From my apartment in Sydney’s Eastern suburbs my MacBook Pro can usually pick up no less than fourteen Wi-Fi network signals being broadcast in the local area. This number isn’t surprising, given that the area is full of mid-sized apartment blocks.
Of course, some of the names are a little weird — apparently one of our neighbours is a fan of the 1980s British sitcom “The Young Ones”, one network is ironically named “iwantinternet”, and someone has rather laconically described their Wi-Fi signal as “Terry’s Wireless”. The most surprising one is that there’s a Wi-Fi signal somewhere close by labelled “BrokenHillCafe” — a somewhat interesting coincidence, given I spent most of my youth in that town in outback New South Wales.
All of these networks vary in terms of signal strength and label. Some of them are obviously quite distant from our apartment, and others are clearly operated by those who are less technically adept, as they haven’t bothered to change their name from the default — usually referencing Optus, BigPond, or a router manufacturer like D-Link.
However, they all share one thing in common.
Like our own apartment’s Wi-Fi network, they are secured to varying degrees through a combination of mechanisms. Some use lesser-grade WEP encryption (a bold move, given it’s been broken pretty comprehensively), some feature the more powerful WPA family of encryption, and some even go so far as to disable the DHCP function which automatically allocates IP addresses, or to block devices which are not approved by MAC address.
There are probably still further networks in the area which we don’t pick up automatically, as their SSID is set not to broadcast.
Enabling these Wi-Fi security features on broadband routers is usually a no-brainer. For starters, it stops people piggybacking on your bandwidth for free and downloading whatever they want under your name, but more importantly, it stops them from gaining direct access to your home network and all the goodies — confidential information, for example — that are stored there.
It also stops your data being auto-collected by Google and becoming the subject of a global privacy investigation, but that’s another story.
There are situations where you might want to open up your network — if you’re troubleshooting something, for instance, or if you want to participate in the global Fon Wi-Fi sharing initiative. But in general, I don’t think Australian society is yet ready for universal open Wi-Fi in residential areas. The risks are simply too great — how do you explain yourself if someone hacks into the CIA from your home wireless network?
However, apparently iiNet doesn’t agree with this fairly standard approach to security. While testing the national broadband company’s new BoB Lite integrated ADSL router yesterday, I became aware that it ships with an extremely insecure default Wi-Fi setup.
For starters, the device ships with its Wi-Fi connection turned on, but with no protection set up — not even the most basic WEP encryption. This means that by default, as soon as you plug the BoB Lite in and turn it on, anyone in your neighbourhood can access it.
But wait; it gets worse.
By default, the BoB Lite also allows Wi-Fi access to its web-based administration interface … where the default password is clearly stated, not once but twice! In other words, as soon as you plug your BoB Lite in and turn it on, it would be trivial for anyone close to your house to log on to the device and do whatever they wanted — even to change the password and lock you out of it, if they so desired. Sniffing packets broadcast over unsecured Wi-Fi connections is also not that hard to do these days.
The seriousness of this problem cannot be overstated.
In August 2010, iiNet revealed it had sold some 40,000 units of the BoB Lite’s predecessor by the end of June that year. At that stage the company had some 650,000 ADSL customers, a position that, as its recent extensive advertising campaign has pointed out, places the company as the second-largest provider of ADSL services in Australia (behind Telstra).
With the launch of the full-featured BoB Lite at the low price of $99, or $69 on a contract, iiNet has positioned itself perfectly to take advantage of the fact that every year, tens of thousands of those customers will upgrade their ADSL router. Most of those customers will buy a BoB Lite over the more expensive BoB legacy model — which costs at least twice as much.
What this means is that tens of thousands of BoB Lite routers will be flooding into the Australian market over the next few years — all with the most incredibly insecure setup that you could imagine. And BoB Lite will not usually be sold to technologically savvy users — which means that many of the mums and dads who buy it won’t realise their Wi-Fi access is insecure.
Now, the default security model used by iiNet’s BoB device is not, honestly, that unusual — many routers from many different manufacturers ship in a fairly blank state that would allow them to be easily broken into. However, what makes iiNet’s situation different is both the scale on which it is expected to be deployed — as well as the fact that the company is pitching it as a device which requires very little configuration.
Like Apple does with many of its devices, with its BoB range iiNet is attempting to obscure much of the complex technical workings that underpin its technology, in order that users will find the device easy to use. But this is a dangerous thing to do — when the initial settings are not laid down in a secure manner.
What would it cost iiNet to rectify this situation? Almost nothing. All the company would have to do to fix the security on its BoB Lite modems would be to disable the wireless by default, and set the Wi-Fi to be secure by default unless the user specifically wanted it open. The BoB Lite already comes with a series of user-friendly manuals; the extra steps necessary could easily be added to them. We’ve asked iiNet to respond to the issue, but the company hasn’t yet commented.
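As an added illustration (not iiNet’s code or anything from the BoB Lite firmware), the following Python models the out-of-the-box problems described above and the fix proposed here. The configuration fields, the placeholder default password and the sample values are all constructed assumptions, not the device’s real settings.

```python
from dataclasses import dataclass, replace
from typing import List, Optional, Tuple

# Constructed model of a home router's settings; the field names are assumptions,
# not the BoB Lite's actual configuration schema.
@dataclass(frozen=True)
class RouterConfig:
    wifi_enabled: bool
    encryption: str                    # "none", "WEP", "WPA" or "WPA2"
    wifi_passphrase: str               # empty when there is no encryption
    admin_over_wifi: bool              # web admin interface reachable from wireless clients
    admin_password: str
    documented_default_password: str   # the password printed in the manual

# Constructed: the shipping state the article describes, with a placeholder password.
FACTORY_DEFAULT = RouterConfig(True, "none", "", True,
                               "DEFAULT-PASSWORD-PLACEHOLDER", "DEFAULT-PASSWORD-PLACEHOLDER")

def audit(cfg: RouterConfig) -> List[Tuple[str, str]]:
    """Return (severity, finding) pairs for the default-setup risks discussed above."""
    findings = []
    if cfg.wifi_enabled and cfg.encryption == "none":
        findings.append(("critical", "Wi-Fi is on with no encryption: anyone in range can join"))
    elif cfg.wifi_enabled and cfg.encryption == "WEP":
        findings.append(("high", "WEP is comprehensively broken: use WPA2"))
    if cfg.admin_over_wifi:
        findings.append(("high", "admin interface is reachable from wireless clients"))
    if cfg.admin_password == cfg.documented_default_password:
        findings.append(("critical", "admin password is still the documented default"))
    return findings

def harden(cfg: RouterConfig, admin_password: str,
           wifi_passphrase: Optional[str] = None) -> RouterConfig:
    """Apply the fix asked for above: Wi-Fi stays off unless the user supplies a
    passphrase, in which case it comes up WPA2-protected; admin access moves off
    Wi-Fi; the documented default password is refused."""
    if admin_password == cfg.documented_default_password or len(admin_password) < 12:
        raise ValueError("choose a new admin password of at least 12 characters")
    if wifi_passphrase is not None and not 8 <= len(wifi_passphrase) <= 63:
        raise ValueError("WPA2 passphrases must be 8 to 63 characters")
    return replace(cfg,
                   wifi_enabled=wifi_passphrase is not None,
                   encryption="WPA2" if wifi_passphrase is not None else "none",
                   wifi_passphrase=wifi_passphrase or "",
                   admin_over_wifi=False,
                   admin_password=admin_password)

if __name__ == "__main__":
    for severity, finding in audit(FACTORY_DEFAULT):
        print(f"[{severity}] {finding}")
    print(audit(harden(FACTORY_DEFAULT, "correct-horse-battery-staple", "our-street-wifi-2010")))
```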
The alternative is that iiNet’s BoB Lite range will become notorious in Australia’s internet security community … for all the wrong reasons.