

Tanshin

join:2009-07-18
West Simsbury, CT
kudos:1
Reviews:
·ooma

Wireless Network Key in Plain Text?

I just got back home tonight from a long year of classes and decided to see if anything had changed with our router's firmware (3801HGV). Much to my disappointment, it looks like our network key is now proudly displayed on the router home page in plain text. I changed our network key back to the default on the sticker until I can come up with something unique for the router, but I have some questions about this. How long has this been this way? Who thought this was a good idea?

Paralel

join:2011-03-24
Michigan, US
kudos:4
This happened with the latest firmware that was rolled out. I have no idea who thought it was a good idea. I think it's one of the most ridiculous things I've ever seen with regard to wireless security.


Wily_One
Premium
join:2002-11-24
San Jose, CA
reply to Tanshin
I have a 3801HGV and there is no Wireless Network Key on my homepage. (192.168.1.254/)


brookeKrige

join:2012-11-05
San Jose, CA
kudos:3
...because you (and I) don't get the new FW. ;(

Were posts about new options (cascaded router...) but really, what are the major reasons for the upgrade? Is it to support new profiles? What if everyone that will get the new FW, has already?

Tanshin: pic please (with the sensitives redacted)?

How about on Settings/LAN/Wireless, there also in plain text (custom Wireless Network Key)?


Wily_One
Premium
join:2002-11-24
San Jose, CA
Yeah I'm still on 6.3.7.50-enh.tm.

OP: By "Wireless Network Key" do you really mean just the "Network Name"? (SSID)


Tanshin

join:2009-07-18
West Simsbury, CT
kudos:1
Reviews:
·ooma
reply to brookeKrige
I've attached a screenshot of that part of the homepage. I can select that as text, copy, paste, and do whatever with it. Firmware: 6.9.1.42-enh.tm

This, combined with the fact that they put us on POTS after a failed trial of the Wireless Home Phone, really made my welcome home that much more fun. I've been using an Airport Extreme for a while and I don't think I really have any use for the 2wire wireless. This just serves to be extra food for thought. It's useful for when the power is out, but I don't know if that's a big enough incentive to keep it active.


Darknessfall
Premium
join:2012-08-17
kudos:7
Reviews:
·Frontier Communi..
·Comcast
·AT&T U-Verse
reply to Tanshin
I don't know what the big deal is :/. You need the key to access the wireless anyway. Not like you won't know it when you go to the menu.

The only way they'll be able to see the key is if they already had access to the network.

What are you mad about?

Are you trying to only allow people wired access but not wireless?

I'm confused on what you are trying to accomplish. I'm probably just missing some important detail about this though.


nwrickert
sand groper
Premium,MVM
join:2004-09-04
Geneva, IL
kudos:7
Reviews:
·AT&T U-Verse
reply to Tanshin
I'm not sure I am getting the point here.

Yes, I am still on the older firmware.

In my case, I have to log in to the router (provide the administrative password) before I can access the wireless settings page. If I can see the network key after giving the administrative password, that does not seem a big problem to me.

Are you actually able to see the network password without first providing an administrative password?
--
AT&T Uverse; Buffalo WHR-300HP router (behind the 2wire gateway); openSuSE 12.3; firefox 22.0


Tanshin

join:2009-07-18
West Simsbury, CT
kudos:1
Reviews:
·ooma
The network password shows up without any password entry. Yes, you'll have to be on the network first to see it, but it still seems strange. All I have to do is type in 192.168.1.254 and it shows up.

It just seems like such a basic thing. Maybe not completely alarming, but still not something I was expecting.

Paralel

join:2011-03-24
Michigan, US
kudos:4

1 edit
It is a major problem because let's say someone uses a machine in my residence that is connected to my network (even a wired system/connection), all they have to do is type in the LAN IP address for my gateway and the key for my wireless network is visible right on the status page for the gateway, in plain text.

No, it is not the network name, no, you do not need to login with the administrative password, it is right on the status page. Anyone that has a machine that is on the network, wireless or wired, can pull up the status page without any information other than the gateway's LAN IP address.

Below is the status page for the NVG589, all you need to access it is the LAN IP address for the Gateway, no password, no login names, no nothing. The full SSID for my gateway was redacted, as was the last part of my phone number, and the actual network key, in plain text, that someone would need to join the wireless portion of my network through my gateway.

How can anyone not see this as anything but a very serious security issue?

Paralel

join:2011-03-24
Michigan, US
kudos:4

1 edit
reply to Tanshin
Status Page with Network Key in Plain Text


Tanshin

join:2009-07-18
West Simsbury, CT
kudos:1
Reviews:
·ooma
What's more interesting is that it still shows up even when the wireless network is disabled. I don't have a problem with what's on the sticker shown (anybody can look at that), but if I had a custom password that people started using elsewhere, then I start to get worried. In an age where we hear stories of this forum, this site, Apple, etc. being hacked all the time, the last thing I would want to see is a password shown that accessibly. It just seems like a huge step backwards in terms of security.

