Breakage in breakage

Verizon's FIOS Wireless Access Point devices (the Actiontec-made devices used by many Verizon customers to connect to the Net) is programmed to set its default WEP key to the last 40 bytes of its MAC address - that is, the unique identifier of the router's WAN port.

This MAC address is easily discoverable using a simple wireless packet sniffer such as Kismet. The vulnerability was discovered and published by a guy choosing to call himself Paul, which goes to show that not everyone is in the business for the cash or the fame.

What this vulnerability does (once found) is to give remote attackers zero-effort access to affected customers’ WLANs and to their Internet connections – not that WEP security isn’t easily crackable in the first place, but there’s a difference between “minimal effort” (half an hour tops with a weak computer) and “no effort”, the same that exists in a burglar’s mind between “standard Yale lock – closed – on the patio door” and “patio door slightly ajar”.

Devices and bits of software designed to be insecure by default are a big problem we’re all facing – the added cost of some security, in this case, would have been effectively nil – the router software could’ve chosen key at (pseudo)-random and would have been just as insecure as any other WEP user, or could’ve used WPA2, for the same marginal cost of ~0.0 USD. That the router manufacturer chose not to do so is a vivid illustration of the principle that the costs of failed security should be borne at least in part by those who’ve implemented the faulty security in the first place.

Due dilligence already has its firmly established place in the business world at large. Why not in the security industry as well?

About the author


Razvan Stoica is a journalist turned teacher turned publicist and
technology evangelist. When Bitdefender isn't paying him to bring complex subjects to wide audiences, he enjoys writing fiction, skiing and biking.

Razvan Stoica started off writing for a science monthly and was the chief
editor of a science fiction magazine for a short while before moving on to
the University of Medicine in Bucharest where he lectured on the English
language. Recruited by Bitdefender in 2004 to add zest to the company's
online presence, he has fulfilled a bevy of roles within the company since.

In his current position, he is primarily responsible for the communications and community-building efforts of the Bitdefender research and technology development arm.