
wifi routers (netgear, etc)


metal_wraith


Lately where I am in MA just like my friend's place.. Typical Netgear with default everything, until I helped him set up wep, etc... But still when it was set up as the factory layout. I found that whenever I went places, be it my netbook or tablet would automatically connect me up to whoever's similar Netgear setups were in the same areas. Just amazes me how many leave their things set with the default settings, and don't bother changing anything. I figure it's mostly older people, and those that aren't really worried about security, etc.

Of course if I knew who had those connections I'd let them know to change their settings, etc. Granted if I wanted to be a jerk I could change all their settings, obviously I don't. But temptation is there. lol I'm sure then they'd be like "WTF".

Please... no... not WEP.


A majority of people don't change the defaults on things. I blame the manufacturers for not forcing it in some way and having different defaults on each device.

Yeah, most consumers pull it out, plug it in, turn it on, and go. This is pretty much to be expected and I don't see it changing any time soon though.

Other than hard coded, non-changeable passwords, we can only hold manufacturers responsible for so long though. Most every device ships with some form of default password, but that's what manuals are for. At some point, the person installing a device should read the documentation. If the first thing instructions say when setting up is change the password, well, let's start there.


I don't think there is anything you could write in a manual that would get people to change a default password so the way I see it there are two options:

For something like a router or AP, set it up as a captive portal and force the user to work through a wizard to set at least the basic things such as password. They aren't allowed beyond the portal till that is done. Maybe not the most user friendly but would only need to be done once and if the interface is written well enough then should be quick and simple. A potential problem with this is if someone sets up a site that simulates this wizard and tricks someone into believing that they have to do it again as the device has forgotten the details. Not sure off hand how to prevent that but there is probably a way and the attacker would have to know what type of device they are using to simulate it.

Have a unique default for each device. Some devices do it, especially APs where their ESSID and/or the WPA password is unique per device. Even if this isn't changed then it prevents attackers going straight in.

And finally, the interface on devices should never be accessible from the internet side and if wifi is protected well enough shouldn't be accessible by a casual user.

Can't say I don't agree with you on each of those points. Personally, I think remote access should be off by default on consumer based routers, but sadly it's almost always on for all the major brands. What they really should do, is do away with no encryption at all and WEP altogether. At a minimum all new routers should only allow WPA as the lowest on the totem pole, with WPA2 and then up depending on the user's network. Problem is, people still using wifi devices that aren't even capable of WPA (like my sister's old laptop that only did 802.11a/b WEP at best) but the easy fix was a USB NIC and she was good to go. Although, she was still using XP, but that's more or less because it was an old laptop, and that brings the question, if we force users to WPA and up, what happens to the consumer who is still running XPSP2 at home or an old HTPC or game console that can't do any encryption?

Bottom line, users at some point, need to meet in the middle where technology is today, and get with the program of knowing that, hey, 1, change default password, 2, change SSID, 3, enable at a minimum WPA, or WPA2 if possible, and 4, disable remote admin control (including administration over wifi and enabling https only if capable).

Home users are pretty much like work users in the corporate office. They just expect to turn it on and go, but even if we prompt them, 9 times out of 10, they'd rather bypass protections to get to their facebook, than keep the network safe.

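Added example (not part of any post in this thread, and not any vendor's code): the four-point checklist from the post above written as an audit over a router configuration. The config keys, the list of default passwords and the default-SSID pattern are constructed for illustration; missing settings are treated as unsafe.

```python
import re

# Constructed sample values, not taken from any vendor's documentation.
DEFAULT_PASSWORDS = {"", "admin", "password", "1234"}
DEFAULT_SSID = re.compile(r"^(netgear|linksys|dlink|default)[-_ ]?\w*$", re.I)
ENCRYPTION_RANK = {"none": 0, "wep": 1, "wpa": 2, "wpa2": 3}


def audit(cfg):
    """Return the checklist items (1-4) that the given config fails."""
    findings = []
    # 1. Change the default password.
    if cfg.get("admin_password", "").lower() in DEFAULT_PASSWORDS:
        findings.append("1: admin password is a factory default")
    # 2. Change the SSID.
    if DEFAULT_SSID.match(cfg.get("ssid", "")):
        findings.append("2: SSID looks like a factory default")
    # 3. WPA at a minimum, WPA2 if possible. Unknown modes rank as 'none'.
    rank = ENCRYPTION_RANK.get(cfg.get("encryption", "none").lower(), 0)
    if rank < ENCRYPTION_RANK["wpa"]:
        findings.append("3: encryption is below WPA")
    elif rank < ENCRYPTION_RANK["wpa2"]:
        findings.append("3: WPA in use, move to WPA2 if clients allow")
    # 4. Remote admin off, no admin over Wi-Fi, HTTPS only.
    if cfg.get("remote_admin", True):
        findings.append("4: remote (WAN-side) administration is enabled")
    if cfg.get("admin_over_wifi", True):
        findings.append("4: administration over Wi-Fi is enabled")
    if not cfg.get("admin_https_only", False):
        findings.append("4: admin interface is not HTTPS-only")
    return findings


# Constructed inputs: an out-of-the-box unit and a hardened one.
FACTORY = {"admin_password": "password", "ssid": "NETGEAR", "encryption": "none",
           "remote_admin": True, "admin_over_wifi": True, "admin_https_only": False}
HARDENED = {"admin_password": "k7#Vq2!mZp9w", "ssid": "maple-attic",
            "encryption": "WPA2", "remote_admin": False,
            "admin_over_wifi": False, "admin_https_only": True}

if __name__ == "__main__":
    for name, cfg in (("factory", FACTORY), ("hardened", HARDENED)):
        print(name, audit(cfg) or "OK")
```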

If some devices force the security to be set before use then they could start the education process. Make a big thing about it and try to get users questioning why other things don't do the same.

I can't see any other way to get education to the users as they really won't read the manual if they can avoid it.

And I think APs will start to drop WEP at some point but for now it lets them print an extra badge/logo on the box and have an extra bullet point on the features list so why drop it?

I hear ya. Preaching to the choir. I just don't see the landscape changing on the manufacturer level any time soon. My Asus did walk through a setup wizard though, which was kind of nice to see a company taking some initiative, but it was more a pain in the ass to get out of and logon directly to administrate than it was an ease of use since it wanted to use WPS and all that jazz which I disabled. Right now, my WPS button toggles the radios on the router itself, so I can disable wifi altogether, which I love. I think they should have some sort of captive portal setup though like you mentioned, just once they are in, is the user going to secure it or pick something they are used to like linksys and a password like their phone number.

@digip I agree. Most people, manufacturers included, don't give a rat's ass. They still ship devices that support WEP! You won't believe how many people depend on WEP protection, even though it's crackable. The only real WIFI protection around is WPA2/AES. Security experts generally recommend a hidden SSID, MAC filtering, and frequently changing the 63 char hex passwd along with the SSID.


No one who knows their stuff recommends hiding SSIDs or MAC filtering, they are both a waste of time as security measures and the hindrance they add to a normal user outweighs any positive arguments that could be given for either.

I'd say hiding an SSID does little as digininja mentioned, since probed packets give away the name of a hidden SSID, and can be seen by tools like kismet and aircrack anyway, so they do little to thwart attacks. I still use mac address filtering, even though I know it can be spoofed, but I don't not use it knowing this. I keep the radio off when not using wifi, and when I turn the radio on, we keep a pretty good eye on the network and what's happening around us. Wifi in general, even WPA2 is still crackable. As far as I am concerned the words wifi and secure don't belong in the same sentence as I don't believe you really can have both. Radius helps, but even radius attacks happen, and wifi in general for me, is temporary home stuff when we get on the tablets or on the road, but even at home, we use a VPN service, so all our traffic is encrypted on each device, wired and wireless. I'm one of those "don't trust my own ISP" kind of guys, and rarely use the internet in general without the VPN on, even when at home, just because of the fact we have wifi devices in the home.