# Are there dangers to removing the WPA security from my eircom router?



## sfag (21 May 2009)

The reason I ask is that not all devices have the wpa access that the router uses - eg the nintendo ds wont connect. Plus I have an itnernet radio that is having trouble. 

I do not have a home network. I have no shared folders.

The only danger I can think of  if is that neighbours could use my internet but I'm not worried about that.

Would I be open to internet hackers or other dangers?.


----------



## extopia (21 May 2009)

If you run without encryption, your neighbours or someone sitting in a car outside your house, for example, could intercept everything you send and receive wirelessly through your wireless network. Passwords, logins, bank details, credit card numbers, emails, the lot.

It's up to you, but I wouldn't do this.

If you don't like WPA, you could at least restrict your network to known and trusted devices via their MAC addresses. You can do this with most wireless routers.


----------



## car (21 May 2009)

not internet hackers, they come in through the firewall. (or not).  wep/wpa is just to stop others using your wifi. 

careful with that,   if youre doing online banking or are inputting sensitive info, sending mails etc someone could easily get it if they wanted to.

I thought the DS worked with WEP even though its old and vulneralbe?   even that would be better then nothing.

_edit_: post crossed with _extopia_


----------



## Dearg Doom (21 May 2009)

> Passwords, logins, bank details, credit card numbers, emails, the lot.



The wireless network encryption only encrypts the wireless communications i.e. from your computer to the router, after that they are back in the clear. If you send any of the above items via the internet without using SSL then they are free for all to see as they cross the internet - all bar e-mail are generally encrypted before they go over your network in any case - so having encryption on your wireless network is of little or no addition for these. An encrypted wireless network only makes them harder to access data on *your* network.

If you are happy for all items you have connected to the network to be available for anyone nearby to access and you are happy with the potential of people you don't know doing anything they like using your internet connection then by all means remove the encryption. You won't be any more or less open to remote internet hacking.


----------



## sfag (21 May 2009)

thanks for that clarification Dearg. 
I never really got the 'hacker sittiing outside in car with a laptop' scare anyway.   
Yes I'm happy to share my net connection unless it was to become bogged down with traffic. 
I think neighbours should share this kind of thing. My neighbours share more than that by swapping each others phone numbers, holiday plans & ocassionally even house keys. 

A quick scan of neighbours wi fi's shows four that are receivable - 2 secure and 2 not secure. 

I wonder if a neighbour uses my net access to access dodgy websites would I be responsible?


----------



## Dearg Doom (22 May 2009)

sfag said:


> A quick scan of neighbours wi fi's shows four that are receivable - 2 secure and 2 not secure.



And you will often find that the 'secure' networks are often using Eircom's standard configuration which can be broken in seconds. 



sfag said:


> I wonder if a neighbour uses my net access to access dodgy websites would I be responsible?



I'll leave that to the legal eagles...


----------



## nai (22 May 2009)

sfaq - it doesn't have to be the hacker sitting outside in their car - it could just as easily be the next door neighbours teenage kid who logs onto your pc via your router and swipes all of your personal files/emails etc. 

it could be someone next door downloading nasty pictures via your web connection = first finger of suspicion/investigation pointed at you and you would have to prove that they were using it without your permission - which they now are given that you're stated here publicly that all neighbours are free to use it.

From an encryption point of view it is unlikely that bank/cc information would be harvested because these would be configured to use SSL (https) via your browser.

As CAR stated - the DS is WEP compatible - you could use this with a strong passphrase and implement MAC address filtering to increase the difficulty in connecting to your router - however any type of hacker worth their salt would be in a position to bypass this level of security very easily.

One last point - what happens if you breach the terms of Fair Use and end up getting a stonking big bill some month because you're way over your download limit ?


----------



## AlbacoreA (22 May 2009)

sfag said:


> ...I wonder if a neighbour uses my net access to access dodgy websites would I be responsible?


 
As said earlier by others...

It would be traced back to your connection, your phone, modem, but not your PC. Could be argued by leaving unsecured you allowed it. 

