The wifi extender security issue is still rearing its head.  Yes there is still one, a major one.

I just bought a couple wifi extenders.  I won’t bother you with the brand but let’s call it tp-link.  I was very pleased it was so easy to set  up.  I had two choices, WPS (wifi protected setup) or manually through a web browser.  I decided to take the easy route and use WPS  so I plugged the extender into the light socket, turned it on, walked over to my modem and clicked WPS, walked back to the extender and hit that button.  A minute later I was up and running. I was chuffed, how simple was that.

A little later I had a thought. I wondered what would happen if I tried to log into the wifi extender using my browser.  Surely I would be locked out as the username and password would be blocked once I connected over WPS.  I used the URL the brand told me to use and was presented with username and password fields.  I used the default ones from the instructions.  I logged in.  Wow was I wrong.  Of course I promptly changed the username and password.

I cannot stress enough how much of a security hole this is.  Anyone, and I do mean anyone, near my house (or business) would have seen the wifi extender listed as a wifi connection.  They’re even nice enough to tell the bad guys the make and model of the extender and by using the default username and password (which can be found in seconds online) they would have been able to log into my home network.  At that point not only could they access the rest of the house network but they would have been able to create hidden accounts for themselves.

I can’t believe that this is still the situation these days.  You’d think they would have sorted this by now……. The takeway from this, the first thing you need to do when setting up new modems (including those supplied by broadband suppliers), wifi range extenders and other password protected devices is change the password!!!!!