Dangerous hospitality

by Volker Weber


Deutsche Telekom is pushing one particular router into the market that once again has proven to be very hospitable. Lots of people seem to buy this device without having an immediate need for its wireless capabilities. Since they don't use the wireless access they probably don't feel an urge to secure it. However, the wireless network is switched on by default. It uses WLAN as its SSID and gives out IP addresses in the 192.168.2.x range.

So, while visiting my mother for Christmas I had access to more than one of those access points in the neighborhood. Having free internet access is a nice thing. However, I wish that the firmware would force the user to change the default password before the ISP username and password can be entered.

This particular router has the default password 0000 and I have yet to find a device where the owner has changed it. Leaving this password at the default value is very dangerous because one can save and download the configuration. I have not yet tried to do so, but I assume that it is possible to recover the password from this saved configuration. At least it does allow any passer-by to clone your settings onto his own machine. It is rather easy to steal a number of these configurations and use them to access the Internet on someone else's contract.

This has a number of unintended consequences. The original owner of a compromised account may not only find himself paying for somebody else's use of the Internet, he also may become a target of a criminal investigation if his account is abused. If I understand the Telekom infrastructure correctly, there is no way to tell from which DSL line an account has been used, so it may be next to impossible to prove your innocence.

This is why I am asking to enforce a password change before one can enter the account data.
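
One way to model the gate asked for above, as an added example that is not the router's firmware or code from this post. `RouterSetup`, `SetupError`, the 10-character minimum and the export format are hypothetical; only the default password 0000 comes from the post.

```python
import hashlib
import hmac
import os

FACTORY_PASSWORD = "0000"   # default password named in the post
MIN_LENGTH = 10             # assumed policy, not from the post


class SetupError(Exception):
    """Raised when a setup step is attempted out of order or with bad input."""


class RouterSetup:
    """Hypothetical first-run state of a router admin interface."""

    def __init__(self):
        self._salt = os.urandom(16)
        self._admin_hash = self._hash(FACTORY_PASSWORD)
        self._isp = None  # (username, password) once provisioned

    def _hash(self, password):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), self._salt, 100_000)

    def check_admin(self, password):
        return hmac.compare_digest(self._admin_hash, self._hash(password))

    def admin_is_factory_default(self):
        return self.check_admin(FACTORY_PASSWORD)

    def change_admin_password(self, old, new):
        if not self.check_admin(old):
            raise SetupError("wrong current password")
        if new == FACTORY_PASSWORD or len(new) < MIN_LENGTH:
            raise SetupError("new password is the factory default or too short")
        self._salt = os.urandom(16)
        self._admin_hash = self._hash(new)

    def set_isp_credentials(self, admin_password, username, isp_password):
        # The gate: no account data is accepted while "0000" still works.
        if self.admin_is_factory_default():
            raise SetupError("change the admin password before entering account data")
        if not self.check_admin(admin_password):
            raise SetupError("wrong admin password")
        self._isp = (username, isp_password)

    def export_config(self, admin_password):
        # The saved configuration omits the ISP password, so a copied file
        # cannot be used to log in with the account from another device.
        if self.admin_is_factory_default() or not self.check_admin(admin_password):
            raise SetupError("export refused")
        return {"isp_username": self._isp[0] if self._isp else None}
```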

Comments

A colleague of mine found an open WLAN at a customer's site. This was from a book store across the street. Not only was the default password still set on the (Linksys) router, there also weren't any passwords set on a PC in the network. So my colleague was able to open docs on it.
He went to that store and told the owner these things. He didn't believe anything until he was told the content of one of the Word docs. He said a "friend" of his had configured the router.

Some weeks later this WLAN is still in the same state and providing free internet access to all WLAN cards in the area...

Oliver, 2003-12-25

I am not so much complaining about the open WLAN but a lot more about the open configuration. Identity theft is a much bigger issue than access to a network.

Of course people should protect their network shares, and of course you have to close your access point if you are on a metered connection, but having someone steal your identity and use it somewhere else is a problem of much greater magnitude.

Volker Weber, 2003-12-25

Volker, I completely agree with the notion of your post. However, there should be a chance to prove your innocence in case your account credentials were stolen. Although it might not be possible to tell the exact DSL line an account was used from, you should be able to identify at least the DSLAM the line in question was connected to. Since the DSLAM has to be quite near to the user's location, there's a high probability that a hijacker would use a different one than the legitimate owner of the account.

Stefan Rubner, 2003-12-26

Since this router had no password set it would have been possible to steal his DSL account, too.

I'm sure there has been an article in c't or heise news about the possibility to use an account on two lines but can't find it. So maybe one of those guys knows more about this.

Oliver, 2003-12-26

No, you cannot steal the "DSL account". DSL is a line and as such "hardwired". :-)

You can steal the router configuration and thus the ISP account that the router connects to via the DSL line. You may even be able to recover the clear text password, and use that on different hardware. I simply don't know that since I never attempted to.

As for parallel use of the account: That would depend on your ISP.

Volker Weber, 2003-12-26

I agree 1000% with Volker; I have installed or helped at least 30 people with their routers, and am amazed at what I have experienced.

Two of my favorite stories:

In one case, the colleague was having trouble getting her VPN to work, so I had her bring everything to my house for a controlled check, since it appeared ok over the phone. I discovered that the WLAN was turned off in her firmware, which meant that the whole time she was using a neighbor's router without knowing it (or the firmware was faulty).

The best one was where someone had a "friend" configure the router for her. I discovered that this "friend" was also using the flat rate T-Online account, since he had even hijacked the T-Online e-mail, which she wasn't using! T-Online uses the IP address for POP3/SMTP verification, so it was easy to cut him off after also changing the web mail password.

Mitch Wolfson, 2003-12-27
