23-05-2021 09:04 AM - edited 23-05-2021 09:05 AM
Vodafone is in the news again, perhaps unfairly - according to the article, an older HHG2500 was (probably) hacked into because the default passwords weren’t changed by the VF subscriber...
Did weak wi-fi password lead the police to our door?
Thinking only of the router security aspect of the story then can Vodafone reasonably be held responsible for an end user’s failure (for whatever reason) to take steps to secure a router?
I have two of these old devices so naturally, I had a look at the labels on them - both have a different wifi password to each other - fairly complex with 15 characters each and both have different SSIDs. I can’t remember if these modems insisted on the default password being changed the first time the UI was accessed? I am sure the later THG3000 does but HHG2500?
Could unauthorised access be achieved with the VF App without any password details or physical access to the router? From a car parked outside your house, presumably the wifi password would be needed to gain access to the UI in the first place.
The salutary lesson is of course, ‘if it arrives with default passwords, change them as a priority’.
23-05-2021 09:45 AM - edited 23-05-2021 09:45 AM
It doesn't need to be accessed from a car parked outside your house. Depending on various factors your Wi-fi signal can be picked up with an ordinary omni-directional antenna from three miles away and up to five miles with a beam focused antenna. There is a YouTube video demonstration of this. From where I am sitting right now I can detect 16 WiFi signals. Obviously some are from the same router, just different channels, so let's say I can see 8 routers from my mobile phone app. I can't think what it would be like in a more densely populated location.
23-05-2021 10:09 AM - edited 23-05-2021 10:12 AM
I used the outside in a car analogy more as meaning ‘no physical access to the router’... I can see three or four (secured) SSIDs on my phone which I assume are in my little cul de sac.
Oddly enough, for the first couple of years after buying my current house I was getting a very strong signal from an unsecured SSID (meaningless name)... thought it was my wifi intruder alarm but shutting that down made no difference so I assumed it was a neighbour and thought nothing more of it for quite some time.
Eventually, in checking the range of my own wifi around the house and gardens, I discovered that the unsecured SSID was at its strongest inside my house. Turned out it was my solar panel installation (already on the roof when I bought the house) and fully open to anybody. Happily, the username and password into the system was pitifully easy to guess so I switched its wifi off.
Not entirely sure why a solar installation would have a wifi router attached.
23-05-2021 11:57 AM
Okay, so examining this from the point of view of a sceptic!
Once the WiFi password is hacked, would an attacker need to break the WebAdmin password and reconfigure the router? Almost certainly not, unless they were to be routing their activity through a device on the network. So at least initially this would have been a local attack! *It is possible to use the HHG2500 without ever changing the default WebAdmin password (confirmed), this much is correct!
On to breaking the default WiFi password! I have my HHG2500 to hand, and it has a fully randomised 15 character WiFi password. So that's 26 (A - Z) + 26 (a - z) + 10 (0 - 9) = 62 characters per position to the power of 15 (password length) = 768,909,704,948,766,668,552,634,368 combinations - assuming a fully randomised algorithm though if the generation method is robust it would be significantly lower. Probably no more than 1,502,726,298,004,566,835,200 (rough calculation using real basic assumptions) real combinations and if stored as a "hash" it'd be fewer still (another story again). That's pretty tough to crack using brute force!
So it's a shame that we have WPS! WPS if you are not careful can let your neighbours onto your WiFi at the same time as you use it to connect your own devices (it's happened to me). But WPS gets worse, far worse! It also has a passkey, which is all digits, and sufficiently short and consistent to enable someone sat outside your house to crack it in a not unreasonable length of time! *There is a reason for this discrepancy in strength, but it's not necessarily a good reason!
So my guess would be that it's either a neighbour who managed to accidentally get onto their network when the householders used the WPS button, and then realised what they could do (ugh!). Or it was a deliberate attack, someone used brute force on the WPS key!
If you have WPS enabled on your router TURN IT OFF!
I see a number of people posted how many WiFi networks they can see from their property! Well, you know how some routers have a better range than others... Sometimes that range is a curse! I've mentioned before that I can detect my router when I drive into the estate I'm on, that's 200ish metres away, weak it may be, but it's there! That also means that using the WiFi radar ability of the router I can detect 50+ networks - on a well spaced estate of semi and detached houses!
I probably didn't cover everything, but that's it for now...
23-05-2021 12:37 PM
Without wishing to go into great technical detail it all depends on which encryption type is used to store the credentials. The weaker ones can be broken in minutes because certain network packets leak; in 2007 WEP could be done in 2 minutes, but hopefully nobody uses WEP now. WPA-2 is now also known to have problems and WPA-3 and TKIP are now the common flavours of encryption. But it's an "arms race" and what is the real problem is the way that manufacturers abandon updates on routers that otherwise are perfectly useable or how would they keep selling us new ones.
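The two router checks this thread points to, WPS still being advertised (the "TURN IT OFF" advice above) and WEP still in use, written as an added example that is not part of any post. It assumes scan text shaped like the output of `iw dev <interface> scan`; the sample text, SSIDs and function name are constructed for illustration.

```python
import re

# Constructed sample, modelled on the text layout of `iw dev wlan0 scan`.
SAMPLE_SCAN = """\
BSS 02:00:00:00:00:01(on wlan0)
\tcapability: ESS Privacy ShortSlotTime (0x0411)
\tSSID: HomeNet-Example
\tRSN:\t * Version: 1
\t\t * Pairwise ciphers: CCMP
\t\t * Authentication suites: PSK
\tWPS:\t * Version: 1.0
\t\t * Wi-Fi Protected Setup State: 2 (Configured)
BSS 02:00:00:00:00:02(on wlan0)
\tcapability: ESS Privacy ShortSlotTime (0x0411)
\tSSID: HomeNet-Guest
\tRSN:\t * Version: 1
\t\t * Pairwise ciphers: CCMP
\t\t * Authentication suites: PSK
BSS 02:00:00:00:00:03(on wlan0)
\tcapability: ESS Privacy (0x0011)
\tSSID: HomeNet-Old
"""


def audit_own_networks(scan_text, own_ssids):
    """Return {ssid: [findings]} for the SSIDs you administer (hypothetical helper)."""
    findings = {}
    # Every access point record starts with a line beginning "BSS <mac>".
    for block in re.split(r"(?m)^(?=BSS )", scan_text):
        ssid = re.search(r"(?m)^\s*SSID: (.*)$", block)
        if not ssid or ssid.group(1).strip() not in own_ssids:
            continue  # not a record, or not one of our own networks
        issues = []
        # A WPS element in the beacon means WPS is still switched on.
        if re.search(r"(?m)^\s*WPS:", block):
            issues.append("WPS advertised")
        # Privacy bit set with no WPA/RSN element means the network is WEP.
        privacy = re.search(r"capability:.*\bPrivacy\b", block)
        modern = re.search(r"(?m)^\s*(RSN|WPA):", block)
        if privacy and not modern:
            issues.append("WEP (Privacy bit set, no WPA/RSN element)")
        findings[ssid.group(1).strip()] = issues
    return findings


if __name__ == "__main__":
    mine = {"HomeNet-Example", "HomeNet-Guest", "HomeNet-Old"}
    for name, issues in audit_own_networks(SAMPLE_SCAN, mine).items():
        print(name, "->", issues or "no findings")
```

After disabling WPS in the router UI, a fresh scan of your own SSID should no longer produce the "WPS advertised" finding. `iw` states that its text output is not a stable format, so treat the parsing here as tied to the sample layout.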
23-05-2021 12:54 PM
"The government plans to ban default passwords being pre-set on devices, as part of upcoming legislation covering smart devices."
That sounds like a good idea for Vodafone routers. (It would be nice if Admin TJ can pass that info up the hierarchy.)
23-05-2021 01:14 PM
That may just be a "sound bite", I think I'll wait for it to happen before celebrating.
23-05-2021 01:59 PM - edited 23-05-2021 02:00 PM
I believe the earlier routers all had the same default router password (not WiFi), the THG3000's don't so the article doesn't apply to them. (despite the BBC using a mocked up picture for the article)
Probably the only information the Police had was the I.P. address being used and that can be spoofed. Also it would rely on Vodafone correctly identifying the user using that I.P. at the time and we all know how good Vodafone are at getting things right.
More sensationalist crap reporting by the BBC.
23-05-2021 03:56 PM
The WebAdmin passwords for the early routers were all the same, the WiFi passwords were different. That the WPS passkey is so easily broken using brute force negates pretty much all the other security measures.
23-05-2021 05:50 PM
@Anonymous wrote: That the WPS passkey is so easily broken using brute force negates pretty much all the other security measures.
But doesn't that mean the "hackers" would need to be waiting for the couple of minutes after you press the WPS button to be able to break it?