Paralel

join:2011-03-24
Michigan, US
kudos:4
Exactly, I also use a custom password, much better than the one that is on the Gateway. Plus, even if it is the password on the side of the gateway, I have a structured wiring cabinet that I keep locked, so someone that wouldn't have access to the gateway's default password on the side of the machine (since it is in a locked cabinet) could now have it, and the default wireless password is hardcoded into the router, so if someone got that, there is no way I can change the default to another default, it will always be that hardcoded default.


Wily_One
Premium
join:2002-11-24
San Jose, CA
Reviews:
·AT&T U-Verse
reply to Paralel
said by Paralel:

It is a major problem because let's say someone uses a machine in my residence that is connected to my network (even a wired system/connection), all they have to do is type in the LAN IP address for my gateway and the key for my wireless network is visible right on the status page for the gateway, in plain text.
...
How can anyone not see this as anything but a very serious security issue?

Yes it is. The security issue is you letting untrustworthy people into your house.


Darknessfall
Premium
join:2012-08-17
kudos:7
Reviews:
·Frontier Communi..
·Comcast
·AT&T U-Verse
reply to Tanshin
Wouldn't they have to be inside your home and hooked up with Ethernet to even get anything valuable from the wireless password? You all must have some hacker friends/family then. Hacking over wireless doesn't mean anything either since they'll have already hacked the password and probably already know it and don't even need to look at the menu.

Only way they'll be able to get the password (with them not knowing it already) would be through a wired connection. Probably would be easy to find your friend pulling out a large Ethernet cable while trying to plug it into your gateway.

Paralel

join:2011-03-24
Michigan, US
kudos:4
reply to Wily_One
said by Wily_One:

said by Paralel:

It is a major problem because let's say someone uses a machine in my residence that is connected to my network (even a wired system/connection), all they have to do is type in the LAN IP address for my gateway and the key for my wireless network is visible right on the status page for the gateway, in plain text.
...
How can anyone not see this as anything but a very serious security issue?

Yes it is. The security issue is you letting untrustworthy people into your house.


It's hard to corral all the guests (and sometimes their kids) when one hosts a party and still have a good time. Plus, people like to have access to a system to stream a playlist, play a group game, show a funny clip, stream pictures, let their kids play with their iPad to keep them quiet, etc...

I hope one of the AT&T people that hang out here will make whoever is responsible for the layout of the firmware aware of this and hopefully they will change it so one needs an administrative password to access a page that contains the wireless network key.


Darknessfall
Premium
join:2012-08-17
kudos:7
Reviews:
·Frontier Communi..
·Comcast
·AT&T U-Verse

1 edit
said by Paralel:

Plus, people like to have access to a system to stream a playlist, play a group game, show a funny clip, stream pictures, let their kids play with their iPad to keep them quiet, etc...

Wouldn't they already have the password to it then though? Or do you type in your password for all of them? I feel lost.

I wouldn't worry so much about this though.

Not like grandma is some secret hacker when she visits or 7 year old Billy carries an Ethernet cord in his back pocket.

I understand your concern if you type in the passwords for everyone who comes to your home. That makes it a different story depending on what device it is (since Windows shows past networks that you connected to and their passwords).

I just believe you're overthinking this or you really don't trust your visitors.

Paralel

join:2011-03-24
Michigan, US
kudos:4

2 edits
said by Darknessfall:

said by Paralel:

Plus, people like to have access to a system to stream a playlist, play a group game, show a funny clip, stream pictures, let their kids play with their iPad to keep them quiet, etc...

Wouldn't they already have the password to it then though? Or do you type in your password for all of them? I feel lost.

I wouldn't worry so much about this though.

Not like grandma is some secret hacker when she visits or 7 year old Billy carries an Ethernet cord in his back pocket.

I understand your concern if you type in the passwords for everyone who comes to your home. That makes it a different story depending on what device it is (since Windows shows past networks that you connected to and their passwords).

I just believe you're overthinking this or you really don't trust your visitors.


You're lost, they wouldn't have the password. In my example it would be a system that I own that is either wired to the gateway, or is already on my wireless network. They could easily find out what my wireless key is just by typing in the IP for my gateway.

Hey, if you guys have no problem with people easily being able to know your wireless network key from any device in your home that is on your network, that is wired or wireless, more power to you.

By any and all standards of security, what AT&T is doing is extremely poor practice, whether you agree with it or not. They took what should be a secured password that one used to need administrative access to see, and placed it on the unsecured landing page for the gateway.

