Just so you know, if you have an embedded router from a service provider all of that data is _already_ being transmitted and has been for a long long time. If it's being collected via SNMPv2c it is being transmitted in the clear (though hopefully encrypted via BPI+ between the modem and the CMTS). If it's being collected via TR-069 it _may_ (should be) encrypted in transit but in my experience that isn't guaranteed and when its being sent over TLS there's often a self signed cert in the chain. Scott Helms On Thu, Apr 25, 2019 at 10:45 AM Benjamin Sisco <bsisco@justassociates.com> wrote:
On 4/24/ 2019 10:34 AM, Seth Mattinen wrote:
That's looking at it from a technical perspective when it isn't a technical problem. People that buy "includes wifi" from their ISP often need extreme amounts of help with it, and thus the wifi credentials are stored and transmitted in plain text for tech support reasons.
While I agree that the underlying need is to provide fast and effective customer service - it is ultimately a technical problem. As it's been pointed out in subsequent posts WiFi is the leading cause of customer calls to an ISP offering the service. Security and "ease of use" are often at odds with each other, and implementing the former with the latter is the challenge many of us wake up to each and every day. The information should be encrypted at rest and in transit and could easily be decrypted by the CSP platform for use by customer support staff at the time of need when cusetomers call in - which would address the concern.
In my experience, bad practice is easily replicated. What else is transmitted in cleartext? Today it's the WiFi password, tomorrow it's your login, port forwarding, DMZ, and other details that are far more useful to a remote attacker than your WiFi password.
-----Original Message----- From: NANOG <nanog-bounces@nanog.org> On Behalf Of Seth Mattinen Sent: Wednesday, April 24, 2019 10:34 AM To: nanog@nanog.org Subject: Re: Comcast storing WiFi passwords in cleartext?
Notice: This message originated outside of Just Associates. Verify the source & exercise caution with links and attachments.
The bigger concern should be the cleartext portion of the subject. There’s ZERO reason to store or transmit any credentials (login, service, keys, etc.), in any location, in an unencrypted fashion regardless of their
On 4/24/19 8:13 AM, Benjamin Sisco wrote: perceived value or purpose. Unless you like risk.
That's looking at it from a technical perspective when it isn't a technical problem. People that buy "includes wifi" from their ISP often need extreme amounts of help with it, and thus the wifi credentials are stored and transmitted in plain text for tech support reasons.
~Seth Confidentiality Notice: This e-mail communication and any attachments may contain confidential and privileged information for the use of the designated recipients named above. If you are not the intended recipient, you are hereby notified that you have received this communication in error and that any review, disclosure, dissemination, distribution or copying of it or its contents is prohibited. If you have received this communication in error, please notify me immediately by replying to this message and deleting it from your computer. Thank you.