Spark, the least secure part of your home network?

Forums › Spark New Zealand (including Skinny and BigPipe) › Spark, the least secure part of your home network?

1 | 2 | 3

4649 posts

Uber Geek

Trusted

#1202055 22-Dec-2014 14:05

cbrpilot: NZtechfreak Not trying to sound defensive, but I would suggest that you raise a complaint via a formal channel (i.e. not Geekzone) if you feel that we have failed to live up to our obligations in regards to privacy and security of your information. That way the issue can be formally looked into in an appropriate setting.

That's already done, thanks. I've never felt that encouraging people to complain was defensive, in fact encouraging people who are upset with the treatment they've received is generally good practice.

Twitter: @nztechfreak
Blogs: HeadphoNZ.org

fahrenheit

757 posts

Ultimate Geek

#1202177 22-Dec-2014 16:17

lxsw20: I think they may be able to access their own routers via the WAN interface.

Can we have some official clarification on this one please?

michaelmurfy

meow
13240 posts

Uber Geek

Moderator

ID Verified

Trusted

Lifetime subscriber

#1202213 22-Dec-2014 16:59

Maybe the daughter asked how to reset the password and they said "by the reset button at the back" - she didn't ask for any account details or anything but this is a flaw with most routers. Technically Spark did nothing wrong as this information is also freely available on the internet.

Since Spark use line auth the modem will work "as-is" but to better protect it you're best to fill the reset hole with hot glue and change the passwords on it. If the password resets back then you know Spark have sent the reset command to the modem but I highly doubt they will do that.

The amount of times I've seen parents blame their ISP's for things like this is ridiculous - the child will hardly ever own up to how they did it.

Michael Murphy | https://murfy.nz
Referral Links: Quic Broadband (use R122101E7CV7Q for free setup)

Are you happy with what you get from Geekzone? Please consider supporting us by subscribing.
Opinions are my own and not the views of my employer.

nathan

5695 posts

Uber Geek
Inactive user

#1202215 22-Dec-2014 17:02

One of the 10 immutable laws of computer security is physical security as pointed out

nakedmolerat

4629 posts

Uber Geek

Trusted

Lifetime subscriber

#1202217 22-Dec-2014 17:06

The only way to 'secure' the router is to physically put it in a steel cage with multiple padlocks.

If you can reset it, then you can access it readily by using the manuals available online.

Batman

Mad Scientist
29760 posts

Uber Geek

Trusted

Lifetime subscriber

#1202229 22-Dec-2014 17:17

NZtechfreak:
joker97: Don't blame spark completely. Teens are the least secure bit. If spark didn't tell her she could have figured it out herself

See above post, she's left high school to move to Oz in the hopes of getting a part in The GC 2. I'm serious. Of course Telecom isn't completely to blame here, but if they held up their end they'd at least have made the outcome rest on her intellect.

Maybe she flirted and then lied convincingly? Or evaded questions pretending to be a demented woman? Just putting it out there you know. People are different than you and me

MrTomato

149 posts

Master Geek

Lifetime subscriber

#1202232 22-Dec-2014 17:23

fahrenheit:
lxsw20: I think they may be able to access their own routers via the WAN interface.

Can we have some official clarification on this one please?

http://en.wikipedia.org/wiki/TR-069

Equinox IT

Cloud spending continues to surge globally, but most organisations haven’t made the changes necessary to maximise the value and cost-efficiency benefits of their cloud investments. Download the whitepaper From Overspend to Advantage now.

richms

28168 posts

Uber Geek

Trusted

Lifetime subscriber

#1202270 22-Dec-2014 18:17

If someone called and asked how to reset a password on a certain type of spark supplied modem I would not expect any ID checks to be done as they are not asking about information on the account.

That spark have a record of the call is troubling, as that means they asked or some details and should have assesed who was asking that information.

We only have one side of the story, we will probably only ever have one side of the story as spark have to honor privacy terms even when the other side of the story is able to put all the misinformation and conclusions they have jumped to out on the internet for all to read.