In theory someone could access your PC everything on it, and everything you do from it with a key logger. Online banking etc. All your passwords.

Most likely you'll get a bill for a few thousand euro because you've exceed your download cap. Because of everyone downloading movies etc through it.


----------



## Dearg Doom (22 May 2009)

AlbacoreA said:


> In theory someone could access your PC everything on it, and everything you do from it with a key logger. Online banking etc. All your passwords.



That can happen anyway - whether or not his wireless network is secured.



AlbacoreA said:


> Most likely you'll get a bill for a few thousand euro because you've exceed your download cap. Because of everyone downloading movies etc through it.



In fairness that is not the most likely result. It's a possible one, but the most likely result is that nothing happens. I know of many unsecured or very poorly secured wireless networks and nothing adverse has happened.


----------



## AlbacoreA (22 May 2009)

Dearg Doom said:


> That can happen anyway - whether or not his wireless network is secured.


 
Thats like saying you can still have an accident in a car without ABS. Which maybe true but it doesn't negate the usefulness of ABS. Ditto it doesn't negate the usefulness of a secured WiFi access. 



Dearg Doom said:


> In fairness that is not the most likely result. It's a possible one, but the most likely result is that nothing happens. I know of many unsecured or very poorly secured wireless networks and nothing adverse has happened.


 
I'm sure thats a comfort when the bill drops through the door. 

I've certainly seen posts on forums in the past where people have been hit with large bills for busting their download cap. These days ISPs are more likely to cut you off or throttle your connection. But they may not.



> The Nintendo DS is compatible with WEP encryption. Nintendo DSi, released in Japan on November 1, 2008, and in the USA on April 5, 2009, is compatible with both WPA and WEP encryptions


 
http://en.wikipedia.org/wiki/Nintendo_Wi-Fi_Connection
[broken link removed]

As a temp workaround you could have a one (WPA) router for the PC and a 2nd (WEP) for the DS. Turn either on/off as required. Routers are cheap enough. 

Unfortunately the correct solution is to buy equipment that supports WPA.


----------



## askew70 (23 May 2009)

Security issues aside, it is worth bearing in mind Eircom's recent agreement with some representatives of the music industry over access to copyrighted material online. Eircom have agreed to implement a policy of "3 strikes and you are out" if one of their customers is identified as accessing such copyrighted material. The first two incidents result in a warning, the third results in your Eircom broadband service being withdrawn. If someone uses your wireless router to access such material, you will be held responsible as things currently stand.

There remain lots of questions about whether Eircom can really enforce this in law. Some people claim that you could argue that your wireless network was not secured and therefore you are not responsible for the online antics of anyone using your broadband connection, others claim that this is not a defence that holds any water. There is also the issue that many Eircom routers remain vulnerable to the widely publicised hack that allows the wireless encryption key to be derived from the wireless network name (where the wireless router configuration is the one that is was delivered to you with), which some argue effectively removes any responsibility from the home user for their wireless network being "hacked" and used by others. I haven't seen any mention of Eircom applying this new policy as yet but obviously that doesn't mean that they haven't, or that they won't. So, right now, no-one knows whether it is a policy that is truly enforceable or even whether Eircom will actively try to enforce it. But it is one more thing to consider if you opt to leave your wireless network unsecured (i.e. no shared key/password required to use it), or choose to use an extremely low leve of security (WEP).

Incidentally, if security is a true concern for you then WPA2 is a better alternative to WPA, but support for WPA2 isn't yet as widespread as support for WPA so fewer products support it right now. WPA2 provides stronger encrpytion than WPA - specifically, WPA2 supports AES for wireless encryption while WPA supports TKIP. Several months ago a weakness in TKIP was exposed which, although it hasn't been turned into an effective exploit as yet, it certainly paves the way for that to happen at some point (maybe next month, maybe next decade - no-one can predict when). Something that clouds the issue is that WPA actually supports both TKIP and AES, but that is an early implementation of AES, while WPA2 supports both TKIP (for backward-compatibility) and AES also, but generally speaking when people refer to WPA they are talking about TKIP and when referring to WPA2 they are talking about AES. For maximum security of your wireless traffic, opt for WPA2/AES whenever you can.


