
U-verse Forums

Posted Oct 11, 2013
6:56:34 PM
Network key is in the clear http://<router-ip>

So I just realized this and I'm concerned. Looks like a significant security oversight. I have a 3801HGV router. It's one of the upright rectangular boxes. If I connect to it via web interface I can see my SSID key totally in the clear, before giving any authentication. It's presenting it as if it's just there for general consumption. I realize someone needs to be on my network to see this, but I'm in the practice of concealing passwords as often as possible (at work this means all the time).

 

Can anyone suggest how this might be avoided by way of a setting or firmware update?

 

Please see both images here. Note I've greyed out the actual password below.

 


899 views
11 replies
Oct 12, 2013 4:15:26 AM
ACE - Master
Edited by BeeBeeSA on Oct 12, 2013 at 4:17:44 AM

I guess I don't understand why this is such a big deal.  As you mentioned, in order to get the password, someone would have to already be on your network and connected with a hardwired connection (ethernet connection) and then know to browse to 192.168.1.254 to hack your password.  I would think you would know if someone was doing that. The only way someone could see it wirelessly is if you have already given them your password so they would know it anyway.  Right?

"If you find this post helpful and it solved your issue please mark it as a solution.  This will help other forum members locate it and will also let everyone know that it corrected your problem. If they have the same issue they will know how to solve theirs"


*The views and opinions expressed on this forum are purely my own. Any product claim, statistic, quote, or other representation about a product or service should be verified with the manufacturer, provider, or party.

Re: Network key is in the clear http://<router-ip>

[ Edited ]
2 of 12 (878 Views)
Oct 12, 2013 8:50:44 AM
Tutor

To exploit, it isn't necessary to be on the network. It could potentially be done remotely via email or via http. If I were developing the exploit I'd attempt a quick connection to 192.168.1.1, the default and most common address, and grab the following:

 

                  <td class="colorblue" style="padding: 2px">Network key</td>
                  <td class="colorblue" style="padding: 2px">myLittlePassword</td>

For better security, all passwords should be encrypted, encrypted, or at very minimum obfuscated. A password which allows access to a network shouldn't be available with such minimal effort.

 

I believe that by printing a default password + SSID on the physical device the service provider saves a significant amount of support overhead and liability (i.e., fewer calls regarding setup, fewer boxes exploited by simple neighborhood access). However, by printing the password in the clear on the front page of the web interface, accessible without any authentication whatsoever, this disallows better security by those of us who have chosen to change the default password.

Re: Network key is in the clear http://<router-ip>

3 of 12 (861 Views)
Dec 2, 2013 6:31:42 PM
Tutor
Has anyone found a solution to this oversight?

Re: Network key is in the clear http://<router-ip>

4 of 12 (638 Views)
Dec 3, 2013 7:53:21 AM
ACE - Expert

ezekieldas wrote:

To exploit, it isn't necessary to be on the network. It could potentially be done remotely via email or via http. If I were developing the exploit I'd attempt a quick connection to 192.168.1.1, the default and most common address, and grab the following:

 

                  <td class="colorblue" style="padding: 2px">Network key</td>
                  <td class="colorblue" style="padding: 2px">myLittlePassword</td>

For better security, all passwords should be encrypted, encrypted, or at very minimum obfuscated. A password which allows access to a network shouldn't be available with such minimal effort.

 

I believe that by printing a default password + SSID on the physical device the service provider saves a significant amount of support overhead and liability (i.e., fewer calls regarding setup, fewer boxes exploited by simple neighborhood access). However, by printing the password in the clear on the front page of the web interface, accessible without any authentication whatsoever, this disallows better security by those of us who have chosen to change the default password.


Look, for the fifth or sixth time: You cannot see this page unless you have a connection.  To have this connection wirelessly, you'd have to ALREADY have the displayed password and have used it to make the connection by which you're seeing it.  Perhaps this should not be displayed, but it is not the glaring hole you seem to want to make it.

 

 



Re: Network key is in the clear http://<router-ip>

5 of 12 (623 Views)
Dec 3, 2013 7:53:56 AM
ACE - Expert
Edited by JefferMC on Dec 3, 2013 at 7:54:18 AM

skramnor wrote:
Has anyone found a solution to this oversight?


Yes.  Disable wireless on your RG and acquire your own Wireless Access Point.

 



Re: Network key is in the clear http://<router-ip>

[ Edited ]
6 of 12 (622 Views)
Dec 3, 2013 8:55:48 AM
Tutor

As privacy and security become more relevant to more people this type of response is unacceptable. It's just lazy and uninformed.

 

Unfortunately, avoiding the service, bypassing the equipment, avoiding the exploitable feature, or applying modifications are various measures people have to pursue on their own.

 

The bottom line is passwords should never be offered in the clear. Never. Security must be reinforced in layers and passwords must be at the core of this. Gaining access to household networks is trivial stuff, easily harvesting passwords as a bonus results in more injurious leaks.

 

 

Re: Network key is in the clear http://<router-ip>

7 of 12 (613 Views)
Dec 3, 2013 9:22:10 AM
ACE - Expert

One more time, you CANNOT access this password unless you:

a) are physically wired to the network, or

b) already have it so that you can form the wireless network connection, or

c) have hacked the wireless network without it, in which case you don't need it anyway.

 

While I can understand your concern, there is always a tradeoff between convenience and security.  When Security is at its tightest, convenience suffers; the most convenient arrangement provides no security.  The secret is finding the sweet spot where you don't give up meaningful security but provide useful convenience.

 

A perfect example of this is putting the initial wireless password on a sticker on the side.  It's not the same for everyone, so you can't know what the password is for any U-verse user who hasn't bothered to change his password, and if you don't want it to be the password on the side of the box, you can change it.

 

The display on the web page is similar... you can't see it unless you have made a connection to the network, and to make that connection, you've already got it (or might as well have).  

 

Sometimes security measures only give you a false sense of security; masking the password strikes me as one of those things.

 

About the only scenario that would bolster your case would be this: you enter the password into a child's laptop. Your child's friend (and also your next-door neighbor), while using that laptop visits your RG and gets the password.  He then can use his laptop to access your network from home.  Even this requires exactly what I said: this user had to have access to your network to gain this password, and it becomes a case of social engineering.

 


Re: Network key is in the clear http://<router-ip>

8 of 12 (610 Views)
Dec 3, 2013 2:28:16 PM
Tutor

There are additional scenarios:

 

d) As noted earlier, a web page or tcp connection (bot) which could backscan the internal network. We need only scrape http://192.168.1.1/<index>

 

e) An app installed on a phone with access to the network does a single connection to 192.168.1.1 http and if successful takes data from the front page.

 

f) Any trojan via email

 

g) A "guest" connection -- even when connected via a restricted network (e.g., 192.168.100/24) the client may still have access to 192.168.1.1 via http

 

And again, we never want to reveal passwords in the clear. When we do it's on a temporary basis (a quick read or write, given some timed interaction) and when we store them they're salted and hashed with strong crypto.

 

I recommend isolating this box as much as possible, not using the wifi capability it offers and if no other option change the pass every six weeks at minimum.

 

 

 

 

 

 

Re: Network key is in the clear http://<router-ip>

9 of 12 (595 Views)
Dec 3, 2013 7:24:53 PM
Expert
Edited by SomeJoe7777 on Dec 3, 2013 at 7:25:42 PM

Scenarios D and F that you posted require executable code to run on your computer from a web page, e-mail, or trojan.  If that happens, far worse things will be done to your computer than simply sniff a wireless password off the gateway.  Anti-virus software and sandboxing within web browsers are the first lines of defense here.

 

Scenarios E and G presume a nefarious person whom you've already given network access to.  Nefarious people are far more likely to snoop or cause other problems than go look for a wireless password that they don't need, since they're already connected.

 

 

At any rate, if you absolutely want to prevent all of these situations, do the following:

 

1. Set up router-behind-router using the DMZPlus option with your own wireless router.

2. Turn off wireless on the 2Wire.

 

This prevents anything displayed on the 2Wire's home page from having any relevance.

 

If you want to further prevent access to the 2Wire under all circumstances, period:

 

3. Set up an inbound or outbound firewall rule on your router to prohibit connectivity to the 2Wire's private LAN subnet.

 

This prevents anyone connected to your router from accessing the 2Wire at all.

 

 

Re: Network key is in the clear http://<router-ip>

[ Edited ]
10 of 12 (587 Views)
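
A check that goes with the mitigation steps in the post above, added here as an example and not part of the thread or of any AT&T or 2Wire tooling: it parses a gateway home page for a populated "Network key" cell and reports it masked, and tests whether the gateway's web UI still answers after the firewall rule in step 3. The function names and the sample page (including its "Network name" row) are constructed for illustration; the cell markup follows the fragment quoted earlier in the thread.

```python
"""Audit a gateway home page for a Wi-Fi key shown without login (added example)."""
import socket
import sys
import urllib.request
from html.parser import HTMLParser

# Constructed sample, modelled on the two table cells quoted in this thread.
SAMPLE_PAGE = """
<table>
  <tr><td class="colorblue" style="padding: 2px">Network name</td>
      <td class="colorblue" style="padding: 2px">ExampleSSID</td></tr>
  <tr><td class="colorblue" style="padding: 2px">Network key</td>
      <td class="colorblue" style="padding: 2px">myLittlePassword</td></tr>
</table>
"""

class CellCollector(HTMLParser):
    """Collect the text of every <td> cell in document order."""
    def __init__(self):
        super().__init__()
        self.cells, self._buf = [], None
    def handle_starttag(self, tag, attrs):
        if tag == "td":
            self._buf = []
    def handle_data(self, data):
        if self._buf is not None:
            self._buf.append(data)
    def handle_endtag(self, tag):
        if tag == "td" and self._buf is not None:
            self.cells.append("".join(self._buf).strip())
            self._buf = None

def find_key_disclosure(html, label="network key"):
    """Return a masked finding if the cell after `label` holds text, else None."""
    parser = CellCollector()
    parser.feed(html)
    parser.close()
    for name, value in zip(parser.cells, parser.cells[1:]):
        if name.lower() == label and value:
            # Report only the length so audit output never repeats the secret.
            return {"label": name, "length": len(value), "masked": "*" * len(value)}
    return None

def gateway_reachable(host, port=80, timeout=3.0):
    """True if a TCP connection to the gateway's web UI succeeds."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False

if __name__ == "__main__":
    if len(sys.argv) > 1:  # your own gateway address, e.g. 192.168.1.254
        host = sys.argv[1]
        if not gateway_reachable(host):
            print(f"{host}: web UI unreachable from here (block rule is effective)")
            sys.exit(0)
        with urllib.request.urlopen(f"http://{host}/", timeout=5) as resp:
            page = resp.read().decode("utf-8", "replace")
    else:
        page = SAMPLE_PAGE  # offline run against the constructed sample
    print("key shown without login:", find_key_disclosure(page) or "no")
```

Run it from a client behind your own router once the block rule is in place; an "unreachable" result confirms that clients on that segment can no longer load the gateway page at all.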
Dec 3, 2013 8:03:25 PM
Tutor

Those are great tips SomeJoe. #2 is probably the safest option. Yet unfortunately for many non-technical households the vulnerability persists.

 

The point of my post all the while is this password, in fact any password, should ever be presented in the clear.

Re: Network key is in the clear http://<router-ip>

11 of 12 (579 Views)
Dec 4, 2013 1:57:43 PM
Expert
While I tend to agree with the philosophy that no password should be present in the clear, it's evident that what AT&T is doing here is trying to reduce support calls and problems for the average customer. While the risk of compromise increases slightly by the wireless password being in the clear on the router homepage, in most cases it doesn't increase the average consumer's risk very much, while simultaneously helping many more customers who constantly forget their wireless password and therefore call AT&T to reset it.

Re: Network key is in the clear http://<router-ip>

12 of 12 (531 Views)