BT Broadband users can be hacked!

James Galvin posted a couple of weeks ago about a recently published exploit which made hacking Eircom’s wireless routers trivial.

As Eircom are the largest provider of residential broadband in Ireland, this is potentially a big deal. As Joe Drumgoole commented at the time:

they have inadvertently created Ireland’s largest free WIFI network. Good man Eircom!

However, BT is now facing an even more serious issue on its wireless routers according to an article in the Register today. At least in Eircom’s case, the vulnerability only exposed the WEP key, allowing use of the wifi on the router.

In the case of the BT router, the Reg is reporting that

a remote attacker can quietly gain full administrator control over a device simply by social engineering a user into visiting a website. The exploit makes it possible to steal a user’s WPA key, listen in on VoIP calls, steal VoIP credentials or change DNS settings so users are silently redirected to fraudulent websites

This is a far more serious issue than the Eircom one, and the number of routers affected is likely to be orders of magnitude greater.

The one saving grace is that the hack hasn’t been published in the wild, as was the case with Eircom. Yet.

4 thoughts on “BT Broadband users can be hacked!”

  1. That’s a bit nasty. I have a BT account but the router they sent me is a Zyxel model, not one of the ones mentioned in that article. Could be they’re only UK subscriptions?

  2. Tom,
    That is not more serious. The eircom routers come by default without an administrator password.

    If an eircom customer hasn’t changed the default WEP key, it is unlikely they have or know how to access their router administration panel to change its password.

    Once you’re on an eircom network due to the WEP issue, chances are you have full control.

    John

  3. The reason they don’t put passwords on is that the majority of people buying new PCs and broadband packages just don’t have a clue that they need to change away from WEP or how to go about it.

    It’s the same for malware/anti-virus/firewall protection.

    Personally I think there should be an introductory course to computers given to people before/after they buy to tell them how to set up their system properly. Or something like that.

    What astounds me is the amount of people who reply to phishing emails.