----------



## bond-007 (23 May 2009)

Dearg Doom said:


> In fairness that is not the most likely result. It's a possible one, but the most likely result is that nothing happens. I know of many unsecured or very poorly secured wireless networks and nothing adverse has happened.


If you leave your router unsecured you don't know who is accessing your router or what they are doing using your connection. There could be someone in a car outside accessing illegal websites and downloading illegal content using your unsecured connection. And what are you going to say when the Gardaí arrive at your door with a search warrant? They will tear your house apart and take away all your computers. It is your connection and you are responsible for what it is used for. It would be very embarrassing for you when the neighbours see the Gardaí taking all your computers away for testing.

So an unsecured connection is a very silly thing to have.


----------



## Dearg Doom (25 May 2009)

AlbacoreA said:


> Thats like saying you can still have an accident in a car without ABS. Which maybe true but it doesn't negate the usefulness of ABS. Ditto it doesn't negate the usefulness of a secured WiFi access.


 
Where did I say a secure wlan wasn't useful? What I'm saying is that it isn't the most important thing - having decent security software installed will be of far more benefit than a secure wlan. A Keylogger is far more likely to be installed by downloading malware than by sitting on a open network. 



bond-007 said:


> If you leave your router unsecured you don't know who is accessing your router or what they are doing using your connection. There could be someone in a car outside accessing illegal websites and downloading illegal content using your unsecured connection. And what are you going to say when the Gardaí arrive at your door with a search warrant? They will tear your house apart and take away all your computers. It is your connection and you are responsible for what it is used for. It would be very embarrassing for you when the neighbours see the Gardaí taking all your computers away for testing.



And some people live in remote areas where a van parked at the font door using the free wireless network will be very noticeable. Likewise many people belive they have a secure network and don't, e.g. eircom default WEP encryption and so effectively still have an open wireless network. 

Sfag should make the decision based on the reality of the situation as it applies to his case, his network, his requirements and knowlege of the effects of removing the security and not on scarmongering about keyloggers, massive bills and gardai breaking the door down.


----------



## AlbacoreA (26 May 2009)

Always trust the guy who says "it will be grand" 

You're taking my point of context. I was simply commenting that was websites with SSL doesn't protect your bank details, password from keyloggers. The suggestion was SSL is enough to secure your bank details. It isn't. 
He asked what the dangers. Telling him isn't scare mongering. Its informing him of the risks. If you want to play the odds with those risks thats your own business. Unless someone sues you of course. Being dismissive of the risks of an open WiFi connection is irresponsible IMO. The web is full of stories about ISPs charging people with big bills for exceeding their cap, or issues of copyright theft for downloading movies and MP3's. I certainly know a few who have been charged hundreds of euro for exceeding their caps. 

Its bad practice for good reason.


----------



## Dearg Doom (26 May 2009)

I'm not being dismissive of the risks, I'm trying to put some balance on the discussion. Implying that these things will definitely happen is not painting the full picture of the risks or the steps to take to avoid them. Leading people to believe that having a secure wifi connection is somehow going to protect them from keyloggers or people using your broadband is irresponsible as is may mean they don't take the steps they should take to protect themselves. Secure wifi may reduce the likelihood of these things being done by the uninformed, but someone who wants to do the things you mention will in no way be prevented from it by a 'secure' wifi connection.


----------



## Complainer (26 May 2009)

You could check out MAC-based security as an alternative to WPA.


----------



## AlbacoreA (26 May 2009)

Dearg Doom said:


> I'm not being dismissive of the risks, I'm trying to put some balance on the discussion. Implying that these things will definitely happen is not painting the full picture of the risks or the steps to take to avoid them. Leading people to believe that having a secure wifi connection is somehow going to protect them from keyloggers or people using your broadband is irresponsible as is may mean they don't take the steps they should take to protect themselves. Secure wifi may reduce the likelihood of these things being done by the uninformed, but someone who wants to do the things you mention will in no way be prevented from it by a 'secure' wifi connection.


