I had heard complaints from people in the past that Eircom didn’t seem to do the whole security thing properly at all. I guess I just hoped they’d have sorted themselves out by now. They haven’t. I’m not sure if it’s down to incompetence or just not caring about their customers, but in my book there are no valid excuses for leaving your customers exposed.

Eircom have chosen to give their customers a wireless router. This makes things a lot simpler for the customer since it means they don’t have to go messing around with cables and such, but it potentially opens them up to significantly higher security risks. In the relationship between an Internet Service Provider (ISP) and a customer, the ISP must be the one on top of security issues. The average broadband customer cannot realistically be expected to be a security expert. Customers can only be expected to follow instructions from their ISP, and they have every right to assume that these instructions will not expose them to serious risks. Having gone through the process of setting up Eircom broadband for my grandfather last weekend, I can tell you they are totally failing to protect their users by instructing their customers to set up their networks in a way that is highly insecure.


The Flaws

There are two fundamental flaws in Eircom’s default setup and I’ll look at each in turn.

The first problem is that no password is set on the router by default. This leaves the configuration open to change by any person using, or any program or script running on, any computer on your home network. At first glance this may not seem like a big problem, but it is. Modern web technologies like AJAX make it trivial for websites to use your web browser to launch attacks against your router. The worst-case scenario would go something like this:

  1. You get an email from a friend telling you about a cool flash game they found on the net
  2. You have some time on your hands so you follow the link and start to get engrossed in the game
  3. While you’re playing the game, your browser is executing a malicious piece of JavaScript in the background on the same page as the game
  4. Since your browser is running on your machine it has full access to your home network – the script simply scans for known makes and models of router and tries to access the configuration pages behind your back
  5. You notice NOTHING as your browser invisibly finds your Eircom router without a password and re-configures the firewall on it to allow full access to your machine from the outside world
  6. Now that your router’s firewall features have been neutralised you are wide open to attack from anywhere in the world. The owner of the site can now use any known remote attack against your now exposed machine and soon takes it over.
  7. The attacker silently installs a web server on your machine and starts serving out child pornography from YOUR computer
  8. Millions of perverts from around the world now leech YOUR bandwidth to view this illegal material now being hosted on your computer without your knowledge
  9. The first you know about any of this is when the police call to arrest you for possessing and distributing child pornography

Sure, this is a worst-case scenario, but far from an impossible one. The attacker may choose to simply install some key logging software on your computer instead; that way he can steal your bank details and other personal information. He may also decide to subscribe your computer to a botnet to have it send out spam or launch DDoS attacks on other systems. What’s worse is that these JavaScript-based attacks on broadband routers are not just theoretical, they are really happening.

The point is clear: by not having a password on their routers Eircom are opening their customers up to a world of trouble. I’d go so far as to call this criminal negligence from a company that absolutely should know better.

The second problem is their choice of encryption. For your privacy and protection it is vital that your wireless network be protected from eavesdroppers and intruders by encrypting all the data that gets sent through the air. Once an attacker breaks into your wireless network they have direct access to all the machines on that network and are in a position to monitor all traffic on that network. Again, this gives the attacker an opportunity to collect personal or financial information, or to launch attacks against machines on your network to try to take them over.

Eircom are not quite incompetent enough not to use any encryption; they are just using encryption that has been totally and utterly broken and now presents effectively no obstacle to an informed attacker. Eircom use WEP, which provides about as much security as erecting a sign that says “please don’t rob me”. There are two things that make this all the worse in my opinion: firstly, the routers they supply DO support the actually secure WPA encryption scheme, and secondly, using WEP gives uninformed users the illusion of protection when in reality they are completely vulnerable.

Again, in my book, this amounts to totally unacceptable behaviour for an ISP.

Two Simple Steps To Protect Yourself

If you are an Eircom customer using their default setup you need to take two very simple steps to plug these two security holes:

  1. Set a password on your router’s administration interface
  2. Change the encryption scheme from WEP to WPA with a Pre-Shared Key (PSK).
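
To confirm that the second step took effect, you can check what your access point actually advertises. The following is an added example, not part of the original post: it classifies each network in the text printed by the Linux `iwlist <interface> scan` command as OPEN, WEP, WPA or WPA2. The sample scan, the addresses, the network names and the function names are all constructed for illustration.

```python
import re

# Constructed sample in the layout printed by `iwlist <interface> scan` on Linux.
SAMPLE_SCAN = """\
wlan0     Scan completed :
          Cell 01 - Address: 02:00:00:00:00:01
                    ESSID:"home-default"
                    Encryption key:on
          Cell 02 - Address: 02:00:00:00:00:02
                    ESSID:"home-fixed"
                    Encryption key:on
                    IE: WPA Version 1
          Cell 03 - Address: 02:00:00:00:00:03
                    ESSID:"cafe"
                    Encryption key:off
          Cell 04 - Address: 02:00:00:00:00:04
                    ESSID:"office"
                    Encryption key:on
                    IE: IEEE 802.11i/WPA2 Version 1
"""

def classify_networks(scan_text):
    """Return a list of (bssid, essid, mode) with mode OPEN, WEP, WPA or WPA2."""
    results = []
    # Each access point starts with a "Cell NN - " header; chunk 0 is the preamble.
    for cell in re.split(r"Cell \d+ - ", scan_text)[1:]:
        bssid = re.search(r"Address: ([0-9A-Fa-f:]{17})", cell)
        essid = re.search(r'ESSID:"(.*)"', cell)
        if "Encryption key:on" not in cell:
            mode = "OPEN"
        elif "IE: IEEE 802.11i/WPA2" in cell:
            mode = "WPA2"
        elif "IE: WPA Version" in cell:
            mode = "WPA"
        else:
            # Encryption is on but no WPA/WPA2 element is advertised: WEP.
            mode = "WEP"
        results.append((bssid.group(1) if bssid else "?",
                        essid.group(1) if essid else "<hidden>", mode))
    return results

def weak_networks(scan_text):
    """Networks that are open or still on WEP and need reconfiguring."""
    return [c for c in classify_networks(scan_text) if c[2] in ("OPEN", "WEP")]

if __name__ == "__main__":
    for bssid, essid, mode in classify_networks(SAMPLE_SCAN):
        flag = "  <-- change to WPA-PSK" if mode in ("OPEN", "WEP") else ""
        print(f"{bssid}  {essid:<14} {mode}{flag}")
```

After changing the router setting, your own network should move from the WEP row to WPA or WPA2 in a fresh scan.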

Update (30 April 2008): More detailed instructions on securing Eircom wireless routers are now available here.