o2 customers risk prosecution due to security problem

If you currently use the o2 Wireless Box 2 or 3 you will no doubt be aware
that o2 is supplying the routers and encouraging people to use them KNOWING
there is a security problem.
Example of code to explot the security problems can be found in the latest
edition of PHRACK Magazine.
At the moment every o2 customer using the supplied wireless router can have
their systems looked at by anyone who knows how to login remotely. Changes
can be made to settings and all 450,000 home users could be acting as BOTs!

If you use the router from o2 your bank/paypal/ebay and other details are
NOT secure. o2 refuse to do anything about the problem. This means that if
you get a knock from the Police at least you have a defence when you end up
in Court for illegal activities! The problem is that o2 lie and say the
router is secure.

o2 has their own backdoor to the routers using the "o2Care", "SuperUser" and
"PowerUser" logins through various ports, but these are also available to
anyone knowing the standard passwords.

I can't believe o2 has been so stupid as to put every customer at risk.

On Mon, 31 Aug 2009 14:03:56 +0100, Roger wrote:

> Example of code to explot the security problems can be found in the
> latest edition of PHRACK Magazine.

Do you have a link please as I've not been able to find it.

On Mon, 31 Aug 2009 13:03:56 UTC, "Roger" <(E-Mail Removed)>
wrote:

> If you currently use the o2 Wireless Box 2 or 3 you will no doubt be aware
> that o2 is supplying the routers and encouraging people to use them KNOWING
> there is a security problem.
> Example of code to explot the security problems can be found in the latest
> edition of PHRACK Magazine.
> At the moment every o2 customer using the supplied wireless router can have
> their systems looked at by anyone who knows how to login remotely. Changes
> can be made to settings and all 450,000 home users could be acting as BOTs!
>
> If you use the router from o2 your bank/paypal/ebay and other details are
> NOT secure. o2 refuse to do anything about the problem. This means that if
> you get a knock from the Police at least you have a defence when you end up
> in Court for illegal activities! The problem is that o2 lie and say the
> router is secure.
>
> o2 has their own backdoor to the routers using the "o2Care", "SuperUser" and
> "PowerUser" logins through various ports, but these are also available to
> anyone knowing the standard passwords.
>
> I can't believe o2 has been so stupid as to put every customer at risk.

No comment.

--
[ 7'ism - a condition by which the sufferer experiences an inability
to give concise answers, express reasoned argument or opinion.
Usually accompanied by silly noises and gestures - incurable, early
euthanasia recommended. ]

On Mon, 31 Aug 2009 13:44:03 UTC, R Johnson <(E-Mail Removed)> wrote:

> On Mon, 31 Aug 2009 14:03:56 +0100, Roger wrote:
>
> > Example of code to explot the security problems can be found in the
> > latest edition of PHRACK Magazine.
>
> Do you have a link please as I've not been able to find it.

It's not the latest edition. It's in issue 65.

Nothing new - merely the same stuff that Darren posted. Which may or may
not be the same flaw that I referred to indirectly.

--
[ 7'ism - a condition by which the sufferer experiences an inability
to give concise answers, express reasoned argument or opinion.
Usually accompanied by silly noises and gestures - incurable, early
euthanasia recommended. ]

"Roger" <(E-Mail Removed)> writes:

> o2 has their own backdoor to the routers using the "o2Care", "SuperUser" and
> "PowerUser" logins through various ports, but these are also available to
> anyone knowing the standard passwords.

If they want to have remote configuration access to the routers, then at
the very least they should be using some form of Public Key
authentication - something like SSH or HTTPS[1] - or using IPSec and
preferably also restricting the IP addresses from which such remote
connections are allowed. Anything less than this would IMHO amount to
negligence.

[1] With the requirement for the connecting client to present a
certificate and only accept certificates signed by the ISP.

On Mon, 31 Aug 2009 14:01:31 +0000, Bob Eager wrote:

> On Mon, 31 Aug 2009 13:44:03 UTC, R Johnson <(E-Mail Removed)> wrote:
>
>> On Mon, 31 Aug 2009 14:03:56 +0100, Roger wrote:
>>
>> > Example of code to explot the security problems can be found in the
>> > latest edition of PHRACK Magazine.
>>
>> Do you have a link please as I've not been able to find it.
>
> It's not the latest edition. It's in issue 65.
>
> Nothing new - merely the same stuff that Darren posted. Which may or may
> not be the same flaw that I referred to indirectly.

So, basically no POC. In other words, it cannot be cited and, on balance,
must be dismissed as inaccurate. Pity, would have been nice to have a
poke around with.

On Mon, 31 Aug 2009 17:39:14 UTC, R Johnson <(E-Mail Removed)> wrote:

> On Mon, 31 Aug 2009 14:01:31 +0000, Bob Eager wrote:
>
> > On Mon, 31 Aug 2009 13:44:03 UTC, R Johnson <(E-Mail Removed)> wrote:
> >
> >> On Mon, 31 Aug 2009 14:03:56 +0100, Roger wrote:
> >>
> >> > Example of code to explot the security problems can be found in the
> >> > latest edition of PHRACK Magazine.
> >>
> >> Do you have a link please as I've not been able to find it.
> >
> > It's not the latest edition. It's in issue 65.
> >
> > Nothing new - merely the same stuff that Darren posted. Which may or may
> > not be the same flaw that I referred to indirectly.
>
> So, basically no POC. In other words, it cannot be cited and, on balance,
> must be dismissed as inaccurate. Pity, would have been nice to have a
> poke around with.

No, there's POC on there. Code you can try. It just may not be the same
flaw.

