Eircom under fire for WEP security flaw

By Justin Mann on October 2, 2007, 10:53 AM
Eircom, an ISP in Ireland, has come under fire for an oversight that results in lax security at their customers' houses. The problem is the broadband routers they supply, which can feature a wireless AP mode. It seems that many of these wireless routers are all shipped out with the exact same WEP configuration despite the devices supporting other protocols like WPA-PSK. This particular flaw stems from the WEP key being generated from the serial number, which is readily accessible. This is only a default configuration - the devices are still user-configurable to use other security keys or protocols.

When I saw this security article, I was a bit shocked. Not that I was shocked at yet another piece of hardware or software being vulnerable to an exploit or having a serious flaw from the factory, but because the issue brought up was Eircom's policies, rather than WEP. By its nature, WEP is a primitive form of encryption that has been easily defeatable for many years now. No matter the hardware, relying on a single shared key WEP system does not promote any security, as even with run-of-the-mill hardware and a few hours of research you can defeat WEP in an hour, perhaps a few minutes if you are a bit more clever about it.

WEP being compromised? Not surprising at all. What is very surprising, however, is that Eircom defends WEP as a secure enough protocol to use for its customers. There are already enough false senses of security on the Internet today.




petermcs said:
The problems with eircom's policies on this are manifold:

1. eircom's support site promoted WEP exclusively until Monday, when the issue above became public knowledge. So the majority of eircom's customers would have had WEP if they followed their advice.
2. eircom provided a "free" wireless modem even if you did not require wireless capability. A friend of mine tried to get a non-wireless modem from eircom for her business and couldn't get it through to the sales support people that she DID NOT WANT wireless!
3. The wireless interface is enabled by default but would not normally be susceptible to WEP cracking, as it will not broadcast traffic (other than the SSID) if you are not using a wireless connection. With the flaw in eircom's configuration, which allows you to obtain the encryption keys from the SSID, you don't need to sniff any traffic - you look at the SSID that pops up in your network connection dialogs and you have all you need to go and access the network now that the information is in the public domain.

I could go on for several more points but you get the gist hopefully...