Comcast Exposes Customer WiFi SSIDs and Passwords For Customers Paying To Rent A Comcast Router
from the pay-to-be-hacked dept
Look, when it comes to Comcast, it's obviously quite easy to slap the company around for any number of its anti-consumer practices. Just sampling from the most recent news, Comcast was sued over its opt-out mobile hotspot from your home router plan, the company has decided to combat cord-cutting by hiking prices and fees on equipment for customers who cord-cut cable television, and it also has put in place a similar plan to charge all kinds of bullshit fees on equipment installations for customers who aren't bundling in other services with its ISP offering. You should be noticing a trend in there that has to do with how Comcast handles so-called "equipment rental" fees for its broadband customers and how it handles customers that choose to bring their own device to their home networks instead. Comcast has always hated customers that use their own WiFi routers, as the fees for renting a wireless access point represent a huge part of Comcast's revenue.
Which is why you would think that the company would at least not expose the home networks of customers who use that equipment. Sadly, it seems that Comcast's website made the network SSIDs and passwords of customers who were renting router equipment available in plain text, while those who used their own routers were completely safe.
A security hole in a Comcast service-activation website allowed anyone to obtain a customer's Wi-Fi network name and password by entering the customer's account number and a partial street address, ZDNet reported yesterday.
The problem would have let attackers "rename Wi-Fi network names and passwords, temporarily locking users out" of their home networks, ZDNet wrote. Obviously, an attacker could also use a Wi-Fi network name and password to log into an unsuspecting Comcast customer's home network.
It should be noted that Comcast almost immediately addressed the security flaw in its website after ZDNet's report. Still, we're not in the business of giving high marks to a company that fixes a laughable security hole on its website. Comcast reps also claimed that "There's nothing more important than our customers' security." But, if that were true, Comcast's position would be to advocate its customers use their own routers rather than renting Comcast routers, as those who did so were completely protected from this security risk.
Just to be clear, we're talking about really sensitive information exposed by this website flaw. WiFi network names and passwords are one thing, but malicious actors were also presented with the routers' physical home addresses, despite the attacker not needing a customer's full home address in order to access that information. And all of this was presented in plain text.
Any company making these kinds of dangerous mistakes would be bad, but it's worth putting all of this in the context of Comcast both operating in a competition-deprived, unregulated ISP market and trying to get even bigger through major acquisitions to gobble up even more market share. That kind of attempt at ISP monoculture makes any security flaw exponentially worse, and Comcast has not demonstrated its ability to live up to the security task.
Meanwhile, why anyone would rent a Comcast WiFi router is completely beyond me.
Filed Under: passwords, privacy, routers, wifi
Companies: comcast
Reader Comments
I LIKE IT!!!
You are a corp and your Computer access and network crashes, BECAUSE the router failed??
This really SHOWS how well their programmers work..
[ link to this | view in chronology ]
he he he... regulations? Those things you keep saying are gonna save you? Good luck, even if they do get fined they will not get fined enough to deter, they will likely get fined just enough for it to still be profitable to screw customers. Meanwhile government gets to collect a nifty payday off the backs of the voters AND gets to claim they did something about it.
Sounds like a Win-Win for politicians and a lose-lose for consumers.
[ link to this | view in chronology ]
Re: Re: Re: Regs
If anyone is living in an altered reality it would be you.
[ link to this | view in chronology ]
Re: Re: Re: Re: Re: Regs
Do you know how many other people were against the masses only to be proven right later?
Now, time to back up where I am wrong. What am I wrong about? Right now we are looking at the FCC helping businesses instead of the consumers they are supposed to be protecting. So has the FTC, and so has many other agencies as well.
In fact, with all of the revolving doors between businesses and regulatory agencies combined with all of the donations politicians get from them for their campaigns I just don't know how else to so it...
You guys got suckered... and big time too. In fact this is just like the "Emperor's new clothes" all over again. The emperor is buck fucking naked, but you won't dare say it because everyone has already been told, only intelligent people can see them and you dare not reveal yourself to be stupid.
Don't worry, not only are you being shown for a fool, the emperor is as well. Good luck with all of that, you are clearly going to go far while the business giants continue to rape you as the FCC looks on.
[ link to this | view in chronology ]
Re: Re: Regs
What is even better is that "those regulations" are what is keeping these people from having the ability to move away from the garbage that is comcast.
NN is a farce designed to keep you distracted from the bigger picture.
If you want NN, FINE but only AFTER we get rid of the regulations cementing the monopolies these ISPs are enjoying. Until then, you are only fighting the symptom and NOT the problem.
[ link to this | view in chronology ]
Re: Re: Re: Regs
I have a single choice for broadband. Fios has cable running down my street but made the economic decision not to offer me service. There isn't any law saying they can't. Spectrum and Fios divvied up the city so most areas only have one or the other.
[ link to this | view in chronology ]
Re: Re: Re: Re: Regs
But here you go! A snippet from Wikipedia just to start with.
"https://en.wikipedia.org/wiki/Federal_Communications_Commission"
"For many years, the FCC and state officials agreed to regulate the telephone system as a natural monopoly.[39]"
And you can look up all the lawsuits, deals, and subsidies that have happened for the various ISP's. I know this will go over your little noggin, but they have very little reason to compete with each other because if they do, then they might start seriously competing back and the only thing they lose is money! The regulatory landscape is PRO INCUMBENT and ANTI NEW BLOOD! It's not some fucking secret either!
