ISPs that secure customers' wifi with the customer's phone number



So I created a thread about this a while back but damned if I can locate it. I was going to add to it, but I thought, oh well I'll just create a new one.

 

So there is a DSL provider in the town called "Frontier". I think they are nationwide. For every customer, they configure the wifi password as the customer's "Phone number". I also think the Cable provider might do this too.

 

They do this because the average user tends to forget their password and when they do, they contact support. This way support can tell each customer what their Wifi Password is.

 

So here's the issue.

 

Every single bar that I go to in town has their name in the SSID so it's not hard to know who that wifi belongs to. You then look up that bar's phone number on Google and BOOM you are connected.

 

But it gets worse, much worse. 

 

These same individuals who are too stupid to remember their wifi password are also too stupid to actually change their router admin password. Thus on my test, I was able to connect not only to the wifi but into the router itself in 4/5 bars.

 

I remember sitting in the Subway located inside the local Walmart. There was a wifi Access point but it was secured. I think it was called frontier. So I looked up Subway's phone number in this town and BOOM I was connected.

 

I personally think securing a customer's wifi with their phone number is a HORRIBLE idea!

 

 


I personally think that the ISP has no business setting up wifi for clients period.


1 minute ago, adrynalyne said:

I personally think that the ISP has no business setting up wifi for clients period.

 
 

It's mostly on the ISP's DSL Modem / Router


Do they offer this wifi to their "customers"? If so, what difference would it make?  If not, yes it is an issue.

Did you ask the employees for wifi access? Would they give you the password?  If yes, again what would the big deal be?   Sure the router not being secure is an issue in itself but the wifi might be a to-do about nothing.


8 hours ago, warwagon said:

I personally think securing a customer's wifi with their phone number is a HORRIBLE idea!

Are you saying the customer does not have access to change it after it's set up, and only the company can set it up/change it?  If so then I agree with you.  But if this is the "setup" config - then it is on the user.. Just like it's on the user when you get some new router/other device and don't change the default password.

 

tech: Ok I set up your router, wifi password is your phone number.  I would change that!!

user: Ok thanks..


I don't like when ISPs like Comcast have the ability to change your wifi passwords from anywhere... it's open for abuse by rogue employees or others to get into your network (law enforcement, thieves, hackers, etc). In Comcast's case techs can change it without knowing the previous password, CSRs have full access to it and can see it in plain text when it is on one of their rented gateways.


32 minutes ago, BudMan said:

Are you saying the customer does not have access to change it after it's set up, and only the company can set it up/change it?  If so then I agree with you.  But if this is the "setup" config - then it is on the user.. Just like it's on the user when you get some new router/other device and don't change the default password.

 

tech: Ok I set up your router, wifi password is your phone number.  I would change that!!

user: Ok thanks..

And users promptly ignore any comments about security until they get compromised, then blame everyone other than themselves.


20 minutes ago, neufuse said:

I don't like when ISPs like Comcast have the ability to change your wifi passwords from anywhere.

They shouldn't be able to..  But if you use "their" device and it has wifi, and they have remote admin - then yeah they most likely would be able to.

 

Not really a fan of PE.. I sure as hell do not like renting say a "modem" that they never freaking update anyway.  I will buy my own equipment thank you very much ;)


Why can't they just put a randomly generated password on a sticker on the back of each router they ship out to customers? Can't be that hard. Most ISPs I've encountered over here do it.

 

Laziness on behalf of the provider?

 

Longest I went with default login details was 2 weeks while I waited for my fiber connection to settle in. As soon as that was up I stuck my own password in and changed the SSID as well on both 2.4 and 5 GHz wifi the router spits out.


1 hour ago, BudMan said:

Are you saying the customer does not have access to change it after it's set up, and only the company can set it up/change it?  If so then I agree with you.  But if this is the "setup" config - then it is on the user.. Just like it's on the user when you get some new router/other device and don't change the default password.

 

tech: Ok I set up your router, wifi password is your phone number.  I would change that!!

user: Ok thanks..

 
 

The DSL Modem / Router comes preconfigured to the user's DSL account and the Wifi is already set up with the phone number as their password. As far as "Being on the user" ... gotta disagree. As simple as it may be to change the password, the average user has NO CLUE! http://192.168.254.254 ----WUT?

 

Although having the ISP make a random password and sticking the password on the outside of the modem / router is a good idea.


6 minutes ago, warwagon said:

the average user has NO FRICK'N CLUE!"

While I completely agree with that statement..

 

How is that the ISP problem??  I mean really - that again is on the freaking user.. Sorry.. Not asking the user to know how to do brain surgery here..  How is this any different than setting say the pin on your phone?  Or setting the time on your microwave clock you just bought.. How about adjusting the level on your toaster when the toast is not dark enough?  How about changing the time on your watch?

 

To your point if they made it a random, with a sticker on the back.. These no clue users wouldn't have a clue to even log in..


5 minutes ago, BudMan said:

While I completely agree with that statement..

 

How is that the ISP problem??  I mean really - that again is on the freaking user.. Sorry.. Not asking the user to know how to do brain surgery here..  How is this any

 
 
 
 
 
 

Most average users don't even know where the address bar is in the web browser. You mention the word "Clock in the bottom right" ... they can't find it until you correct yourself and say "The time" :D

 

There is a difference between setting the clock on a Microwave, the Darkness on your toast and Logging into a web interface via the router's default gateway and setting the wireless password.

 

To you and me, yes, it's as easy as setting the darkness on your toast, but for the average user, not so much.

 

My mom could do it (I've taught her well) ... but my dad? HA! He wouldn't even know where to start.


And I hear you and agree with you.. Just saying why is that the ISP problem??  That is the user's problem pure and simple..

 

My 2 year old grandson knows how to open up apps on the iPad and play games and watch videos on YouTube.. How is it that a grown person that you would assume graduated at least high school cannot do basic functions on everyday technology?


15 minutes ago, warwagon said:

The DSL Modem / Router comes preconfigured to the user's DSL account and the Wifi is already set up with the phone number as their password. As far as "Being on the user" ... gotta disagree. As simple as it may be to change the password, the average user has NO CLUE! http://192.168.254.254 ----WUT?

 

Although having the ISP make a random password and sticking the password on the outside of the modem / router is a good idea.

But instead of going through the effort to use their details for the password, they can just use randomly generated passwords.

 

And again maybe this is a UK thing, but our ISPs usually include a short leaflet to set up the provided routers. Those guides usually tell them to navigate to "https://routerlogin.net" to start, rather than the IP. Bad documentation and sheer laziness are the reason they receive calls over simple questions.


3 minutes ago, BudMan said:

And I hear you and agree with you.. Just saying why is that the ISP problem??  That is the user's problem pure and simple..

 

My 2 year old grandson knows how to open up apps on the iPad and play games and watch videos on YouTube.. How is it that a grown person that you would assume graduated at least high school cannot do basic functions on everyday technology?

 
 

While it's not the ISP's fault per se ....

 

A term coined by Steve Gibson which I completely agree with, it's called..

 

"the tyranny of the default" ... the tyranny of the default is sort of the expression I like to use for that most users don’t go in and change things. They just assume that someone smarter than them chose the settings that are best for them… So what that means is that, if it’s enabled by default, it’ll tend to stay on


2 minutes ago, Andrew said:

But instead of going through the effort to use their details for the password, they can just use randomly generated passwords.

 

I completely agree.


And how many complaints you think that would generate from the masses... Why do I have to type in this 20 character Random -- WTF!!!! your product sucks!!!  Who was the idiot that came up with this idea??  The type is too small, how do they expect anyone to read this, etc. etc. etc..

 

Why don't you suggest that to this company that is doing that, and see what they say ;)


1 minute ago, BudMan said:

And how many complaints you think that would generate from the masses... Why do I have to type in this 20 character Random -- WTF!!!! your product sucks!!!  Who was the idiot that came up with this idea??

 

Why don't you suggest that to this company that is doing that, and see what they say ;)

 

Well it doesn't have to be gibberish. Netgear also comes with a random password where they just put 2 or 3 random words together like ..

 

Lakesunnydrive.

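The default-password schemes debated in this thread (phone number, random string on a sticker, a few random words) compared by entropy, together with an audit check that flags a PSK that is just the account's phone number. This is an added example, not part of any poster's message; the 7776-word list size, the sticker alphabet and the 555-01xx phone numbers are constructed assumptions.

```python
import math
import re
import secrets

# Sticker-friendly alphabet (assumption): drops 0/o, 1/l/i so small print is
# harder to misread. 23 letters + 8 digits = 31 symbols.
STICKER_ALPHABET = "abcdefghjkmnpqrstuvwxyz23456789"


def entropy_bits(choices, picks):
    """Entropy of `picks` independent, uniform draws from `choices` options."""
    return picks * math.log2(choices)


def scheme_entropy():
    """Upper bounds per scheme; they only hold if the value is truly secret."""
    return {
        # A listed business number is public, so its real secrecy is ~0 bits.
        "phone number, 10 digits, nothing known": entropy_bits(10, 10),
        "phone number, area code + exchange known": entropy_bits(10, 4),
        "3 random words from a 7776-word list": entropy_bits(7776, 3),
        "16 random sticker characters": entropy_bits(len(STICKER_ALPHABET), 16),
    }


def random_sticker_password(length=16):
    """Per-device default drawn from the OS CSPRNG, printed on the label."""
    return "".join(secrets.choice(STICKER_ALPHABET) for _ in range(length))


def psk_is_phone_number(psk, customer_phone):
    """Audit check: is the Wi-Fi PSK just the account's phone number?"""
    if re.sub(r"[\d\s().+-]", "", psk):
        return False  # contains characters that are not phone formatting
    psk_digits = re.sub(r"\D", "", psk)
    phone_digits = re.sub(r"\D", "", customer_phone)
    short, long_ = sorted((psk_digits, phone_digits), key=len)
    # Match with or without country/area code, but require 7+ digits.
    return len(short) >= 7 and long_.endswith(short)


if __name__ == "__main__":
    for scheme, bits in scheme_entropy().items():
        print(f"{bits:5.1f} bits  {scheme}")
    # Constructed account records (555-01xx numbers are fictional).
    accounts = [("(202) 555-0143", "2025550143"),
                ("+1 202 555 0177", random_sticker_password())]
    for phone, psk in accounts:
        flag = "WEAK: phone number" if psk_is_phone_number(psk, phone) else "ok"
        print(f"{phone:>16}  {flag}")
```
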

Well that's pretty useless, can hack something like that in a matter of minutes..... That isn't much better than just using someone's phone number ;)

 

Does not matter what they make the "setup" password.  Be it something random, some info from the user/customer, some info from the device (mac address), or something default like linksys or cisco.  Not changing the default password is completely on the end user..  If they leave it at what it was out of the box they are asking for trouble.

 

What I would be more concerned with is these IoT devices that have backdoor passwords that are common, this is beyond moronic and squarely on the maker of said device.  The user changed the web interface login to something secure.. But how are they supposed to know that there is an admin backdoor with url ?=admin, etc.

 

This sort of setup is just unforgivable from a security point of view from companies that are deploying mass amounts of hardware that will be plugged into the public internet.. 

 

Now you're asking the user to have to do security evaluations of the device/firmware/etc...  This is beyond what should be expected from the end user.. You can expect the user to set up the radio stations on the radio in their new car.. You don't expect the end user to be able to change out the transmission, etc.


4 hours ago, warwagon said:

Well it doesn't have to be gibberish. Netgear also comes with a random password where they just put 2 or 3 random words together like ..

Maybe Netgear should have spent some more time on their actual code vs being worried about something that should be changed minutes after the device is plugged in anyway ;)

 

https://www.kb.cert.org/vuls/id/582384

Netgear R6200, R6250, R6400, R6700, R6900, R7000, R7100LG, R7300, R7900, R8000, D6220, D6400, and D7000 routers and possibly other models are vulnerable to arbitrary command injection.

 

Solution

The CERT/CC is currently unaware of a practical solution to these problems and recommends the following workaround.

Disable web server

The very vulnerabilities that exist on affected routers may be used to temporarily disable the vulnerable web server until the device is restarted:
http://<router_IP>/cgi-bin/;killall$IFS'httpd'
Note that after performing this step, your router's web administration will not be available until the device is restarted. Please see Bas' Blog for more details.

Do not enable remote administration

Enabling remote administration allows affected routers to be exploited via direct requests from the WAN. As such, users are strongly advised to leave remote administration disabled, or disable it if it has been enabled previously.

Discontinue use
Exploiting these vulnerabilities is trivial. Users who have the option of doing so should strongly consider discontinuing use of affected devices until a fix is made available.


7 hours ago, BudMan said:

They shouldn't be able to..  But if you use "their" device and it has wifi, and they have remote admin - then yeah they most likely would be able to.

 

Not really a fan of PE.. I sure as hell do not like renting say a "modem" that they never freaking update anyway.  I will buy my own equipment thank you very much ;)

In Comcast land even if you own a gateway they apparently still are able to admin it from their side, that's one reason I tell people don't buy gateways... but a modem or an emta... leave the gateways alone... Comcast always screws with bridge mode and they have access to all your wifi settings and Comcast will even put their hotspot settings on your owned gateway...


Agree, yeah I just have a modem. Wifi doesn't really belong on the router anyway - not if you want good coverage ;)


10 hours ago, BudMan said:

Are you saying the customer does not have access to change it after it's set up, and only the company can set it up/change it?  If so then I agree with you.  But if this is the "setup" config - then it is on the user.. Just like it's on the user when you get some new router/other device and don't change the default password.

 

tech: Ok I set up your router, wifi password is your phone number.  I would change that!!

user: Ok thanks..

My mom uses Frontier I think, or one of them. It's her number as the wifi pw. She lives in an Apartment complex. It's running WEP, not anything else, the 5GHz band is running more secure.

 

As for configuration access, FAT CHANCE. I asked them to set it up as a straight through, no routing or switching enabled, just a straight pipe so I could hook the router I bought for my mom up, and configure it correctly. Nope. Not allowed. In fact, hooking up your own router, and not using theirs is a violation of the ToS. It's a $500 - $2500 fine, and immediate suspension of services. She has Frontier, CenturyLink, or Comcast, I'm not sure which.

 

My ISP on the other hand, loves the fact that I'm using SMB class gear, that my FW is configured correctly, and I'm not getting their service bashed. Just abused a little..


19 hours ago, BinaryData said:

My mom uses Frontier I think, or one of them. It's her number as the wifi pw. She lives in an Apartment complex. It's running WEP, not anything else, the 5GHz band is running more secure.

 

As for configuration access, FAT CHANCE. I asked them to set it up as a straight through, no routing or switching enabled, just a straight pipe so I could hook the router I bought for my mom up, and configure it correctly. Nope. Not allowed. In fact, hooking up your own router, and not using theirs is a violation of the ToS. It's a $500 - $2500 fine, and immediate suspension of services. She has Frontier, CenturyLink, or Comcast, I'm not sure which.

 

My ISP on the other hand, loves the fact that I'm using SMB class gear, that my FW is configured correctly, and I'm not getting their service bashed. Just abused a little..

 

Not Comcast, and likely illegal or against net neutrality rules 
