Nothing really technical today, just an opinion on a popular ISP in my area.
When one subscribes, they are offered the choice to receive a wireless router. As an added bonus for people that may not be able to configure the device. It either comes pre-configured, or a technician can swing by and set it up for you.
That’s about the only good thing about the service. As Bob mentioned to me not long ago, he found a few security issues that alarmed me.
For starters, the router is configured by default with WEP which can be easily cracked using air-crack. The default WEP key is actually the router’s serial number. Lastly, and this is what made me jump, there is no username & password on the router… by default! As Bob was telling me, he managed to crack a few WEP keys and enter these “secure” routers provided by one of the biggest ISPs in Canada. The router has many options, such as opening and closing ports. Redirecting traffic.. just to name a few. The worst part, it never asks for a password when saving these new settings.
Another thing that surprised me is that this router also acts as the client’s modem. So along with all the local network’s information found on the device, you can also retrieve the username and password to the customer’s internet connection.
I know for a fact, that often clients with no wireless devices receive these routers so as to setup a local network easily. What does this mean? A vulnerable network, and who knows what it may contain and who may attack it. Now knowing all of this, what would stop someone from coding a virus/worm/trojan to take advantage of this? I don’t know, I suppose its possible, I mean look at Conficker and all it did (and doing). In my opinion, ISPs giving away these unsecure devices and not taking the time to configuring them with a minimum of protection aren’t helping.
Probably, involuntarily of course, are even helping the spread of malware on the net.