Euro Security Watch with Mathew J. Schwartz

Technology

TP-Link Routers Fail Sniff Test WiFi Password is Based on MAC Address, Experts Warn
TP-Link Routers Fail Sniff Test

When WiFi routers sport easily guessable - or deducible - WiFi passwords, what's the worst that could happen?

See Also: Detecting Insider Threats Through Machine Learning

Keep that question in mind, because Chinese technology networking product manufacturer TP-Link has been shipping routers that have password-protected access enabled by default, which from a security standpoint is a good thing.

"The appearance of security ... is worse than having no security at all because it lulls users into having a false sense of security." 

Now for the bad: The routers are simultaneously broadcasting most of the information required to deduce the password without needing to bother with a packet-capture tool such as Wireshark. And by using Wireshark, an attacker could deduce the device's password in seconds.

Last month, U.K.-based penetration tester Mark Carney reported that for at least some of its routers, TP-Link sets the default password on some of its devices to be the devices' MAC address, which is a unique identifier associated only with that device. "For those wondering the default WiFi password IS the last 8 chars of the MAC address... On *ALL* OF these devices," the researcher notes via Twitter.

As a result, an attacker could use a free tool such as the Airodump-np script, which can be used to identify the unique MAC address of any access point within range, to identify the devices' passwords. Or since the SSID that the devices broadcast includes the last six digits of the eight-digit password, an attacker could simply guess the first two hexadecimal digits. "Even if you don't bother with airodump to get the MAC, you have 255 combos to brute force," he says.

Risk: False Sense of Security

It's a truism that the appearance of security - when in fact there is none, at least against a semi-knowledgeable attacker - is worse than having no security at all because it lulls users into having a false sense of security.

A spokeswoman for TP-Link didn't immediately respond to a request for comment on the flaw, or whether the router manufacturer planned to alter its approach to settings default passwords. All TP-Link users, however, should review their default Wi-Fi password and ensure that it's not tied in any way to their device's MAC address or SSID, and if it is, change it.

The Internet of Hackable Things

The TP-Link episode demonstrates that it's not just end users who so often fail at picking long, strong, complex - and tough to guess - passwords (see "123456" Password Fail). If router manufacturers can't get it right either, that bodes poorly for many of the millions of Internet of Things devices now being shipped (see The Internet of Dangerous Toys?).

Earlier this month, for example, researchers from Princeton University's Center for Information Technology Policy warned in a presentation at PrivacyCon - hosted by the U.S. Federal Trade Commission - that digital thermometers manufactured by Nest had been sending sensitive information unencrypted, thus leaving it vulnerable to eavesdropping.

"Many of the devices exchanged personal or private information with servers on the Internet in the clear, completely unencrypted," they warned in a related blog post. According to Princeton researcher Sarthak Grover, furthermore, similar flaws were found in a number of different types of devices, ranging from Sharx Security IP cameras to the Pix-Star digital photo frames.

Sarthak Grover, a researcher with Princeton's Center for Information Technology Policy, details how flaws in Internet of Things products can put privacy at risk.

Curse of the Piggybacking Pirates?

News of TP-Link's apparently poor password practices, meanwhile, seems likely to revive the debate on piggybacking, which refers to using someone else's wireless access point without their permission. In the United Kingdom, the practice is reportedly illegal. In the United States, meanwhile, state-level "unauthorized access" computer laws vary, and many experts say it's unclear if they apply to unauthorized access to WiFi access points.

Security guru Bruce Schneier has said that he maintains an open Wi-Fi network. Meanwhile, civil rights group Electronic Frontier Foundation in 2011 called for an open wireless movement.

But even Schneier has noted that there can be risks from allowing open access points, not least from pedophiles peddling child porn using pirated connections. For example, in 2011, the FBI raided a home in Buffalo - assault weapons drawn, homeowner pushed to the floor - because the man was suspected of having downloaded thousands of child pornography images, the Associated Press reported at the time. "You're a creep ... just admit it," agents told the man, according to his attorney.

In fact, someone else used the homeowner's unsecured wireless signal, and three days later, agents reportedly arrested the man's 25-year-old neighbor.

Easily guessable WiFi passwords: What could go wrong?



About the Author

Mathew J. Schwartz

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the Executive Editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, amongst other publications. He lives in Scotland.




Around the Network