--
[ 7'ism - a condition by which the sufferer experiences an inability
to give concise answers, express reasoned argument or opinion.
Usually accompanied by silly noises and gestures - incurable, early
euthanasia recommended. ]

On Mon, 31 Aug 2009 18:42:04 +0000, Bob Eager wrote:

> On Mon, 31 Aug 2009 17:39:14 UTC, R Johnson <(E-Mail Removed)> wrote:
>
>> On Mon, 31 Aug 2009 14:01:31 +0000, Bob Eager wrote:
>>
>> > On Mon, 31 Aug 2009 13:44:03 UTC, R Johnson <(E-Mail Removed)>
>> > wrote:
>> >
>> >> On Mon, 31 Aug 2009 14:03:56 +0100, Roger wrote:
>> >>
>> >> > Example of code to explot the security problems can be found in
>> >> > the latest edition of PHRACK Magazine.
>> >>
>> >> Do you have a link please as I've not been able to find it.
>> >
>> > It's not the latest edition. It's in issue 65.
>> >
>> > Nothing new - merely the same stuff that Darren posted. Which may or
>> > may not be the same flaw that I referred to indirectly.
>>
>> So, basically no POC. In other words, it cannot be cited and, on
>> balance, must be dismissed as inaccurate. Pity, would have been nice to
>> have a poke around with.
>
> No, there's POC on there. Code you can try. It just may not be the same
> flaw.
So does the article relate to this specific issue or a different issue?
Do we have a link? This is all starting to look like half a storm in a
small teacup. Two days of posting, but *no* POC for the allegation
raised. It's simply not credible like this - and could even border on
liable/slander. I'm sure the OP is sincere, so let's all work together
here and nail this as fact or fiction.

On Mon, 31 Aug 2009 19:06:57 UTC, R Johnson <(E-Mail Removed)> wrote:

> On Mon, 31 Aug 2009 18:42:04 +0000, Bob Eager wrote:
>
> > On Mon, 31 Aug 2009 17:39:14 UTC, R Johnson <(E-Mail Removed)> wrote:
> >
> >> On Mon, 31 Aug 2009 14:01:31 +0000, Bob Eager wrote:
> >>
> >> > On Mon, 31 Aug 2009 13:44:03 UTC, R Johnson <(E-Mail Removed)>
> >> > wrote:
> >> >
> >> >> On Mon, 31 Aug 2009 14:03:56 +0100, Roger wrote:
> >> >>
> >> >> > Example of code to explot the security problems can be found in
> >> >> > the latest edition of PHRACK Magazine.
> >> >>
> >> >> Do you have a link please as I've not been able to find it.
> >> >
> >> > It's not the latest edition. It's in issue 65.
> >> >
> >> > Nothing new - merely the same stuff that Darren posted. Which may or
> >> > may not be the same flaw that I referred to indirectly.
> >>
> >> So, basically no POC. In other words, it cannot be cited and, on
> >> balance, must be dismissed as inaccurate. Pity, would have been nice to
> >> have a poke around with.
> >
> > No, there's POC on there. Code you can try. It just may not be the same
> > flaw.
> So does the article relate to this specific issue or a different issue?

I think it's actually a different one.

> Do we have a link? This is all starting to look like half a storm in a
> small teacup. Two days of posting, but *no* POC for the allegation
> raised.

The guy on the webite I originally cited (a) probably isn't reading this
newsgroup (b) indicated it wouldn't be quick [waiting until there is a
fix] and (c) has stated so on the website.

> It's simply not credible like this - and could even border on
> liable/slander. I'm sure the OP is sincere, so let's all work together
> here and nail this as fact or fiction.

How?

--
[ 7'ism - a condition by which the sufferer experiences an inability
to give concise answers, express reasoned argument or opinion.
Usually accompanied by silly noises and gestures - incurable, early
euthanasia recommended. ]

"R Johnson" <(E-Mail Removed)> wrote in message
news:4a9c1f51$0$2535$(E-Mail Removed)...
> On Mon, 31 Aug 2009 18:42:04 +0000, Bob Eager wrote:
>
>> On Mon, 31 Aug 2009 17:39:14 UTC, R Johnson <(E-Mail Removed)> wrote:
>>
>>> On Mon, 31 Aug 2009 14:01:31 +0000, Bob Eager wrote:
>>>
>>> > On Mon, 31 Aug 2009 13:44:03 UTC, R Johnson <(E-Mail Removed)>
>>> > wrote:
>>> >
>>> >> On Mon, 31 Aug 2009 14:03:56 +0100, Roger wrote:
>>> >>
>>> >> > Example of code to explot the security problems can be found in
>>> >> > the latest edition of PHRACK Magazine.
>>> >>
>>> >> Do you have a link please as I've not been able to find it.
>>> >
>>> > It's not the latest edition. It's in issue 65.
>>> >
>>> > Nothing new - merely the same stuff that Darren posted. Which may or
>>> > may not be the same flaw that I referred to indirectly.
>>>
>>> So, basically no POC. In other words, it cannot be cited and, on
>>> balance, must be dismissed as inaccurate. Pity, would have been nice to
>>> have a poke around with.
>>
>> No, there's POC on there. Code you can try. It just may not be the same
>> flaw.
> So does the article relate to this specific issue or a different issue?
> Do we have a link? This is all starting to look like half a storm in a
> small teacup. Two days of posting, but *no* POC for the allegation
> raised. It's simply not credible like this - and could even border on
> liable/slander. I'm sure the OP is sincere, so let's all work together
> here and nail this as fact or fiction.

Or even libel?
;-)

George
(not liable for anything, m'lud....)