Last night I decided I wanted to see what might appear over my network if I booted two of my computers up and started surfing the web. I hadn’t touched Wireshark in ages, but as I have recently committed myself to Information Security, I thought I would let my curiosities run wild.
My router, a Century Link ZyXEL, is currently configured to allocate IP addresses statically, but I hadn’t checked which addresses were assigned to my devices. I logged into the router, stopped my capture session, and sure enough I found the admin username and password in plaintext in the HTTP POST call.
This makes sense since you aren’t typically accessing a router from outside your network, and it also makes sense because you need to set the router up before you have an internet connection. The device needs to work without access to a certificate authority. What I do find very interesting, however, is that somewhere, somehow, the router is running a web server, which is the primary interface for configuration. Is there even a way to force a secure connection over HTTP without an external certificate authority for HTTPS?
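To make the capture finding concrete, here is an added example (my own code, not from the original post) that scans a raw HTTP request the way Wireshark shows it and flags credentials travelling in the clear, either as an `Authorization: Basic` header or as a login-form field in a POST body. The sample request, the `/login.cgi` path and the field-name list are constructed assumptions, not taken from the ZyXEL router.

```python
# Added example: detect credentials sent over plain HTTP in a captured request.
import base64
from urllib.parse import parse_qs

# Field names commonly used by login forms (assumption; extend for your devices).
CREDENTIAL_FIELDS = {"password", "passwd", "pwd", "pass", "admin_password"}

def parse_http_request(raw: bytes):
    """Split a raw HTTP/1.x request into (method, path, headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers, body

def find_cleartext_credentials(raw: bytes):
    """Return findings describing credentials carried by this HTTP request.
    Only usernames and field names are reported, never the secret itself."""
    method, path, headers, body = parse_http_request(raw)
    findings = []
    auth = headers.get("authorization", "")
    if auth.lower().startswith("basic "):
        user = base64.b64decode(auth.split(" ", 1)[1]).split(b":", 1)[0]
        findings.append(f"HTTP Basic auth for user {user.decode('latin-1')!r} on {path}")
    ctype = headers.get("content-type", "")
    if method == "POST" and ctype.startswith("application/x-www-form-urlencoded"):
        form = parse_qs(body.decode("latin-1"))
        for field in form:
            if field.lower() in CREDENTIAL_FIELDS:
                findings.append(f"form field {field!r} submitted in cleartext to {path}")
    return findings

# Constructed sample request modelled on a router login POST (not real traffic).
SAMPLE_POST = (
    b"POST /login.cgi HTTP/1.1\r\n"
    b"Host: 192.168.0.1\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: 34\r\n"
    b"\r\n"
    b"username=admin&password=ExamplePW1"
)

if __name__ == "__main__":
    for finding in find_cleartext_credentials(SAMPLE_POST):
        print("WARNING:", finding)
```

Feeding it the reassembled TCP stream of a login (Wireshark's "Follow TCP Stream" output saved as raw bytes) gives the same one-line finding without echoing the password.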
I can imagine any number of social engineering attempts at coffee shops where I could ask a savvy owner or manager to check the connection because “the wifi isn’t working for me”. One simple login from the owner/manager and the entire network could be compromised. Not that coffee shop wifi is secure anyway.
Since I am surrounded by XfinityWifi routers in my apartment, I wonder too whether the actual Xfinity logins are encrypted, though I don’t believe I have ever seen an Xfinity router that was. I’m going to assume that the logins are encrypted, but I am rather curious.