Print

Please login or register.
1 Hour 1 Day 1 Week 1 Month Forever
Login with username, password and session length

[parkdale]

Oh dear... Some one (not house holder) has used their router to access naughty sites:(

https://www.bbc.co.uk/news/technology-57156799

After reading this, I know that a lot of BT routers have open BT Wifi Turned on by default, unless you know how to turn it off. Would this be a security risk?

[tubaman]

... I know that a lot of BT routers have open BT Wifi Turned on by default, unless you know how to turn it off. Would this be a security risk?

It is not 'open' as such as you either have to be a BT broadband customer or have paid to use it, so there is some degree of traceability. I would not be particularly concerned about it.

[stevebrass]

The article mentioned tracing by IP address. If you don't have a static IP address, how would that work?

[niemand]

Court order to the ISP compelling them to inform which customer had the IP in question at the time of the infraction.

[Alex Atkin UK]

"First, a hacker would need to 'crack' the wi-fi password - and if that hasn't been changed from the one written on a sticker on the side of the router, and the router is more than a year or two old - then it would take a matter of minutes to crack it," he said

That would allow the hacker on to a private individual's home network - although they would have to be within about 20 metres of the house.

If they're in a car sure, but clear line of sight I can still use my WiFi well into the local park 200-300m away.

Second, to do anything particularly sinister on the home network, the hacker will need to change the router configuration. That needs the router admin password," explained Mr Munro.

Except they DIDN'T do anything sinister on the home network, they simply used their broadband to do something sinister which ONLY needed the WiFi password.

So what I guess has happened here, is that the hacker has cracked the wi-fi password and then made changes to the router configuration, so their illicit activities on the internet appear to be coming from the innocent party.

Ummm no, you're talking p00, no modification of the router required here. Ken Munro, security consultant with Pen Test Partners seems to not have a clue what he is talking about.

[Bowdon]

It seems an odd situation.

I didnt think there was a 'default' router/wifi password these days, i.e. the same password used on every router/wifi.

I've heard about the wifi attacks before. That the attacker has to be within reach. I think someone just sitting on the road would be enough, as I can see a lot of wifi networks around me if I scan.

I wonder if the wifi even had a password? Some didn't used to around my area.

[kitz]

>> Except they DIDN'T do anything sinister on the home network, they simply used their broadband to do something sinister which ONLY needed the WiFi password.

I thought the same thing when reading the article.    There was no need for them to access the router config to enable them to upload an image from their own device.  All they needed was to be on the WLAN.

"So what I guess has happened here, is that the hacker has cracked the wi-fi password and then made changes to the router configuration, so their illicit activities on the internet appear to be coming from the innocent party."

Rubbish. -  As already mentioned re his first statement (that was also wrong),  they only needed to be on the WLAN.  ie got the wifi password.



>>  I've heard about the wifi attacks before.

Wifi passwords have alway been a weak link.   Even if you set a strong password there's still a chance it can be hacked.     WEP is supposedly relatively easy to crack and whilst WPA-PSK keys are generally assumed as safe and much harder to brute force, it's not totally impossible.  It entirely depends on how determined the hacker is and the type of encryption.

>> I wonder if the wifi even had a password?

It will have done - it was a Vodafone HHG2500.   
This is the modem-router that our members had fun with and finally managed to hack it to be able to get the Vodafone account details, so that members were able to use a router of their choice and/or access line stats. Once members of the kitz community did manage to hack into this modem, it was a direct result that Vodafone changed their mind about letting their customers have their login info.  It was actually quite well locked down and wasn't particularly easy to get the login info. 
iirc wifi was using WPA encryption - more info in the router hacking section (not visible to non-members of the forum)....  and if I remember correctly it did have the wifi password stored in the router config files...  but you'd already need to be on the WLAN anyhow and using certain cracking tools to view it.   

[meritez]

The Vodafone THG3000 comes with a guest WiFi that you can't disable

[kitz]

I wonder if they have a way of tracking these guest accounts.   
In the same way that with BT HH offer wifi hotspots for other BT customers.   Surely they must have to track the guest users for those who opt into these network hotspots.

[gt94sss2]

I believe the BT WiFi system gives users IP addresses on a separate subnet (10.*) rather than the usual 192 IP range and then tunnels the data so the location of the hotspot is not revealed.

They also require hotspot users to login to access the BT WiFi functionally.

[kitz]

Thanks gt, sorry if I didn't make myself clear.    I knew that the BT hotspots require a login and that they must also share a portion of their own bandwidth to be able to participate in the (free) BT hotspot system.    I wasn't quite sure how the Vodafone Guest System works as it seems rather more vague. 

What is Guest WiFi

Guest WiFi lets you set up a separate connection to your router that can be used by your guests.

This means that guests can connect to your WiFi without needing the router password. You can also control who has access to the network, and for how long.

At first, I'd thought it was something like the BT system, but it seems not.   Going off that description alone, it looks like anyone could access your network if they were close enough.    Just done a quick scan locally, but no-one nearby is on vodafone broadband for me test.    I wonder if that setting is enabled by default.   If so then it could leave you wide open.   No hacking required.     

I notice Vodafone are keeping stum  - quote

Vodafone told them that it did not have a record of their internet activity. It has not responded to the BBC's request for comment.

I guess I just answered my own question too.  As these guest accounts are what looks like to be general guests on [your]  WLAN and supposedly under your control, then they will be using your IP.  So no tracking by Vodafone.

>> a guest WiFi that you can't disable

In which case it will be on by default and I bet most users wont have a clue its there.   What about password control.   I hope that by default its password protected because "Choose if you want to have Password protection, and what the password will be" sounds rather ominous.   I wonder how many are set up without a password and could be giving free internet access to neighbours etc.

[parkdale]

My thoughts were along the lines of Guest Wifi being active. I have a THG3000 and the Guest Wifi is off by default, don't know about HHG2500 never had one.
I did ponder on whether they had Vodafone Sure Signal as part of the package... now that is on by default..... I think Vodafone are dropping Sure Signal now.
My THG3000 is used as a door stop until the end of my contract

[Alex Atkin UK]

I'm not even sure how the BT system works.  I know when BTFON was a thing they did used to tunnel to the BT network, then a few years before the whole project was shelved they dropped the tunnel method which made me really uncomfortable.

I seem to recall I asked FON how on earth they were now protecting us from bad actors using our APs, they claimed the traffic could still be tracked as from a BT/FON account rather than the host.  Have to say I was dubious at that point.

[Weaver]

What a scary, horrible story. These poor people got stuffed for the crime if being tech-ignorant. If I were well enough I would be doing free education and safety classes for locals. (I used to do that kind of education for local customers when I worked as a consultant here.)