Your Home Router May Also Be a Public Hotspot — COMCAST


Johnny_Robot

We have this here in the Netherlands as well, primarily by the 2 (well, 1 since the takeover) cable internet providers, Ziggo and UPC. I'm on Ziggo so I know how their setup works.

What it boils down to is that you first get some extra bandwidth allocated to play with (for me: from 20 Mbit/s to 22 Mbit/s) and of that, 1 Mbit/s is 'reserved' for their so-called "wifispots" feature. Each Ziggo cable modem, SSID by default ZiggoA9999 where A is any capital letter and the 4 9's any combination of numbers, also presents a 'Ziggo' SSID. You can opt out of providing the Wifispot, but then you also don't get the extra bandwidth.

For me, living in an apartment building many floors up, it's a no-brainer: fat chance of having some random schmuck passing by and using my Wifispot, so that reserved 1 Mbit/s can be used by me as well until someone manages to grow wings and hover outside my window in an effort to acquire free wifi.

Now, from a hacking point of view, this stuff is *HILARIOUS*!

With your typical AP you identify to the AP itself, but for this service you provide credentials which are then sent on to a RADIUS server at the ISP. In wpa_supplicant-speak:

network={
    ssid="Ziggo"
    scan_ssid=1
    key_mgmt=WPA-EAP
    eap=PEAP
    # no ca_cert is set, so the server certificate is not verified
    identity="SoMeUsErId"
    password="PaSsWoRd"
}

The hilarious bit about this is that when you go *ANYWHERE* and set up Jasager to identify itself as an AP by this name that will accept a username/password, that username/pass will be exchanged and you'll have another account that you can use effectively *NATIONWIDE*!

And unless someone is standing next to you to verify that the credentials you're employing are valid for you, specifically (since, after all, the credentials are intended to be used by everyone in a full household and not just the billpayer, say) there's no way to say what you're doing is not legal.

And until someone bothers to change his account, which should be VERY rare because at least here you yourself can't change either the username or the password and you have absolutely NO WAY of discovering if someone's running amok with your credentials on the other side of the country, you're good to go.

This particular scenario has been pointed out to Ziggo and their official response is that "it's impossible to completely secure a system" and currently they don't feel additional security measures are called for.

Edited by Cooper
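
A client-side check for the weakness described in the post above, as an added example that is not part of the original post: it scans wpa_supplicant configuration text for WPA-EAP networks using PEAP or TTLS that do not validate the RADIUS server certificate. The sample config is constructed; the "Ziggo-validated" SSID, the CA path and the server domain are placeholders, not the ISP's real values.

```python
import re

TRUST_ANCHORS = ("ca_cert", "ca_path")  # which CA may sign the RADIUS server cert
NAME_CHECKS = ("domain_suffix_match", "domain_match", "subject_match", "altsubject_match")
TUNNELLED = {"PEAP", "TTLS"}  # EAP methods that send a password through a TLS tunnel

def parse_networks(text):
    """Return one {option: value} dict per network={...} block."""
    networks = []
    for body in re.findall(r"network\s*=\s*\{(.*?)\n\s*\}", text, re.S):
        net = {}
        for line in body.splitlines():
            line = line.strip()
            if line and not line.startswith("#") and "=" in line:
                key, value = line.split("=", 1)
                net[key.strip()] = value.strip().strip('"')
        networks.append(net)
    return networks

def audit(text):
    """Return (ssid, finding) pairs for networks that trust any AP using the SSID."""
    findings = []
    for net in parse_networks(text):
        # An unset eap= allows every compiled-in method, tunnelled ones included.
        methods = set(net.get("eap", "").upper().split()) or TUNNELLED
        if "WPA-EAP" not in net.get("key_mgmt", "").split() or not methods & TUNNELLED:
            continue
        ssid = net.get("ssid", "?")
        if not any(k in net for k in TRUST_ANCHORS):
            findings.append((ssid, "server certificate not verified (no ca_cert/ca_path)"))
        elif not any(k in net for k in NAME_CHECKS):
            findings.append((ssid, "trusted CA set, but server name not checked"))
    return findings
# Constructed sample: the post's block (trimmed), then one with validation (placeholders).
SAMPLE = '''
network={
    ssid="Ziggo"
    key_mgmt=WPA-EAP
    eap=PEAP
}
network={
    ssid="Ziggo-validated"
    key_mgmt=WPA-EAP
    eap=PEAP
    ca_cert="/etc/ssl/certs/placeholder-radius-ca.pem"
    domain_suffix_match="radius.example.net"
}
'''
print(audit(SAMPLE))
```

Only the first block is reported; the second pins both the signing CA and the expected server name, so the supplicant refuses to start the password exchange with an access point that merely advertises the same SSID.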