Home Wi-Fi security's just as good as '90s PC security! Wait, what?
UK home Wi-Fi security is as bad as PC security was in the 1990s, according to a new study. Security software firm Avast found that more than half of all routers are poorly protected by default or common, easily hacked password/ID combinations. Easily hacked password combinations such as admin/admin or admin/password, or even …
COMMENTS
-
Monday 8th December 2014 12:59 GMT TRT
Well...
I use a separate WiFi access point, router and DHCP/DNS server. So they'd have to guess at least two passwords to change the DNS setting. And I don't use the defaults anyway. But at least Sky etc have been blowing unique default passwords into their kit for the last few years, so it's not quite as bad as it used to be. I think this is more scaremongering headline grabbing demi-marketing by Avast.
-
Monday 8th December 2014 13:32 GMT ElNumbre
Re: Well...
Except a lot of vendors use algorithms to generate the "random" uniqueness, and when clever people figure out what that algorithm is, the gates fall.
I guess though it's difficult from a support perspective to have truly random values, as what if the config is lost, how can you get back into the device, unless said mfr then maintains a database of settings, and well, think of the world of problems that leakage can create.
-
Monday 8th December 2014 14:47 GMT Anonymous Coward
Re: Well...
Sky's current 'best ever router' piece of crap only accepts alpha-numeric wifi passwords. Their router is the main reason I'm about to ditch them. Easy enough to pick any old shortcut, or text file - preferably unique - and use its SHA-1, but I like squiggly bits and cartoon profanity too much.
-
Monday 8th December 2014 19:23 GMT Anonymous Coward
Re: Well...
If it's alphanumeric, then it may be limited to hexadecimal characters (0-9, A-F). I use a hexadecimal key, but it's also 64 characters long: reaching the key's size limit of 256 bits (it's not worth making a password that digests to something larger than the actual key). I also prudently only allow WPS by push-button (which requires physical presence to engage).
-
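The two WPA2-Personal key forms discussed in the comments above, as an added example that is not part of any commenter's post: a 64-hex-digit key is used directly as the 256-bit PSK, while an 8-63 character passphrase is stretched with PBKDF2-HMAC-SHA1 (4096 iterations, salted with the SSID). Function names and the sample SSID and passphrase are constructed for illustration.

```python
import hashlib
import math
import secrets

HEX_DIGITS = set("0123456789abcdefABCDEF")

def random_hex_psk() -> str:
    """64 hex characters = 256 random bits, entered as the raw WPA2 key."""
    return secrets.token_hex(32)

def classify(key: str) -> str:
    """How a WPA2-Personal device treats what the user typed."""
    if len(key) == 64 and set(key) <= HEX_DIGITS:
        return "raw-psk"        # used as-is, no key derivation
    if 8 <= len(key) <= 63 and all(32 <= ord(c) <= 126 for c in key):
        return "passphrase"     # stretched with PBKDF2 below
    return "invalid"

def derive_psk(passphrase: str, ssid: str) -> str:
    """Passphrase-to-PSK mapping: PBKDF2-HMAC-SHA1, SSID as salt, 4096 rounds."""
    if classify(passphrase) != "passphrase":
        raise ValueError("passphrase must be 8-63 printable ASCII characters")
    psk = hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                              ssid.encode("utf-8"), 4096, 32)
    return psk.hex()

def max_entropy_bits(length: int, alphabet_size: int) -> float:
    """Best-case entropy of a uniformly random string, capped at the
    256-bit PSK size: anything beyond that is lost in the derivation."""
    return min(length * math.log2(alphabet_size), 256.0)

if __name__ == "__main__":
    # Constructed sample values, not taken from the thread.
    print("random raw PSK      :", random_hex_psk())
    print("derived PSK         :", derive_psk("squiggly bits 4 me!", "ExampleHomeSSID"))
    print("SHA-1 hex digest    :", max_entropy_bits(40, 16), "bits at most")
    print("16 alphanumerics    :", round(max_entropy_bits(16, 62), 1), "bits at most")
    print("64 hex digits       :", max_entropy_bits(64, 16), "bits at most")
    print("63 printable ASCII  :", max_entropy_bits(63, 95), "bits at most (capped)")
```

Because the SSID is the salt, the same passphrase yields a different PSK on a network with a different name.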
-
Monday 8th December 2014 18:38 GMT Stacy
Re: HomeHub 5 is the most secure system in the WORLD
My parents' router does this often (meaning they can't use their Skype cam to see their grandchild - almost the only reason they have an Internet connection)
The only solution I found is to turn it off, wait then turn it back on. Wait for all the connection lights to come on. Then (no that doesn't fix it!) perform a soft reset and wait again.
Why off and on doesn't work, or why the soft reset on its own doesn't work, I have no idea (except that it's the worst router I've ever had the misfortune to use! WiFi performance is so poor that we don't bother trying any more when we visit - just use the ethernet cable and be off of the grid for most of the visit).
Called BT but they have no idea what a DHCP server is, let alone how to fix it. One of their engineers (there to fix a broken BT vision box) even said the problem was caused by network cables being plugged into the router and that only the WiFi should be used (forgetting that the BT vision box *has* to be plugged in via cable and screwing up the Skype cam in the process).
-
Monday 8th December 2014 19:25 GMT Charles 9
Re: HomeHub 5 is the most secure system in the WORLD
Sounds like the router's overloading. I noticed many old routers start giving up the ghost or going berserk when newer security protocols were mandated. I had to retire an old D-Link because it kept resetting. It was my cue to move up to more recent hardware.
I'd have a good long look at it. If it keeps crashing or resetting, it's probably overloaded and it may be time to replace the kit.
-
Tuesday 9th December 2014 06:39 GMT Stacy
Re: HomeHub 5 is the most secure system in the WORLD
Seeing that BT insist on updating it OTA (which then kills the configuration) I wouldn't be surprised if they have done something. But it has never worked well since they got it. If I lived closer I would sort it for them (or replace it with a decent ADSL router - assuming that wouldn't kill their BT vision box). But only going once a year makes that hard to do.
-
Monday 8th December 2014 13:30 GMT Rabbit80
How many routers are configured to allow external access?
To break into the router, first you have to hack the WiFi - and if the WiFi is broken, the attacker can cause all sorts of mischief anyway!
Seems like a non-issue to me unless external access is granted to your router configuration.
-
Monday 8th December 2014 15:04 GMT Khaptain
@TRT
But aren't those routers also the ones that provide the 16 character random Wifi keys, they are not so easy to attack using rainbow/dictionary attacks. They would actually require a much more determined attack in which case user home security is not a major problem for the hacker anyway.
-
Monday 8th December 2014 13:49 GMT K
Have an upvote for mentioning about firmware updates. But I'd disagree on the support front, Netgear have been quite good with this, I've seen upgrades 2-3 years after I bought the equipment.. though finding the firmware can be a little tricky.
One interesting question off the back of this is educating users to life expectancy and maintenance of equipment, older generations pride themselves on "looking" after stuff and use it until it's given up the ghost. Whilst this is good from a resource usage perspective, most of them will not be aware of the pitfalls.. i.e. the risks!
-
Monday 8th December 2014 14:10 GMT Anonymous Custard
Or alternatively DD-WRT or OpenWRT.
Have to say also no complaints about my Netgear - it even seeks and downloads new firmware itself, and when all is ready lets me know that it's available to pull the trigger on the upgrade (or not if you so wish). OK the quality of the firmware has a couple of times given issues (killing 5GHz connectivity at worst), but older firmware is downloadable from their website.
-
Tuesday 9th December 2014 09:03 GMT John Tserkezis
"Or alternatively DD-WRT or OpenWRT."
Honestly, I've never seen them as options. Any and all firmwares they have available are for hardware revisions that are no longer available, or if you're *really* lucky, there might be a highly experimental version.
Don't get me wrong, they all do bloody good work, all very worthy and valuable, but, I'm not buying second hand gear with the risk of the hardware revision being one sub-number off, just to get a feature I might be able to get elsewhere anyway.
-
Monday 8th December 2014 14:51 GMT Anonymous Coward
@k
Granted things have a certain end of life, but netgear really peed me off with no updates for DGN3500 in less than a year, however North America firmware got a little longer. Decided to buy a Draytek in the end. Solid router and get firmware updates for a long time, eg 2820 still getting firmware updates after 7 years !
@AC
Would have loved to put DD-WRT or OpenWRT. on the DGN3500 but it's not supported by any open firmwares.
-
Monday 8th December 2014 19:30 GMT Anonymous Coward
Same for my R7000 (at the time I got it, it was pretty top of the line for a home router, with triple-antenna ac wireless and a beefy CPU). Alternative firmware is sketchy and seems to be missing things I get now and use. The stock firmware's fine for now, and since it's a high-end they're still updating it regularly. I just can't use its VPN mode at present because OpenVPN on Android only has preliminary TAP mode support.
-
Monday 8th December 2014 13:39 GMT frank ly
MAC address whitelist filter
That's what I use on my old router, but I realise that many people wouldn't have a clue where to start. I also realise that a serious and well equipped hacker would be able to sniff my WiFi devices' MAC addresses; but there are further layers of protection as well as a 'strong' password.
-
Monday 8th December 2014 14:01 GMT Anthony 13
Is there a legal advantage to your neighbour ...
... using your WiFi* i.e. an IP address is not a person! Should we all in fact be running open guest networks with the bandwidth locked right down?
This is not advice, merely an observation ... I take no responsibility for any negative repercussions...
* To be a pedant, this article (despite its headline) is really about router security not WiFi.
-
Monday 8th December 2014 17:32 GMT Ken Hagan
Re: Is there a legal advantage to your neighbour ...
It depends where you live. In the UK, you'd probably be busted for negligently helping terrorists in some way.
Joking apart (hey, Mrs May, I *was* joking, whatever you might think) the main downside of this approach is that your neighbours will use up your monthly bandwidth allowance downloading stuff.
-
Monday 8th December 2014 15:15 GMT Khaptain
Re: begin flaming
When a Paedo Terrorist Wife Beating Police and Government Hater hacks your home network and starts downloading/uploading some nasty child/woman/torture pics and or terroristic bomb making instructions using your email address and details, along with photos of your wife/children/dog all having an intimate moment and then uses your personal banking details to pay for some underage drug dealing prostitute to come over to your house in a stolen Mercedes, then you might start to realise how important your Wifi password truly is.
Yes, Sir, that truly is a daily, nigh hourly, occurrence in some parts of Britain. We really do live in dangerous times.
Signed
The Daily Mail Reader Club President
-
Monday 8th December 2014 14:11 GMT Anonymous Coward
New modem/router and securit
Recently had to get a new modem/router as lightning took the old one out in spectacular style. Could not connect to the new one over wifi as it needed to be "set-up". Required a load of fields to be input and then you had to set a new admin password and this was all before connecting to the ISP. Looks like it used the form fields to identify name, address, area, etc and all these were banned from the password, or any combinations of them. Also insisted on a password of 8 characters or more with the usual 1 capital letter, 1 number, 1 special character and what knocked me, no numbers or letters in sequence in either alphabet or on the keyboard. Really had me thinking before I could come up with a decent one (password, that is). Still after setup, discovered I could only log into the modem/router through the cat5 cabling as wifi would not allow you to login - login to modem / router was disabled over wifi. Had to enable it. Talk about locking something down. Best I have seen so far and since I got it up and working, no issues, no re-boots, things just work and everybody in the house loves it. Also, it's a nice looking black box, with green leds to indicate what is going on. Leave it sitting there in the corner doing its own business and firmware updates are as simple as anything. But bugger me, I cannot remember who makes the thing.
-
Monday 8th December 2014 14:37 GMT Mark Allen
The default IP Addresses just as bad
Most routers sit on 192.168.1.1 or 192.168.0.1 by default. A small number are on 192.168.1.254. And Belkins are (used to be) on 192.168.2.1
This makes it trivial to send commands to the routers from a web page from the User's own PC from within the LAN. Visit a website, and it could well be issuing a command to your router using plain old HTML.
-
Monday 8th December 2014 19:38 GMT Anonymous Coward
Re: The default IP Addresses just as bad
Well, the address ranges can't be helped. 192.168/16 is the designated C-class private address range. Any router outside yours that gets such an address is supposed to drop it, so it's a security feature. Even if your router tried a different address (BTW, most allow you to set it within reason), it wouldn't be hard for a malware to do an exhaustive search of 65,536 possible IPs, plus most can figure it out based on the victim's own IP (which normally has to have the same subnet to be visible on the router's network). The attack you describe appears to be based on cross-site scripting and can probably be mitigated by two things: (1) a router with a short timeout period, meaning an attempt to hit the router discretely results in either a password prompt or a 401 error, and (2) a browser savvy to XSS attempts.
-
Tuesday 9th December 2014 09:10 GMT John Tserkezis
Re: The default IP Addresses just as bad
"This makes it trivial to send commands to the routers from a web page from the User's own PC from within the LAN."
I'll give you a hint, it doesn't matter. If someone has physical access to your equipment, they already own it.
This is why corporates lock up their servers from all but the few key personnel. If your only option is to break in via the network, it's much harder.
-
-
Tuesday 9th December 2014 09:19 GMT John Tserkezis
Re: Confustion
"That's why they tell you to back up the settings before applying an upgrade."
I've just upgraded the firmware on a box that warned me if I had a stored setup file that was created with an earlier firmware version, it won't be accepted now, due to certain security change requirements.
So, you write things down, resulting in a long winded and painful restore - worse still if you didn't read the firmware revision notes beforehand. Ironically, that's what the stored setup file was supposed to cure.
A forehead slap moment if there ever was one.
-
Monday 8th December 2014 19:51 GMT R0b07
Virgin Media
I'm using the credentials written on the back of my Virgin media "HomeHub" because every time I change any settings it resets itself within two hours and all of my devices lose connection. I tried putting it in modem only mode and using my tomatoed WRT54g instead but for some reason even that did not work. I decided that it was a faulty modem so it err fell on the floor and stopped working, Richard sent me a new one and it does the same thing.
-
Tuesday 9th December 2014 08:30 GMT Anonymous Coward
my modem/router is 'telco property'
and my newest device has an unknown amount of admin accounts on the WAN side. so I turn off its Wi-Fi/remove antenna & use its capacity as a router to connect a single cat5e to my 'real' ASUS dual-core cpu router, which then DHCP supplies all the devices in the house, double NAT of course. This seems to be the best compromise between safety & security. in-home Wi-Fi obviously uses WPA2+AES, (not AES+TKIP as there's a downgrade attack) with "Correct Horse Battery Staple" as the password. With really thick house-walls I gave up trying to blast watts of Wi-Fi through them & replaced the kilometre of TV coax run through the walls with cat5e instead, now using multiple old routers, about 6 of them, as low-power Wi-Fi access points. DD-WRT on those that support it allow great flexibility.
remember, should you occasionally use bit-torrent to update/upgrade your linux distros that crappy routers can't really handle the 200+ threads that a BT session opens - so they choke - requiring a power-cycle to erase the NAT table; whereas for the same device with DD-WRT firmware this can handle 4k threads, and a well resourced new router considerably more!