Austrian ISP's wireless routers set up secret network
According to a report by security researchers at SBA Research, Austrian broadband provider UPC has given its customers wireless routers that set up an undocumented second wireless network that is not properly protected. It turns out that UPC's Thomson TWG850-4U router always uses the same SSID and the same WPA key (password) for this wireless network (WLAN). The network's SSID (the name of the wireless network) is hidden, so it does not appear in a normal overview of wireless networks; to connect, users have to know the SSID in addition to the WPA key.
Because the network is not isolated from the main WLAN, the researchers say that attackers can access both the internet and other computers in the network. Unwelcome guests can even access the router's configuration interface to read out the WPA key set by UPC customers and change critical configuration parameters.
In a brief drive through Vienna, the security researchers say they found "hundreds of networks in just a few streets" that they could have gained access to and taken over. UPC provides the TWG850-4U to all customers who choose the company's combined TV and internet package. A UPC spokesperson confirmed the problem to The H's associates at heise Security, adding that approximately 100,000 of the aforementioned wireless routers are currently in circulation.
UPC reacted promptly and today, three days after the problem was made public, announced the publication of an emergency patch which is gradually and automatically being distributed to the devices affected. The researchers who discovered the hole told heise Security that the hidden WLAN is no longer set up after the firmware update.
Customers of UPC's Dutch subsidiary faced a similar problem last November. After a firmware update, a different Thomson router also set up an invisible network there, but it could not be used to gain access to the configuration interface and other computers in the network. UPC said these problems occurred because of "new possibilities" planned for the future.
- WPA key of Speedport routers too simple, a report from The H.