Geekzone: technology news, blogs, forums
Guest
Welcome Guest.
You haven't logged in yet. If you don't have an account you can register now.
ForumsSpark New ZealandSpark, the least secure part of your home network?


4649 posts

Uber Geek
+1 received by user: 470

Trusted

Topic # 160062 22-Dec-2014 11:36
2 people support this post
Send private message

Curious to know people's thoughts on this situation.

I arrive at my parents house yesterday and the WiFi SSID and password have changed. The SSID has reverted to the factory default, and when I log into the router the administration password has also reverted to stock. Check devices that have logged on and lo and behold my nieces iPod has been logged onto to the network, along with a bunch of other devices whose names are friends of hers (you have to love the vanity). Call Telecom and she phoned them and asked for a new WiFi password in August. They obliged. She is not authorized to do this, and the account holder did not authorise this.

Honestly I'm flabbergasted that this could happen. Not only did they allow someone access who was excluded from accessing the network *by design*, in doing so they made the network incredibly vulnerable by returning the routers administration password to the factory default.

This strikes me as completely unacceptable. Any different takes?

Oh, should mention that during my call they made no attempt to verify that I was entitled to be given information on the account either...




Twitter: @nztechfreak
Blogs: HeadphoNZ.org

Filter this topic showing only the reply marked as answer View this topic in a long page with up to 500 replies per page Create new topic
 1 | 2 | 3
4088 posts

Uber Geek
+1 received by user: 732

Trusted
Subscriber

  Reply # 1201925 22-Dec-2014 11:39
One person supports this post
Send private message

How can Spark change passwords and settings on the router? Surely that's something that has to be done locally?



4649 posts

Uber Geek
+1 received by user: 470

Trusted

  Reply # 1201927 22-Dec-2014 11:41
One person supports this post
Send private message

alasta: How can Spark change passwords and settings on the router? Surely that's something that has to be done locally?


Actually, that's a good point, maybe they talked her through it - they told me when I spoke to them that they changed the password (presumably I was taking to low level phone staff). Still, unbelievable.




Twitter: @nztechfreak
Blogs: HeadphoNZ.org

2184 posts

Uber Geek
+1 received by user: 661

Subscriber

  Reply # 1201928 22-Dec-2014 11:42
One person supports this post
Send private message

I think they may be able to access their own routers via the WAN interface. The other thing is they may have just talked her through a factory reset which would have the same result. 

910 posts

Ultimate Geek
+1 received by user: 595

Trusted

  Reply # 1201929 22-Dec-2014 11:42
2 people support this post
Send private message

Most of the ISP supplied modems now can be remotely managed by the ISP.
Makes changing wifi passwords for users MUCH easier. Imagine trying to guide your Grandmother to change the WPA key over the phone.

Banana?
4455 posts

Uber Geek
+1 received by user: 1059

Subscriber

  Reply # 1201931 22-Dec-2014 11:43
Send private message

It is unacceptable is Telecom/Spark told the niece over the phone how to reset the router - because that is all that has happened - without confirming she was the account holder.

 

But, I would say, it is not hard to impersonate the account holder - just need full name and DOB usually, and your daughter should know that :)

Having said that, it is not hard to poke a needle into the reset button of most routers - and Spark ones will not need setting back up (do not need a specific username and password entered for PPPoA).

I don't think getting angry at Spark is fair really - they are not the digital babysitter, they just provide the connection. If you.they want better security, don't be using the free router that came with your connection. I'd be surprised if any more than 5% of Spark routers (actually, 1% even) had the default admin password changed, let alone the WiFi password changed from the sticker on the bottom of them.



4649 posts

Uber Geek
+1 received by user: 470

Trusted

  Reply # 1201932 22-Dec-2014 11:45
Send private message

Andib: Most of the ISP supplied modems now can be remotely managed by the ISP.
Makes changing wifi passwords for users MUCH easier. Imagine trying to guide your Grandmother to change the WPA key over the phone.


Totally understand customer need for them having this capability, but there surely had to be some check with the account holder? I think I might check the SSIDs near my home and find some Telecom routers and get them to change the password for me, could do with more bandwidth this month...




Twitter: @nztechfreak
Blogs: HeadphoNZ.org



4649 posts

Uber Geek
+1 received by user: 470

Trusted

  Reply # 1201945 22-Dec-2014 11:50
One person supports this post
Send private message

trig42: It is unacceptable is Telecom/Spark told the niece over the phone how to reset the router - because that is all that has happened - without confirming she was the account holder.
But, I would say, it is not hard to impersonate the account holder - just need full name and DOB usually, and your daughter should know that :)

Having said that, it is not hard to poke a needle into the reset button of most routers - and Spark ones will not need setting back up (do not need a specific username and password entered for PPPoA).

I don't think getting angry at Spark is fair really - they are not the digital babysitter, they just provide the connection. If you.they want better security, don't be using the free router that came with your connection. I'd be surprised if any more than 5% of Spark routers (actually, 1% even) had the default admin password changed, let alone the WiFi password changed from the sticker on the bottom of them.


Given its her grandfather's home and account, I doubt she could have impersonated the amount holder convincingly.

Their obligation to the security, surely, is not allowing for something like this to happen. Seems completely justified being pissed at then from where I'm sitting. Sad to say, but she isn't bright enough to do this on her own and it is extremely unlikely she'd have managed it without their assistance.

The proportion of Spark customers who have changed the default router passwords is irrelevant here, since this one was changed.




