Comcast Exposes Customer WiFi SSIDs and Passwords For Customers Paying To Rent A Comcast Router

from the pay-to-be-hacked dept

Look, when it comes to Comcast, it's obviously quite easy to slap the company around for any number of its anti-consumer practices. Just sampling from the most recent news, Comcast was sued over its opt-out mobile hotspot from your home router plan, the company has decided to combat cord-cutting by hiking prices and fees on equipment for customers who cord-cut cable television, and it also has put in place a similar plan to charge all kinds of bullshit fees on equipment installations for customers who aren't bundling in other services with its ISP offering. You should be noticing a trend in there that has to do with how Comcast handles so-called "equipment rental" fees for its broadband customers and how it handles customers that choose to bring their own device to their home networks instead. Comcast has always hated customers that use their own WiFi routers, as the fees for renting a wireless access point represent a huge part of Comcast's revenue.

Which is why you would think that the company would at least not expose the home networks of customers who use that equipment. Sadly, it seems that Comcast's website made the network SSIDs and passwords of customers who were renting router equipment available in plain text, while those that used their own routers were completely safe.

A security hole in a Comcast service-activation website allowed anyone to obtain a customer's Wi-Fi network name and password by entering the customer's account number and a partial street address, ZDNet reported yesterday.

The problem would have let attackers "rename Wi-Fi network names and passwords, temporarily locking users out" of their home networks, ZDNet wrote. Obviously, an attacker could also use a Wi-Fi network name and password to log into an unsuspecting Comcast customer's home network.

It should be noted that Comcast almost immediately addressed the security flaw in its website after ZDNet's report. Still, we're not in the business of giving high marks to a company that fixes a laughable security hole on its website. Comcast reps also claimed that "There's nothing more important than our customers' security." But, if that were true, Comcast's position would be to advocate that its customers use their own routers rather than renting Comcast routers, as those who did so were completely protected from this security risk.

Just to be clear, we're talking about really sensitive information exposed by this website flaw. WiFi network names and passwords are one thing, but malicious actors were also presented with the routers' physical home addresses, despite the attacker not needing a customer's full home address in order to access that information. And all of this was presented in plain text.
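
As an added illustration (not Comcast's code, which neither this post nor the quoted report shows), the Python below contrasts the lookup pattern described above with a hardened handler that requires an authenticated session, throttles failures and never returns the passphrase or address. Every name, record and limit in it is a constructed assumption.

```python
import time

# Constructed sample record; every value is made up for illustration.
CUSTOMERS = {
    "ACCT-0001": {
        "address": "123 Example Street, Springfield",
        "ssid": "HOME-EXAMPLE",
        "passphrase": "constructed-passphrase",
    }
}


def weak_lookup(account_no, partial_address):
    """Flawed pattern: two guessable identifiers are the only check, and the
    response hands back the stored secret and full address in clear text."""
    rec = CUSTOMERS.get(account_no)
    if rec and partial_address.lower() in rec["address"].lower():
        return dict(rec)
    return None


class HardenedLookup:
    """Requires an authenticated session bound to the account, throttles
    failed attempts per client, and never returns the passphrase or address."""

    MAX_FAILURES = 3      # assumed limit
    LOCK_SECONDS = 900    # assumed lockout window

    def __init__(self, customers, sessions):
        self.customers = customers
        self.sessions = sessions   # token -> account number, filled in at login
        self.failures = {}         # client id -> (failure count, window start)

    def lookup(self, client_id, session_token, account_no, now=None):
        now = time.time() if now is None else now
        count, since = self.failures.get(client_id, (0, now))
        if now - since > self.LOCK_SECONDS:
            count, since = 0, now              # window expired, start over
        if count >= self.MAX_FAILURES:
            return {"error": "try_later"}
        bound = self.sessions.get(session_token)
        if bound is None or bound != account_no or account_no not in self.customers:
            self.failures[client_id] = (count + 1, since)
            return {"error": "denied"}         # same answer for every failure
        rec = self.customers[account_no]
        # Disclose only what the owner needs to recognise the network; a
        # forgotten passphrase is replaced through a reset, not displayed.
        return {"ssid": rec["ssid"], "passphrase_set": bool(rec["passphrase"])}
```
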

Any company making these kinds of dangerous mistakes would be bad, but it's worth putting all of this in the context of Comcast both operating in a competition-deprived, unregulated ISP market and trying to get even bigger through major acquisitions to gobble up even more market share. That kind of attempt at ISP monoculture makes any security flaw exponentially worse, and Comcast has not demonstrated its ability to live up to the security task.

Meanwhile, why anyone would rent a Comcast WiFi router is completely beyond me.

Filed Under: passwords, privacy, routers, wifi
Companies: comcast


Reader Comments

  1.
    ECA, 24 May 2018 @ 10:56am

    I LIKE IT!!!

    Who can you bitch at if your computer gets hacked??
    You are a corp and your Computer access and network crashes, BECAUSE the router failed??

    This really SHOWS how well their programmers work..

  2.
    Anonymous Coward, 24 May 2018 @ 11:03am

    "Look, when it comes to Comcast, it's obviously quite easy to slap the company around for any number of its anti-consumer practices."

    he he he... regulations? Those things you keep saying are gonna save you? Good luck, even if they do get fined they will not get fined enough to deter, they will likely get fined just enough for it to still be profitable to screw customers. Meanwhile government gets to collect a nifty payday off the backs of the voters AND gets to claim they did something about it.

    Sounds like a Win-Win for politicians and a lose-lose for consumers.

  3.
    Anonymous Coward, 24 May 2018 @ 11:10am

    I just don't understand this. Wireless routers are dirt-cheap, you can buy one from just about anywhere, install it yourself, set it up exactly the way you like, and NO ONE ELSE will know the password or any other details.

    Even if you RENT a router from your cable provider, there should not be any difference. It's hard to imagine that personal information that should remain locally in the router is somehow (and for no good reason) getting transmitted to their corporate office. (But then the MAC address of every computer ever plugged into the modem is transmitted to the ISP, which they log and save forever, an appalling violation of privacy)

  4.
    Anonymous Coward, 24 May 2018 @ 11:24am

    The equipment rental doesn't cover protecting customer data...

    You need the $2.99/month add-on to do that.

  5.
    Gary, 24 May 2018 @ 11:33am

    Re: Regs

    So if the customers are getting poor service now with minimal regs in place protecting them, obviously No regs will make things better because?

  6.
    Anonymous Coward, 24 May 2018 @ 11:36am

    Re:

    I just don't understand this. Wireless routers are dirt-cheap

    I don't know what Comcast is charging... but my local thrift store always has a few (used) routers for sale, for less than what local ISPs charge per month. Sometimes old, sometimes with recent Wifi standards like 'ac'.

  7.
    Anonymous Coward, 24 May 2018 @ 11:39am

    Re: Re: Regs

    Because the altered reality in which that poster lives says so.

  8.
    Anonymous Coward, 24 May 2018 @ 11:42am

    If they hired programmers with knowledge and experience rather than the inexperienced H1Bs maybe there could be a better outcome - but idk - this comcast.

  9.
    Anonymous Coward, 24 May 2018 @ 11:47am

    Re: Re: Re: Regs

    I know right... says the person watching as those regulations are NOT helping.

    If anyone is living in an altered reality it would be you.

  10.
    Anonymous Coward, 24 May 2018 @ 11:51am

    Re: Re: Regs

    I didn't say No regs did I? I said "Those things you keep saying are gonna save you?"

    What is even better is that "those regulations" are what is keeping these people from having the ability to move away from the garbage that is comcast.

    NN is a farce designed to keep you distracted from the bigger picture.

    If you want NN, FINE but only AFTER we get rid of the regulations cementing the monopolies these ISP's are enjoying. Until then, you are only fighting the symptom and NOT the problem.

  11.
    Anonymous Coward, 24 May 2018 @ 11:57am

    Re:

    But of course they do, as someone's got to train the H1Bs, even if it's for the sole purpose of taking their job away from them when they get laid off.

  12.
    Gary, 24 May 2018 @ 12:12pm

    Re: Re: Re: Regs

    Which specific regulations support the comcast monopoly and can be removed that will open up the market?
    I have a single choice for broadband. Fios has cable running down my street but made the economic decision not to offer me service. There isn't any law saying they can't. Spectrum and Fios divvied up the city so most areas only have one or the other.

  13.
    Anonymous Coward, 24 May 2018 @ 12:19pm

    Re: Re: Re: Regs

    You keep attacking regulations that are not exactly the ones you want while ignoring the real problem, the way that regulatory agencies in the US are set up.

    Over here in the UK, regulatory agencies generally do their job of protecting the public, but then their heads are not short term appointments, and so there is no revolving door that leads to regulatory capture.

  14.
    DannyB, 24 May 2018 @ 12:30pm

    Failure? This is a SERVICE!

    If you are paying to rent a Comcast router, Comcast provides a service which makes it easy to find your password in case you forget.

  15.
    DannyB, 24 May 2018 @ 12:50pm

    Re:

    Amazon needs to step up and make Alexa's security and privacy
    [x] rise
    [_] fall
    to the level we've come to expect from IoT devices!

  16.
    DannyB, 24 May 2018 @ 12:53pm

    Re:

    Making your WiFi password public is a free service of Comcast. Free with your equipment rental.

    When a guest asks "What's your WiFi password?" you can simply tell them you're on Comcast; they can easily look up your WiFi password.

    When the neighbor's kid wants to download copyright content, he can easily and conveniently use your WiFi password! That's convenience!

    It's the kind of service you've come to expect from the Comcast name.

  17. This comment has been flagged by the community.
    Anonymous Coward, 24 May 2018 @ 12:59pm

    Re: Re: Re: Re: Regs

    They are ON RECORD officially regulating them as monopolies. You are either ignorant or too stupid to take part in this discussion.

    But here you go! A snippet from Wikipedia just to start with.

    "https://en.wikipedia.org/wiki/Federal_Communications_Commission"

    "For many years, the FCC and state officials agreed to regulate the telephone system as a natural monopoly.[39]"

    And you can look up all the lawsuits, deals, and subsidies that have happened for the various ISP's. I know this will go over your little noggin, but they have very little reason to compete with each other because if they do, then they might start seriously competing back and the only thing they lose is money! The regulatory landscape is PRO INCUMBENT and ANTI NEW BLOOD! It's not some fucking secret either!

  18.
    Anonymous Coward, 24 May 2018 @ 1:03pm

    Re: Re: Re: Re: Regs

    "You keep attacking regulations that are not exactly the ones you want while ignoring the real problem, the way that regulatory agencies in the US are set up."

    I will agree with you there. But that cannot change until people start holding Congress responsible for not changing how they are set up. Right now people only want to blame the FCC and hold their own politicians blameless during the next election. Sorry but NN just is not an agenda item during elections for most people, they consider other issues far more important.

    "Over here in the UK, regulatory agencies generally do their job of protecting the public, but then their heads are not short term appointments, and so there is no revolving door that leads to regulatory capture."

    I cannot speak to how the UK does things because I don't care how they do it. I only care how we are doing it. Sure your way might be better but we are not going to get your way either because our politicians get to ignore this problem because my fellow citizens are fucking clueless as can absolutely be.

  19.
    Chip, 24 May 2018 @ 2:07pm

    Re: Re: Regs

    Because all Regulations are BAD!

    PS I never said All regulations are BAD quit "lying"!

    Every Nation eats the Paint chips it Deserves!

  20.
    Anonymous Coward, 24 May 2018 @ 2:20pm

    Re: Re: Re: Regs

    Hey chip! Welcome back you silly fucking idiot!

    I actually DO say "all regulations are bad"... you can't even lie correctly.

    Here is my position.

    all regulations are bad, but I do not agree with total deregulation because while regulations are bad, there are worse things to deal with than regulations.

    So, I fully support those "bad regulations" to help ensure that anti-trust and anti-monopoly tools are available to fight off the negative effects of plain old natural "human greed" in Capitalism. You see, when a business obtains a monopoly or builds a trust that creates a conflict of interest it does not serve "the people" so they need a way to fight them other than "free-market". Free market mind you is still essential, but it is clear that people are far too lazy and ignorant to fight corruption, especially when that corruption services them. So there needs to be a 3rd party given power to help get rid of it.

    It's not perfect, but nothing is perfect anyways.

    I know this is all too much for you to swallow after you have filled up on paint chips but please try anyways!

  21.
    Anonymous Coward, 24 May 2018 @ 2:29pm

    Re: Re: Re: Re: Regs

    .. says the poster that no one else agrees with.

  22.
    Anonymous Coward, 24 May 2018 @ 2:33pm

    Re: Re:

    I have read about that, how rude.

    I doubt the training is thorough.

  23.
    Anonymous Coward, 24 May 2018 @ 2:35pm

    Re: Re:

    I have in my garage a tool that can fix alexa so that it will not spy upon anyone ever again. It is a five pound sledge hammer.

  24.
    Anonymous Coward, 24 May 2018 @ 2:55pm

    Re: Re: Re: Re: Re: Regs

    Well if that is your go to justification then I got some sad news for you.

    Do you know how many other people were against the masses only to be proven right later?

    Now, time to back up where I am wrong. What am I wrong about? Right now we are looking at the FCC helping businesses instead of the consumers they are supposed to be protecting. So has the FTC, and so have many other agencies as well.

    In fact, with all of the revolving doors between businesses and regulatory agencies combined with all of the donations politicians get from them for their campaigns I just don't know how else to say it...

    You guys got suckered... and big time too. In fact this is just like the "Emperor's new clothes" all over again. The emperor is buck fucking naked, but you won't dare say it because everyone has already been told, only intelligent people can see them and you dare not reveal yourself to be stupid.

    Don't worry, not only are you being shown for a fool, the emperor is as well. Good luck with all of that, you are clearly going to go far while the business giants continue to rape you as the FCC looks on.

  25.
    Anonymous Coward, 24 May 2018 @ 3:33pm

    Re: Re: Re: Re: Regs

    So your "solution" is less regulation and more government? What could possibly go wrong?

  26.
    Anonymous Coward, 24 May 2018 @ 3:34pm

    Re: Failure? This is a SERVICE!

    Ha! FaaS == Failure as a Service. We finally know what niche Comcast is in!

  27.
    Anonymous Coward, 24 May 2018 @ 4:37pm

    Re: Re: Re: Re: Re: Regs

    Let's talk specifics.

    the words "less regulation" mean exactly shit and simultaneously reveal that you not only do not know what you are talking about but also think that only adding regulations is the solution.

    I propose removing the regulations that allow the businesses to own private property on public lands. This means the wires become public property just like roads. The government can then invite private businesses to bid on how much they would charge to build out infrastructure. The businesses using those wires share the cost of that according to their customers usages.

    Keep the anti-trust and anti-monopoly regulations, in fact make them STRONGER!

    Now, I am sure that this would result in a net reduction of regulations because I would also want to get rid of all the rules allowing local governments to make exclusive deals with businesses either.

    And I would definitely want to send the FTC a huge fucking wake-up call by mass firing the regulators and telling them that their budgets are 80% reliant on the fines they assess from the Telco's. When money is a motivator they will jump on them like city cops on traffic violators. ISP will eventually lose enough money to stop playing the game.

  28.
    lars626, 24 May 2018 @ 5:00pm

    A legal twist

    This could be good news to anyone that is being sued by one of the copyright trolls. If they rent from Comcast they have a perfect defense: Comcast gave away my ID and Password. No one could prove that they had not been compromised.

    Maybe the troll should go after Comcast.

  29.
    Anonymous Coward, 24 May 2018 @ 6:16pm

    I'm happy Netflix grew bigger

    With news like this cropping up every week, I am very happy to learn that Netflix has passed the market value for Comcast. Long live the streaming video competitors.

  30.
    Anonymous Coward, 24 May 2018 @ 9:22pm

    Re: Re: Re: Re: Regs

    You also say “I never insult people.” And “I know what words mean.” And “I know well over two quotes!”

  31.
    Anonymous Coward, 24 May 2018 @ 11:21pm

    Re:

    Oh, well, if it would be like 10% of yearly revenue, it might make a dent.

  32. This comment has been flagged by the community.
    erptree503, 24 May 2018 @ 11:41pm

    Oracle Fusion Cloud Financials Training | Oracle Trainings

    Oracle Fusion Cloud Financials Training | Oracle Trainings

  33.
    DannyB, 25 May 2018 @ 6:30am

    Re: Re: Failure? This is a SERVICE!

    FaaS is produced using FoP. (Failure Oriented Programming)

  34.
    Anonymous Coward, 25 May 2018 @ 9:14am

    Re: Re: Re: Re: Re: Re: Regs

    Richard Bennett is not going to let you suck Pai off instead, you know. Monopoly and all that.

  35.
    The Wanderer, 25 May 2018 @ 1:57pm

    Re: Re: Re: Re: Re: Regs

    The phrase "regulate X as a natural monopoly" does not mean "grant a monopoly on X", but rather "recognize that X is naturally a monopoly, and therefore needs to be regulated so that the monopoly is not abused".

    So, again... which regulations, specifically, are supporting the Comcast monopoly and can be removed in order to open up the market?

    Please cite specific regulations from the relevant publications, including links if possible.

  36.
    The Wanderer, 25 May 2018 @ 2:02pm

    Re: Re: Re: Re: Re: Re: Regs

    Oh, hey, here's an actual specific regulatory proposal!

    Followed by a vague generality about antitrust and anti-monopoly regulation (that's a fairly broad field, but it's still not clear which regulations you do and don't consider to qualify), and a proposal for "fire them all, then give their replacements a strong incentive to over-regulate", which seems so self-evidently stupid I don't even know where to start talking about it.

    But hey, one specific regulatory proposal is at least a starting point for a discussion!

  37.
    Anonymous Coward, 25 May 2018 @ 3:22pm

    "there's nothing more important to us than our customers security" - Comcast.

    Because Comcast is going to be the ONLY one that steals its customers' credit cards and bank info and sells them to third party scam companies.
