foobar on computers, software and the rest of the world


People, don't be stupid: Secure your WiFi!

, posted: 16-Jan-2008 14:55

On a recent trip through the New Zealand country side we stayed in a youth hostel somewhere. Sitting there, I switched on my laptop and scanned for available networks. Sure enough, there were a few of them. One of them was the access controlled and overpriced WiFi of the hostel itself. But there was also a network with the rather ominously named ESSID 'linksys'. Uh, oh! That's usually not a good sign. Someone left their router at the default settings. Tsk, Tsk.

Of course, no encryption or other security was set up, which allowed me to connect to the network without problem. Speedtest revealed that I had an excellent connection, 8 MBs (or so) down, around 1 MB up. Nice. Better than what I get at home. If I would have been a file sharer, I would have enjoyed that.

Free bandwidth in itself is not a terrible security risk, and providing it to the public is rather nice, actually. Even though I doubt that this was the intention of the 'provider' in question. Bruce Schneier wrote about that just the other day. He did mention that an open network is not terribly problematic, but that at least the systems on that network should be properly secured. Well, did they do that in my case here?

So, let's see what else - besides the ESSID - was left at the default setting. Maybe I could find out who was the kind donor of the bandwidth? Looking at the IP address that I had been assigned (or also just using the 'route' command) I could quickly find the IP address of the gateway router: 192.168.1.1. Well, that was difficult to guess, wasn't it?

Next on the list: Telnet to the device. It asks me for a username. Let's try 'admin'. Now for the password. Hm. How about I just leave it blank? Bingo! I'm in, with full administrative access to their router. Imagine what their surprise would have been, had I enabled encryption on their network, changed the router's password or enabled MAC filtering?

Mind you, so far I haven't used any 'hacking' tool or network security tool at all. Only telnet. I then directed my web-browser at the gateway's IP address and am rewarded with full access to the router's web-based administration interface. How convenient, indeed. In some countries they are now trying to ban software that could be used to break into networks. Does that include browsers as well?

Anyway, I digress. I still wanted to know who it was that operated the network. I clicked on the 'ADSL' (or similarly named) tab in the browser interface and - sure enough - there were the complete login details for the ADSL account. Ah, nice! I now had the ADSL user-name. Turns out that it was the hotel next door, which used its hotel name as the account name with its ADSL provider (a well known ISP in New Zealand, who shall remain nameless).

Fortunately, the browser-based interface displayed the password only as '*****', so at least that was secure? Not quite. The obfuscated display of the password field is something that's done in the browser! So, all I needed to do was hit CTL+U and Firefox showed me the HTML of the page. And there, of course, was also the clear-text value of the password field. Sigh...

Now, mind you: At this point I not only have full administrative access to their router, but also full access to all their account information with their ISP. A small test revealed that I could now access their bandwidth usage information from the ISPs web-site, for example.

Even though I still had not used any special hacking tool - or actually 'broken' into anything - this was beginning to get a bit too creepy for my taste, so I left it at that. I am presently in the process of authoring an e-mail to the hotel in question, informing them of their security issues.

People, please! If you want to offer free bandwidth to your fellow humans then I really applaud that! That is very kind. Just be aware of possible snooping attacks, ARP spoofing and other things which you could be exposed to.

But at the very least - the VERY least! - please set a good password on your router! You do not want a malicious attacker to have access to that piece of equipment, lest you find yourself in a world of pain and trouble.

Other related posts:
Skype surveillance: You can't trust closed-source software
Fake popup study: Users are idiots? I don't think so...
Google anonymises IP addresses in their logs? Not really...






Add a comment

Please note: comments that are inappropriate or promotional in nature will be deleted. E-mail addresses are not displayed, but you must enter a valid e-mail address to confirm your comments.

Are you a registered Geekzone user? Login to have the fields below automatically filled in for you and to enable links in comments. If you have (or qualify to have) a Geekzone Blog then your comment will be automatically confirmed and placed in the moderation queue for the blog owner's approval.

Your name:

Your e-mail:

Your webpage:

foobar's profile

 
New Zealand


  • Who I am: Software developer and consultant.
  • What I do: System level programming, Linux/Unix. C, C++, Java, Python, and a long time ago even Assembler.
  • What I like: I'm a big fan of free and open source software. I'm Windows-free, running Ubuntu on my laptop. To a somewhat lesser degree, I also follow the SaaS industry.
  • Where I have been: Here and there, all over the place.




Google Search


Recent posts

Attack on net neutrality right...
Munich already saved millions ...
Iceland's public administratio...
More Apple madness (follow up)...
Apple demonstrates: With great...
Smooth sailing with the Karmic...
Censorship in New Zealand: Wid...
Image roll-over effects withou...
How about: Three strikes and Y...
UK government supports open so...


Top 10

How to write a Linux virus in ...
(11-Feb-2009 06:33, 345230 views)
Follow up: How to write a Linu...
(12-Feb-2009 08:10, 46159 views)
A truly light-weight OS: Writt...
(3-Feb-2009 10:39, 41301 views)
The 'Verified by Visa' fiasco ...
(20-Jun-2008 09:59, 18085 views)
EEE PC with XP is cheaper than...
(9-May-2008 06:50, 18080 views)
11 reasons to switch to Linux...
(4-Feb-2009 09:24, 17414 views)
Would you use Google App Engin...
(8-Apr-2008 20:02, 16254 views)
Censorship in New Zealand: Wid...
(16-Jul-2009 12:11, 15368 views)
Django Plugables: Tons of plug...
(11-Apr-2008 03:24, 15262 views)
Slow file copy bug in Vista: A...
(21-Dec-2007 12:18, 14240 views)