Broadband News

TalkTalk shows why wireless routers should ship with WPA enabled

Wireless network security is something many people easily overlook, and for novice wireless users the complexity of getting four or five devices connected can be daunting.

TalkTalk has staged a wireless stunt, followed by Rory Cellan-Jones at the BBC, in which they surveyed a street in North London. They found that while a large number of networks use some form of encryption, it was the lowest level, which meant that someone could exploit loopholes in the security and gain access to your network. Once on your network, any illegal activity they carry out would be traced to your connection, with you being liable. In the case of the proposed unlawful downloading proposals, as there is no judicial process, the assumption would be that you are trying to squirm out of it. The Department for Business, Innovation and Skills currently envisages there being some form of tribunal so people can appeal.

The BPI (British Phonographic Industry) appears to be confident that the warning letter system would mean that people would have the chance to secure their networks, but that presumes people would understand what happened, and in families with children, you might see parents who simply believe it was the children and blame them rather than look into the technical measures. Given the amount of wireless kit that ships with WEP encryption and is sold as secure, one can forgive the non-computer experts (i.e. the majority of the population) for believing they are secure.

The best level of encryption is WPA2, but alas not all devices support this. WPA is more widely supported, but these methods still carry the risk that someone can guess your password. It is therefore imperative that you use passwords that cannot be easily guessed: avoid things like pets' names, birthdays and addresses, and go for much longer phrases.

For a guide that explains the myriad of terms and gives simple advice on how to secure your wireless network, visit GetSafeOnline.Org. Other options include getting a trusted friend to help you set up the network, or using one of a growing number of commercial services that will visit your home and configure your hardware. TalkTalk run one of these services (Geek Squad), but at £99 for a home visit many people will do their best to avoid using them.

Comments

Isn't WPA bust too these days?

  • carrot63
  • over 7 years ago

Yes but WPA2 is a lot harder to crack. Just keep the SSID longer than 8 characters and the pass phrase at least 16 characters long using upper, lower & special characters like the '@' sign should keep things relatively secure. Also change the default admin pass on the router and if possible change the admin login name if the router supports it.

  • commandergc
  • over 7 years ago

Or you can use the setup CDs which come with the router, and per the WiFi Protected Setup *standard* enable security as-default.

There's no need for websites or anything else fancy whatsoever, just using the provided tools. I only recommend routers to the less technical which fully support the standard.

  • Dawn_Falcon
  • over 7 years ago

I guess maybe people could change their keys to something like "MandeLs0n(anb!temyshineymetal...spoon"

I have two wireless networks at home, the first is a WPA2 network which I never generally give the keys out, but have to have a WEP network (on a physically separate network via IPCop) just for the kids to play online on the DS.

  • EnglishRob
  • over 7 years ago

I just wish that Nintendo would support WPA2 on the original DS (I dare say they could do it in newer games). Still maybe with a bit of publicity it might make people start to think. But still £99 which TalkTalk is charging is a bit much for 10 mins work (if that!).

  • EnglishRob
  • over 7 years ago

I have had to put my network back to WEP because my daughter's Acer laptop (Vista) doesn't support WPA or WPA2. My old IBM with XP works fine. Can't find an updated driver that works either (Broadcom).

  • packetman
  • over 7 years ago

While I agree it's good to encourage people to secure home networks, conversely if an organisation *wants* to provide a free hotspot is there any reason to turn on encryption? Modern routers have "Wireless Isolation" to protect clients from each other.

  • prlzx
  • over 7 years ago

I looked at the preceding article in GetSafeOnline.org, about Backups - amusingly out-of-date (see the maximum sizes and prices for USB Flash Drives and external hard disks, for example). Why don't these website articles give the Date Last Revised? It makes you wonder how up-to-date the article about Wireless Security is... (seems mostly OK, though).

  • John_Gray
  • over 7 years ago

The only time I've come across a router which was set up with WEP was on a Wanadoo router.

All others default to at least WPA and sometimes WPA+WPA2 as soon as you turn the wireless on

  • uklad77
  • over 7 years ago

@uklad77, the 2WIRE 2700 is WEP out of the box. I think the Netgear DG834N is WEP out of the box as well.

The 2WIRE 2700 doesn't have WPA2. Or at least not the firmware I am on 5.x. As I use the 2700 as a hub only.

  • vodoun
  • over 7 years ago

The DG834N is insecure out of the box ie no encryption. BT Home Hubs used 64 bit WEP and I think this is true of the Home Hub 2.0 (the wireless key is 10 characters)

  • herdwick
  • over 7 years ago

Although WPA is often equated with TKIP and WPA2 with CCMP, this isn't always the case.

A wireless access point advertising WPA may offer TKIP (RC4) or CCMP (AES) or both at the same time. The same is true with WPA2.

(Additionally, to further complicate matters, a WAP may offer both WPA and WPA2, in any of the possible configurations above, at the same time.)

  • n1ck
  • over 7 years ago
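An added illustration of the point in the comment above (not part of the original thread): a small Python parser that reads the WPA and RSN (WPA2) information elements from a beacon and lists which pairwise ciphers each one actually offers. The sample bytes are constructed for this example, and the function names are hypothetical.

```python
import struct

# Suite type numbers are shared by the WPA element (OUI 00-50-F2)
# and the RSN/WPA2 element (OUI 00-0F-AC).
CIPHERS = {1: "WEP-40", 2: "TKIP", 4: "CCMP", 5: "WEP-104"}
AKMS = {1: "802.1X", 2: "PSK"}
WPA_OUI, RSN_OUI = b"\x00\x50\xf2", b"\x00\x0f\xac"

def _name(sel, oui, table):
    if len(sel) != 4:
        raise ValueError("truncated suite selector")
    return table.get(sel[3], f"unknown({sel[3]})") if sel[:3] == oui else "vendor-specific"

def _suite_list(body, off, oui, table):
    """Read a 2-byte little-endian count followed by that many 4-byte selectors."""
    (count,) = struct.unpack_from("<H", body, off)
    off += 2
    names = [_name(body[off + 4 * i: off + 4 * i + 4], oui, table) for i in range(count)]
    return names, off + 4 * count

def _parse(body, oui):
    # Layout: version(2) | group cipher(4) | pairwise list | AKM list | ...
    pairwise, off = _suite_list(body, 6, oui, CIPHERS)
    akm, _ = _suite_list(body, off, oui, AKMS)
    return {"group": _name(body[2:6], oui, CIPHERS), "pairwise": pairwise, "akm": akm}

def security_modes(ies):
    """Walk tag/length/value elements from a beacon; return what WPA and WPA2 each offer."""
    found, off = {}, 0
    while off + 2 <= len(ies):
        tag, length = ies[off], ies[off + 1]
        body = ies[off + 2: off + 2 + length]
        if len(body) < length:
            raise ValueError("truncated element")
        if tag == 48:                                        # RSN element = WPA2
            found["WPA2"] = _parse(body, RSN_OUI)
        elif tag == 221 and body[:4] == WPA_OUI + b"\x01":   # vendor element = WPA
            found["WPA"] = _parse(body[4:], WPA_OUI)
        off += 2 + length
    return found

def tkip_enabled(found):
    """Modes in which a client may still negotiate TKIP as the pairwise cipher."""
    return [mode for mode, info in found.items() if "TKIP" in info["pairwise"]]

def _ie(tag, body):
    return bytes([tag, len(body)]) + body

# Constructed sample: WPA offering only CCMP, WPA2 offering both TKIP and CCMP.
_WPA = WPA_OUI + b"\x01" + b"\x01\x00" + WPA_OUI + b"\x02" + b"\x01\x00" + WPA_OUI + b"\x04" + b"\x01\x00" + WPA_OUI + b"\x02"
_RSN = b"\x01\x00" + RSN_OUI + b"\x02" + b"\x02\x00" + RSN_OUI + b"\x02" + RSN_OUI + b"\x04" + b"\x01\x00" + RSN_OUI + b"\x02" + b"\x00\x00"
SAMPLE = _ie(0, b"home") + _ie(221, _WPA) + _ie(48, _RSN)
```

On the constructed sample, `security_modes(SAMPLE)` reports WPA with CCMP only and WPA2 with TKIP and CCMP, so the "WPA2" label alone does not tell you the weaker cipher is switched off.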

@packetman First make sure you've got XP SP3 installed on the machine. Then install http://www.station-drivers.com/telechargement/broadcom/wireless/broadcom_bcm43xx_5.30.21_0-winxp-vista-7(www.station-drivers.com).exe from http://www.station-drivers.com/page/broadcom.htm.

  • n1ck
  • over 7 years ago

@packetman, sorry! - just reread. You're using Vista. That is odd. Try the drivers at the link I've posted, obviously ignoring the XP SP3 part.

  • n1ck
  • over 7 years ago

AFAIK WPA-TKIP is pretty much useless now as a security measure - proof of concept showing it could be exploited in 15 seconds with a 9800GX2 + CUDA - but WPA-AES is still fairly good.

  • Rroff
  • over 7 years ago

What should we do with old devices with no WPA2 such as Nintendo DS ?
Throw them in the skip ? Spend even more hard earned cash to buy new replacements ?

What about the router software ? For old devices we could add their MAC so WEP
can be used just for them. Others (different MAC) trying to connect with WEP etc.
would fail, even if with correct WEP key. "MAC spoofing" might be of concern
but the spoofer would need the MAC address of the WEP device, specified in the
router.

  • shaunhw
  • over 7 years ago

No, MAC filtering is basically useless. It's trivial to bypass.

And get onto Nintendo about an addon which has proper wifi security.

  • Dawn_Falcon
  • over 7 years ago

The idea of WPA-PSK / WPA2-PSK using TKIP was that it used the same RC4 cipher as WEP and would be compatible with existing hardware.

WPA-PSK / WPA2-PSK using CCMP uses AES and is typically incompatible with older hardware.

The reason for the DS not supporting TKIP is Nintendo lacking the will to make it happen, nothing more. With a software update, it could.

  • n1ck
  • over 7 years ago

The security risk of TKIP based WPA-PSK is negligible.

See http://wifinetnews.com/archives/2009/08/new_wpa_exploit_presented_in_paper.html

  • n1ck
  • over 7 years ago

Actually, n1ck, it can't. The DS is not a very capable machine and relies on hardware even for WEP encryption. It would need a hardware addon for WPA.

  • Dawn_Falcon
  • over 7 years ago

I'm using a router with WPA2 security on vista and am still able to use a DS online, try using the driver from this link:
http://wiiportal.nintendo-europe.com/426.html

  • jonno251
  • over 7 years ago

In my experience, many people are happy just to get their various bits of kit working together wirelessly. They don't understand the concepts of encryption and they don't want to make any configuration changes in case it stops working and they can't fix it.

  • chris_the_geek
  • over 7 years ago

My Sky router comes pre-set with WPA-PSK as the security option. With WPA-802.1x Security Encryption as the next. Is this their version of WPA2?

  • bluesbros
  • over 7 years ago

Dawn_Falcon wrote:

"No, MAC filtering is basically useless. It's trivial to bypass."

How do you bypass MAC filtering:

1: Without knowing the MAC address of the particular device ?

Or:

2: Not being able to get access to the router ?

Just curious.

Yes Mac space is small in crypto terms but the router could close off WEP connects completely until restart after just a few attempts of unauthorised MACs trying to use WEP to connect.

  • shaunhw
  • over 7 years ago

In fact - why doesn't the router simply shut down WI-FI after a few WiFi connections are attempted with bad keys, and wait for a restart ? One wouldn't need much more than (say) ten connect attempts with bad keys before you simply turn off the WiFi or refuse ANY new connections (to allow existing to continue.) This assumes no physical access to the router, which is the case, when attacked from the street.

  • shaunhw
  • over 7 years ago

PS: I am aware that WEP is attacked by analysis of the packets not brute force. It seems like the designers were quite naive really.

  • shaunhw
  • over 7 years ago

Who would want to hack into a bobr talk talk connection anyway you would be better off with 2 yoghurt pots and a piece of string lol

  • 2doorsbob
  • over 7 years ago

Unprotected Networks are due to 1) Ignorance 2) Reduced signal range 3) Incompatibility with older hardware and 4) Incompatibility with Windows. Living in a rural area where connection piggy-backing (without the owner's permission) is unusual, in order to minimise the chance of encountering points 2) - 4) I've set them up with 64bit WEP and "Allow AP" on, "Broadcast SSID" off, which makes it too much hassle for someone who just wants to see "Unsecured Network" and Logon.

  • soloman
  • over 7 years ago

Please ignore my previous post as I had a bad experience with talk talk but on the subject I prefer to use mac addy filtering as there is no signal loss, no further reduction in network performance and the router says if your name is not on the list you can't come in

  • 2doorsbob
  • over 7 years ago

soloman:

0) Routers shipping without WiFi Protected Setup

shaunhw - It's *trivial* to spoof, once you're through the encryption. Think about what "wireless" means.. "broadcast".

MAC filtering is worthless.

  • Dawn_Falcon
  • over 7 years ago

Posted by shaunhw 2 days ago
"MAC spoofing" might be of concern
but the spoofer would need the MAC address of the WEP device, specified in the
router.

shaunhw - Dream on - and suffer the consequences.

To optimise my WIFI I downloaded some public utilities (i.e. NOT hackers / war drivers tools)
and one of them reports all the neighbours' MAC addresses even though they use encryption keys I do not possess.

Alan

  • alan-borers
  • over 7 years ago

@Dawn_Falcon - "0) Routers shipping without WiFi Protected Setup" - it was the subject of the thread so I decided to drop that as one of the reasons when I got the "post too long" error. LOL

;)

  • soloman
  • over 7 years ago

soloman - Well it's the solution, honestly, to the entire mess. Honestly, I'd like to see naming and shaming of the consumer-aimed routers which ship without it!

  • Dawn_Falcon
  • over 7 years ago

"Posted by shaunhw 4 days ago How do you bypass MAC filtering:" With a sniffer. Mac addresses are sent clear text, sniff away and then you've got the mac address of a wireless device when it boots up/first registers/communicates

  • GMAN99
  • over 7 years ago
