Spark, the least secure part of your home network?

Forums › Spark New Zealand (including Skinny and BigPipe) › Spark, the least secure part of your home network?

NZtechfreak

4649 posts

Uber Geek

Trusted

#160062 22-Dec-2014 11:36

Curious to know people's thoughts on this situation.

I arrive at my parents house yesterday and the WiFi SSID and password have changed. The SSID has reverted to the factory default, and when I log into the router the administration password has also reverted to stock. Check devices that have logged on and lo and behold my nieces iPod has been logged onto to the network, along with a bunch of other devices whose names are friends of hers (you have to love the vanity). Call Telecom and she phoned them and asked for a new WiFi password in August. They obliged. She is not authorized to do this, and the account holder did not authorise this.

Honestly I'm flabbergasted that this could happen. Not only did they allow someone access who was excluded from accessing the network *by design*, in doing so they made the network incredibly vulnerable by returning the routers administration password to the factory default.

This strikes me as completely unacceptable. Any different takes?

Oh, should mention that during my call they made no attempt to verify that I was entitled to be given information on the account either...

Twitter: @nztechfreak
Blogs: HeadphoNZ.org

1 | 2 | 3

6701 posts

Uber Geek

Trusted

Subscriber

#1201925 22-Dec-2014 11:39

How can Spark change passwords and settings on the router? Surely that's something that has to be done locally?

NZtechfreak

4649 posts

Uber Geek

Trusted

#1201927 22-Dec-2014 11:41

alasta: How can Spark change passwords and settings on the router? Surely that's something that has to be done locally?

Actually, that's a good point, maybe they talked her through it - they told me when I spoke to them that they changed the password (presumably I was taking to low level phone staff). Still, unbelievable.

Twitter: @nztechfreak
Blogs: HeadphoNZ.org

lxsw20

3552 posts

Uber Geek

Subscriber

#1201928 22-Dec-2014 11:42

I think they may be able to access their own routers via the WAN interface. The other thing is they may have just talked her through a factory reset which would have the same result.

Andib

1363 posts

Uber Geek

ID Verified

Trusted

#1201929 22-Dec-2014 11:42

Most of the ISP supplied modems now can be remotely managed by the ISP.
Makes changing wifi passwords for users MUCH easier. Imagine trying to guide your Grandmother to change the WPA key over the phone.

<#
.DISCLAIMER
Anything I post is my own and not the views of my past/present/future employer.
#>

trig42

5809 posts

Uber Geek

ID Verified

#1201931 22-Dec-2014 11:43

It is unacceptable is Telecom/Spark told the niece over the phone how to reset the router - because that is all that has happened - without confirming she was the account holder.

But, I would say, it is not hard to impersonate the account holder - just need full name and DOB usually, and your daughter should know that :)

Having said that, it is not hard to poke a needle into the reset button of most routers - and Spark ones will not need setting back up (do not need a specific username and password entered for PPPoA).

I don't think getting angry at Spark is fair really - they are not the digital babysitter, they just provide the connection. If you.they want better security, don't be using the free router that came with your connection. I'd be surprised if any more than 5% of Spark routers (actually, 1% even) had the default admin password changed, let alone the WiFi password changed from the sticker on the bottom of them.

NZtechfreak

4649 posts

Uber Geek

Trusted

#1201932 22-Dec-2014 11:45

Andib: Most of the ISP supplied modems now can be remotely managed by the ISP.
Makes changing wifi passwords for users MUCH easier. Imagine trying to guide your Grandmother to change the WPA key over the phone.

Totally understand customer need for them having this capability, but there surely had to be some check with the account holder? I think I might check the SSIDs near my home and find some Telecom routers and get them to change the password for me, could do with more bandwidth this month...

Twitter: @nztechfreak
Blogs: HeadphoNZ.org

NZtechfreak

4649 posts

Uber Geek

Trusted

#1201945 22-Dec-2014 11:50

trig42: It is unacceptable is Telecom/Spark told the niece over the phone how to reset the router - because that is all that has happened - without confirming she was the account holder.
But, I would say, it is not hard to impersonate the account holder - just need full name and DOB usually, and your daughter should know that :)

Having said that, it is not hard to poke a needle into the reset button of most routers - and Spark ones will not need setting back up (do not need a specific username and password entered for PPPoA).

I don't think getting angry at Spark is fair really - they are not the digital babysitter, they just provide the connection. If you.they want better security, don't be using the free router that came with your connection. I'd be surprised if any more than 5% of Spark routers (actually, 1% even) had the default admin password changed, let alone the WiFi password changed from the sticker on the bottom of them.

Given its her grandfather's home and account, I doubt she could have impersonated the amount holder convincingly.

Their obligation to the security, surely, is not allowing for something like this to happen. Seems completely justified being pissed at then from where I'm sitting. Sad to say, but she isn't bright enough to do this on her own and it is extremely unlikely she'd have managed it without their assistance.

