o2 BB - Security Issues

Discussion in 'Home Networking' started by Paul, Apr 15, 2008.

  1. Paul

    Paul Guest

    Just got myself an o2 connection after many years on Zen (first at 2MB
    then the 8MB package). o2 Speed and reliability seems ok so far
    however, their ideas on security are scary.

    First, they give out your o2 username on every outgoing email sent via
    their smtp servers (which require authentication), it goes something
    like this...
    Next, the router they provide (speedtouch) shows up an "unknown"
    device as the first device on the Lan. Here's the divice listing
    complete with mac and IP addresses.
    So I have an actual networked device attached to my network from
    outside. This is not a node, or a gateway, it's a network device
    complete with Mac addy and fixed IP. here's the network whois info
    (trimmed) on the IP...
    So, if they just grab my "workgroup" ID they can have a good poke
    around my "shared" files. Great eh?

    Looks like I'll have to crawl back to Zen and beg forgiveness.
     
    Paul, Apr 15, 2008
    #1
    1. Advertisements

  2. What packet types or protocols can "they" use to pass through the NATting
    router with no forwards to access your LAN hosts that are sharing files?
    Tony
     
    Anthony R. Gold, Apr 15, 2008
    #2
    1. Advertisements

  3. Paul

    Adrian C Guest

    Well, that's interesting. I'm a pre-O2 Be customer. I'm on a different
    email system (OutBlaze). I'd choose a very strong password if I were you.
    <snip>

    It's the gateway port... Same IP
    Please do that. It'll mean a little more bandwidth for me :p
    Got 12mbps, could always do with a little more :)
     
    Adrian C, Apr 15, 2008
    #3
  4. Paul

    Andy Furniss Guest

    Unless things have changed if you wanted a /29 fron Zen they insisted on
    registering it in your name which I found strange given the normal
    advice to children not to give out personal details...

    Andy.

    PS I know I post from a server that gives out my ip address - but my
    kids grew up, so I don't care anymore and it's not quite as "on a plate"
    for anyone who uses msn and wants to get the details of who they are
    talking to.
     
    Andy Furniss, Apr 15, 2008
    #4
  5. Paul

    Alex Fraser Guest

    Paul wrote:
    [snip]
    There are countless email systems where the email address (or local-part
    of the email address) is the username. Is it any worse to give away the
    username part of the ADSL connection details?
    It sounds likely that this is the remote gateway of the PPP connection.
    In any case, I would be very surprised if it was anything to worry about.

    Alex
     
    Alex Fraser, Apr 16, 2008
    #5
  6. Paul

    Paul Guest

    They tell their users to keep their username/password safe then give
    out half of that info to every email recipient. Seems a tad daft to
    me, but that aside, the main worry is that the breach is hidden, so
    most users won't even know. Christ, I only checked myself because I
    was being nosey.
    I agree.
    I wouldn't.
     
    Paul, Apr 16, 2008
    #6
  7. Paul

    Paul Guest

    Yes, the 8-IP addy option, not good.
    Can one's IP addy still be grabbed via msn these days?
     
    Paul, Apr 16, 2008
    #7
  8. Paul

    Paul Guest

    They can do what they like, they are connected to the router with as
    much control as I have, if not more (hidden service menu?). O2 openly
    claim to be able to access the router for service and update (firmware
    etc.) issues. How hard would it be to configure their connection as
    part of my local network via NAT on "their" router?
     
    Paul, Apr 16, 2008
    #8
  9. Paul

    Paul Guest

    I use an alternative smtp server, much easier and safer.
    No nntp server though eh? Forgot to ask that one *before* I subbed.
     
    Paul, Apr 16, 2008
    #9
  10. Sure they can log in to help you configure or update the router, but only
    if you give them your router's administrative password.

    Hidden service menu?

    Attach to your LAN from the WAN side?

    A wild guess - did you make your foil pyramid hat with the shiny side
    facing inwards? I read somewhere they don't work properly that way around.

    :)

    Tony
     
    Anthony R. Gold, Apr 16, 2008
    #10
  11. Paul

    Paul Guest

    Hmm.. Their "technical" sales people claim their support dept can
    update the router remotely, sans login details. Does seem unlikely,
    but then these are oem routers supplied to o2's spec.
    Just a thought.
    I'm considering a second firewalled hub between the lan and the
    router, or a Zen account. TBH, Zen's 8meg seemed generally quicker
    than o2's 16meg.
    lol. There are people out there who ought to be so paranoid.
     
    Paul, Apr 16, 2008
    #11
  12. Paul

    Alex Fraser Guest

    Keeping it safe could also mean not losing it, as opposed to revealing
    it to others. That said, I do see your point about seeming "a tad daft".
    The point is, it is attached to your router (ie WAN side), not to your
    network (ie LAN side), which makes it no different to the rest of the
    Internet.

    Alex
     
    Alex Fraser, Apr 16, 2008
    #12
  13. Paul

    Herman Guest

    Just google "O2 wireless superuser" to find out how they do it. I would
    hope they have some other authentication in place to verify who has access
    though, considering the username and password are all over the place now...

    I am now off the wireless box...
     
    Herman, Apr 16, 2008
    #13
  14. Paul

    Adrian C Guest

    Yup. Dodgy Email service, no NNTP server. Don't join BE/O2 broadband....

    Best service on the planet, but I don't recommend it :)
     
    Adrian C, Apr 16, 2008
    #14
  15. Paul

    Alex Fraser Guest

    Old Speedtouch routers had an IP address configured in them which was
    incorporated into the firewall rules, effectively allowing access
    authenticated by remote IP.

    Alex
     
    Alex Fraser, Apr 16, 2008
    #15
  16. Paul

    tinnews Guest

    Surely that's akin to PVR updates etc., the new firmware is "made
    available" and the router pulls it down. Yes, thay can update the
    firmware but only when the router says so. If they wanted they could
    obviously put some sort of trojan in there but I would guess that is
    probably beyond ISP personnel anyway, the updates will come from the
    manufacturer.
     
    tinnews, Apr 17, 2008
    #16
  17. Paul

    Paul Guest

    But the point is, the router lists the 'outside' connection as a "lan"
    network device.
     
    Paul, Apr 17, 2008
    #17
  18. Paul

    Paul Guest

    Do you work for them?
     
    Paul, Apr 17, 2008
    #18
  19. Paul

    Paul Guest

    I bloody *knew* it, no way the standard 'user' interface could be
    showing all the available settings.

    Thanks chaps.
     
    Paul, Apr 17, 2008
    #19
  20. Paul

    Paul Guest

    As Alex and Herman have pointed out, there is a "hidden menu" which is
    accessible remotely with the O2 login details. Those details are...

    Name: SuperUser
    Pass: O2Br0ad64nd

    Both are case sensitive. Lots of info on the hidden stuff here.
    http://preview.tinyurl.com/6y987y
    or for the less paranoid http://tinyurl.com/6y987y

    There is also another hidden "TechnicalSupport" login name: "O2Care"
    I don't have a password but the SuperUser can reset al other user
    passwords or their user status,.

    My Admin login is now a SuperUser and the Tech Supp login "O2Care" is
    now a lowly "user". I have also changed the "SuperUser" password.

    I hace 0wned "my" new router. </joke>

    /me happy.
     
    Paul, Apr 17, 2008
    #20
    1. Advertisements

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments (here). After that, you can post your question and our members will help you out.