Eircom Netopia Routers Are Wide Open

  • 20-09-2007 05:40PM
    #1
    Banned (with Prison Access) Posts: 25,234 ✭✭✭✭


    If you follow a few simple steps that I will not go into. Basically the Router Name contains part of the Encryption Key.

    http://www.bartbusschots.ie/blog/?p=511
    The information I was given included a very short piece of computer code (in C++) that takes an Eircom default SSID as input and effectively instantly gives the default WEP key as output. The algorithm to do this is shockingly and frighteningly trivial. The author claims he was able to generate this code using some very basic reverse-engineering techniques on the Eircom install CD.

    Eircom won't talk to him about it or publish a security advisory for the minimum 100k of these out there. There are about 50k of these things in the supply chain between now and Christmas so it will be 2008 before they fix it.

    All Together Now Duhhhh!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

    Thank phuck I always use WPA



Comments

  • Moderators, Technology & Internet Moderators Posts: 12,454 Mod ✭✭✭✭dub45


    Surely it is an issue worthy of being brought to the attention of Comreg or perhaps even the data commissioner?

    I have always thought it silly anyway that they come with the wireless switched on as the default. It is causing unnecessary congestion of the airwaves, never mind the security issue.


  • Registered Users, Registered Users 2 Posts: 14,869 ✭✭✭✭dulpit


    Quick question - our router is an Eircom Netopia one, but we have it set up so that only certain MAC addresses (my laptop, my brother's wii) can access it wirelessly...

    I presume this is as safe & secure as you can get??


  • Registered Users, Registered Users 2 Posts: 37,308 ✭✭✭✭the_syco


    dub45 wrote:
    Surely it is an issue worthy of being brought to the attention of Comreg or perhaps even the data commissioner?
    Surely you're taking the piss? Because someone found a way to quickly crack WEP, it's bad? WPA is more secure, but not uncrackable. Should that also be removed?

    Wait: news flash: if it gives access to a business, someone will try to crack it.
    dulpit wrote:
    Quick question - our router is an Eircom Netopia one, but we have it set up so that only certain MAC addresses (my laptop, my brother's wii) can access it wirelessly...

    I presume this is as safe & secure as you can get??
    Nope. Your MAC address is broadcast as plain text. Then I just have to spoof your MAC address (make your router think I'm actually your computer), and in I go.


  • Banned (with Prison Access) Posts: 25,234 ✭✭✭✭Sponge Bob


    Well as someone living in the country I don't feel as strongly about that dub45 but deriving the SSID from the WEP key and then broadcasting it is stupido!


  • Moderators, Technology & Internet Moderators Posts: 12,454 Mod ✭✭✭✭dub45


    Sponge Bob wrote:
    Well as someone living in the country I don't feel as strongly about that dub45 but deriving the SSID from the WEP key and then broadcasting it is stupido!

    I agree with you on the latter but as regards the former it is truly amazing how many Eircom networks you can pick up in Dublin and I would guess that a fair few of them are not being used as part of a wireless network.


  • Moderators, Technology & Internet Moderators Posts: 12,454 Mod ✭✭✭✭dub45


    dulpit wrote:
    Quick question - our router is an Eircom Netopia one, but we have it set up so that only certain MAC addresses (my laptop, my brother's wii) can access it wirelessly...

    I presume this is as safe & secure as you can get??

    You should change the security to WPA - easily done if you are capable of the MAC stuff.


  • Banned (with Prison Access) Posts: 25,234 ✭✭✭✭Sponge Bob


    I agree with you Dub45 in that the advisory that eircom will eventually release will advise persons that

    1. they are not to broadcast the SSID if wireless is on (trivial)
    2. they are to turn off the wireless altogether (trivial) if wireless is not used on the premises.


  • Registered Users, Registered Users 2 Posts: 32,461 ✭✭✭✭watty


    make up your own SSID and key at the least, WPA at better, only use cables if paranoid.


  • Closed Accounts Posts: 106 ✭✭bungholio


    the_syco wrote:
    Surely you're taking the piss? Because someone found a way to quickly crack WEP, it's bad? WPA is more secure, but not uncrackable. Should that also be removed?

    you're a fool, we're not talking WEP in general here, we're talking eircom's SSID naming and their WEP codes.

    News Flash: wake up n stop being an azz


  • Banned (with Prison Access) Posts: 25,234 ✭✭✭✭Sponge Bob


    Righty Ho!

    Unless eircom publish a proper advisory in the national press by next Friday morning, one week's time, I will publish the detailed exploit here... and elsewhere... in order to make them publish a proper advisory.

    There is no point in hiding this issue any more.

    They have one week from now. As for the stuff in the pipeline they can tell the shops to print the advisory and sellotape it to the boxes.

    There are well over 100k of these things out there, either deployed in use or in the pipeline :(

    Even telling everyone to change the last 2 digits of the SSID, forthwith, would do the trick.


  • Registered Users, Registered Users 2 Posts: 2,497 ✭✭✭Nick_oliveri


    Sure there was a default WEP key for a lot of routers not so long ago. This doesn't surprise me tbh.

