I just moved into a new apt, and my neighbor has a wireless router that is completely open (no MAC whitelist, not even WEP or WPA). 192.168.1.1 shows me the Netgear login screen, and the default Netgear password works. Curious and a little concerned, I logged in and poked around.
They have all the default settings, and the logs just show the same two computers connecting over and over again. Clearly, they bought it, plugged it in, it worked, and so they stopped caring.
We all know what the unethical course of action would be. You could easily route every bank’s IP address to a phishing site. Or, just install a packet sniffer on the router that will faithfully log any POST requests that they make, then look for anything looking like a password. If they use the same password twice, try that password everywhere. Once you have access to their email, game over.
If you just wanted to be annoying, you could block access to all the most popular websites for the 15 minutes when they always seem to connect, so that it’ll start working seemingly randomly just about the time that they’re calling the cable or DSL company in a huff. Or, expose their computer to the internet and just wait for various bits of malware to wriggle in.
Those are all of course completely evil. The real question is, do you protect them from their own ignorance? Do you leave their wifi network completely open, or lock it down? And, do you change the password?
I decided to leave their network open. If they want to share their internet connection with the world, far be it from me to tell them they can’t. That’s a lovely thing to do for the universe. And I don’t see a problem with using it once in a while until I get my own set up.
I did change their password. Clearly, that doesn’t matter to them. I know better, they don’t, I’d want someone to do that kind of thing for me. It’s a little presumptuous, but it also might keep them from being victimized by identity theft.
There’s an interesting lesson here. No one likes your control panel. Most users will use the defaults, always. These kinds of things are nice when you really want fine-grained control, but completely annoying, complicated, and tedious for most users. They just wanna check their email, play some scrabulous, download some porn, and go back to their normal non-technical lives.
We can of course blame the victim. How could they be so stupid to have their router open to the world. Don’t people think?!?
But it would be very hypocritical for me to say that, and I don’t think I’m unusual.
- I have never read the owner’s manual of a car I’ve driven.
- I have only a few times read the full drug information on any medications I’ve been prescribed, and then only because I was really bored.
- I plug it in. I turn it on. I only mess with it if it’s broken (or interesting.)
The difference is that, in any of these cases, the default value is not likely to be harmful. If you don’t change your oil at the right time, your car’s performance will suffer; but as long as you change it once in a while, it’ll keep moving. If a doctor is prescribing a medication, it’s probably not going to kill you, and if there’s any serious risk, they’ll usually tell you what to watch out for. Most electronic devices don’t have access to your bank accounts.
As software and hardware engineers, if our defaults put users in an unsafe situation, where their credit and savings are placed at risk, then we’ve failed them, and we’ve acted unethically.
6 Comments
I agree completely. Designing any product should include consideration of how that product will be used, and we already know that most people don’t change most defaults. A harmful default therefore counts as a design flaw.
As for accessing the dashboard and changing the password, you obviously didn’t do anything wrong there since you were given access to the system and used it responsibly. If they ever need to change anything, they can always press the reset button and fix it with little effort in the future.
Aside: it would be funny to design a captcha that only makes you type disturbing combinations of words.
Great post Isaac. You are indeed a gentleman and a scholar. I would say a lot of the newer routers ship from the factory with a random password which is printed on a sticker on the bottom of the device. This is a big step forward.
A friend of mine even got a router which when he used it for the first time prompted him to use a wizard to configure the privacy of his network which I thought was cool.
I would take away 2 points
1) always generate a random default for each user and give it to them in a way which is secure. e.g. a sticker on the bottom for the router, or an email of their default password for software
2) give users the opportunity to tell you how they want to use a product the first time they use it (as long as you have a “skip” option)
Unfortunately, by making this post, you’ve publicly admitted to breaking federal law. People have been convicted of breaking computer crime laws for using a neighbor’s open wifi internet before.
If it is for his personal use, i would rather tell him about the status. I would like to know my mistake from the others rather than being in the dark
@tom
Printing a random password on the bottom of the device is a good move, I have seen that. However, that adds manufacturing cost, because the software has to be synced up with the thing putting on the stickers. Routing software that requires a password change before granting access to the internet would be more effective, cheaper, and more secure. I’ve never seen a router with this feature, however, and it’s definitely not standard.
For many applications, a “skip” option makes sense, except where the users’ safety is concerned. In my opinion, we have a responsibility as tool makers to ensure that it’s at least somewhat inconvenient to choose the unsafe option.
@dan
IANAL, but there’s actually no federal law regarding this, as far as I can find, but rather it varies from state to state. While people have been convicted for less, in California at least, you really have to be abusing your neighbor’s pipe in order to be noticed, let alone convicted of any wrongdoing. In this case, I think “being a good samaritan and protecting my neighbor’s online security” is probably a decent affirmative defense.
It seems to me that a WiFi router should be treated like any other radio broadcasting equipment. If you start broadcasting on a frequency, it isn’t sensible to tell me that I can’t listen and broadcast a response on the same frequency, if doing so wouldn’t affect your use of the technology. If I take measures to circumvent encryption that you put up, then that’s fence-hopping.
As far as I can find, it seems the law in California puts pressure on router manufacturers to provide the user with a warning that they need to secure the network (either via a sticker, start-up screen, etc.) but does not require that routers be locked down by default, and it considers “unauthorized access” as “circumventing encryption, or being told that you’re not authorized” rather than “not explicitly receiving authorization”. (Compare this with Michigan, where checking your email is apparently illegal.)
While a warning sticker is effectively useless (look how well they stop people from smoking cigarettes), it’s about the furthest that *government* intervention should go. IMO, it’s up to the people building these tools to make sure they’re built responsibly. Government officials routinely persist in deep fundamental misunderstandings of technology, and their requirements are often worse than useless.
@saeed
I don’t doubt that you probably would. But you’re also the kind of nerd that reads about routers and feels strongly enough to comment
I’m not 100% sure which neighbor it is, and I am guessing they just want their internet to work. The reason users almost always take the defaults is because they *don’t* care. In this case, it’s not his mistake, but rather Netgear’s mistake. There is a limit to my benevolence; I don’t really feel like canvassing my apartment building to find the person with the router I locked down. 
This essay sums up pretty clearly what I was trying to get at about technology makers being ethical: “Ethicists should be inside a profession, rather than outside, because ethics itself should be inside rather than outside.” “If you’re doing ethics right, you can’t separate it from your profession.”