BoB security is ‘standard practice’, says iiNet


National broadband provider iiNet this week said the default setup of its new BoB Lite ADSL router – which leaves its Wi-Fi functionality open and the device’s administration password publicly available – was “standard practice” used by router manufacturers.

“… your network is laid bare for the world to access. iiNet concedes this point with a slim leaflet in the box that suggests you set up a wireless access password. Call us picky, but even a simple predefined password would be a better bet for a product that’s pitched squarely at network novices,” consumer technology site CNET.com.au wrote in its review of the device.

An iiNet spokesperson disagreed that the issue was a problem. “It is standard practice for wireless routers to follow the same setup protocols as BoB Lite when logging into the user interface,” they said in a statement, noting that the company also emphasised the need for customers to change their passwords regularly and follow safe online practices.

“We send out regular reminders about the importance of secure passwords and detailed information is available on our website and from our support team,” they added.

Security analyst James Turner – an advisor with Intelligent Business Research Services – said ISPs needed to be thinking about and planning for the future when it came to security. Once Australia had a nationwide fibre network in the form of the National Broadband Network, they would be “creating a rod for our own backs” if they didn’t get consumers used to the idea of enabling security features on their devices now.

Turner didn’t consider it likely that many iiNet customers would have their BoB Lite broken into in the sparse minutes between turning on the device and setting up a Wi-Fi password and encryption such as the commonly used WPA2 standard — as that would require an attacker to be in the right place at precisely the right time and to log in to the router.

But it would be a different matter if users simply left the Wi-Fi open permanently, he said – noting he wouldn’t personally leave an unsecured Wi-Fi router set up that way.

The analyst pointed out there were groups in the community who would exploit such open systems – such as the Anonymous network of individuals who have recently been wreaking havoc on the technology systems of financial institutions and governments alike.

Turner noted as well that there were some people in the community who had what he described as “some very unusual fetishes” — adding that if such individuals had a modicum of knowledge about computer security, they wouldn’t download illegal content through their own home internet connection. Open Wi-Fi networks could provide such people with the anonymity they needed.

Image credit: iiNet

22 COMMENTS

  1. Unfortunately, iiNet is right – it *is* standard practice – irresponsible, IMHO, but every router manufacturer either leaves the admin password blank or sets it to something simple like “admin” or “password”.

    The major problem is that they do little, if anything, to educate the user in the necessity of securing their access point IMMEDIATELY. They fall back on the old “it’s the user’s responsibility to secure their environment” excuse – which, technically, it *is*, I guess – but many users are so technologically inept they may not possess the minor skills necessary to do this without guidance.

    What the router manufacturers should be compelled to do is have a “scripted” configuration environment built in that will not allow the device to be used without a suitable admin password being set. As for wifi access, that’s less of an issue as some people deliberately leave their wifi unsecured to “share the wealth”, but the dangers of this should be clearly emphasized in the documentation.

    I see so many local businesses with completely insecure routers that it is staggering – so after checking my email (as you do), if I can locate the business I’ll offer to show them how dangerous their setup is and why. Most are appreciative, but I’ve had one sporting goods chain connect me to their IT people who actually said “it’s easier to leave it unprotected, then we don’t have to remember passwords, etc.”

    WTF, PEOPLE !!! That’s like writing your ATM card PIN on the card itself !! I showed one store franchisee how easy it was to access his wireless cash registers from my iPad and see bank information, and then how to lock it down and he couldn’t believe that their corporate people didn’t consider this a security risk !!!

      • Anonymous is hardly going to be tracking down iiNet customers for the purpose suggested.

        What a joke.

  2. Standard practice for some vendors maybe. When I was over in Germany in December my inlaws had a Samsung ADSL router. Rather than having no WPA password or some stupid default, the password was written on the bottom of the router. It was actually just the serial number.

    Would be good if all providers started standardising on something similar.

  3. Regardless, most people – (read: average mum and dad user) – don’t have the knowledge to do all this work. It’s all well and good for us tech-inclined to say this and that about how secure or insecure they should be by default.

    People don’t know.

    Finding the balance between REALLY SECURE default settings, and allowing BASIC USERS to get up and running is very difficult.

  4. There is a huge label on the front of every bob lite and bob sold that clearly states: “Your wireless is unsecured and you need to secure it.” I have seen this on both bob and bob lite units I purchased.

    Users need to take this on board and configure their security. Most probably just want to get their shiny device online and then forget to go back and configure their modem.

  5. Netgear don’t do it this way.
    At least not for the Optus supplied routers.
    Each and every router uses WPA2 and has the default key on a sticker on the base of the router.

    It can be considered an oversight by iiNet to not do this, but it is shameful that they are basically denying the problem.
    You’re number 2 now. Smarten up.

    • Netgear modems don’t have security by default – I know, I have 3 of them. Optus preconfigure their modems, as do Telstra (where’s that link to breaking into the Telstra SECURED modems?). Manufacturers, and companies who don’t preconfigure them, are all the same: they require user setup. Since modems that aren’t preconfigured also require user intervention to get online, there’s no reason why wireless can’t be done at the same time.

    • It’s not just the Netgear modems that Optus sends out like this – the wifi-enabled cisco cable modems they send out all have unique details, too.

  6. Anyone with half a brain knows that 95% of people will expect to plug the unit in and have it work. If this is the case they almost certainly won’t bother touching it beyond that point, including any wireless security.

    They are losing credibility by the day by stepping back from the issue rather than acknowledging and addressing it. No shame in admitting you messed up if you actively do something to resolve it.

    And number 2 in DSL – isn’t that like saying you’re 2nd best of the mediocre?

  7. I agree Standard Practice != Good Practice.

    But can someone please tell me why iiNet being made an example of here?

    Why not any of the other modem manufacturers who ship 100 fold more devices than iiNet does?

    You can disagree with their official practice response all you want, the fact remains that it is true.

    Why are we targeting iiNet at all? Surely if the practice is the problem, then that is what needs to change?

    Leave iiNet out of it.

    • It’s so all their downloaders can say ‘it wasn’t me’ to AFACT :) – they got hacked over wireless.

  8. Ok,

    I moved to the UK a couple of years ago, and found out they did something really simple there. All the ADSL wireless routers that are shipped from an ISP have a sticker on the bottom of the device with an SSID and a wireless key pre-set.

    Most of the time it was WPA or higher, now this makes serious sense. Pretty much everyone left it as it was, so when someone needed it you just found your modem and looked at the sticker.

    It blew me away how simple it was; I could never find an open wireless network there. If those providers can do it I’m sure iiNet can, and yes I am aware it generates the code from the MAC address, and it can be hacked with some good work, but security on by default and not WEP is better than nothing at all!

  9. Standard practice for router manufacturers it may be, but it is not standard practice for ISPs.

    For example, Big Pond’s wireless routers come with an SSID and shared key built in, and it’s written on the modem and on a card. Myne commented that Optus’ Netgear modems also come with built in security.

  10. Bigpond’s modems also happen to use part of their serial number for the PSK and SSID – which means with a little reverse engineering you can break into them.

    There was a great article on this last year.

  11. Just received my FRITZ!Box from Internode. Defaults to WPA/WPA2 with an initial key on a label on the underside of the unit.

  12. Rubbish! There are PLENTY of ISPs and router manufacturers who use higher encryption by default (and yes, I hate to say this, even some BogPond equipment) and different keys for each device. One more time: because it’s standard practice does not mean everyone SHOULD do it; otherwise we would still be in the stone age.
