Security flaw leaves Eircom customers open to hackers
John Collins
Up to a quarter of a million Eircom customers could be inadvertently sharing their broadband connections with strangers due to a security flaw in products supplied by the telecoms company.
The security problem could allow hackers to access wireless connections in buildings up to 30m (100 feet) away, without the knowledge of the Eircom account-holder.
As well as allowing free access to the internet, the flaw could in theory permit a hacker to engage in illegal activity that could then be traced back to the Eircom customer.
The problem relates to broadband routers, supplied to Eircom by Motorola subsidiary Netopia, which can connect computers to the internet via Wi-Fi, a wireless technology commonly available on the average PC.
Due to the way security has been implemented on these products, hackers and anybody with a reasonable computer knowledge can freely use them to access the internet.
The wireless routers use a security protocol called Wired Equivalent Privacy (WEP). This protocol requires anybody accessing the wireless network to enter a 16-digit password.
This code is generated from the serial number of the router as well as some text which is converted to numerical values.
The text used includes eight snippets of lyrics from guitar legend Jimi Hendrix.
The security problem occurs because the unique eight digit number that is broadcast as the name of the network is also derived from the serial number.
As a result hackers simply have to look at the name of the Eircom network to get access to it. Both downloadable tools and websites have emerged which automatically create the 16-digit key when the network name is keyed in.
Eircom issued a statement yesterday saying it is aware of the issue and is contacting all affected broadband customers.
The Netopia routers in question are the 3300 and 2247 series.
Users who have changed the default set up are unaffected by the problem.
All new modems sold by Eircom will have instructions on how to change the default WEP key while existing customers are advised to visit www.broadbandsupport.eircom.net for instructions.
Eircom pointed out that accessing wireless networks without permission is a criminal offence under the Criminal Damage Act 1991 and the Criminal Justice (Theft and Fraud Offences) Act 2001.
The problem was first revealed on a post to the popular Boards.ie discussion website over the weekend.
“This raises a number of issues, not least that my neighbour could use my broadband connection,” said Brian Honan, a director of security specialists BH Consulting.
Mr Honan said unauthorised users could use a wireless network to download illegal content or even to access other computers in the premises or home.
Motorola, whose subsidiary supplies the routers, declined to comment on the matter.
(Aside: As you can expect, we had a busy day on boards.ie today, necessitating a database server restart at one stage when our web node requests became too much for our database to handle. But you may have seen in my recent presentation about boards.ie that we are purchasing a new database server to help resolve this limitation. The story also made it onto The Register via ENN.)
Firstly, thank you to all our social.ie beta testers to date. The site has been nominated in the IIA Net Visionary Awards 2007 for “Web Developer Excellence”! Voting is now open if you want to support us…
Latest Comments
RSS