Eircom knew about security flaw, says engineer

3 Oct 2007

Since early March, Eircom has been aware of a security flaw which allows hackers to piggyback the broadband of over 200,000 of its customers who use Netopia wireless modems, according to Peter McShane, the software engineer who first alerted the telecoms company to the problem.

“I contacted them at the beginning of March this year and give them the full details of the issue, which was the first time they were made aware of this,” he said.

McShane told siliconrepublic.com that over the subsequent five or six months he was in contact with the company but saw “very little movement” leading him to contact the Commissions for Communications Regulation (ComReg) at the beginning of September.

“When I went to ComReg they shared my misgivings about the fact that there was no intention from Eircom at that stage to proactively inform people that there was something amiss ,” said McShane.

Following this, McShane was in the process of discussing with Eircom how its customers should be alerted to the security flaw when someone else went public with the issue.

He says Eircom’s official line up to this point was to put a notification in with new shipping modems along with information somewhere on its website on how to change the WEP (Wired Equivalent Privacy) key, i.e. security settings.

McShane didn’t feel that this was an adequate measure given his count that there is in excess of 200,000 people with these routers already, and in many cases he feels that people are not even aware that they have a modem with wireless functionality that can be switched on or off.

A spokesperson from Eircom said that only a person with technical expertise would be able to exploit this security flaw but McShane disagrees.

“Anyone with a reasonable knowledge of computers that uses information on certain web sites can get someone’s default WEP key”, he claimed.

McShane explained that several websites have applications that will spit out the serial number of the compromised Netopia wireless routers as long as the SSID, or wireless ID, is entered.

SSID of any of these wireless modems can be seen as soon as someone searches for the nearest WiFi connection from their laptop, McShane said.

“Once you know the serial number you don’t need to know all the gory details. On an Eircom CD or site they give you a program where you type in your serial number and it gives you the WEP key,” said McShane.

By Marie Boran