Comcast storing WiFi passwords in cleartext?

K. Scott Helms kscott.helms at gmail.com
Thu Apr 25 15:04:15 UTC 2019


Just so you know, if you have an embedded router from a service provider
all of that data is _already_ being transmitted and has been for a long
long time.  If it's being collected via SNMPv2c it is being transmitted in
the clear (though hopefully encrypted via BPI+ between the modem and the
CMTS).  If it's being collected via TR-069 it _may_ (should be) encrypted
in transit but in my experience that isn't guaranteed and when it's being
sent over TLS there's often a self-signed cert in the chain.

Scott Helms



On Thu, Apr 25, 2019 at 10:45 AM Benjamin Sisco <bsisco at justassociates.com>
wrote:

> On 4/24/2019 10:34 AM, Seth Mattinen wrote:
>
> > That's looking at it from a technical perspective when it isn't a
> > technical problem. People that buy "includes wifi" from their ISP often
> > need extreme amounts of help with it, and thus the wifi credentials are
> > stored and transmitted in plain text for tech support reasons.
>
> While I agree that the underlying need is to provide fast and effective
> customer service - it is ultimately a technical problem.  As it's been
> pointed out in subsequent posts WiFi is the leading cause of customer calls
> to an ISP offering the service.  Security and "ease of use" are often at
> odds with each other, and implementing the former with the latter is the
> challenge many of us wake up to each and every day.  The information should
> be encrypted at rest and in transit and could easily be decrypted by the
> CSP platform for use by customer support staff at the time of need when
> customers call in - which would address the concern.
>
> In my experience, bad practice is easily replicated.  What else is
> transmitted in cleartext?  Today it's the WiFi password, tomorrow it's your
> login, port forwarding, DMZ, and other details that are far more useful to
> a remote attacker than your WiFi password.
>
>
>
>
> -----Original Message-----
> From: NANOG <nanog-bounces at nanog.org> On Behalf Of Seth Mattinen
> Sent: Wednesday, April 24, 2019 10:34 AM
> To: nanog at nanog.org
> Subject: Re: Comcast storing WiFi passwords in cleartext?
>
> On 4/24/19 8:13 AM, Benjamin Sisco wrote:
> > The bigger concern should be the cleartext portion of the subject.
> > There’s ZERO reason to store or transmit any credentials (login, service,
> > keys, etc.), in any location, in an unencrypted fashion regardless of their
> > perceived value or purpose.  Unless you like risk.
>
>
> That's looking at it from a technical perspective when it isn't a
> technical problem. People that buy "includes wifi" from their ISP often
> need extreme amounts of help with it, and thus the wifi credentials are
> stored and transmitted in plain text for tech support reasons.
>
> ~Seth