Comcast Exposes Customer WiFi SSIDs and Passwords For Customers Paying To Rent A Comcast Router

from the pay-to-be-hacked dept

Look, when it comes to Comcast, it's obviously quite easy to slap the company around for any number of its anti-consumer practices. Just sampling from the most recent news, Comcast was sued over its opt-out mobile hotspot from your home router plan, the company has decided to combat cord-cutting by hiking prices and fees on equipment for customers who cord-cut cable television, and it also has put in place a similar plan to charge all kinds of bullshit fees on equipment installations for customers who aren't bundling in other services with its ISP offering. You should be noticing a trend in there that has to do with how Comcast handles so-called "equipment rental" fees for its broadband customers and how it handles customers that choose to bring their own device to their home networks instead. Comcast has always hated customers that use their own WiFi routers, as the fees for renting a wireless access point represent a huge part of Comcast's revenue.

Which is why you would think that the company would at least not expose the home networks of customers who use that equipment. Sadly, it seems that Comcast's website made the network SSIDs and passwords of customers who were renting router equipment available in plain text, while those who used their own routers were completely safe.

A security hole in a Comcast service-activation website allowed anyone to obtain a customer's Wi-Fi network name and password by entering the customer's account number and a partial street address, ZDNet reported yesterday.

The problem would have let attackers "rename Wi-Fi network names and passwords, temporarily locking users out" of their home networks, ZDNet wrote. Obviously, an attacker could also use a Wi-Fi network name and password to log into an unsuspecting Comcast customer's home network.

It should be noted that Comcast almost immediately addressed the security flaw in its website after ZDNet's report. Still, we're not in the business of giving high marks to a company that fixes a laughable security hole on its website. Comcast reps also claimed that "There's nothing more important than our customers' security." But, if that were true, Comcast's position would be to advocate that its customers use their own routers rather than renting Comcast routers, as those who did so were completely protected from this security risk.

Just to be clear, we're talking about really sensitive information exposed by this website flaw. WiFi network names and passwords are one thing, but malicious actors were also presented with the routers' physical home addresses, despite the attacker not needing a customer's full home address in order to access that information. And all of this was presented in plain text.

Any company making these kinds of dangerous mistakes would be bad, but it's worth putting all of this in the context of Comcast both operating in a competition-deprived, unregulated ISP market and trying to get even bigger through major acquisitions to gobble up even more market share. That kind of attempt at ISP monoculture makes any security flaw exponentially worse, and Comcast has not demonstrated its ability to live up to the security task.

Meanwhile, why anyone would rent a Comcast WiFi router is completely beyond me.

Filed Under: passwords, privacy, routers, wifi
Companies: comcast

Reader Comments


  1. Anonymous Coward, 24 May 2018 @ 2:20pm

    Re: Re: Re: Regs

    Hey chip! Welcome back you silly fucking idiot!

    I actually DO say "all regulations are bad"... you can't even lie correctly.

    Here is my position.

    All regulations are bad, but I do not agree with total deregulation because while regulations are bad, there are worse things to deal with than regulations.

    So, I fully support those "bad regulations" to help ensure that anti-trust and anti-monopoly tools are available to fight off the negative effects of plain old natural "human greed" in Capitalism. You see, when a business obtains a monopoly or builds a trust that creates a conflict of interest it does not serve "the people" so they need a way to fight them other than "free-market". Free market mind you is still essential, but it is clear that people are far too lazy and ignorant to fight corruption, especially when that corruption services them. So there needs to be a 3rd party given power to help get rid of it.

    It's not perfect, but nothing is perfect anyways.

    I know this is all too much for you to swallow after you have filled up on paint chips but please try anyways!
