ISPs that secure customers' wifi with the customer's phone number.


+warwagon    12,606

So I created a thread about this a while back but damned if I can locate it. I was going to add to it, but I thought, oh well I'll just create a new one.

 

So there is a DSL provider in the town called "Frontier". I think they are nationwide. For every customer, they configure the wifi password as the customer's "Phone number". I also think the Cable provider might do this too.

 

They do this because the average user tends to forget their password and when they do, they contact support. This way support can tell each customer what their Wifi Password is.

 

So here's the issue.

 

Every single bar that I go to in town has their name in the SSID so it's not hard to know who that wifi belongs to. You then look up that bar's phone number on Google and BOOM you are connected.

 

But it gets worse, much worse. 

 

These same individuals who are too stupid to remember their wifi password are also too stupid to actually change their router admin password. Thus on my test, I was able to connect not only to the wifi but into the router itself in 4/5 bars.

 

I remember sitting in the Subway located inside the local Walmart. There was a wifi access point but it was secured. I think it was called frontier. So I looked up Subway's phone number in this town and BOOM I was connected.

 

I personally think securing a customer's wifi with their phone number is a HORRIBLE idea!

 

 

  • Like 1

adrynalyne    10,906
14 minutes ago, warwagon said:

So I created a thread about this a while back but damned if I can locate it. I was going to add to it, but I thought, oh well I'll just create a new one.

 

So there is a DSL provider in the town called "Frontier". I think they are nationwide. For every customer, they configure the wifi password as the customer's "Phone number". I also think the Cable provider might do this too.

 

They do this because the average user tends to forget their password and when they do, they contact support. This way support can tell each customer what their Wifi Password is.

 

So here's the issue.

 

Every single bar that I go to in town has their name in the SSID so it's not hard to know who that wifi belongs to. You then look up that bar's phone number on Google and BOOM you are connected.

 

But it gets worse, much worse. 

 

These same individuals who are too stupid to remember their wifi password are also too stupid to actually change their router admin password. Thus on my test, I was able to connect not only to the wifi but into the router itself in 4/5 bars.

 

I remember sitting in the Subway located inside your local Walmart. There was a wifi access point but it was secured. I think it was called frontier. So I looked up Subway's phone number in this town and BOOM I was connected.

 

I personally think securing a customer's wifi with their phone number is a HORRIBLE idea!

 

 

I personally think that the ISP has no business setting up wifi for clients, period.

  • Like 5

+warwagon    12,606
1 minute ago, adrynalyne said:

I personally think that the ISP has no business setting up wifi for clients, period.

 
 

It's mostly on the ISP's DSL Modem / Router

adrynalyne    10,906
31 minutes ago, warwagon said:

It's mostly on the ISP's DSL Modem / Router

I still don't think they should. 

sc302    1,657

Do they offer this wifi to their "customers"? If so, what difference would it make?  If not, yes it is an issue.

 

Did you ask the employees for wifi access? Would they give you the password?  If yes, again what would the big deal be?   Sure the router not being secure is an issue in itself but the wifi might be a to-do about nothing.

+BudMan    3,349
8 hours ago, warwagon said:

I personally think securing a customer's wifi with their phone number is a HORRIBLE idea!

Are you saying the customer does not have access to change it after it's set up, and only the company can set it up/change it?  If so then I agree with you.  But if this is the "setup" config - then it is on the user.. Just like it's on the user when you get some new router/other device and don't change the default password.

 

tech: Ok I setup your router, wifi password is your phone number.  I would change that!!

user: Ok thanks..

  • Like 1

neufuse    3,493

I don't like when ISPs like Comcast have the ability to change your wifi passwords from anywhere... it's open for abuse by rogue employees or others to get into your network (law enforcement, thieves, hackers, etc). In Comcast's case techs can change it without knowing the previous password, CSRs have full access to it and can see it in plain text when it is on one of their rented gateways

Human.Online    7,903
32 minutes ago, BudMan said:

Are you saying the customer does not have access to change it after it's set up, and only the company can set it up/change it?  If so then I agree with you.  But if this is the "setup" config - then it is on the user.. Just like it's on the user when you get some new router/other device and don't change the default password.

 

tech: Ok I setup your router, wifi password is your phone number.  I would change that!!

user: Ok thanks..

And users promptly ignore any comments about security until they get compromised, then blame everyone other than themselves.

+BudMan    3,349
20 minutes ago, neufuse said:

I don't like when ISPs like Comcast have the ability to change your wifi passwords from anywhere.

They shouldn't be able to..  But if you use "their" device and it has wifi, and they have remote admin - then yeah they most likely would be able to.

 

Not really a fan of PE.. I sure as hell do not like renting say a "modem" that they never freaking update anyway.  I will buy my own equipment thank you very much ;)

  • Like 1

Cnónna    667

why can't they just put a randomly generated password on a sticker on the back of each router they ship out to customers. can't be that hard. most ISPs I've encountered over here do it.

 

laziness on the behalf of the provider?

 

longest I went with default login details was 2 weeks while I waited for my fiber connection to settle in. as soon as that was up I stuck my own password in and changed the SSID as well on both 2.4 and 5GHz wifi the router spits out.

+warwagon    12,606
1 hour ago, BudMan said:

Are you saying the customer does not have access to change it after it's set up, and only the company can set it up/change it?  If so then I agree with you.  But if this is the "setup" config - then it is on the user.. Just like it's on the user when you get some new router/other device and don't change the default password.

 

tech: Ok I setup your router, wifi password is your phone number.  I would change that!!

user: Ok thanks..

 
 

The DSL Modem / Router comes preconfigured to the user's DSL account and the wifi is already set up with the phone number as their password. As far as "Being on the user" ... gotta disagree. As simple as it may be to change the password, the average user has NO CLUE! http://192.168.254.254 ----WUT?

 

Although having the ISP make a random password and sticking the password on the outside of the modem / router is a good idea

+BudMan    3,349
6 minutes ago, warwagon said:

the average user has NO FRICK'N CLUE!"

While I completely agree with that statement..

 

How is that the ISP's problem??  I mean really - that again is on the freaking user.. Sorry.. Not asking the user to know how to do brain surgery here..  How is this any different than setting say the pin on your phone?  Or setting the time on your microwave clock you just bought.. How about adjusting the level on your toaster when the toast is not dark enough?  How about changing the time on your watch?

 

To your point if they made it a random, with a sticker on the back.. These no clue users wouldn't have a clue to even login..

+warwagon    12,606
5 minutes ago, BudMan said:

While I completely agree with that statement..

 

How Is that the ISP problem??  I mean really - that again is on the freaking user.. Sorry.. Not asking the user to know how to do brain surgery here..  How is this any

Most average users don't even know where the address bar is in the web browser. You mention the word "Clock in the bottom right" ... they can't find it until you correct yourself and say "The time" :D

 

There is a difference between setting the clock on a microwave, the darkness on your toast and logging into a web interface via the router's default gateway and setting the wireless password.

 

To you and me, yes, it's as easy as setting the darkness on your toast, but for the average user, not so much.

 

My mom could do it (I've taught her well) ... but my dad? HA! He wouldn't even know where to start.

+BudMan    3,349

And I hear you and agree with you.. Just saying why is that the ISP's problem??  That is the user's problem pure and simple..

 

My 2 year old grandson knows how to open up apps on the iPad and play games and watch videos on YouTube.. How is it that a grown person that you would assume graduated at least high school cannot do basic functions on everyday technology?

Andrew    2,860
15 minutes ago, warwagon said:

The DSL Modem / Router comes preconfigured to the user's DSL account and the wifi is already set up with the phone number as their password. As far as "Being on the user" ... gotta disagree. As simple as it may be to change the password, the average user has NO CLUE! http://192.168.254.254 ----WUT?

 

Although having the ISP make a random password and sticking the password on the outside of the modem / router is a good idea

But instead of going through the effort to use their details for the password, they can just use randomly generated passwords.

 

And again maybe this is a UK thing, but our ISPs usually include a short leaflet to set up the provided routers. Those guides usually tell them to navigate to "https://routerlogin.net" to start, rather than the IP. Bad documentation and sheer laziness are the reasons they receive calls over simple questions.

+warwagon    12,606
3 minutes ago, BudMan said:

And I hear you and agree with you.. Just saying why is that the ISP's problem??  That is the user's problem pure and simple..

 

My 2 year old grandson knows how to open up apps on the iPad and play games and watch videos on YouTube.. How is it that a grown person that you would assume graduated at least high school cannot do basic functions on everyday technology?

 
 

While it's not the ISP's fault per se ....

 

A term coined by Steve Gibson which I completely agree with, it's called..

 

"the tyranny of the default" ... the tyranny of the default is sort of the expression I like to use for that most users don’t go in and change things. They just assume that someone smarter than them chose the settings that are best for them… So what that means is that, if it’s enabled by default, it’ll tend to stay on

+warwagon    12,606
2 minutes ago, Andrew said:

But instead of going through the effort to use their details for the password, they can just use randomly generated passwords.

 

I completely agree.

+BudMan    3,349

And how many complaints you think that would generate from the masses... Why do I have to type in this 20 character Random -- WTF!!!! your product sucks!!!  Who was the idiot that came up with this idea??  The type is too small, how do they expect anyone to read this, etc. etc. etc..

 

Why don't you suggest that to this company that is doing that, and see what they say ;)

  • Like 1

+warwagon    12,606
1 minute ago, BudMan said:

And how many complaints you think that would generate from the masses... Why do I have to type in this 20 character Random -- WTF!!!! your product sucks!!!  Who was the idiot that came up with this idea??

 

Why don't you suggest that to this company that is doing that, and see what they say ;)

 

Well it doesn't have to be gibberish. Netgear also comes with a random password where they just put 2 or 3 random words together like ..

 

Lakesunnydrive.

+BudMan    3,349

Well that's pretty useless, can hack something like that in a matter of minutes..... That isn't much better than just using someone's phone number ;)

 

Does not matter what they make the "setup" password.  Be it something random, some info from the user/customer, some info from the device (MAC address), or something default like linksys or cisco.  Not changing what the default password is is completely on the end user..  If they leave it at what it was out of the box they are asking for trouble.

 

What I would be more concerned with is these IoT devices that have backdoor passwords that are common, this is beyond moronic and squarely on the maker of said device.  The user changed the web interface login to something secure.. But how are they supposed to know that there is an admin backdoor with url ?=admin, etc.

 

This sort of setup is just unforgivable from a security point of view from companies that are deploying mass amounts of hardware that will be plugged into the public internet.. 

 

Now you're asking the user to have to do security evaluations of the device/firmware/etc...  This is beyond what should be expected from the end user.. You can expect the user to set up the radio stations on the radio in their new car.. You don't expect the end user to be able to change out the transmission, etc.

  • Like 1

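Added example, not part of any post in this thread: a comparison of the default-password schemes discussed above (phone number, a few random words, random characters on a sticker), plus a provisioning check that rejects a passphrase that is just the account's phone number. The function names, the 2048-word list size, the 10-digit national number format and the sample number are assumptions made for the illustration.

```python
import math
import secrets

# Look-alike characters (0/O, 1/l/I) are left out so a printed sticker is easy to read.
STICKER_ALPHABET = "abcdefghjkmnpqrstuvwxyz23456789"
WORDLIST_SIZE = 2048  # assumption: size of the list the random words are drawn from


def keyspace_bits(choices_per_symbol: int, symbols: int) -> float:
    """Bits of search space when every symbol is chosen uniformly at random."""
    return symbols * math.log2(choices_per_symbol)


def scheme_bits() -> dict:
    """Upper bound on guessing effort for each default-password scheme."""
    return {
        # Upper bound only: a listed business number is public, so the real figure is near zero.
        "phone_number": keyspace_bits(10, 10),
        "three_words": keyspace_bits(WORDLIST_SIZE, 3),
        "random_16": keyspace_bits(len(STICKER_ALPHABET), 16),
    }


def sticker_password(length: int = 16, group: int = 4) -> str:
    """Random per-device passphrase, grouped with dashes for readability."""
    chars = [secrets.choice(STICKER_ALPHABET) for _ in range(length)]
    return "-".join("".join(chars[i:i + group]) for i in range(0, length, group))


def digits_only(text: str) -> str:
    return "".join(c for c in text if c.isdigit())


def derived_from_phone(passphrase: str, account_phone: str) -> bool:
    """Provisioning check: is the passphrase just the account phone number?"""
    national = digits_only(account_phone)[-10:]  # assumption: 10-digit national number
    looks_numeric = all(c.isdigit() or c in " -.()+" for c in passphrase)
    return (looks_numeric and len(national) == 10
            and digits_only(passphrase)[-10:] == national)


if __name__ == "__main__":
    for name, bits in scheme_bits().items():
        print(f"{name:13s} {bits:5.1f} bits")
    candidate = sticker_password()
    print("sticker:", candidate)
    # Constructed sample account number (fictional 555-01xx range).
    print(derived_from_phone("202-555-0143", "+1 (202) 555-0143"))
    print(derived_from_phone(candidate, "+1 (202) 555-0143"))
```
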
+BudMan    3,349
4 hours ago, warwagon said:

Well it doesn't have to be gibberish. Netgear also comes with a random password where they just put 2 or 3 random words together like ..

Maybe Netgear should have spent some more time on their actual code vs being worried about something that should be changed minutes after the device is plugged in anyway ;)

 

https://www.kb.cert.org/vuls/id/582384

Netgear R6200, R6250, R6400, R6700, R6900, R7000, R7100LG, R7300, R7900, R8000, D6220, D6400, and D7000 routers and possibly other models are vulnerable to arbitrary command injection.

 

Solution

The CERT/CC is currently unaware of a practical solution to these problems and recommends the following workaround.

Disable web server

The very vulnerabilities that exist on affected routers may be used to temporarily disable the vulnerable web server until the device is restarted:
http://<router_IP>/cgi-bin/;killall$IFS'httpd'
Note that after performing this step, your router's web administration will not be available until the device is restarted. Please see Bas' Blog for more details.

Do not enable remote administration

Enabling remote administration allows affected routers to be exploited via direct requests from the WAN. As such, users are strongly advised to leave remote administration disabled, or disable it if it has been enabled previously.

Discontinue use
Exploiting these vulnerabilities is trivial. Users who have the option of doing so should strongly consider discontinuing use of affected devices until a fix is made available.

neufuse    3,493
7 hours ago, BudMan said:

They shouldn't be able to..  But if you use "their" device and it has wifi, and they have remote admin - then yeah they most likely would be able to.

 

Not really a fan of PE.. I sure as hell do not like renting say a "modem" that they never freaking update anyway.  I will buy my own equipment thank you very much ;)

In Comcast land even if you own a gateway they apparently still are able to admin it from their side, that's one reason I tell people don't buy gateways... but a modem or an emta... leave the gateways alone... Comcast always screws with bridge mode and they have access to all your wifi settings and Comcast will even put their hotspot settings on your owned gateway...

+BudMan    3,349

Agree, yeah I just have a modem. Wifi doesn't really belong on the router anyway - not if you want good coverage ;)

BinaryData    777
10 hours ago, BudMan said:

Are you saying the customer does not have access to change it after it's set up, and only the company can set it up/change it?  If so then I agree with you.  But if this is the "setup" config - then it is on the user.. Just like it's on the user when you get some new router/other device and don't change the default password.

 

tech: Ok I setup your router, wifi password is your phone number.  I would change that!!

user: Ok thanks..

My mom uses Frontier I think, or one of them. It's her number as the wifi pw. She lives in an apartment complex. It's running WEP, not anything else, the 5GHz band is running more secure.

 

As for configuration access, FAT CHANCE. I asked them to set it up as a straight through, no routing or switching enabled, just a straight pipe so I could hook the router I bought for my mom up, and configure it correctly. Nope. Not allowed. In fact, hooking up your own router, and not using theirs is a violation of the ToS. It's a $500 - $2500 fine, and immediate suspension of services. She has Frontier, CenturyLink, or Comcast, I'm not sure which.

 

My ISP on the other hand, loves the fact that I'm using SMB class gear, that my FW is configured correctly, and I'm not getting their service bashed. Just abused a little..

Anibal P    2,055
19 hours ago, BinaryData said:

My mom uses Frontier I think, or one of them. It's her number as the wifi pw. She lives in an apartment complex. It's running WEP, not anything else, the 5GHz band is running more secure.

 

As for configuration access, FAT CHANCE. I asked them to set it up as a straight through, no routing or switching enabled, just a straight pipe so I could hook the router I bought for my mom up, and configure it correctly. Nope. Not allowed. In fact, hooking up your own router, and not using theirs is a violation of the ToS. It's a $500 - $2500 fine, and immediate suspension of services. She has Frontier, CenturyLink, or Comcast, I'm not sure which.

 

My ISP on the other hand, loves the fact that I'm using SMB class gear, that my FW is configured correctly, and I'm not getting their service bashed. Just abused a little..

 

Not Comcast, and likely illegal or against net neutrality rules 

+warwagon    12,606
On 12/18/2016 at 12:47 PM, Anibal P said:

 

Not Comcast, and likely illegal or against net neutrality rules

Doesn't sound like Frontier either, but now that I think about it, around my GF's neighborhood, there are a lot of CenturyLink wifi access points. I looked up the house addresses on Google to find phone numbers to try to connect with, but no luck on any of them. Then again they were all just called Centurylink with a number after it, so no idea whose was whose.

 

The question was asked on facebook "Do you know how to change your wireless password in the router? Not in your phone or tablet but the password all your devices use to connect to the wifi."

 

At the moment the poll is 57% yes and 43%. Everyone who voted yes so far, All but 3 are Neowin members (Steve, Rich, and Goretsky, Keven and myself) and the other 3  are people that I know are tech-savvy.