    NTL router in the brother's apartment had wireless and no security turned on by default. I'd say a few people in Raheny were happy for those few months. They even managed to change the admin password.

    Anyone ever heard of the Linux distro "Backtrack"?


  • Registered Users, Registered Users 2 Posts: 8,814 ✭✭✭BaconZombie


    If we can get this on the front page of Digg they "may" do something about it....

    http://digg.com/security/Eircom_Exposes_Its_Broadband_Customers_to_Serious_Security_Risks


  • Closed Accounts Posts: 16,392 ✭✭✭✭kaimera


    Arse.

    I couldn't find a way to stop broadcasting the SSID on my own netopia router without disabling wireless completely. :-/

    WPA + MAC addy wifi access only + changed SSID I have already.


  • Registered Users, Registered Users 2 Posts: 4,051 ✭✭✭bealtine


    Sponge Bob wrote:
    Righty Ho!

    Unless eircom publish a proper advisory in the national press by next Friday morning, one week's time, I will publish the detailed exploit here... and elsewhere... in order to make them publish a proper advisory.

    I say publish now.


  • Banned (with Prison Access) Posts: 25,234 ✭✭✭✭Sponge Bob


    No! It's only fair that they should have a chance to tell people.

    Next Friday 28/09, midday, is their deadline.


  • Closed Accounts Posts: 4,858 ✭✭✭paulm17781


    Sponge Bob wrote:
    No! It's only fair that they should have a chance to tell people.

    Next Friday 28/09, midday, is their deadline.

    Have you put this to Eircom?


  • Banned (with Prison Access) Posts: 25,234 ✭✭✭✭Sponge Bob


    It was put to eircom over a week ago.

    http://www.bartbusschots.ie/blog/?p=511
    Bart B on September 11th, 2007 2:50 pm Paul, who in Eircom would I send it to? You remember trying to get in touch with anyone competent in there back when we were trying to get them to give up the SU’s domain a few years back. I’ve had a few dealings with them since, they are every bit as impenetrable as ever they were. Emails go un-answered and when you phone them they play a game of ‘pass the call’ with you. I don’t have an hour of my life to piss down the toilet ATM. Best I can do is warn users on this blog so that’s what I’m doing.

    Bart B on September 11th, 2007 3:12 pm Just as a little update on this. For ****s and giggles over lunch I decided to play a game of pass the call with Eircom. As I expected I got passed all round the place and eventually ended up with tech support who were none too keen to help unless I was the customer. Thankfully the guy was reasonable and in the end agreed to take my name and number and ask his supervisor to ring me. He insisted he couldn’t transfer me. I’m dead curious to see if I ever hear back.

    I also contacted comreg who told me it’s not their area because broadband in Ireland is not regulated. They suggested I contact the National Consumer Agency and were kind enough to give me the number. So I’m gonna give them a shout now.

    Some time later a crack appeared in the glacier. Eircom :eek: Rang Back :eek:
    Eircom tech support left me a voice mail while I was talking to the NCA to tell me it’s a matter for Eircom Customer Service and left a number. Let's see what becomes of this!

    Bart B on September 11th, 2007 3:38 pm OK, got on to Eircom Customer care. Took a little while and, as Des would put it, I had to be the opposite of a doormat but a call has been logged and they took all the details of my complaint. I suggested adding the URL to this post into the call but the guy didn’t seem keen. Anyhow, now we play the waiting game again.

    And that's it. I left it a week to see if anybody in eircom gave a sh1t before starting this thread.

    They are now 6 days and 23 hours away from full disclosure. Eircom read this board all the time :)


  • Registered Users, Registered Users 2 Posts: 2,762 ✭✭✭oleras


    Sponge Bob wrote:
    Righty Ho!

    Unless eircom publish a proper advisory in the national press by next Friday morning, one week's time, I will publish the detailed exploit here... and elsewhere... in order to make them publish a proper advisory.

    There is no point in hiding this issue any more.

    They have one week from now. As for the stuff in the pipeline they can tell the shops to print the advisory and sellotape it to the boxes.

    There are well over 100k of these things out there, either deployed in use or in the pipeline :(

    Even telling everyone to change the last 2 digits of the SSID, forthwith, would do the trick.


    Yeah Eircom!!! Listen up, or else...............oh yeah, sponge bob left out you also better enable the Patrickswell exchange, or it's gonna hit the fan....BIG TIME BABY!!!


  • Closed Accounts Posts: 106 ✭✭bungholio


    we've all dealt with eircom in the past, we all know what they're like, and tbh I don't even know what you're waiting for, as in the words of Nike, Just Do It


  • Closed Accounts Posts: 1,567 ✭✭✭Martyr


    this is a big problem that can't just be solved overnight or with a phone call.
    @SpongeBob, I think it would be highly irresponsible to discuss the details of the key generation process on a public forum.
    yes, I know I mentioned on the security forum about it, but I was just ..testing the waters so to speak, not asking if anyone knew how to do it.

    yes, it is wise to inform people..but posting a 'how to do it'?? that's crazy, and is not going to solve anything.

    you're only going to have thousands of people around the country using other people's internet access for all kinds of illegal activity.

    please at least consider the trouble you will be causing by telling people how to do it.