 
Who said these things will definately happen? Or that one layer of security (WPA) is all you need? A magic bullet as it were. Er no one. Even taking things out of context like you have done it makes no sense. 

Telling someone to wear a seat belt, isn't saying they are definately going to have an accident, or that its going to save them if they get hit by a 40 tonne truck. By telling some to wear a seat belt isn't going to make them ignore the rules of the road and run every red light because they believe they are invunerable. You  might drive through 10 red lights and not have an accident. Thats not proof that its ok to do, or that you'll never get caught and fined for it. 

However if someone told me, something was of "little or no addition" or "most likely result is that nothing happens" or "nothing adverse has happened" or regardless of what measures you take "That can happen anyway". I'm not sure I'd bother with it either as it would seem pointless.


----------



## nai (26 May 2009)

I wonder what the OP is making of all of this ?

From my own point of view - the OP has stated he can see 4 of his neighbours WLAN routers - this to me would imply that he/she lives in a built up area - the risks are obviously a bit higher here than in the middle of the country side.

I have to agree with AlbacoreA - noone has stated that all of the risks will happen - we are merely highlighting them to allow the op to make up his own mind.

To start off here is my list of risks in order of ascending criticality to having an unsecured wlan :
1. Someone else uses my broadband
2. Intruder from 1 breaches my download limit
3. Intruder captures some of my login details for webmail and the like and posts/emails inappropriate content under my identity.
4. Intruder virus infects my computer equipment causing damage to systems
5. Intruder invades my privacy and publishes my private information onto internet/public domain.
6. Intruder retrieves some of my PI details and effects some type of fraud (financial or otherwise) using my identity.
7. Intruder effects some other type of crime (copyright theft etc).
8. Intruder uses me as a patsy for downloading inappropriate illegal images .. (cp)
9. While doing all of the above intruder has assumed control of my pc without my knowledge leaving most of the traces of the intrusion on my pc not on his own.

While 1 & 2 above are almost guaranteed while living within a built up area the percentages of all the others happening diminish quite rapidly. However they all do occur and I have been involved in investigating situations 3-7. Thankfully 8 & 9 have not crossed my path yet but I do know of cases where it has occurred.

Points 1-5 will merely cause the op some discomfort - 6-9 could end up with the Garda Computer Forensics section knocking on the door - it is up to each individual to make an informed decision and weigh the risks.


----------



## nai (26 May 2009)

Complainer said:


> You could check out MAC-based security as an alternative to WPA.




One point on this - MAC based security on it's own can be bypassed within minutes and is very simple to do.


----------



## sfag (26 May 2009)

nai said:


> I wonder what the OP is making of all of this ?
> 
> From my own point of view - the OP has stated he can see 4 of his neighbours WLAN routers - this to me would imply that he/she lives in a built up area - the risks are obviously a bit higher here than in the middle of the country side.
> 
> ...


 
cheers for the replies. I like the sense of balance that dearg was trying to point out. I do live in a built area where most people are honest. I dont lock the car at night and dont care if an intruder has a snoop - they have and not much happened. I employ the same balance of cautiousness with most things - ie try not to be too overly cautious.

re the above.
1. dont care. I like to use theres if I was stuck.
2. trust the neighbours not to do that & I have large limit.
3. dearg says they cant do that - i dont have them written in a file on my hard drive and i dont belive using my wifi turns a user into a hacker.. 
4 and so on. My neighbours simply would do that. You gotta trust some people surely you are talking dedicated hacker here?


----------



## bond-007 (26 May 2009)

> You gotta trust some people surely you are talking dedicated hacker here?


Not at all. It is very easy for anyone to do, the info is all online. 
In a housing estate or urban area it would be very easy for an unauthorised user to be using your connection without your knowledge.