Richard rich.ms

nathan

5695 posts

Uber Geek
Inactive user

#1202273 22-Dec-2014 18:23

Cool story bro

There are seldom technical solutions to people problems

eXDee

4032 posts

Uber Geek

Trusted

#1202301 22-Dec-2014 18:59

MrTomato:
fahrenheit:
lxsw20: I think they may be able to access their own routers via the WAN interface.

Can we have some official clarification on this one please?

http://en.wikipedia.org/wiki/TR-069

Once you've read that, look up the defcon talks on it, its good fun! :D

NZtechfreak

4649 posts

Uber Geek

Trusted

#1202328 22-Dec-2014 20:59

richms: If someone called and asked how to reset a password on a certain type of spark supplied modem I would not expect any ID checks to be done as they are not asking about information on the account.

That spark have a record of the call is troubling, as that means they asked or some details and should have assesed who was asking that information.

We only have one side of the story, we will probably only ever have one side of the story as spark have to honor privacy terms even when the other side of the story is able to put all the misinformation and conclusions they have jumped to out on the internet for all to read.

Not sure how much of the call detail was noted down, the person I spoke to said that the log only said that the person who called requested a password change and it was done. I don't think you can make any case that they shouldn't have assessed whether the person on the line was entitled to make that request, given the nature of the request.

The fact that the modem wasn't physically secured here is a distraction, that doesn't make what happened acceptable - it's akin to saying 'well what was she doing out that late at night, and wearing those clothes?'.

Twitter: @nztechfreak
Blogs: HeadphoNZ.org

DarkShadow

1647 posts

Uber Geek

#1202376 22-Dec-2014 23:57

How hard is it to stick a pin in a hole and hold it for 15 seconds?

As pointed out, if the adversary has physical access, consider that device pwned.

NonprayingMantis

6434 posts

Uber Geek

#1202378 23-Dec-2014 00:08

NZtechfreak:
richms: If someone called and asked how to reset a password on a certain type of spark supplied modem I would not expect any ID checks to be done as they are not asking about information on the account.

That spark have a record of the call is troubling, as that means they asked or some details and should have assesed who was asking that information.

We only have one side of the story, we will probably only ever have one side of the story as spark have to honor privacy terms even when the other side of the story is able to put all the misinformation and conclusions they have jumped to out on the internet for all to read.

Not sure how much of the call detail was noted down, the person I spoke to said that the log only said that the person who called requested a password change and it was done. I don't think you can make any case that they shouldn't have assessed whether the person on the line was entitled to make that request, given the nature of the request.

The fact that the modem wasn't physically secured here is a distraction, that doesn't make what happened acceptable - it's akin to saying 'well what was she doing out that late at night, and wearing those clothes?'.

You don't need to prove Id to give instructions on how to reset a modem, since there is no info given away that could be considered private. There is no privacy breach here imho.

NZtechfreak

4649 posts

Uber Geek

Trusted

#1202386 23-Dec-2014 00:57

NonprayingMantis: You don't need to prove Id to give instructions on how to reset a modem, since there is no info given away that could be considered private. There is no privacy breach here imho.

That wasn't what was asked for though, even according to Telecom's logs of the call - the request was for a password change. That isn't quite the same as asking how to reset the modem, I would think that a request of the kind that was made would warrant checks. It's not a privacy breach here, it is a network breach facilitated by the ISP, who failed in their duty to credential a caller adequately.

Twitter: @nztechfreak
Blogs: HeadphoNZ.org

NZSpides

155 posts

Master Geek

#1202388 23-Dec-2014 01:20

Sort of on topic...

One of the first things I did when I got my new shiny Orcon modem was to change the SSID, change the default Admin name and password, and turn off WAN access.
So when I shifted and they tried to access it they said they couldn't access it to check some things to help an issue I was having

It turned out to be an account name - would have been easily solved had the help desk techs actually said what they were looking for and saved me three days of frustration!!!
Could they simply look at the logs and see the same user trying to log in and see the denied access login?

So they wanted remote access to my internal network, I said no. Simple enough.

Anyhow it got sorted.

As for the security of the router - Definitely turn off the WAN access of your own router and change all the passwords (don't forget them. :-)
I have my router in the ceiling (its fairly easy for me to get access to it, not for the kids though...

1 | 2 | 3