ✭✭✭Steffano2002


    Sponge Bob wrote: »
    This is a legacy of the WEP key farce which was discussed here around September / October 2007. This code has essentially been around since Summer 2007.

    Which one of ye is Daniel Heffernan :D

    Were you not the person who caused this media sh!tstorm for eircom back in October '07?


  • Banned (with Prison Access) Posts: 25,234 ✭✭✭✭Sponge Bob


    Surely you mean 'inform the potential victims of the risk they faced' Steffano. Sadly I did not do a good enough job :(

    eircom continued to ship these for the best part of a year afterwards and there were 10s of 1000s in the channel and generally lying around.

    The online version of yoke has been accessed over 170,000 times ...here, put your own router name (ID) in there. As it is the first item on any Google search for 'eircom wep' I feel there is no point in hiding it. The iPhone app does the same thing 'offline' as the online yoke.

    Sample for testing.

    eircom1111 2222


  • Registered Users Posts: 628 ✭✭✭Matt Bauer


    As an iPhone owner (no, I didn't get it for the way it looks), I find it amusing that people are complaining that Apple are too lax approving applications for the App Store. If you've followed the news, the typical complaint is that Apple are too strict in their enforcement, for example not approving an ebook reader because it allowed users to access the Kama Sutra.

    They later backtracked and approved it.

    And like Sponge Bob says, it's not like this is new information at all. Just search for "eircom wep" on Google.


  • Moderators, Technology & Internet Moderators, Regional South East Moderators Posts: 28,470 Mod ✭✭✭✭Cabaal


    Were you not the person who caused this media sh!tstorm for eircom back in October '07?

    It was hardly a ****storm, eircom were aware of the issue and chose to ignore it instead of addressing it.

    Very poor way of offering security to their customers, it was only when the issue was highlighted to the media did eircom bother their arse to do anything about it.


  • Moderators, Technology & Internet Moderators, Regional South East Moderators Posts: 28,470 Mod ✭✭✭✭Cabaal


    Matt Bauer wrote: »
    And like Sponge Bob says, it's not like this is new information at all. Just search for "eircom wep" on Google.

    OMG :eek:

    Future Breaking News:
    Irish Times 07.11.2009 - Google search allows unauthorised access to Eircom..

    :rolleyes:

    Apple haven't really done anything wrong imho


  • Registered Users Posts: 5,918 ✭✭✭Steffano2002


    Sponge Bob wrote: »
    Surely you mean 'inform the potential victims of the risk they faced' Steffano.

    Don't get me wrong, what you did was right! ;)

    Cabaal wrote: »
    It was hardly a ****storm, eircom were aware of the issue and chose to ignore it instead of addressing it.

    Very poor way of offering security to their customers, it was only when the issue was highlighted to the media did eircom bother their arse to do anything about it.

    It was a ****storm for them! And it was definitely self-inflicted! :rolleyes:


  • Registered Users Posts: 315 ✭✭john__long


    Cabaal wrote: »
    Apple haven't really done anything wrong imho

    +1

    Eircom are the ones who have done something wrong. They still haven't fixed a problem pointed out to them in every form of the national media in 2007.

    They've had two years to get their act together. They didn't.

    Nothing to do with Apple. They're just the medium. How were they supposed to know about every security hole in Eircom's services?

    Next Larry Wall will be blamed. Sure after all doesn't a Perl version of this script exist on my desktop...


  • Closed Accounts Posts: 20 TheToast


    Still live on the App Store :)


  • Closed Accounts Posts: 140 ✭✭irishraven


    For less than 2 euro it was worth it for me! I use my iPhone instead of carrying a laptop around so being able to log on to the eircom signal beside my job when all I get is Edge is a life saver....


  • Registered Users Posts: 1,451 ✭✭✭Onikage


    They ban Flash and Java from the app store, but permit a tool whose sole purpose is to allow people to steal bandwidth? :confused: There's something wrong there.


  • Moderators, Science, Health & Environment Moderators Posts: 7,146 Mod ✭✭✭✭pistolpetes11


    Onikage wrote: »
    They ban Flash and Java from the app store, but permit a tool whose sole purpose is to allow people to steal bandwidth? :confused: There's something wrong there.

    That's not its sole purpose but it happens to be a benefit of the product!


  • Closed Accounts Posts: 20 TheToast


    Flash and Java aren't allowed because of performance/security reasons. Neither applies to dessid.