I guarantee you are unable to find another router, gateway, etc... that has the wireless network key in plain text on the unsecured landing page because it is something that anyone in their right mind would never do. Ask anyone that does security and I guarantee they will be horrified to see that this was done.


Wily_One
Premium
join:2002-11-24
San Jose, CA
Reviews:
·AT&T U-Verse
said by Paralel:

By any and all standards of security, what AT&T is doing is extremely poor practice, whether you agree with it or not.

I do agree it's a bad practice, but what we're trying to say is the risk is mitigated by: physical access required or they already have to know both 1) Your wireless connection credentials and 2) Your gateway IP address, which I wouldn't exactly call common knowledge for the average user.

So again, the real security risk here is the people you let into your network.

Paralel

join:2011-03-24
Michigan, US
kudos:4
said by Wily_One:

said by Paralel:

By any and all standards of security, what AT&T is doing is extremely poor practice, whether you agree with it or not.

I do agree it's a bad practice, but what we're trying to say is the risk is mitigated by: physical access required or they already have to know both 1) Your wireless connection credentials and 2) Your gateway IP address, which I wouldn't exactly call common knowledge for the average user.

So again, the real security risk here is the people you let into your network.


True, but it is a security risk that shouldn't even exist, and didn't until recently when AT&T got careless/stupid with how they treat sensitive information like wireless network keys.

Things should always move in the direction of more secure, never less secure. AT&T shouldn't be making more security risks, and there is no good reason for them to have done so. It offers no advantage to anyone and actually creates issues.


OSUGoose

join:2007-12-27
Columbus, OH
reply to Paralel
It's called a guest network, who in their right mind gives access to the home network? You create a guest network that is locked down and permits limited functions..... Security 101.


OSUGoose

join:2007-12-27
Columbus, OH
reply to Paralel
Creates what issue? Actually knowing who you're letting have access to your PC (another security hole!) to gain said wired access to even attempt this?

Paralel

join:2011-03-24
Michigan, US
kudos:4
reply to OSUGoose
said by OSUGoose:

It's called a guest network, who in their right mind gives access to the home network? You create a guest network that is locked down and permits limited functions..... Security 101.

As far as I can tell, there is no such functionality on the AT&T supplied gateway.


Darknessfall
Premium
join:2012-08-17
kudos:7
Reviews:
·Frontier Communi..
·Comcast
·AT&T U-Verse

2 edits
reply to OSUGoose
said by OSUGoose:

Creates what issue? Actually knowing who you're letting have access to your PC (another security hole!) to gain said wired access to even attempt this?

The bad thing is that almost all router (residential with stock firmware) guest networks allow access to modem/router pages that aren't their own. A Linksys with guest networking up would let the people on the guest network be able to have access to his NVG589's menu.


OSUGoose

join:2007-12-27
Columbus, OH
Easy Fix, you block that IP address on the guest side.


Darknessfall
Premium
join:2012-08-17
kudos:7
Reviews:
·Frontier Communi..
·Comcast
·AT&T U-Verse
said by OSUGoose:

Easy Fix, you block that IP address on the guest side.

Does stock firmware allow that? When I tried a Netgear, Belkin, Asus, and Linksys they didn't allow you to block specific IPs on the guest network. Maybe I just missed it.

Also, can't believe you understood what I wrote lol. I tried to change my sentences around for that post and it turned into a mess.

Do you need business hardware for this or 3rd party firmware?


OSUGoose

join:2007-12-27
Columbus, OH
I don't know 100% though, I don't run Guest Nets because I don't let guests on my network... If I did, then I would secure it properly. It helps when you've taken a CCNA class....and aren't joe consumer to know the security risks to it.


Darknessfall
Premium
join:2012-08-17
kudos:7

1 edit
reply to Tanshin
I think AT&T should password protect the whole thing instead of just the wireless password. The gateways pretty much let you see all kinds of information before you are hit by a password page.

Paralel

join:2011-03-24
Michigan, US
kudos:4

1 edit
said by Darknessfall:

I think AT&T should password protect the whole thing instead of just the wireless password. The gateways pretty much let you see all kinds of information before you are hit by a password page.


I couldn't agree more. I never understood why they never did this.

The gateway, being such an integral part of our service, should be locked up tighter than Fort Knox from anyone but AT&T and the account holder.


brookeKrige

join:2012-11-05
San Jose, CA
kudos:3
More reason to disable RG's wifi. (Did ATT ever patch the WPS vulnerability?)

Many z0mbie PCs behind uverse? Harvest list of {location,SSID,key}.

Rans0mware targets uverse: "WARNING: Detected Network Security Key (X) exposure in progress on facebook & twitter! Purchase protection now _here_"