There was a lot off outrage back in October 2007 when it emerged that Eircom was leaving it’s customers home networks open to being hacked. As most others ISP’s Eircom had been supplying their broadband customers with a wifi enabled router as standard when they subscribed to their service. The fact that the wireless signal emitting from these routers can be picked up outside the customer’s home creates a possible security risk and would require that access would be made secure. Eircom however not only failed to inform it’s customers of this risk it also made two critical mistake when “securing” access at the time of installation;
- It used WEP encryption. WEP encryption has been proven flawed as far back as 2003 and can now be decrypted within minutes.
- They WEP-key used was based on the serial number of the router. No real problem except that the serial number was part of the broadcast SSID (the name of the network). This can be read by any wifi enabled device. So it was fairly simple to add 1 + 1 and come up with the WEP key.
As a result of all the negative publicity Eircom sent out a press release “making people aware” of this issue and in 2008 (!) they put a notice up on their website stating that for the previous 4 years they have been providing and installing inadequately secured routers and that they were now switching to WPA encryption. However the wording of the statement was misleading. It stated that: “This vulnerability makes it possible for a person with an advanced working knowledge of encryption and coding techniques to illegally access an eircom customer’s wireless internet connection”.
This statement purposely ignores the fact that there were software tools widely publicised & available for download that would decipher the WEP code in seconds allowing anyone with the ability to read and press a key to connect to what was estimated as 250.000 unsecured routers. Someone with “advanced working knowledge of encryption and coding techniques”
would not have needed this flaw to gain access. They would have used Airsnort, KisMac or a range of other software tools available for years that would allow you to extract any WEP key in seconds. And they then quite likely might have used something like MetaSploit to do some real damage rather than just use your broadband without your permission. But I digress….
The point is that by the end of 2007 there were circa 250.00 of these routers in peoples homes and business premises. As Eircom was responsible for the supply of these you would have expected that they would have gone to some length to rectify this situation. Well it turns out they didn’t. I found out this week via Bernie Goldbach’s blog that there is actually an iphone app being sold through the iTunes store that will allow you to easily extract the WEP key for these networks and subsequently connect. It is also being covered elsewhere.
Now, while I am not a legal professional, I can see several issues here:
- There are over 250.000 wifi routers with an easily disabled encryption spread over Ireland allowing a 3rd party to connect and potentially download/upload illegal content, send spam or run a botnet.
- If any of this illegal activity is detected it will be easily traceable to the Eircom customers broadband connection.
- There is no real applicable legislation in this area at the moment. Some legal professionals would say that it is up to the prosecution to proof that there wasn’t anybody else using the broadband connection. However this could be used as an excuse similar to the “one armed man” in the movie “The Fugitive”. Proof of your innocence would be an unknown 3rd party that will most likely be impossible to trace or even to gather proof of its existence.
- Should people be held responsible for deeds or actions resulting out of them not (or not adequately) securing their wireless networks?
- What is the applicable legislation for accessing someones network without their explicit permission? Surely it would be seen as trespass or “use of a 3rd parties assets or resources without their permission”?
- Furthermore is it legal to sell an application that basically makes “hacking” someone network a one-click operation? Are lockpicking “guns” illegal to sell? If they are surely the sale of “deSSID” should be illegal also?
However in all honesty I have to admit that most of the above questions have been asked over & over again across the globe for as long as I have been working with wifi (since 1999 in case anyone is interested). However the most glaring offense here is Eircoms’ fault in providing mis-configured routers and their negligence in correcting this fault.