Comcast Exposes Customer WiFi SSIDs and Passwords For Customers Paying To Rent A Comcast Router

from the pay-to-be-hacked dept

Look, when it comes to Comcast, it's obviously quite easy to slap the company around for any number of its anti-consumer practices. Just sampling from the most recent news, Comcast was sued over its opt-out mobile-hotspot-from-your-home-router plan, the company has decided to combat cord-cutting by hiking prices and fees on equipment for customers who cord-cut cable television, and it also has put in place a similar plan to charge all kinds of bullshit fees on equipment installations for customers who aren't bundling in other services with its ISP offering. You should be noticing a trend in there that has to do with how Comcast handles so-called "equipment rental" fees for its broadband customers and how it handles customers that choose to bring their own device to their home networks instead. Comcast has always hated customers that use their own WiFi routers, as the fees for renting a wireless access point represent a huge part of Comcast's revenue.

Which is why you would think that the company would at least not expose the home networks of customers who use that equipment. Sadly, it seems that Comcast's website made the network SSIDs and passwords of customers who were renting router equipment available in plain text, while those that used their own routers were completely safe.

A security hole in a Comcast service-activation website allowed anyone to obtain a customer's Wi-Fi network name and password by entering the customer's account number and a partial street address, ZDNet reported yesterday.

The problem would have let attackers "rename Wi-Fi network names and passwords, temporarily locking users out" of their home networks, ZDNet wrote. Obviously, an attacker could also use a Wi-Fi network name and password to log into an unsuspecting Comcast customer's home network.

It should be noted that Comcast almost immediately addressed the security flaw in its website after ZDNet's report. Still, we're not in the business of giving high marks to a company that fixes a laughable security hole on its website. Comcast reps also claimed that "There's nothing more important than our customers' security." But, if that were true, Comcast's position would be to advocate that its customers use their own routers rather than renting Comcast routers, as those who did so were completely protected from this security risk.

Just to be clear, we're talking about really sensitive information exposed by this website flaw. WiFi network names and passwords are one thing, but malicious actors were also presented with the routers' physical home addresses, despite the attacker not needing a customer's full home address in order to access that information. And all of this was presented in plain text.

Any company making these kinds of dangerous mistakes would be bad, but it's worth putting all of this in the context of Comcast both operating in a competition-deprived, unregulated ISP market and trying to get even bigger through major acquisitions to gobble up even more market share. That kind of attempt at ISP monoculture makes any security flaw exponentially worse, and Comcast has not demonstrated its ability to live up to the security task.

Meanwhile, why anyone would rent a Comcast WiFi router is completely beyond me.

Filed Under: passwords, privacy, routers, wifi
Companies: comcast

Reader Comments


  1. Chip, 24 May 2018 @ 2:07pm

    Re: Re: Regs

    Because all Regulations are BAD!

    PS I never said All regulations are BAD quit "lying"!

    Every Nation eats the Paint chips it Deserves!
