[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Comcast storing WiFi passwords in cleartext?
No, and I would hope that they were storing it in an encrypted format and
then decrypting it on the fly for display in the customer portal.
On Thu, Apr 25, 2019 at 1:55 PM Tom Beecher <beecher at beecher.cc> wrote:
> As much as it pains me to Devil's Advocate for Comcast... Has anyone
> proven that they are storing this PSK in cleartext? From the original
> StackExchange post :
> " When I went to the account web page, it showed me my password. I
> changed the password and it instantly showed the new password on the
> account web page (after refresh). "
> The SNMP response is essentially cleartext , sure. But perhaps they are
> performing the query from a modem management network only accessible from
> the RF side, the transmission back to the CS backend is encrypted in
> flight, and the data is also encrypted at rest until retrieved and
> decrypted by a agent or the end user via the web portal. Nothing has been
> shown that I can recall reading that proves or disproves any of that.
> On Thu, Apr 25, 2019 at 1:17 PM Doug Barton <dougb at dougbarton.us> wrote:
>> On 4/25/19 8:04 AM, K. Scott Helms wrote:
>> > Just so you know, if you have an embedded router from a service
>> > all of that data is _already_ being transmitted and has been for a long
>> > long time.
>> Responding to a pseudo-random message ...
>> If you are an average consumer and purchase a managed solution (in this
>> case a WAP that comes as part of your package) I think it's perfectly
>> reasonable for the vendor to manage it accordingly, even if said
>> consumer doesn't fully understand the implications of that decision.
>> In my mind, the problem here is not that the vendor has access to this
>> data, it's that they are STORING it in the first place, and storing it
>> in the clear to boot. In the hypothetical service call that we've
>> speculated is the driver for this, the extra 15 or 20 seconds that it
>> would take to pull the data via SNMP is in the noise.
>> There are two mindsets that desperately need changing in the tech world:
>> 1. Do not store data that you don't have a legitimate requirement to store
>> 2. Do not store anything even remotely sensitive in the clear
>> We live in a world of all breaches, all of the time. So we need to start
>> thinking not in terms of just protecting said data from the outside, but
>> rather in terms of limiting the attack surface to start with, and
>> protecting the data at rest. So that WHEN there is a breach, whether
>> from within or without, the damage will be minimal.
>> As many have pointed out, this information is freely available via SNMP,
>> so it's a classic example of something that didn't need to be stored in
>> the first place.
-------------- next part --------------
An HTML attachment was scrubbed...