When WiFi routers sport easily guessable - or deducible - WiFi passwords, what's the worst that could happen?
Keep that question in mind, because Chinese technology networking product manufacturer TP-Link has been shipping routers that have password-protected access enabled by default, which from a security standpoint is a good thing.
"The appearance of security ... is worse than having no security at all because it lulls users into having a false sense of security."
Now for the bad: The routers are simultaneously broadcasting most of the information required to deduce the password without needing to bother with a packet-capture tool such as Wireshark. And by using Wireshark, an attacker could deduce the device's password in seconds.
Last month, U.K.-based penetration tester Mark Carney reported that for at least some of its routers, TP-Link sets the default password on some of its devices to be the devices' MAC address, which is a unique identifier associated only with that device. "For those wondering the default WiFi password IS the last 8 chars of the MAC address... On *ALL* OF these devices," the researcher notes via Twitter.
As a result, an attacker could use a free tool such as the Airodump-np script, which can be used to identify the unique MAC address of any access point within range, to identify the devices' passwords. Or since the SSID that the devices broadcast includes the last six digits of the eight-digit password, an attacker could simply guess the first two hexadecimal digits. "Even if you don't bother with airodump to get the MAC, you have 255 combos to brute force," he says.
Risk: False Sense of Security
It's a truism that the appearance of security - when in fact there is none, at least against a semi-knowledgeable attacker - is worse than having no security at all because it lulls users into having a false sense of security.
A spokeswoman for TP-Link didn't immediately respond to a request for comment on the flaw, or whether the router manufacturer planned to alter its approach to settings default passwords. All TP-Link users, however, should review their default Wi-Fi password and ensure that it's not tied in any way to their device's MAC address or SSID, and if it is, change it.
The Internet of Hackable Things
The TP-Link episode demonstrates that it's not just end users who so often fail at picking long, strong, complex - and tough to guess - passwords (see "123456" Password Fail). If router manufacturers can't get it right either, that bodes poorly for many of the millions of Internet of Things devices now being shipped (see The Internet of Dangerous Toys?).
Earlier this month, for example, researchers from Princeton University's Center for Information Technology Policy warned in a presentation at PrivacyCon - hosted by the U.S. Federal Trade Commission - that digital thermometers manufactured by Nest had been sending sensitive information unencrypted, thus leaving it vulnerable to eavesdropping.
"Many of the devices exchanged personal or private information with servers on the Internet in the clear, completely unencrypted," they warned in a related blog post. According to Princeton researcher Sarthak Grover, furthermore, similar flaws were found in a number of different types of devices, ranging from Sharx Security IP cameras to the Pix-Star digital photo frames.
Curse of the Piggybacking Pirates?
News of TP-Link's apparently poor password practices, meanwhile, seems likely to revive the debate on piggybacking, which refers to using someone else's wireless access point without their permission. In the United Kingdom, the practice is reportedly illegal. In the United States, meanwhile, state-level "unauthorized access" computer laws vary, and many experts say it's unclear if they apply to unauthorized access to WiFi access points.
But even Schneier has noted that there can be risks from allowing open access points, not least from pedophiles peddling child porn using pirated connections. For example, in 2011, the FBI raided a home in Buffalo - assault weapons drawn, homeowner pushed to the floor - because the man was suspected of having downloaded thousands of child pornography images, the Associated Press reported at the time. "You're a creep ... just admit it," agents told the man, according to his attorney.
In fact, someone else used the homeowner's unsecured wireless signal, and three days later, agents reportedly arrested the man's 25-year-old neighbor.
Easily guessable WiFi passwords: What could go wrong?