----------



## nai (26 May 2009)

sfag said:


> 3. dearg says they cant do that - i dont have them written in a file on my hard drive and i dont belive using my wifi turns a user into a hacker..
> 4 and so on. My neighbours simply would do that. You gotta trust some people surely you are talking dedicated hacker here?



just to clarify #3 - that's not what dearg said - he said that sites using SSL are encrypted ( eg Online Banking) - my point was in relation to webmail/forums/some online shopping sites etc where a simple sniffer would capture the login credentials.

#4 and so on - my point is you never know with people - criminals (including hackers) do not normally advertise themselves or their methods - just because hacking can be seen as a white collar crime doesn't make it any less legal.

NOTE : My references to hacking are relating to the common perception that hacking involves some type of illegal or nefarious intent, as opposed to the historical definition of a hacker.


----------



## Complainer (26 May 2009)

nai said:


> One point on this - MAC based security on it's own can be bypassed within minutes and is very simple to do.


How?


----------



## nai (26 May 2009)

a mixture of a linux distro, aircrack-ng, macchanger and an atheros chip wlan card - add a bit of knowledge. shouldn't take too long.
There are mixture of other tools that will provide the same end result some windows based , some linux based.


----------



## Dearg Doom (26 May 2009)

> 3. Intruder captures some of my login details for webmail and the like and posts/emails inappropriate content under my identity.





> 3. dearg says they cant do that


No I didn't. Secure sites that use SSL are very difficult/impossible to intercept and decrypt and get the detail. Traffic to non-secure web sites, pop/imap e-mail is easily analysed to determine passwords. This holds true whether your wireless network is encrypted or not. 

The summary of what I'm saying is that encryption of your wireless lan (especially WEP encryption) doesn't protect you from the list of potential risks in nai's list so therefore not having it secured, if it suits your requirements and situation, is a valid consideration.

That doesn't mean you shouldn't take other steps to protect your self and monitor the usage of the network if is open and free for all to use.


----------



## Complainer (27 May 2009)

nai said:


> a mixture of a linux distro, aircrack-ng, macchanger and an atheros chip wlan card - add a bit of knowledge. shouldn't take too long.
> There are mixture of other tools that will provide the same end result some windows based , some linux based.



Fairly sophisticated equipment and tools required here!


----------



## bond-007 (27 May 2009)

You would be surprised what people are capable of. Those items listed above are easily obtained.


----------



## nai (27 May 2009)

Complainer said:


> Fairly sophisticated equipment and tools required here!



You could download all of these (with exception of WLAN card) in approx 10 minutes - google will point the way. WLAN card can be bought online - just a few quid.


----------



## Complainer (27 May 2009)

bond-007 said:


> You would be surprised what people are capable of. Those items listed above are easily obtained.


Maybe - but would a person with these tools be likely to be spending much time breaking MAC addressing on domestic routers? Sounds a bit like the CIA breaking into your house to rob your DVD Player.


----------



## nai (27 May 2009)

Absolutely - these tools are freely available and are very much in use by teenagers and others messing around trying to do a bit of devilment which can often lead to much more serious incidents. You don't have to be any type of hacker to use them - just a little IT knowledge is sufficient.

I have an incident I've been involved in where someone sniffed a minor's email login credentials, used these to change passwords on facebook, bebo etc, uploaded some very graphic pornographic images and distributed them to all their friends (also mostly all minors). They then went on to download photos of her and photoshop them into some very disturbing porno images which were then also distributed. 

There is a case currently active with the Gardai for this.


----------



## sfag (27 May 2009)

cheers again. 
This has been educational for me. I'll use the wep despite its limited usefullness. 
Will also watch out for local pale geeky looking teenagers for they are the ones most likely to be sitting up all night learning their hacking techniques.


----------



## AlbacoreA (29 May 2009)

For light relief...
http://news.bbc.co.uk/2/hi/asia-pacific/8063769.stm


----------

