Comcast storing WiFi passwords in cleartext?

K. Scott Helms kscott.helms at gmail.com
Thu Apr 25 18:09:08 UTC 2019


Tom,

No, and I would hope that they were storing it in an encrypted format and
then decrypting it on the fly for display in the customer portal.

Scott Helms



On Thu, Apr 25, 2019 at 1:55 PM Tom Beecher <beecher at beecher.cc> wrote:

> As much as it pains me to Devil's Advocate for Comcast... Has anyone
> proven that they are storing this PSK in cleartext? From the original
> StackExchange post :
>
> "When I went to the account web page, it showed me my password. I
> changed the password and it instantly showed the new password on the
> account web page (after refresh)."
>
> The SNMP response is essentially cleartext, sure. But perhaps they are
> performing the query from a modem management network only accessible from
> the RF side, the transmission back to the CS backend is encrypted in
> flight, and the data is also encrypted at rest until retrieved and
> decrypted by an agent or the end user via the web portal. Nothing has been
> shown that I can recall reading that proves or disproves any of that.
>
>
>
> On Thu, Apr 25, 2019 at 1:17 PM Doug Barton <dougb at dougbarton.us> wrote:
>
>> On 4/25/19 8:04 AM, K. Scott Helms wrote:
>> > Just so you know, if you have an embedded router from a service
>> > provider all of that data is _already_ being transmitted and has been
>> > for a long long time.
>>
>> Responding to a pseudo-random message ...
>>
>> If you are an average consumer and purchase a managed solution (in this
>> case a WAP that comes as part of your package) I think it's perfectly
>> reasonable for the vendor to manage it accordingly, even if said
>> consumer doesn't fully understand the implications of that decision.
>>
>> In my mind, the problem here is not that the vendor has access to this
>> data, it's that they are STORING it in the first place, and storing it
>> in the clear to boot. In the hypothetical service call that we've
>> speculated is the driver for this, the extra 15 or 20 seconds that it
>> would take to pull the data via SNMP is in the noise.
>>
>> There are two mindsets that desperately need changing in the tech world:
>>
>> 1. Do not store data that you don't have a legitimate requirement to store
>> 2. Do not store anything even remotely sensitive in the clear
>>
>> We live in a world of all breaches, all of the time. So we need to start
>> thinking not in terms of just protecting said data from the outside, but
>> rather in terms of limiting the attack surface to start with, and
>> protecting the data at rest. So that WHEN there is a breach, whether
>> from within or without, the damage will be minimal.
>>
>> As many have pointed out, this information is freely available via SNMP,
>> so it's a classic example of something that didn't need to be stored in
>> the first place.
>>
>> Doug
>>
>


More information about the NANOG mailing list