The recent controvery over the Eircom implementation of WEP security still bubbles on. For those not in the know the problem relates to how Eircom, Ireland’s largest ISP, distributed security within the Netopia wireless routers it provides to consumers and small businesses. Since 2005 Eircom has been shipping these routers with wireless networking enabled to support users who wish to use wireless networking within their homes/small offices. In order to secure those wireless routers Eircom also enabled WEP security by default on them. This problem was further compounded by making it relatively easy for people to guess the WEP key for each Eircom installation. It turns out that the WEP key is generated by a combination of the serial number of the router and some lyrics from a Jimi Hendrix song. What has further compounded the problem is the SSID also broadcasts the serial number resulting in it being relatively easy for someone wishing to piggyback on a Eircom subscriber’s wireless network to access the Internet.
In a recent update to the story, it is claimed that Eircom knew about this issue since March of this year but viewed the threat posed by it to be relatively minor.
As I mentioned to the Irish Times this leads to a number of security concerns for the approximatley 200,000 consumers impacted, not least the fact that someone can use your Internet connection for undesirable activity.
But lets look at this in a different light. What Eircom done, i.e. enhancing the security of their clients’ networks, was done with good intentions, but as we all know the road to hell is littered with good intentions. WEP is well known to be a weak security protocol and anyone implementing a wireless network in the past few years, even in 2005, knew not to use WEP to secure their Wireless LAN.
And this is not the first time that WEP has made security headlines, this year’s reported breach at TJX whereby over 45 million credit card details were exposed was as the result of poor WEP implementation as per a previous post.
So yes Eircom made a mistake, but at least they made efforts to try and secure their clients’ networks. There are many other ISPs in the Irish market place who are rolling out wireless routers to their clients with no security. Some will argue that having inadequate security is worse than no security as this can lead to a “false sense of security” and people assuming they are secure when they actually are not.
So what is the answer? Force the ISPs to implement stronger encryption on their wireless routers? What about the cost implications of this? Will the consumer pay the increased cost for this and which ISP will be brave enough to test the market with this?
It looks like the answer lies in educating the end user. But this has repeatedly failed. Users do not seem to care about security unless they are directly impacted. Perhaps we need to stop talking to them in technical terms and maybe in terms they will better understand. Maybe each new wireless router should come with the following;
Improper Use of this router may seriously damage your wealth!!”
As part of work I done with the European Commission I recommended that each new ISP customer should be supplied with a government sponsored leaflet outlining the main security threats they could possibly face with a number of recommended steps to deal with those threats. After all before driving a car you are supposed to have read the rules of the road. It will be interesting to see if this evetually comes to fruition.
For those of you looking to secure your own wireless network, have a look at this previous post which provides video tutorials on how to secure the most popular brands of routers.