Comcast storing WiFi passwords in cleartext?

K. Scott Helms kscott.helms at gmail.com
Wed Apr 24 12:23:45 UTC 2019


While it's correct that it's stored in the vendor proprietary MIB this
information is commonly retrieved from the CableLabs standard MIB and via
TR-181 in DSL and FTTH gear.

I wrote up an answer on the security forum originally referenced, but for
convenience here is the same text.


The PSK passphrase is (by design) stored in a retrievable format by the
Modem vendor, in this case Arris, but the same standard is supported by
many other modem vendors. In DOCSIS cable modems this is most commonly done
via SNMP against this specific OID:

clabWIFIAccessPointSecurityKeyPassphrase OBJECT-TYPE
    SYNTAX      SnmpAdminString (SIZE(0..63))
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "This object is defined in TR-181
        Device.WiFi.AccessPoint{i}.Security.KeyPassphrase."
    REFERENCE
        "TR-181 Device Data Model for TR-069."
    ::= { clabWIFIAccessPointSecurityEntry 5 }

This is part of the CableLabs WiFi MIB:

http://mibs.cablelabs.com/MIBs/wireless/CLAB-WIFI-MIB-2017-09-07.txt

Which is in turn based on the TR-069 sub-standard of TR-181:

https://cwmp-data-models.broadband-forum.org/tr-181-2-11-0.html#D.Device:2.Device.WiFi.AccessPoint.{i}.Security.KeyPassphrase

http://www.broadband-forum.org/download/TR-181_Issue-2_Amendment-2.pdf

Not only does this apply to cable modems, but many DSL and FTTH endpoints
will also allow the service provider to retrieve your PSK passphrases and a
litany of other settings.

This allows for end users to have their settings backed up in case of a
device having to be replaced or much more commonly for call centers to be
able to retrieve some of the settings, like the pass phrase, when a
customer calls in because they can't remember it.

Scott Helms



On Tue, Apr 23, 2019 at 11:34 PM Luke Guillory <lguillory at reservetele.com>
wrote:

> Yes it's in the router, accessed via the following MIB.
>
>
>
> Name     arrisRouterWPAPreSharedKey
> OID      .1.3.6.1.4.1.4115.1.20.1.1.3.26.1.2
> MIB      ARRIS-ROUTER-DEVICE-MIB
> Syntax   OCTET STRING (SIZE (8..64))
> Access   read-write
> Status   current
>
> Descri   Sets the WPA Pre-Shared Key (PSK) used by this service set.  This
>                value MUST be either a 64 byte hexadecimal number, OR an 8 to 63
>                character ASCII string.
>
>
> Which returns the following.
>
>
> OID: .1.3.6.1.4.1.4115.1.20.1.1.3.26.1.2.10004
> Value: F2414322EE3D9263
> Type: OctetString
>
> OID: .1.3.6.1.4.1.4115.1.20.1.1.3.26.1.2.10003
> Value: F2414322EE3D9263
> Type: OctetString
>
> OID: .1.3.6.1.4.1.4115.1.20.1.1.3.26.1.2.10002
> Value: F2414322EE3D9263
> Type: OctetString
>
> OID: .1.3.6.1.4.1.4115.1.20.1.1.3.26.1.2.10001
> Value: F2414322EE3D9263
> Type: OctetString
>
> -----Original Message-----
> From: Peter Beckman [mailto:beckman at angryox.com]
> Sent: Tuesday, April 23, 2019 9:35 PM
> To: Luke Guillory
> Cc: Laurent Dumont; NANOG
> Subject: Re: Comcast storing WiFi passwords in cleartext?
>
> On Tue, 23 Apr 2019, Peter Beckman wrote:
>
> > On Wed, 24 Apr 2019, Luke Guillory wrote:
> >
> >> OP said they logged into their account and went to the security
> >> portion of the portal. So one can assume they're the ISP or I don’t
> >> see the point in asking how Comcast would know the info.
> >
> > It is entirely possible that an account separate and hidden from the
> > customer account would be able to access the administrative controls
> > of the router. It is also plausible that the access does not use a
> > username/password to authenticate but another, hopefully secure method.
> >
> > One could make this access secure by:
> >
> >    1. Ensuring any connection originated from Company-controlled IP space
> >    2. Username/Password are not provided to the CS agent but is merely a
> >        button they press, after properly authenticating themselves as well
> >        as authenticating the customer, that would pass a one-time use
> >        token to access the device
> >    3. Every token use was logged and regularly audited
> >    4. Keys were regularly and in an automated fashion rotated, maybe even
> >       daily
> >
> > If such precautions are taken, it is their router and it is their
> > service, seems reasonable that Comcast should be able to log into
> > their router and change configs.
>
> ... such that the access of the Wifi Password which is likely stored in
> plain text on the router is accessed by Comcast in a secure manner and not
> stored in plain text in their internal databases.
>
> But I'm guessing probably it's just cached in plain text in their internal
> DBs.
>
> Get your own router if you're worried about your Wifi Password being known
> by Comcast. Or change to WPA2 Enterprise, but I'm guessing that isn't
> supported on the router...
>
> ---------------------------------------------------------------------------
> Peter Beckman                                                  Internet Guy
> beckman at angryox.com
> http://www.angryox.com/
> ---------------------------------------------------------------------------
>
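
Added example, not part of the original thread and not any ISP's actual system: a minimal sketch of points 1 to 3 of the access-control list quoted above (company-controlled source addresses, a one-time token issued only after both agent and customer are authenticated, and an audit record for every use). All names, the address range and the token lifetime are hypothetical.

```python
import hashlib
import ipaddress
import secrets
import time

# Constructed value: a documentation range standing in for company-controlled IP space.
COMPANY_NETS = [ipaddress.ip_network("198.51.100.0/24")]
TOKEN_TTL = 120   # seconds a token stays redeemable (assumed value)
AUDIT_LOG = []    # stand-in for an append-only store that is reviewed regularly
_pending = {}     # sha256(token) -> (agent, device, expiry); the raw token is never stored

def _from_company_space(src_ip):
    try:
        addr = ipaddress.ip_address(src_ip)
    except ValueError:
        return False
    return any(addr in net for net in COMPANY_NETS)

def _audit(event, agent, device, src_ip, now):
    AUDIT_LOG.append({"ts": now, "event": event, "agent": agent,
                      "device": device, "src": src_ip})

def issue_token(agent, device, src_ip, agent_authed, customer_verified, now=None):
    """Points 1 and 2: the agent never sees a device credential, only a token
    bound to one device, issued after both parties are authenticated."""
    now = time.time() if now is None else now
    if not (_from_company_space(src_ip) and agent_authed and customer_verified):
        _audit("issue_denied", agent, device, src_ip, now)
        return None
    token = secrets.token_urlsafe(32)
    digest = hashlib.sha256(token.encode()).hexdigest()
    _pending[digest] = (agent, device, now + TOKEN_TTL)
    _audit("issued", agent, device, src_ip, now)
    return token

def redeem_token(token, device, src_ip, now=None):
    """Point 3: every attempt is logged. pop() makes the token single-use,
    so a replayed or mis-targeted token is burned rather than retried."""
    now = time.time() if now is None else now
    digest = hashlib.sha256(token.encode()).hexdigest()
    entry = _pending.pop(digest, None)
    ok = (entry is not None and entry[1] == device
          and now <= entry[2] and _from_company_space(src_ip))
    agent = entry[0] if entry else "unknown"
    _audit("redeemed" if ok else "redeem_denied", agent, device, src_ip, now)
    return ok
```

Point 4 of the list (automated key rotation) is not covered here; it would apply to whatever credential the management system itself uses to reach the device once a token has been redeemed.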