The proportion of Spark customers who have changed the default router passwords is irrelevant here, since this one was changed.

Twitter: @nztechfreak
Blogs: HeadphoNZ.org

Equinox IT

Cloud spending continues to surge globally, but most organisations haven’t made the changes necessary to maximise the value and cost-efficiency benefits of their cloud investments. Download the whitepaper From Overspend to Advantage now.

Batman

Mad Scientist
29760 posts

Uber Geek

Trusted

Lifetime subscriber

#1201946 22-Dec-2014 11:51

Don't blame spark completely. Teens are the least secure bit. If spark didn't tell her she could have figured it out herself

NZtechfreak

4649 posts

Uber Geek

Trusted

#1201948 22-Dec-2014 11:52

joker97: Don't blame spark completely. Teens are the least secure bit. If spark didn't tell her she could have figured it out herself

See above post, she's left high school to move to Oz in the hopes of getting a part in The GC 2. I'm serious. Of course Telecom isn't completely to blame here, but if they held up their end they'd at least have made the outcome rest on her intellect.

Twitter: @nztechfreak
Blogs: HeadphoNZ.org

trig42

5809 posts

Uber Geek

ID Verified

#1201959 22-Dec-2014 12:01

Never underestimate the cunning of a teenager. If she herself didn't work it our, someone in her social circle certainly could have.

But, as I said, Spark should not have helped her out without confirming she or whoever was on the phone to them was the account holder.

dafman

3925 posts

Uber Geek

Trusted

#1201963 22-Dec-2014 12:16

And if copyright material has been illegally downloaded, do spark send the copyright infringement notice to your parents or to themselves???

plambrechtsen

1948 posts

Uber Geek
Inactive user

#1201985 22-Dec-2014 12:59

If it was a Spark supplied modem then there is a default admin username & password, or no authentication required if you plug in via a wired connection. This would be the same for the vast majority of all modems sold throughout the entire world. And I would say it would be less than 1% of all customers who change the admin username & password to the router from the default.
In regards to the Wifi WPA(2) PSK shared key, this is written onto the bottom of all modems and a secure SSID and password, and the odd's of being able to guess it or brute force it is extremely remote.

There is WPA "Protected" Setup (and I use the quotes around protected since it does the exact opposite) which does have known issues but all modems supplied by Spark for the last 4+ years have be setup to use "Push Button" setup, which is more immune than the normal PIN based setup which has been shown to be completely insecure.

So in this regards there are a number of things the said teenager could have done without any assistance from a Spark CSR.

1) Reset the modem to factory default using a pin and then used the SSID & Password printed on the bottom of the modem
2) Replaced the modem with her own one and just unplugged the current modem as that would have just authenticated and she would have received service
3) Plugged in via using a laptop into the ethernet port and reset the SSID & Password to whatever she wanted.

All of which would require physical access into the house and to the modem. If she wasn't permitted to be in the house then that's a case for the police as it's breaking and entering in my personal view.

Physical security of the modem is vital otherwise any security procedures are a complete waste of time in my personal view.

NZtechfreak

4649 posts

Uber Geek

Trusted

#1201994 22-Dec-2014 13:09

dafman: And if copyright material has been illegally downloaded, do spark send the copyright infringement notice to your parents or to themselves???

This is part of the issue here. I would say Spark assumed responsibility for whatever happened on the connection the moment they aided a non-authorised person gain access.

Twitter: @nztechfreak
Blogs: HeadphoNZ.org

NZtechfreak

4649 posts

Uber Geek

Trusted

#1201998 22-Dec-2014 13:12

plambrechtsen: So in this regards there are a number of things the said teenager could have done without any assistance from a Spark CSR.

Agreed, but that is utterly irrelevant here since they *were* aided by a CSR.

I do appreciate that your response as a Spark representative was not to acknowledge that this a $*#& up on Sparks part *at all*, but instead to point out this could have been done without your company falling to live up to their obligations. Nice.

If you're going to post here as a Spark person, you could probably do with brushing up you own customer service skills - in the event of a definite mistake you should first and foremost acknowledge that and make an apology, then you can start trying to help the situation and towards getting things in a positive frame. Just so you know for future reference.

Twitter: @nztechfreak
Blogs: HeadphoNZ.org

cbrpilot

955 posts

Ultimate Geek

Trusted

Spark NZ

#1202039 22-Dec-2014 13:59

NZtechfreak Not trying to sound defensive, but I would suggest that you raise a complaint via a formal channel (i.e. not Geekzone) if you feel that we have failed to live up to our obligations in regards to privacy and security of your information. That way the issue can be formally looked into in an appropriate setting.

My views are my own, and may not necessarily represent those of my employer.

1 | 2 | 3