Twitter: @nztechfreak
Blogs: HeadphoNZ.org

Mad Scientist
19012 posts

Uber Geek
+1 received by user: 2469

Trusted
Lifetime subscriber

  Reply # 1201946 22-Dec-2014 11:51
2 people support this post
Send private message

Don't blame spark completely. Teens are the least secure bit. If spark didn't tell her she could have figured it out herself



4649 posts

Uber Geek
+1 received by user: 470

Trusted

  Reply # 1201948 22-Dec-2014 11:52
One person supports this post
Send private message

joker97: Don't blame spark completely. Teens are the least secure bit. If spark didn't tell her she could have figured it out herself


See above post, she's left high school to move to Oz in the hopes of getting a part in The GC 2. I'm serious. Of course Telecom isn't completely to blame here, but if they held up their end they'd at least have made the outcome rest on her intellect.




Twitter: @nztechfreak
Blogs: HeadphoNZ.org

Banana?
4455 posts

Uber Geek
+1 received by user: 1059

Subscriber

  Reply # 1201959 22-Dec-2014 12:01
Send private message

Never underestimate the cunning of a teenager. If she herself didn't work it our, someone in her social circle certainly could have.

 

But, as I said, Spark should not have helped her out without confirming she or whoever was on the phone to them was the account holder.

2378 posts

Uber Geek
+1 received by user: 1102

Trusted
Subscriber

  Reply # 1201963 22-Dec-2014 12:16
One person supports this post
Send private message

And if copyright material has been illegally downloaded, do spark send the copyright infringement notice to your parents or to themselves???

1948 posts

Uber Geek
+1 received by user: 469
Inactive user


  Reply # 1201985 22-Dec-2014 12:59
Send private message

If it was a Spark supplied modem then there is a default admin username & password, or no authentication required if you plug in via a wired connection. This would be the same for the vast majority of all modems sold throughout the entire world. And I would say it would be less than 1% of all customers who change the admin username & password to the router from the default.
In regards to the Wifi WPA(2) PSK shared key, this is written onto the bottom of all modems and a secure SSID and password, and the odd's of being able to guess it or brute force it is extremely remote.

There is WPA "Protected" Setup (and I use the quotes around protected since it does the exact opposite) which does have known issues but all modems supplied by Spark for the last 4+ years have be setup to use "Push Button" setup, which is more immune than the normal PIN based setup which has been shown to be completely insecure.

So in this regards there are a number of things the said teenager could have done without any assistance from a Spark CSR.

1) Reset the modem to factory default using a pin and then used the SSID & Password printed on the bottom of the modem
2) Replaced the modem with her own one and just unplugged the current modem as that would have just authenticated and she would have received service
3) Plugged in via using a laptop into the ethernet port and reset the SSID & Password to whatever she wanted.

All of which would require physical access into the house and to the modem. If she wasn't permitted to be in the house then that's a case for the police as it's breaking and entering in my personal view.

Physical security of the modem is vital otherwise any security procedures are a complete waste of time in my personal view.



4649 posts

Uber Geek
+1 received by user: 470

Trusted

  Reply # 1201994 22-Dec-2014 13:09
One person supports this post
Send private message

dafman: And if copyright material has been illegally downloaded, do spark send the copyright infringement notice to your parents or to themselves???


This is part of the issue here. I would say Spark assumed responsibility for whatever happened on the connection the moment they aided a non-authorised person gain access.




Twitter: @nztechfreak
Blogs: HeadphoNZ.org



4649 posts

Uber Geek
+1 received by user: 470

Trusted

  Reply # 1201998 22-Dec-2014 13:12
2 people support this post
Send private message

plambrechtsen: So in this regards there are a number of things the said teenager could have done without any assistance from a Spark CSR.


Agreed, but that is utterly irrelevant here since they *were* aided by a CSR.

I do appreciate that your response as a Spark representative was not to acknowledge that this a $*#& up on Sparks part *at all*, but instead to point out this could have been done without your company falling to live up to their obligations. Nice.

If you're going to post here as a Spark person, you could probably do with brushing up you own customer service skills - in the event of a definite mistake you should first and foremost acknowledge that and make an apology, then you can start trying to help the situation and towards getting things in a positive frame. Just so you know for future reference.





Twitter: @nztechfreak
Blogs: HeadphoNZ.org

681 posts

Ultimate Geek
+1 received by user: 222

Trusted
Spark NZ

  Reply # 1202039 22-Dec-2014 13:59
4 people support this post
Send private message

NZtechfreak Not trying to sound defensive, but I would suggest that you raise a complaint via a formal channel (i.e. not Geekzone) if you feel that we have failed to live up to our obligations in regards to privacy and security of your information.  That way the issue can be formally looked into in an appropriate setting.




My views are my own, and may not necessarily represent those of my employer.

 1 | 2 | 3
Filter this topic showing only the reply marked as answer View this topic in a long page with up to 500 replies per page Create new topic

Twitter »

Follow us to receive Twitter updates when new discussions are posted in our forums:



Follow us to receive Twitter updates when news items and blogs are posted in our frontpage:



Follow us to receive Twitter updates when tech item prices are listed in our price comparison site:



Geekzone Live »

Try automatic live updates from Geekzone directly in your browser, without refreshing the page, with Geekzone Live now.


Updates »

Are you subscribed to our RSS feed? You can download the latest headlines and summaries from our stories directly to your computer or smartphone by using a feed reader.

Alternatively, you can receive a daily email with Geekzone updates.