New Scary iPhone App

philiporeilly

Saw a new #1 App under Paid Apps last night on the iTunes App Store called "dessid".

Basically this App decodes WEP encryption keys for Eircom routers. I was walking into work this morning passing houses and it gave me about 90% of WEP keys within 2 secs.

That's a scary thought for any Eircom customer!

With that info you easily get free broadband or even worse, change their router settings or see shared files on home networks. How did that get by Apple and their so called App Approval process?

Big Lar

Jesus that's terrible. :eek:

You didn't get a chance to see if it works with Eircom hot spots by any chance ?

philiporeilly

Havent tried one yet but I doubt it. I presume the App is using some form of key generator which Eircom uses to make the WEP keys.

Apparently if you change the default WEP key and settings you should be okay but not good news for Eircom or their customers!

Owen

No idea how Apple approved it TBH, but there's been a jailbroken version for a while now, and a site that lets you do the same. I don't think it should be on the appstore, it should be hidden - otherwise it won't be an exploit for long.

philiporeilly

You can change the default settings to secure your network if using Eircom but let's be realistic, the vast majority wouldnt have a clue how to do it.

My parents would be like the majority of Eircom customers, get the nice man to come out to install the 'thingy' so we can get on the 'interweb'. They havent a clue about 192.168.1.254 or WEP/WPA encryption keys etc etc and prefer to stay ignorant of those issues once the 'interweb' was okay.

Karoma

Which is why Eircom rang their customers and talked them through changing the security on their router aaages ago when the exploit was first widespread (and available on J2ME and a host of other platforms). It's old and pointless at this stage.

mickoneill30

PaintDoctor wrote: »

I don't think it should be on the appstore, it should be hidden - otherwise it won't be an exploit for long.

It's been an exploit for a couple of years and you don't just need an Ipod to crack it.
I'm presuming it's not on any current equipment. It requires a user to change their keys or change to WPA but many users don't. You only have to turn on wireless to see standard eircom ssids popping up all over the place.

Edit: beaten to it by philiporeilly & Karoma

philiporeilly

Karoma wrote: »

Which is why Eircom rang their customers and talked them through changing the security on their router aaages ago when the exploit was first widespread (and available on J2ME and a host of other platforms). It's old and pointless at this stage.

As I said earlier I was able to access 90% of Eircom WEP keys on my way to work. Hardly pointless!

Dades

Wow! That app can't be around for long if it does that. Strange it's there at all!

/runs to download before it's pulled

http://www.apps.ie/app-list/companies/Daniel-Heffernan/apps/dessid.html

Big Lar

Big Lar wrote: »

Jesus that's terrible. :eek:

You didn't get a chance to see if it works with Eircom hot spots by any chance ?

So does it work with the Eircom Hotspot or not ? Or does anyone know of an app that does ? Its just that I fear for Eircom's security

Owen

mickoneill30 wrote: »

It's been an exploit for a couple of years and you don't just need an Ipod to crack it.

I didn't say you had to have an iPod, and I didn't say it was a recent phenomeon. I did say that it shouldn't be on the Appstore, alluding to the fact that if it remains on the appstore, it's only a matter of time before it hits Joe Duffy/Marian and Eircom are forced to call out to everyone's house, or something similar - hence ending the exploit.

philiporeilly

PaintDoctor wrote: »

I didn't say you had to have an iPod, and I didn't say it was a recent phenomeon. I did say that it shouldn't be on the Appstore, alluding to the fact that if it remains on the appstore, it's only a matter of time before it hits Joe Duffy/Marian and Eircom are forced to call out to everyone's house, or something similar - hence ending the exploit.

Realistically Eircom replacing or physically updating routers is the best solution as many customers wouldn't have a clue about it. U

It will take a very long time to update up to 250,000 routers according to the Irish Times which means this exploit will be in use possibly for years to come.

http://www.irishtimes.com/newspaper/finance/2009/1106/1224258192335.html

mickoneill30

PaintDoctor wrote: »

I didn't say you had to have an iPod, and I didn't say it was a recent phenomeon. I did say that it shouldn't be on the Appstore, alluding to the fact that if it remains on the appstore, it's only a matter of time before it hits Joe Duffy/Marian and Eircom are forced to call out to everyone's house, or something similar - hence ending the exploit.

Hmmm. So having it on an iPod will mean the eircom will update all the dodgy keys. Despite the fact that software has been on the PC for years to crack the keys. Which is more popular, PC or iPod? If they haven't done it by now they're not going to speed up because of the iPod app. You can do way more with a network when you use a laptop to crack the key.