  • Registered Users, Registered Users 2 Posts: 164 ✭✭GreyAlien


    WEP can be so easily cracked in 5 minutes or so, I don't really see how this adds anything new to that. I think it'd be far easier to packet sniff a network, than to write an app algorithm to get the key.

    Changing to WPA would be one solution, but not every single device supports this. Keeping it on WEP does make some sense for compatibility.
    Most people don't have the knowledge to crack a WEP network anyway, so it should stop the casual person trying to connect.


  • Closed Accounts Posts: 1,567 ✭✭✭Martyr


    WEP can be so easily cracked in 5 minutes or so, I don't really see how this adds anything new to that. I think it'd be far easier to packet sniff a network, than to write an app algorithm to get the key.

    no, unfortunately it wouldn't be easier to do what you just said, otherwise there would be little to worry about.

    as said in Bart's post, you only need the default SSID to discover the default WEP key.

    in the hundred thousands - these eircom routers exist and are being used every day.. it would be irresponsible to publish details of the flaw before eircom have had a chance to address it.

    IMHO 1 week is not adequate time, 1 month wouldn't even be enough..that's assuming eircom plan to fix it.

    Even if they don't, can't see what good it will do telling everyone how to get the WEP key from the SSID.


  • Closed Accounts Posts: 9 lonewolf


    Wow, I didn't think that post on Bart's blog would cause this much action. Let's just get a few things in order.
    1. Yes I am the source mentioned
    2. No I'm not going to release the code
    3. I think Sponge Bob is a fool if he releases his copy.

    Having this kind of exploit in the wild would cause big trouble for everyone on a default setup Eircom broadband box. If you want to stay safe from the exploit, just change the last 8 digits of your Eircom SSID (eircom1234 1234). That's it. Exploit defeated.

    The code will not be released.


  • Banned (with Prison Access) Posts: 25,234 ✭✭✭✭Sponge Bob


    lonewolf wrote:
    Wow, I didn't think that post on Bart's blog would cause this much action. Let's just get a few things in order.
    1. Yes I am the source mentioned
    2. No I'm not going to release the code
    3. I think Sponge Bob is a fool if he releases his copy.
    1. You are A source for the assertion that the code reversing can be programmed, Lonewolf.
    2. Did you write the Polish variant of the key reverse generator?
    3. If not, who did write the Polish variant I saw... this month actually.
    4. I did not say who showed me the English language interface reverse generator I saw. I will say it was not Lonewolf, and if Lonewolf has not released his copy to anybody then there is another variant. It seemed utterly different to the very neat Polish one I also saw.
    5. There are therefore 3 generators around that I know of now.
    Having this kind of exploit in the wild would cause big trouble for everyone on a default setup Eircom broadband box. If you want to stay safe from the exploit, just change the last 8 digits of your Eircom SSID (eircom1234 1234). That's it. Exploit defeated.

    I did say that changing the last 2 digits _should_ defeat the generator. Are you in agreement or was I wrong on that, Lonewolf?

    Either way the exploits are out there now and 100k poor sobs think that they are totally protected by the WEP key.

    Any gob****e who knows what a keygen is can crack the crypto now.

    That's a far far greater level of risk than someone who knows what 'promiscuous' means.

    Eircom have less than 6 days to publish an 'adequate' advisory in the national media. They have already bought the advertising slots so it's simply a matter of producing the content for the slots. They are the ones who caused the problem.


  • Closed Accounts Posts: 9 lonewolf


    I know at least twenty people (good friends and acquaintances) with their own variants of the ssid to wep key generator and I can assure you none of them are, as you put it, gob****es.

    So you have your own version of the generator. It's not that hard to write and certainly not worth flapping about on forums.


  • Registered Users, Registered Users 2 Posts: 3,189 ✭✭✭uncle_sam_ie


    Anyone concerned about their security should listen to this podcast (episodes 11 and 13). http://www.grc.com/securitynow.htm
    If you take precautions there is nothing to fear.


  • Banned (with Prison Access) Posts: 25,234 ✭✭✭✭Sponge Bob


    Righty Ho

    There are 23 Programs out there

    Publish


  • Registered Users, Registered Users 2 Posts: 67 ✭✭supervixen


    what is the problem ? I changed my SSID to XXXX, end of story :)

    actually the whole thing is the perfect excuse for exceeding the cap...........


  • Closed Accounts Posts: 1,567 ✭✭✭Martyr


    supervixen wrote:
    what is the problem ? I changed my SSID to XXXX, end of story :)

    no, you must stop using WEP to fix this I'm afraid.
    I've no doubt sponge bob will have all the gory details revealed by Friday..which I can't say is a good idea, but it's doubtful he'll listen to me!

    there are 3 ways to recover the default key, and the only temporary solution is to use WPA instead of WEP or switch it off altogether.


  • Banned (with Prison Access) Posts: 25,234 ✭✭✭✭Sponge Bob


    Still no advisory to the customer base not that it surprises me :(

    52 hours to go !!!!!


This discussion has been closed.