The letters which Eircom promised to send out to users to inform them of the security flaw I described previously have started arriving and one of the boards.ie users was good enough to post a scan on his website. In this post I’m just going to go through some of the choice bits of this letter and rip them apart. I really wish Eircom had made a competent reply so this wouldn’t be necessary, but sadly it really is. They still don’t get security and seem more interested in glossing over the problems rather than addressing them.


The security standard is called Wired Equivalent Privacy (WEP) and is a global standard for this type of technology and provides customers with an uncomplicated and easy-to-use level of security.

WEP is a deprecated standard. It is obsolete. It is fundamentally flawed and provides no actual security, just the illusion of security. WEP networks can be cracked in a matter of minutes. You don’t have to take my word for it, Steve Gibson addresses the problems with WEP in a number of episodes of the Security Now podcast. Particularly relevant is episode 108. Here’s a choice quote:

Now WEP is so badly broken that someone with the latest WEP cracking tools, which are, again, freely downloadable and available on the Internet, it takes them about a minute to crack the WEP key on a WEP-encrypted network. Only WPA is safe. And any version of WPA is safe enough.

It should also be noted that the Netopias come with WPA, and that WPA is no more difficult to set up on anything but obsolete machines (I define obsolete as any OS that is no longer supported or which is dramatically unpatched). In fact, under the hood WPA is just WEP with the fatal flaws taken out. It’s the same basic maths going on. WPA was created as the natural successor to WEP, which was known to be flawed.

A more honest though less flattering paragraph might go something like:

We continue to use WEP because it’s easy for us. However, WEP is obsolete and actually provides almost no security. You really should change to WPA, as indeed we should have done ages ago.

OK, let’s continue further down Eircom’s letter:

This is the same method of security provided for other international operators using Netopia modems.

So what? It’s OK for Eircom to provide rubbish security because other companies do too? That just looks like ass-covering to me. “Don’t blame us, we were just blindly following the others”. That’s no excuse in my book. Anyhow, let’s continue.

The wireless access security issue makes it possible for a person with an advanced working knowledge of encryption and coding techniques to illegally access an Eircom customer’s Internet connection.

This statement is technically true, a person with advanced knowledge can indeed do this, BUT SO CAN SOMEONE WITH NO KNOWLEDGE. Eircom are misleading their customers here. It is possible that they did so out of ignorance, but I find that very hard to believe. This information is out there. I have seen web-based versions of this program where you just enter the Eircom SSID of a network and it spits out the default WEP key. This does not take any kind of advanced knowledge. Best case, Eircom are out of touch with what’s going on, which is not good enough in my book; worst case, they are trying to make themselves look better by intentionally misleading their customers, which is totally unacceptable. However, why the letter is misleading is not important; the key point is that it is. This makes people feel safer than they are.

Eircom then compound things by reinforcing the false sense of security many of their customers probably have:

However, when a customer generates their own unique WEP key or password and does not use the default setting, this security risk is removed.

This would lead users to falsely assume that they are safe because they have changed their WEP key. It does not mention the fundamental flaws in WEP, or the fact that to actually get a reasonable level of security you should change to WPA, use a LONG passphrase, and set a password on your router.
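To make that advice checkable, here is a small audit script I have added for this post (it is not Eircom’s or Netopia’s code). It takes the terse output of `nmcli -t -f SSID,SECURITY dev wifi` (a constructed sample is embedded), rates each network according to the WEP/WPA advice above, and checks a candidate WPA passphrase against the WPA-PSK rule that it must be 8 to 63 printable ASCII characters and, per the advice, is long enough.

```python
# Constructed sample in `nmcli -t -f SSID,SECURITY dev wifi` terse format
# (SSID:SECURITY, one network per line); not a real scan.
SAMPLE_SCAN = """\
Home-Net-1:WEP
Kitchen\\:Router:WPA1 WPA2
Office:WPA2
OpenCafe:
OldLaptopAP:WPA1
"""

def parse_nmcli(text):
    """Return (ssid, security) pairs; nmcli escapes ':' inside an SSID as '\\:'."""
    nets = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ssid, _, sec = line.rpartition(":")   # the SECURITY field never contains ':'
        nets.append((ssid.replace("\\:", ":"), sec.strip()))
    return nets

def rate(security):
    """Map nmcli's SECURITY string to (verdict, reason) following the WEP -> WPA advice."""
    flags = set(security.split())
    if not flags:
        return ("OPEN", "no encryption at all")
    if "WEP" in flags:
        return ("BROKEN", "WEP keys are recoverable in minutes; switch to WPA")
    if "WPA2" in flags:
        return ("OK", "WPA2 is the current recommendation")
    if "WPA1" in flags:
        return ("WEAK", "WPA1 only; upgrade to WPA2 if the hardware supports it")
    return ("UNKNOWN", f"unrecognised security string {security!r}")

def check_passphrase(passphrase):
    """WPA-PSK passphrases must be 8-63 printable ASCII chars; also flag short or digit-only ones."""
    problems = []
    if not 8 <= len(passphrase) <= 63 or not passphrase.isascii() or not passphrase.isprintable():
        problems.append("not a valid WPA-PSK passphrase (8-63 printable ASCII chars)")
    elif len(passphrase) < 20:
        problems.append("shorter than 20 characters; use a long passphrase")
    if passphrase.isdigit():
        problems.append("digits only")
    return problems

def audit(text):
    """Rate every network in a scan; returns {ssid: (verdict, reason)}."""
    return {ssid: rate(sec) for ssid, sec in parse_nmcli(text)}

if __name__ == "__main__":
    for ssid, (verdict, why) in audit(SAMPLE_SCAN).items():
        print(f"{ssid:20} {verdict:8} {why}")
    for p in ["12345678", "correct horse battery staple"]:
        print(p, check_passphrase(p) or ["ok"])
```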

The Eircom letter then blunders on into some totally hollow-sounding platitudes about how they take security very seriously:

In light of recent reports in the media we would like to take this opportunity to reassure our Broadband customers that Eircom takes all issues relating to the security of its products and services very seriously. It is our absolute priority to help our customers minimise any wireless security risks on their broadband connection.

I find the last sentence in particular nothing short of insulting. Actions speak louder than words, and from their actions it is clear that Eircom still don’t get security. Were it to really be a priority they would educate themselves on the realities of WEP and on the importance of setting a password on your router, and then pass this knowledge on to their customers. Rather than doing this, Eircom continue to push WEP on their users and tell them it is secure. I see that as nothing short of an outrage.