Ghost Train

Don't see an issue with it because eircom know about the problem and they must feel they have taken significant action by writing to there customers about it

Is a bit cheeky to be charging 1.59€ for an application like this, but I guess some work was put into it

Just to state as well that it can work both ways... somebody could set up an eircom wifi connection or an open wifi connection and monitor who connects and any traffic they send over the connection

Owen

mickoneill30 wrote: »

Hmmm. So having it on an iPod will mean the eircom will update all the dodgy keys.

I'm trying to figure out why you're insistent on arguing.

What I'm trying to say is that the Media love sensationalism. Having this on the jesus phone is fuel for sensationalism.

Now if you want to pick apart that argument, feel free. But you'll just be doing this :

blackbetty69

whoever designed this is a genius! is it only eircom it works on tho?

mickoneill30

PaintDoctor wrote: »

I'm trying to figure out why you're insistent on arguing.

What I'm trying to say is that the Media love sensationalism.

Ahh witty reply. You started arguing. My original post just said you could do it on PCs and it's been around for a while. I'm sorry if that seemed argumentative to you. I'll hold my breath for the media reports. So that's the end of my argument.

fdevine

If I remember correctly from when this exploit first surfaced, you do not need to change your WEP key. Simply changing your SSID stops the decryption tool from establishing what the WEP key is.

Great little app though. Tried it in work, where we don't have WIFI and was able to join to several 'secure' connections.

philiporeilly

mickoneill30 wrote: »

Hmmm. So having it on an iPod will mean the eircom will update all the dodgy keys. Despite the fact that software has been on the PC for years to crack the keys. Which is more popular, PC or iPod? If they haven't done it by now they're not going to speed up because of the iPod app. You can do way more with a network when you use a laptop to crack the key.

Fair enough its been on PCs a while but the iPod version is main streaming it for general public use. Its #1 in the official iTunes charts and some people may purchase it just for that reason.

mickoneill30

blackbetty69 wrote: »

whoever designed this is a genius! is it only eircom it works on tho?

Yep. Eircom generated their keys based on an algorithm that anybody can reproduce. If you know the SSID and the algorithim you can recreate the key. The keys should have been totally random.

Leiva

Sure "eircomgrabber" has been around for months and it's free .

AntoSRFC

So does this mean that someone is able to log into password protected wireless internet without knowing the password?

Leiva

U still need a password but this app will generate it for you . It knows all the pre defined wap keys and let's you generate them on the go .
If the eircom account holder has not change the encryption to the factory set one then thus app will tell you the key .

AntoSRFC

Alright sound. So would you be able to hazard a guess on what % of wireless set ups this will work on and does it just work on eircom? and does anyone know if it works at hotspots? Sorry for the truck load of queistions.

TheToast

Irish Times says "A survey from consultants Deloitte, which is published today, found that 63 per cent of Eircom networks that broadcast the eight-digit network name have not upgraded their security."

http://www.irishtimes.com/newspaper/finance/2009/1106/1224258192335.html

This does not work on Eircom hotspots.

Mellor

AntoSRFC wrote: »

Alright sound. So would you be able to hazard a guess on what % of wireless set ups this will work on and does it just work on eircom? and does anyone know if it works at hotspots? Sorry for the truck load of queistions.

Basically, the eircom CD generates a password originally, based on network ID
this program does the same generation process, and gives the original ID

So unless you've changed it, it works fine

Maldini2706

Highest grossing app on iTunes now

blackbetty69

TheToast wrote: »

Irish Times says "A survey from consultants Deloitte, which is published today, found that 63 per cent of Eircom networks that broadcast the eight-digit network name have not upgraded their security."

http://www.irishtimes.com/newspaper/finance/2009/1106/1224258192335.html

This does not work on Eircom hotspots.

ah shoot:mad:

TheToast

Interesting article about the legality of dessid in Ireland:

http://www.tjmcintyre.com/2009/11/irish-law-on-hacking-tools-dual-use.html

banquo

It's a great app. Eircom are the problem.

It's great for:

a) Putting in your own ssid (in case you've to restore your device, saves you trying to enter it 5 times before getting it right)
b) Getting on a friend's network when you're over for a beer
c) Embarassing Eircom.

''c)'' is my favorite reason.

Mellor

The fact is, if it brings awareness to security flaws, its good.

And banquo, if A or B above works for you, you (or your mate) should really change your WEP key

blahblah06

I use this all the time. It's great when out and about

faceman

I doubt the app will be pulled unless Eircom files a complaint with Apple.

TheToast

Last week in the Sunday Business Post Eircom said that they will contact Apple but it still seems to be up there...