
Talk Talk’s Internet security team conducts a physical Wi-Fi survey that found 41% of networks in some locations were vulnerable to hijacking, proving that plans to disconnect file-sharers can expose the innocent to “superhighway robbery” of their Internet connections.
UK ISP Talk Talk, which claims to be the country’s largest broadband provider with over 4.25 million customers, has long been “dismayed” by the govt’s “u-turn on illegal file-sharing.” It and Carphone Warehouse were the first ISPs to reject any efforts to force them to “impinge its customers’ rights and restrict their freedom of use of the internet.”
After first calling Internet disconnection “too draconian,” the govt later said that its thinking had “evolved” on the issue and that “urgent action” was necessary.
However, what has often been overlooked is the fact that people won’t be accused, but rather IP addresses will, and the insecure nature of Wi-Fi connections exposes the innocent to what Talk Talk calls “superhighway robbery.”
Just this very morning it says it sent a team of its Internet security experts out to The Highway, a residential road in Stanmore, Middlesex, and within a few hours discovered that more than one-third of the total Wi-Fi connections there were vulnerable to hijacking. It even downloaded a few songs to prove its point.
A few days ago it conducted a similar Wi-Fi survey of central Ealing in West London and found that 41% of 1,083 Wi-Fi networks were vulnerable to hijacking and illegal use.
“The clear implication is that millions of people would be at risk of ‘superhighway robbery’ under Mandelson’s plans,” says Andrew Heaney, Talk Talk’s Executive Director of Strategy and Regulation. “The risk of innocent people being disconnected is not hypothetical. Consumer organizations such as Which? have been contacted by hundreds of people who have been wrongly accused of file-sharing using a similar method to the one Mandelson is suggesting.”
He’s right. An IP address in no way identifies an individual any more than a bus ticket does. All it confirms is that somebody was present at a specific location and traveled to a certain destination, but never at any time does it say who it was.
“This is why we think the Mandelson scheme is wrong-headed and naive,” adds Heaney. “The lack of presumption of innocence and the absence of judicial process combined with the prevalence of Wi-Fi hijacking will result in innocent people being disconnected.”
All the plan will do, as Heaney points out, is encourage file-sharers to use other people’s Wi-Fi connections and cause untold innocent people to stand accused and risk losing their Internet connection.
Sure, you can mandate that people secure their connections, but as we all know some people have a tough time just surfing the Internet, let alone configuring a router.
“We will continue to strongly resist any approach that does not protect the innocent,” he adds.
Too bad the UK govt isn’t as concerned as Talk Talk is.
Stay tuned.
jared@zeropaid.com


It’s amazing how many people are so lazy they won’t take a minute to read the instructions that come with a router… nowadays the whole thing sets itself up for crying out loud.
My guess is that this isn’t just talking about routers that are fully open. It probably also covers routers that have poor protection. This is either due to it using older encryption technology, a weak pass phrase, or being vulnerable to behavioral based algorithm cracking. There is software that lets you crack some wireless encryption with astounding ease.
Indeed. I recall seeing people use dictionary attacks on routers and that, in a densely populated area, is more than enough to break into at least one router (and 1 router is all you need). Granted, this was a video demonstration, but I can totally see it being very plausible.
Yeah but WEP routers haven’t been manufactured since 2004 – though I guess most have it for backwards compatibility. Either way it’s a lack of responsibility and knowledge on the part of the user and if you follow the instructions in the manual there shouldn’t be a problem.
You are going in a circle, you know.
Should also mention, based on experience from helping people set up their wireless security, that the majority of computer users will not understand even the simplest of settings due to a fear of screwing up. You can make the easiest to understand user security and it will still baffle many users. The only idiot proof system I could come up with would be an automated system using a USB key at all points on the network to communicate the settings automatically to all computers you want connected.
My router, the Linksys like Soulxtc’s has a button for SES, easy security setup. You push the button on the router and then the device and they are supposed to connect without putting any codes in. It fails because I don’t have any other devices that use that system.
Security is best if you have one or two computers that stay the same, like a simple network in an apartment or something, but if you really want to use your router it gets hard. Add wireless printers and other pieces, or friends who come with phones and laptops and expect to use the net, then it’s a big pain.
Then it’s where you live too, if you’re in the country who cares, but with an apartment in the city you have to look at security more.
I usually only set people up with the WPA2 encryption and give them a copy of the password and show them where to change it. The only difference I have on my home setup is that I get rid of the SSID broadcasting and put in a MAC address filter.
I think that SES uses WPA also, I’m sure from what I read it’s higher than WEP.
One of my friends’ sister got a plug-in Linksys USB Wi-Fi antenna and when she got on it could see they had a Linksys router and said to set up a secure connection to click this button, and then push the button on the router. She thought it was the only way they could get on the net from the laptop, so they did it, but my friend couldn’t get on at all, locked out, and they spent an evening trying to get it back to the way it was.
Hiding the SSID, I have never tried that, but it sounds like a good idea and maybe that would be easier for guests to use than a pass phrase.
The security level goes WEP (useless since it’s easily cracked), WPA, WPA2, whatever ends up replacing WPA2.
You should still have a pass phrase, even if you turn off SSID broadcasting. It encrypts your airwaves to prevent snooping. Otherwise all your communication between your router and computer can be fished out of the air, not very safe to do so, it’s not like giving someone your pass phrase to connect is time consuming or difficult.
Stopping SSID broadcasting only makes the network invisible to the uninformed user. It doesn’t send out information that this is a network and here are the details. To connect to the network you need to input the name and details manually. Blocking SSID broadcasting is just as much of a pain as a pass phrase but offers no data security.
Finally MAC filters are simply an extra step in the security line. Most advanced users can just spoof their MAC address to get access to your network, but it’s still an extra layer of security. It is however the most annoying security feature for when you want to allow someone access to your network. You have to manually add their MAC address to the router’s list for them to connect.
War driving, aka borrowed bandwidth.
Hey that looks like the exact same router that I have!
I have people at the bus stop across the street who piggy back. I see the lights start to flash when no computer is on, and then look out of the window and someone always has a phone or laptop open every time.
Hiding SSID or using MAC address filtering is security through obscurity. Both SSID and MACs are sent over the air in plaintext, even when hidden. Anyone with InSSIDer or Kismet can see them. It’s only effective when there’s an easier target in the same neighbourhood (i.e. no encryption, visible SSID, no MAC filtering).
If your router is using WPA or WPA2 encryption, then hiding SSID or doing MAC address filtering offers no additional security.
–Bob.
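Added example (not part of the original article or comments): a small Python audit that applies the thread's points to a survey list, judging each network on its encryption alone and recording hidden SSID and MAC filtering only as notes that never change the verdict. The survey rows, the cut-off (open and WEP count as vulnerable) and all function names are assumptions made for illustration.

```python
from collections import Counter

# Ranking taken from the comment thread: open < WEP < WPA < WPA2.
TIERS = {"OPEN": 0, "WEP": 1, "WPA": 2, "WPA2": 3}
# Assumption: anything at or below WEP counts as "vulnerable to hijacking".
WEAK_MAX_TIER = TIERS["WEP"]

# Constructed sample survey: (ssid, encryption, mac_filter); "" = hidden SSID.
SURVEY = [
    ("HomeNet", "WPA2", False),
    ("", "OPEN", True),
    ("linksys", "OPEN", False),
    ("Flat4", "WEP", False),
    ("Upstairs", "WPA", False),
    ("", "WPA2", True),
    ("Guest", "wep", True),
    ("Office", "WPA2", False),
]

def assess(ssid, encryption, mac_filter):
    """Return (vulnerable, notes) for one network, judged on encryption alone."""
    enc = encryption.strip().upper()
    if enc not in TIERS:
        raise ValueError(f"unknown encryption type: {encryption!r}")
    vulnerable = TIERS[enc] <= WEAK_MAX_TIER
    notes = []
    if enc == "OPEN":
        notes.append("no encryption: traffic is readable and anyone can join")
    elif enc == "WEP":
        notes.append("WEP is easily cracked: move to WPA2")
    # Hidden SSID and MAC filtering never change the verdict: both values are
    # sent in plaintext, so they are recorded as informational notes only.
    if ssid == "":
        notes.append("hidden SSID: not counted as protection")
    if mac_filter:
        notes.append("MAC filter: not counted as protection")
    return vulnerable, notes

def survey_summary(rows):
    """Return (vulnerable_count, total, percent, per-encryption counts)."""
    vulnerable = sum(assess(*row)[0] for row in rows)
    by_enc = Counter(row[1].strip().upper() for row in rows)
    total = len(rows)
    percent = round(100 * vulnerable / total, 1) if total else 0.0
    return vulnerable, total, percent, dict(by_enc)

if __name__ == "__main__":
    print(survey_summary(SURVEY))
```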
Thanks Bob, I can understand why that would be the case. I just saw a site, it might have been Steve Gibson’s site that said that hiding the SSID can cause more interference because other wi-fi routers could be set to your channel, and the owners wouldn’t know since they didn’t find yours there.