Insecure by default
by Volker Weber
Recently I discovered through the use of Boingo* that there is a second WLAN in my neighborhood. As you can see from the picture above it is unprotected. I connected and received the IP adress 192.168.2.2. Well, that made me curious and I http'ed to 192.168.2.1 and there was a login screen for a Telekom Sinus 130DSL wireless access router. I asked Google for the default password and that turned out to be "0000". I was in.
So this router has WLAN enabled by default, it has set its SSID to WLAN and accepts "ANY" as a second SSID. No WEP encrpytion. I wonder what the owner would do if I changed the password from "0000" to, say "6666"? Does it have a master reset?
*) Boingo is free to download. If you use a Stinkpad, I highly recommend IBM Access Connections, which also includes this WLAN discovery. See vowe's choice. The software is free to download and use, but only runs on IBM gear.
Comments
Even more curious is that this Router serves arbitrary DHCP requests by default.
My Digitus WLAN router does not. In order to use it, you have to login to an admin console at least once and enable the DHCP server either for defined MACs or with WEP.
Inviting thousands of people to exploit unprotected WLAN DSL ports may become a realistic thread if pirate ISP's start to engage in this business. Thanks to vowe I found another low-investment business model today ;-)
Well, those who can afford ThinkPads normally also afford personal access points for convenience, n'est ce pas ?
My university took a different approach for its on-campus (sadly not yet campus wide) WLAN:
The authentication works via an HTTPS encrypted web form where you have to enter your (e-mail) user name and password. On the plus side that really a cross plattform solution without the pain of running an up-to-date register of MAC addresses but of course you are stuck with an otherwise unencrypted WLAN connection. In the initial setup they used VPN for the authentication but back than OS X had no built in support for that (and of the two third party clients I knew/found, one didn't work and the other one was way too expensive after its free beta phase was over) and so I'm not really complaining... :-)
Sure, Volki. As you can see there is another signal available.
Post a comment
Recent comments
Tobias Lange
on Remember, it's always the cable at 13:16
Volker Weber
on Remember, it's always the cable at 12:21
Ian White
on Remember, it's always the cable at 11:56
Andy Brunner
on Remember, it's always the cable at 11:37
Ben Rose
on Remember, it's always the cable at 11:33
Ben Poole
on It has only been less than two hours at 09:44
Frank L. Quednau
on It has only been less than two hours at 09:29
Martin Hiegl
on It has only been less than two hours at 08:27
Stephan H. Wissel
on Notes.ini parameter RunFaster=1 is finally here at 05:24
Volker Weber
on It has only been less than two hours at 01:33
Thomas "Duffbert" Duff
on It has only been less than two hours at 01:26
Chris Linfoot
on Planet Lotus not picking up Christopher's feed at 21:56
Yancy Lent
on Planet Lotus not picking up Christopher's feed at 19:48
Bruce Elgort
on Robin Bloor: Why Google Chrome Will Dominate at 18:51
Mac Guidera
on Planet Lotus not picking up Christopher's feed at 16:04
Kevan Emmott
on 824 Chrome users so far today at 15:56
Chris Linfoot
on Planet Lotus not picking up Christopher's feed at 14:54
Lars Berntrop-Bos
on Planet Lotus not picking up Christopher's feed at 13:12
Andreas Braukmann
on 824 Chrome users so far today at 11:33
Nick Daisley
on Robin Bloor: Why Google Chrome Will Dominate at 10:14
Chris Linfoot
on Planet Lotus not picking up Christopher's feed at 09:42
Alper Iseri
on 824 Chrome users so far today at 09:38
Jean Pierre Wenzel
on 824 Chrome users so far today at 08:37
Jan-Piet Mens
on Robin Bloor: Why Google Chrome Will Dominate at 08:26
Benjamin Stein
on Synchronizing iPhone with ... Lotus Notes at 07:18
Click here to subscribe
