My Plea to Wireless Router Manufacturers

11 May 2012Chris Fairey

I had an interesting experience last week - I was asked if I could help someone figure out their wireless network key. I started thinking that I would need to crack the key (as they couldn't remember it, and didn't have it recorded anywhere), then I thought "it's probably stored in the administration interface somewhere, and that would be the best place to look", so I told them to access the admin interface and look for the key.

As this was the first time they had accessed the admin interface, they hadn't changed the default admin password, so it was easy to log in. Once logged in, they went to the wireless settings section and, there was the key. However it was stored in a password form field, which hides the characters from you. Unfortunately, and this is where it gets interesting, the value of the password field is present in the HTML, so if you view the source of the admin page, the password is there for you to copy!

No Passwords Please

My plea to the manufacturers of wireless routers is that they only provide means for you to change the wireless passphrase/key. I want them to do this, as it would safeguard the existing key from unauthorised access, should an attacker gain access to the web interface.

This may cause issues, should you forget your wireless key and then the only option you have is to change it to a new one and then re-set all your connected devices, but, in the interests of security, I feel it is the best option. It also relies on you setting a strong password to protect the admin interface, but this has always been the case, as you could use this access to change the passphrase/key.

Other Problems I've Come Across

A few years ago, I set up a Netgear wireless router, and was astounded that the keys are stored in a normal form field (not a password field). This has come in handy several times, as I can tell people with Netgear routers exactly where to go to find a copy of their keys, but is totally unacceptable, especially given the fact that most routers have remote access to their admin interfaces enabled.

My Advice

When you set up your wireless router, the first thing you should do is change the default administration password, then, once you set your wireless key, store it in an encrypted database, provided by a tool such as KeePass. This will enable you to locate it when you need it, without putting it at risk by writing it down on pieces of paper.

If you feel your wireless network key may have been compromised, then you should change it as soon as possible, preventing the unauthorised devices from accessing your network, and using it to access illegal content. If you give your wireless key to a guest when the come and stay with you for an extended period, as soon as they leave, change your keys, preventing them from accessing your network without your knowledge.

We take the pain out of IT and Cyber Security

Contact us today to cure your IT & Cyber Security headache

Tell us about your Issues
linkedin facebook pinterest youtube rss twitter instagram facebook-blank rss-blank linkedin-blank pinterest youtube twitter instagram