Westell 327W Security Flaw - WPA2 Key Shown on Status Screen - No Login Required
stargate
Enthusiast - Level 1

Has anyone at Verizon addressed the issue with the Westell 327W in that the security key is accessible to ANYONE that is on the network? While home users may not be seen as priority number one in motivation to write a patch for the firmware, small business users are indeed a group that is at high risk here. Anyone that has a computer on the network may gain access to the security key and pass that on to others and/or come back at night with their personal laptops and gain access to the network.

I have had at least two clients express concern about this issue.

Issue Location: Wireless Status Page: http://GATEWAY-IP-HERE/wireless_status.htm

Main Problem: NO LOGIN REQUIRED to view WPA2 Shared Key and below, WPA, WEP, etc.

Risk:  Severe Security Flaw

I urge Verizon's advanced technical group to push a firmware patch to resolve this issue.

0 Likes
Re: Westell 327W Security Flaw - WPA2 Key Shown on Status Screen - No Login Required
dslr595148
Community Leader

#1 What web browser are you on?

---

#1 If I log-in to my router and do not close the web browser when done, the web browser will remember my log-in info.

#2 I do not have the web browser set to remember the log-in to the router.

a) Since I am using Firefox, I went to the screen that is addressed at http://support.mozilla.com/en-US/kb/Options+window+-+Security+panel?style_mode=inproduct

b) Then I went to Saved Passwords.

c) The user name and password of my router is not in that area.

^^

0 Likes
Re: Westell 327W Security Flaw - WPA2 Key Shown on Status Screen - No Login Required
SGC
Newbie

Hi, I am the same person that posted this thread, however I somehow misplaced my PW. In any event, new name, same issue.

The issue is recreated on any browser, Opera, IE6, IE8 x86 and x64.

The issue can be recreated on any computer - even computers I never used prior to access the gateway.  Further, while I can view the "status" screen without authentication the router indeed requests a User Name / PW when clicking on the "Basic Wireless Settings", Firewall and so forth.

The gateways that I have seen this problem on are all updated to the new VZ branded Firmware, VER:4.04.03.00  and have been updated in most cases to take advantage of WPA2.

It is an odd flaw, surely an oversight when the firmware was coded. However, a major problem for any network that is used by employees or any other people that may not be "fully trusted". My examples in the prior post of an employee gaining access to the network on an off day or after hours is a prime example of how this flaw could be exploited. I hope that the VZ team pushes a fix and if they sub the work to Westell ... surely a patched firmware should be given to VZ without much of an issue.

Searching the forum here, I found one old post on the issue... so it is and has been an issue for a while now.

To recreate this issue on the latest firmware, go to (from the internal LAN where the gateway is connected):

http://GATEWAY-IP/wireless_status.htm

There you will see a summary page, and included on the page you will see the WPA Key along with other status information.

0 Likes
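
An added example, not part of the original posts and not Verizon or Westell code: a check an administrator can run against their own gateway, for instance after a firmware update, to confirm whether the status page described in this thread still answers without credentials and renders a key field. The function names, the label regex and the sample responses are assumptions constructed for illustration; the real page's markup is not shown in the thread.

```python
import re
import urllib.error
import urllib.request

# Assumed labels that indicate a wireless secret is rendered on the page.
KEY_LABEL = re.compile(r"(WPA2?|WEP)[^<:]{0,30}(key|passphrase)|shared\s+key", re.I)
TAG = re.compile(r"<[^>]+>")

def classify(status, headers, body):
    """Classify one unauthenticated response without extracting the key itself."""
    names = {k.lower() for k in headers}
    if status in (401, 403) or "www-authenticate" in names:
        return "auth-required"
    text = TAG.sub(" ", body)  # drop markup so labels split across cells still match
    return "exposed-key" if KEY_LABEL.search(text) else "no-key-shown"

def check_gateway(base_url, path="/wireless_status.htm", timeout=5):
    """Request the status page with no credentials and classify the answer."""
    url = base_url.rstrip("/") + path
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            body = resp.read().decode("latin-1")
            return classify(resp.status, dict(resp.headers.items()), body)
    except urllib.error.HTTPError as err:
        # urllib raises on 401/403; the challenge headers are on the exception.
        return classify(err.code, dict(err.headers.items()), "")

# Constructed sample responses (not captured from a real device).
SAMPLES = {
    "flawed": (200, {"Content-Type": "text/html"},
               "<tr><td>WPA2 Shared Key:</td><td>EXAMPLE-NOT-A-REAL-KEY</td></tr>"),
    "patched": (401, {"WWW-Authenticate": 'Basic realm="gateway"'}, ""),
    "status-only": (200, {"Content-Type": "text/html"},
                    "<tr><td>SSID:</td><td>example</td></tr>"
                    "<tr><td>Security:</td><td>WPA2</td></tr>"),
}

if __name__ == "__main__":
    for name, sample in SAMPLES.items():
        print(name, "->", classify(*sample))
```

Calling `check_gateway("http://GATEWAY-IP")` from a machine on the LAN performs the live check; a result of `exposed-key` means the page is served without a login and shows a key label.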
Re: Westell 327W Security Flaw - WPA2 Key Shown on Status Screen - No Login Required
dslr595148
Community Leader

Ok.

I was thinking critically about this issue.

For the user to see that info they have to be on your network (Wired or Wireless).

So, how is this a problem - If they are on your network (Wired or Wireless) and they see the WPA2 key?

Now if the router has a Default Wireless key that is based upon the MAC Address, while I understand something is better than nothing, that is a problem.

For example I point you to http://www.grc.com/sn/sn-220.htm

Quick quote from there.


Eric Nichols in Odessa, Delaware, with the Security Disaster of the Week. Subject: FIOS WEP crack - say that three times fast - no packet sniffing necessary.
0 Likes
Re: Westell 327W Security Flaw - WPA2 Key Shown on Status Screen - No Login Required
BETA
Newbie

Like stated above, this is a security problem because an employee could gain access to the network with a wireless device off hours.

Using WPA2, nothing can be sniffed.

So, the question is, will Verizon address this security issue??

Some small businesses have a lot of employees and certainly not all of them are "trusted" and let's not forget the disgruntled that may be let go, etc.

While home users are less likely to have an issue here, there is still the problem of a kid's friends getting access or other such silly things, but you are right that with the home user this is less of an issue.

That said, this DSL modem is used by many small businesses that VZ serves.  It is, I feel, their duty to address this issue and I am happy to see someone bring attention to the matter.

Sadly, I fear VZ doesn't read these forums and we may get more action if we bring this issue up at dslreports.com aka broadbandreports.com

Keeping my fingers crossed in seeing how VZ responds to this issue.

0 Likes
Re: Westell 327W Security Flaw - WPA2 Key Shown on Status Screen - No Login Required
dslr595148
Community Leader

I posted over at DSLR about this.

Someone told me, that it depends on the firmware of the router.

^^

0 Likes
Re: Westell 327W Security Flaw - WPA2 Key Shown on Status Screen - No Login Required
Hubrisnxs
Legend

disregard

0 Likes