Eircom Netopia Routers Are Wide Open

the_syco wrote:

Surely you're taking the piss? Because someone found a way to quickly crack WEP, it's bad? WPA is more secure, but not uncrackable. Should that also be removed?

you're a fool, were not talking wep in gereral here, were talking eircoms ssid naming and their wep codes,

News Flash: wake up n stop been an azz

Arse.

I couldn't find a way to stop broadcasting the SSID on my own netopia router without disabling wireless completely. :-/

WPA + MAC addy wifi access only + changed SSID I have already.

we've all dealt with eircom in the past, we all know what they like, and tbh i dont even know what youre waiting for, as in the words of Nike, Just Do It

Wow, I didn't think that post on Bart's blog would cause this much action. Lets just get a few things in order.

1. Yes I am the source mentioned
2. No I'm not going to release the code
3. I think Sponge Bob is a fool if he releases his copy.

Having this kind of exploit in the wild would cause big trouble for everyone on a default setup Eircom broadband box. If you want to stay safe from the exploit, just change the last 8 digits of your Eircom SSID (eircom1234 1234). That's it. Exploit defeated.

The code will not be released.

I know at least twenty people (good friends and acquaintances) with their own variants of the ssid to wep key generator and I can assure you none of them are, as you put it, gob****es.

So you have your own version of the generator. It's not that hard to write and certainly not worth flapping about on forums.

anyone wanna post this software? I would like to debug it. The Eircom software that is.

thanks.

Hi folks, I've just been pointed at this article now. I must say I'm glad to see people have taken note of my blog post. My aim was to bring it to people's attention, so that seems to have worked in a limited way at least.

I have one wee update from today. I got a call from Eircom telling me they are working on a response and that it will be in the post to me soon, probably tomorrow. I will of course let you all know how that goes.

I just want to add a few other small points:

1) WEP is fundamentally broken. It was a little bit broken when the episodes from security now that were linked earlier were released, it is now even more broken. We're talking between 1 and 2 minutes. The new technique uses a replay attack with ARP packets to pump the traffic and quickly pick up the required number of packets to do the crack.

So - bottom line - DON'T USE WEP

Eircom need to make it clear to their customers that WEP is only pretend security, it is not real security.

2) MAC locking achieves NOTHING. It can be trivially by-passed as has already been explained in the thread.

3) Turning off SSID broadcasting is also not an effective protection. The SSID is still in all the transmitted packets. An attacker can still get it so again turning off SSID broadcasting is only pretend security, not actual security.

4) Yes, WPA can be broken and WPA2 is a lot better. HOWEVER, WPA is DRAMATCIALY better than WEP. From what I could see the Netopia routers don't suppor WPA2 but they do support WPA. At the VERY least Eircom need to advise their customers to use WPA if at all possible and explain to their customers that WEP provides almost no actual security. They also need to tell their customers to either change their SSID or their encryption key. Even if people do move to WPA they are still no better off if they continute to us the Eircom generated key!

Oh ... finally ... I would request people not post the code. I have one version and I know of at least two other methods of executing this attack. So, it is clear that there are a lot of people who know this already. Lets not make things worse just yet. If Eircom do not respond in an appropriate way then perhaps it would be understandable to publish code. Personally I will not do it, but I could understand others doing it.

Finally, if Eircom do not respond appropriately I plan to take this issue to the media. Should that happen I'd really appreciate some help and advice, as a sys-admin I'm not really practised at dealing with any media other than tapes and DVDs and stuff

Anyhow, thanks for spreading the word and please pass this link on to any Eircom customers you know.

Bart.

i just spotted this thread, im shocked, the last four digits of my SSID were changed already but it was on WEP, ive just changed it to WPA, thanks everybody

I'm going to chime in again against releasing the code.

Yes, those with some good techie skillz can crack WEP trivially. But that's a pretty nerdy thing to do. Running a program is a pretty trivial thing to do. Run this, type the SSID, get the key. Just about anyone can manage that!

So, although WEP provides no signifficant barrier to someone who knows what they are doing, it does deter casual would-be-leechers much more than a simple program would.

Bart.

lordlame wrote:

Spongebob: Threatening to release damaging code in one week to an ISP that has shipped over "100k" of these modems is nothing more than a weak stab of obtaining fame. They can not fix anything in that ammount of time.

In his defense he only asked Eircom to notify customers, even in the media. So far they have done nothing.

lonewolf wrote:

Peadophilles suddenly able to access all sorts of perverted material anonymously with someone else getting the blame. Laptop + Car + Exploit = Simple.

have you heard about The Onion Routing?