My whole housing development recently changed Internet Service Providers. We now have optical fibre from Ownit, offering hundreds of megabits per second. It works just fine. But there’s a security issue and Ownit aren’t taking it seriously.
All over Sweden, Ownit are deploying wifi routers that work out of the box. If you want to change any settings on your router (such as the name of the access point or the wifi password), you’ll find a URL in the manual which brings up a set of admin menus. Same URL on all their routers. All over Sweden.
Actually, Ownit holds the password to the “admin” account and won’t tell you what it is. But if asked, they will happily tell you that there’s a “user” account with a lot of the same capabilities, and give you its extremely easily guessed preset password. Which is the same on all their routers. All over Sweden. In order to change the “user” account’s password, you have to take the initiative yourself: tell user support the new password and ask them to change it for you.
Some users may want to run an unprotected wifi access point. Almost all users will want to give their wifi password to friends and family members, even to casual acquaintances. In either case, most people will believe that all they’re opening up there is the link from people’s laptops and smartphones out onto the net. But unless special care has been taken by a semi-knowledgeable owner, they are also in effect giving the same people access to the router’s (limited) admin menus.
Let’s say your teenage son Jack gives the family wifi password to his girlfriend Jill so she can watch YouTube on her smartphone. Three months later, Jill dumps Jack because of what he did with Zuleika behind the crafts building. Jill then walks past your house one day, stops outside the fence, sets the name of your wifi access point to “Jack.Has.A.Tiny.Penis” and changes the wifi password. All computers in your house are now off the internet. And in order to do something about this, the family’s tech person will need a certain amount of knowhow and an IP cable. Note that the people most likely to end up in this situation are the ones with little knowhow who wouldn’t even recognise an IP cable.
Someone might say, “That’s why people need to change their wifi passwords often!” Well, Ownit’s customers aren’t given the admin login info for their routers unless they ask for it. The easily guessed admin login info they need to change their wifi passwords. The login info that heartbroken and disgruntled Jill already has, for all intents and purposes, since it’s the same on every Ownit router across the country.
Summing up: Ownit gives new customers unique wifi passwords. But they also need to start giving them unique passwords for the “user” account on their routers.