[ link to this | view in chronology ]
Re: Re: Re: Re: Re: Regs
So, again... which regulations, specifically, are supporting the Comcast monopoly and can be removed in order to open up the market?
Please cite specific regulations from the relevant publications, including links if possible.
[ link to this | view in chronology ]
Re: Re: Re: Regs
Over here in the UK, regulatory agencies generally do their job of protecting the public, but then their heads are not short term appointments, and so there is no revolving door that leads to regulatory capture.
[ link to this | view in chronology ]
Re: Re: Re: Re: Regs
I will agree with you there. But that cannot change until people start holding Congress responsible for not changing how they are setup. Right now people only want to blame the FCC and hold their own politicians blameless during the next election. Sorry but NN just is not an agenda item during elections for most people, they consider other issues far more important.
"Over here in the UK, regulatory agencies generally do their job of protecting the public, but then their heads are not short term appointments, and so there is no revolving door that leads to regulatory capture."
I cannot speak to how the UK does things because I don't care how they do it. I only care how we are doing it. Sure your way might be better but we are not going to get your way either because our politicians get to ignore this problem because my fellow citizens are fucking clueless as can absolutely be.
[ link to this | view in chronology ]
Re: Re: Regs
PS I never said All regulations are BAD quit "lying"!
Every Nation eats the Paint chips it Deserves!
[ link to this | view in chronology ]
Re: Re: Re: Regs
I actually DO say "all regulations are bad"... you can't even lie correctly.
Here is my position.
all regulations are bad, but I do not agree with total deregulation because while regulations are bad, there are worse things to deal with than regulations.
So, I fully support those "bad regulations" to help ensure that anti-trust and anti-monopoly tools are available to fight off the negative effects of plain old natural "human greed" in Capitalism. You see, when a business obtains a monopoly or builds a trust that creates a conflict of interest it does not serve "the people" so they need a way to fight them other than "free-market". Free market mind you is still essential, but it is clear that people are far too lazy and ignorant to fight corruption, especially when that corruption services them. So there needs to be a 3rd party given power to help get rid of it.
It's not perfect, but nothing is perfect anyways.
I know this is all too much for you to swallow after you have filled up on paint chips but please try anyways!
[ link to this | view in chronology ]
Re: Re: Re: Re: Re: Regs
the words "less regulation" means exactly shit and simultaneously reveals that you not only do not know what you are talking about but also think that only adding regulations is the solution.
I propose removing the regulations that allow the businesses to own private property on public lands. This means the wires become public property just like roads. The government can then invite private businesses to bid on how much they would charge to build out infrastructure. The businesses using those wires share the cost of that according to their customers usages.
Keep the anti-trust and anti-monopoly regulations, in fact make them STRONGER!
Now, I am sure that this would result in a net reduction of regulations because I would also want to get rid of all the rules allowing local governments to make exclusive deals with businesses either.
And I would definitely want to send the FTC a huge fucking wake-up call by mass firing the regulators and telling them that their budgets are 80% reliant on the fines the access from the Telco's. When money is a motivator they will jump on them like city cops on traffic violators. ISP will eventually lose enough money to stop playing the game.
[ link to this | view in chronology ]
Re: Re: Re: Re: Re: Re: Regs
Followed by a vague generality about antitrust and anti-monopoly regulation (that's a fairly broad field, but it's still not clear which regulations you do and don't consider to qualify), and a proposal for "fire them all, then give their replacements a strong incentive to over-regulate", which seems so self-evidently stupid I don't even know where to start talking about it.
But hey, one specific regulatory proposal is at least a starting point for a discussion!
[ link to this | view in chronology ]
Even if you RENT a router from your cable provider, there should not be any difference. It's hard to imagine that personal information that should remain locally in the router is somehow (and for no good reason) getting transmitted to their corporate office. (But then the MAC address of every computer ever plugged into the modem is transmitted to the ISP, which they log and save forever, an appalling violation of privacy)
[ link to this | view in chronology ]
Re:
I don't know what Comcast is charging... but my local thrift store always has a few (used) routers for sale, for less than what local ISPs charge per month. Sometimes old, sometimes with recent Wifi standards like 'ac'.
[ link to this | view in chronology ]
You need the $2.99/month add-on to do that.
[ link to this | view in chronology ]
Re:
When a guest asks "What's your WiFi password?" you can simply tell them you're on Comcast they can easily look up your WiFi password.
When the neighbor's kid wants to download copyright content, he can easily and conveniently use your WiFi password! That's convenience!
It's the kind of service you've come to expect from the Comcast name.
[ link to this | view in chronology ]
Re: Re:
I doubt the training is thorough.
[ link to this | view in chronology ]
Re:
[x] rise
[_] fall
to the level we've come to expect from IoT devices!
[ link to this | view in chronology ]
Failure? This is a SERVICE!
[ link to this | view in chronology ]
A legal twist
Maybe the troll should go after Comcast.
[ link to this | view in chronology ]
I'm happy Netflix grew bigger
[ link to this | view in chronology ]
Because Comcast is going to be the ONLY one that steals its customers' credit cards and bank info and sells them to third party scam companies.
[ link to this | view in chronology ]