Comcast storing WiFi passwords in cleartext?
Peter Beckman
beckman at angryox.com
Wed Apr 24 02:13:55 UTC 2019
On Wed, 24 Apr 2019, Luke Guillory wrote:
> OP said they logged into their account and went to the security portion
> of the portal. So one can assume they're the ISP or I don’t see the point
> in asking how Comcast would know the info.
It is entirely possible that an account separate and hidden from the
customer account would be able to access the administrative controls of the
router. It is also plausible that the access does not use a
username/password to authenticate but another, hopefully secure method.
One could make this access secure by:
1. Ensuring any connection originated from Company-controlled IP space
2. Username/Password are not provided to the CS agent but is merely a
button they press, after properly authenticating themselves as well
as authenticating the customer, that would pass a one-time use
token to access the device
3. Every token use was logged and regularly audited
4. Keys were regularly and in an automated fashion rotated, maybe even
daily
If such precautions are taken, it is their router and it is their service,
seems reasonable that Comcast should be able to log into their router and
change configs.
Beckman
---------------------------------------------------------------------------
Peter Beckman Internet Guy
beckman at angryox.com http://www.angryox.com/
---------------------------------------------------------------------------
More information about the NANOG
mailing list