12

I was recently at a village hall (in the UK), some distance from where I live, for a party. I noticed that they had unsecured wi-fi with an SSID of NETGEAR. I assumed it was free wi-fi for users of the hall so I connected with my phone (now I think about it, I don't recall seeing the free wi-fi logo). The fact that the SSID of NETGEAR was the default that many routers are shipped with didn't go unnoticed by me, so I found the gateway IP, connected with Safari, and out of curiosity, tried the default username and password for the majority of Netgear routers - it let me into the admin console.

I guess I shouldn't have tried to log in to the admin console without the owner's permission, but I feel I should let them know that they are vulnerable, and should change the password from default. I could perhaps make up a story that I thought I was connected via VPN to my router at home, but the connection had failed, or some such rubbish, but I'd rather not lie.

What should I do? Should I just forget it because I shouldn't have tried to gain access? Should I tell them the truth because I didn't do anything malicious?

Mark Davidson
AnonID
  • 2
    Interesting question. I'd be interested in any opinions you get on this one. – Grezzo Jul 09 '12 at 15:32
  • 2
    Are you sure it was the Wi-Fi of the village hall? Could have been a neighbouring house? The village halls I've been to have been surrounded with residential places. I would be sure who it was before you start thinking about informing anyone. – SomethingSmithe Jul 09 '12 at 15:51
  • 2
    I would just leave it alone. – Ramhound Jul 09 '12 at 15:57
  • First sentence of your second paragraph pretty much covers it. Don't mess wit' networks you ain't s'posed to be messin' wit'. – Iszi Jul 09 '12 at 16:38
  • Let this be a lesson to you, no finger poken among der blinken lights lest der bolts of electricity rise out and smite thyne asse. Same goes with networks, back off, forget it and never return. This is one of those situations where no good deed goes unpunished, no harm, no foul and keep your fingers crossed. – Fiasco Labs Jul 10 '12 at 00:28
  • It does not look like these people attempted any security -- just send them an email. – November Jul 10 '12 at 13:57
  • Please sit still, sir. The harmony enforcers are on the way. If you hear sirens, know that it will all be over soon. – Mark Buffalo Nov 23 '17 at 07:59

5 Answers

12

Send them an anonymous email/snailmail. What they do with it is their responsibility. Your conscience will be clear.

Matrix
4

Honestly, I wouldn't do anything (including ever connecting to their network again).

Someone set up the router and left the default password on the admin account. This same person configured it so the wifi router has no security for connections.

It seems to me either the person setting it up doesn't care at all about security of that network, or purposely left it as insecure as possible -- e.g., for plausible deniability of actions a government could make illegal.

People have a history of acting badly to reports of these things. My guess is that informing them of their bad decisions will only direct ire towards you; and that they are likely to leave it weakly configured in some other way. You could attempt to report it to them anonymously; but personally I wouldn't bother.

dr jimbob
3

Report it to a CSIRT anonymously and don't test things you are not meant to! It can easily get you into big trouble depending on where you live!

Andrei Botalov
balgan
0

Just tell them, if this Netgear is theirs and if so, tell them it's unsecure. Simple. What's the problem? Nobody says actually that you will start using or hacking through it.

Andrew Smith
  • 5
    Yes, but the problem is that by using the WiFi without permission, OP already trespassed. The fact that the WiFi was completely unsecured does not matter in this regard. – tdammers Jul 09 '12 at 21:02
0

It sounds like you didn't do anything more than explore. Either way, you kind of went somewhere you may not have been invited to go. Q: do you know it's their network and not a neighboring house/business?

IF it is indeed theirs, I'd say that, for me as a professional whose job includes security, it would be irresponsible of me to not say something. I'd suggest something along the lines of "I noticed you have a wireless network that uses the default name of 'Netgear'. That comes with a default admin name and password of [X and Y], which can be looked up at [site]. It's not my network, but I'd suggest considering changing those three things. Otherwise anyone can access your wireless network." You don't need to confess to a potential criminal act; just telling them someone could is sufficient.

(I used to work with a guy whose response to this was to gain access like you describe and change the SSID to "You've been hacked". I don't recommend that.)

baldPrussian