Comcast storing WiFi passwords in cleartext?

Hi NANOG,

Here's an issue raised today:
https://security.stackexchange.com/questions/207895/how-does-comcast-know-my...

Apparently there's a concern with customers that their seemingly private passphrases, entered in their own boxes, are being shared with the upstream ISP without an explicit customer consent, and are kept in the ISP database for an unspecified period of time. Is it there by design? if so, then maybe some tweaks are necessary?

-- Töma

On 4/23/19 16:46, Töma Gavrichenkov wrote:
> Apparently there's a concern with customers that their seemingly private passphrases, entered in their own boxes, are being shared with the upstream ISP without an explicit customer consent, and are kept in the ISP database for an unspecified period of time. Is it there by design?
> if so, then maybe some tweaks are necessary?

Don't use the built in wifi AP on a cable modem combo would be my first reaction.

~Seth

It's not exactly clear from the StackExchange post but if the end-user is also using Comcast as an ISP, then I guess the modem simply re-registered under the new customer and is happily providing the visibility to Comcast?

On Tue, Apr 23, 2019 at 8:34 PM Töma Gavrichenkov <ximaera@gmail.com> wrote:
> On Wed, Apr 24, 2019 at 3:07 AM Seth Mattinen <sethm@rollernet.us> wrote:
>> Don't use the built in wifi AP on a cable modem combo would be my first reaction.
>
> Totally correct, but that's what s/he claims to have already taken care of!
>
> -- Töma

OP said they logged into their account and went to the security portion of the portal. So one can assume they're the ISP or I don’t see the point in asking how Comcast would know the info.

Luke
Ns

On Apr 23, 2019, at 8:05 PM, Laurent Dumont <laurentfdumont@gmail.com> wrote:
> It's not exactly clear from the StackExchange post but if the end-user is also using Comcast as an ISP, then I guess the modem simply re-registered under the new customer and is happily providing the visibility to Comcast?

On Wed, 24 Apr 2019, Luke Guillory wrote:
> OP said they logged into their account and went to the security portion of the portal. So one can assume they're the ISP or I don’t see the point in asking how Comcast would know the info.

It is entirely possible that an account separate and hidden from the customer account would be able to access the administrative controls of the router. It is also plausible that the access does not use a username/password to authenticate but another, hopefully secure method.

One could make this access secure by:

1. Ensuring any connection originated from Company-controlled IP space
2. Username/Password are not provided to the CS agent but is merely a button they press, after properly authenticating themselves as well as authenticating the customer, that would pass a one-time use token to access the device
3. Every token use was logged and regularly audited
4. Keys were regularly and in an automated fashion rotated, maybe even daily

If such precautions are taken, it is their router and it is their service, seems reasonable that Comcast should be able to log into their router and change configs.

Beckman
---------------------------------------------------------------------------
Peter Beckman                                                  Internet Guy
beckman@angryox.com                                 http://www.angryox.com/
---------------------------------------------------------------------------

On Tue, 23 Apr 2019, Peter Beckman wrote:
> On Wed, 24 Apr 2019, Luke Guillory wrote:
>> OP said they logged into their account and went to the security portion of the portal. So one can assume they're the ISP or I don’t see the point in asking how Comcast would know the info.
>
> It is entirely possible that an account separate and hidden from the customer account would be able to access the administrative controls of the router. It is also plausible that the access does not use a username/password to authenticate but another, hopefully secure method.
>
> One could make this access secure by:
>
> 1. Ensuring any connection originated from Company-controlled IP space
> 2. Username/Password are not provided to the CS agent but is merely a button they press, after properly authenticating themselves as well as authenticating the customer, that would pass a one-time use token to access the device
> 3. Every token use was logged and regularly audited
> 4. Keys were regularly and in an automated fashion rotated, maybe even daily
>
> If such precautions are taken, it is their router and it is their service, seems reasonable that Comcast should be able to log into their router and change configs.

... such that the access of the Wifi Password which is likely stored in plain text on the router is accessed by Comcast in a secure manner and not stored in plain text in their internal databases.

But I'm guessing probably it's just cached in plain text in their internal DBs.

Get your own router if you're worried about your Wifi Password being known by Comcast. Or change to WPA2 Enterprise, but I'm guessing that isn't supported on the router...

---------------------------------------------------------------------------
Peter Beckman                                                  Internet Guy
beckman@angryox.com                                 http://www.angryox.com/
---------------------------------------------------------------------------
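The four precautions listed in the two messages above, sketched as an added example (not code from the thread or from any ISP): a broker that issues signed, one-time device-access tokens, restricts redemption to company address space, logs every use and rotates its signing key daily. The class name, the address range, the lifetimes and the token layout are all assumptions made for illustration.

```python
import hashlib, hmac, ipaddress, secrets, time

# Assumed values for illustration; none of them come from the thread.
COMPANY_NETS = [ipaddress.ip_network("198.51.100.0/24")]  # documentation range
TOKEN_TTL = 300        # seconds a token stays redeemable
KEY_LIFETIME = 86400   # signing key rotated daily (item 4)

class SupportAccessBroker:
    """Hypothetical broker between a support console and customer gateways."""

    def __init__(self, clock=time.time):
        self.clock = clock
        self.keys = {}      # key id -> (secret, created_at)
        self.used = set()   # nonces that were already redeemed
        self.audit = []     # (time, event, agent, device, source) for item 3
        self.rotate_key()

    def rotate_key(self):
        now = self.clock()
        self.current = secrets.token_hex(4)
        self.keys[self.current] = (secrets.token_bytes(32), now)
        # Retire keys too old to have signed a token that is still valid.
        self.keys = {k: v for k, v in self.keys.items()
                     if now - v[1] <= KEY_LIFETIME + TOKEN_TTL}

    def _mac(self, kid, body):
        return hmac.new(self.keys[kid][0], body.encode(), hashlib.sha256).hexdigest()

    def issue(self, agent, device, agent_authenticated, customer_verified):
        # Item 2: the agent presses a button and never sees a device credential.
        if not (agent_authenticated and customer_verified):
            self.audit.append((self.clock(), "issue-denied", agent, device, "-"))
            return None
        if self.clock() - self.keys[self.current][1] >= KEY_LIFETIME:
            self.rotate_key()
        expires = str(int(self.clock()) + TOKEN_TTL)
        body = "|".join([self.current, agent, device, expires, secrets.token_hex(8)])
        self.audit.append((self.clock(), "issued", agent, device, "-"))
        return body + "|" + self._mac(self.current, body)

    def redeem(self, token, device, source_ip):
        parts = token.split("|")
        reason = self._reject_reason(parts, device, source_ip)
        event = "redeemed" if reason is None else "rejected:" + reason
        agent = parts[1] if len(parts) == 6 else "?"
        self.audit.append((self.clock(), event, agent, device, source_ip))
        return reason is None

    def _reject_reason(self, parts, device, source_ip):
        addr = ipaddress.ip_address(source_ip)
        if not any(addr in net for net in COMPANY_NETS):   # item 1
            return "source-ip"
        if len(parts) != 6 or parts[0] not in self.keys:
            return "format-or-retired-key"
        expected = self._mac(parts[0], "|".join(parts[:5]))
        if not hmac.compare_digest(parts[5].encode(), expected.encode()):
            return "bad-signature"
        if parts[2] != device or int(parts[3]) < self.clock():
            return "wrong-device-or-expired"
        if parts[4] in self.used:
            return "replayed"
        self.used.add(parts[4])   # one-time use: burn the nonce
        return None
```

The audit list records rejected attempts as well as successful ones, which is what makes the regular review in item 3 useful.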

On 4/23/19 8:35 PM, Peter Beckman wrote:
> Get your own router if you're worried about your Wifi Password being known by Comcast. Or change to WPA2 Enterprise, but I'm guessing that isn't supported on the router...

Original post seems to be someone that bought a used modem/router combo. Since the combo is part cable modem, and needs to be provisioned by the MSP, it is going to have access to parts of the config, including the wireless password.

It is unknown if the password is stored in plaintext in Comcast's database, and I doubt that someone from Comcast is going to validate that. It is being displayed to the account owner for their benefit.

I honestly see nothing wrong with this in and of itself. At the same time, I refuse to use one of these combo modem/router/WAP. I don't want Comcast to steal my Internet for their roaming wireless, and also don't trust their security. I do all that myself on my own hardware, and prefer to be responsible for my own security. I suspect most people to be lazy.

-Sean

Yes it's in the router, accessed via the following MIB.

Name    arrisRouterWPAPreSharedKey
OID     .1.3.6.1.4.1.4115.1.20.1.1.3.26.1.2
MIB     ARRIS-ROUTER-DEVICE-MIB
Syntax  OCTET STRING (SIZE (8..64))
Access  read-write
Status  current
Descri  Sets the WPA Pre-Shared Key (PSK) used by this service set. This value MUST be either a 64 byte hexadecimal number, OR an 8 to 63 character ASCII string.

Which returns the following.

OID: .1.3.6.1.4.1.4115.1.20.1.1.3.26.1.2.10004  Value: F2414322EE3D9263  Type: OctetString
OID: .1.3.6.1.4.1.4115.1.20.1.1.3.26.1.2.10003  Value: F2414322EE3D9263  Type: OctetString
OID: .1.3.6.1.4.1.4115.1.20.1.1.3.26.1.2.10002  Value: F2414322EE3D9263  Type: OctetString
OID: .1.3.6.1.4.1.4115.1.20.1.1.3.26.1.2.10001  Value: F2414322EE3D9263  Type: OctetString

Ns
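The MIB description quoted above accepts two forms of key: the ASCII passphrase or a 64-digit hexadecimal value. The following added example (not code from the thread) shows what each form reveals to whoever can read the object, using the standard WPA/WPA2-Personal mapping from passphrase and SSID to the 256-bit key. The function names are assumptions; the sample passphrase and SSID are the published IEEE 802.11i test values.

```python
import hashlib
import string

HEX_DIGITS = set(string.hexdigits)

def classify_psk(value: str) -> str:
    """Classify a stored key by the two forms the MIB description allows."""
    if len(value) == 64 and set(value) <= HEX_DIGITS:
        return "raw-psk"       # the 256-bit key itself, as 64 hex digits
    if 8 <= len(value) <= 63 and all(32 <= ord(c) <= 126 for c in value):
        return "passphrase"    # the human-chosen secret, readable as typed
    return "invalid"

def derive_psk(passphrase: str, ssid: str) -> str:
    """WPA/WPA2-Personal mapping: PBKDF2-HMAC-SHA1, SSID as salt, 4096 rounds."""
    if classify_psk(passphrase) != "passphrase":
        raise ValueError("passphrase must be 8..63 printable ASCII characters")
    salt = ssid.encode("utf-8")
    if not 1 <= len(salt) <= 32:
        raise ValueError("SSID must be 1..32 bytes")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"), salt, 4096, 32).hex()

def management_plane_view(stored: str) -> dict:
    """What anyone who can read the object learns from the stored value."""
    kind = classify_psk(stored)
    return {
        "form": kind,
        # Either form is enough to associate with this SSID.
        "can_join_this_ssid": kind in ("passphrase", "raw-psk"),
        # Only the ASCII form exposes the secret the customer typed.
        "sees_typed_passphrase": kind == "passphrase",
    }

# Constructed sample: the published IEEE 802.11i test passphrase and SSID.
SAMPLE_PASSPHRASE, SAMPLE_SSID = "password", "IEEE"
SAMPLE_PSK = derive_psk(SAMPLE_PASSPHRASE, SAMPLE_SSID)
```

Storing the derived key instead of the passphrase hides what the customer typed, which matters if the passphrase is reused elsewhere, but the derived key is still sufficient to join that SSID.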

While it's correct that it's stored in the vendor proprietary MIB this information is commonly retrieved from the CableLabs standard MIB and via TR-181 in DSL and FTTH gear. I wrote up an answer on the security forum originally referenced, but for convenience here is the same text.

The PSK passphrase is (by design) stored in a retrievable format by the Modem vendor, in this case Arris, but the same standard is supported by many other modem vendors. In DOCSIS cable modems this is most commonly done via SNMP against this specific OID:

clabWIFIAccessPointSecurityKeyPassphrase OBJECT-TYPE
    SYNTAX      SnmpAdminString (SIZE(0..63))
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "This object is defined in TR-181 Device.WiFi.AccessPoint{i}.Security.KeyPassphrase."
    REFERENCE
        "TR-181 Device Data Model for TR-069."
    ::= {clabWIFIAccessPointSecurityEntry 5 }

This is part of the CableLabs WiFi MIB:
http://mibs.cablelabs.com/MIBs/wireless/CLAB-WIFI-MIB-2017-09-07.txt

Which is in turn based on the TR-069 sub-standard of TR-181:
https://cwmp-data-models.broadband-forum.org/tr-181-2-11-0.html#D.Device:2.D... .{i}.Security.KeyPassphrase
http://www.broadband-forum.org/download/TR-181_Issue-2_Amendment-2.pdf

Not only does this apply to cable modems, but many DSL and FTTH endpoints will also allow the service provider to retrieve your PSK passphrases and a litany of other settings. This allows for end users to have their settings backed up in case of a device having to be replaced or much more commonly for call centers to be able to retrieve some of the settings, like the pass phrase, when a customer calls in because they can't remember it.

Scott Helms

On Tue, Apr 23, 2019 at 11:34 PM Luke Guillory <lguillory@reservetele.com> wrote:
> Yes it's in the router, accessed via the following MIB.
>
> Name    arrisRouterWPAPreSharedKey
> OID     .1.3.6.1.4.1.4115.1.20.1.1.3.26.1.2
> MIB     ARRIS-ROUTER-DEVICE-MIB
> Syntax  OCTET STRING (SIZE (8..64))
> Access  read-write
> Status  current
> Descri  Sets the WPA Pre-Shared Key (PSK) used by this service set. This value MUST be either a 64 byte hexadecimal number, OR an 8 to 63 character ASCII string.
>
> Which returns the following.
>
> OID: .1.3.6.1.4.1.4115.1.20.1.1.3.26.1.2.10004  Value: F2414322EE3D9263  Type: OctetString
> OID: .1.3.6.1.4.1.4115.1.20.1.1.3.26.1.2.10003  Value: F2414322EE3D9263  Type: OctetString
> OID: .1.3.6.1.4.1.4115.1.20.1.1.3.26.1.2.10002  Value: F2414322EE3D9263  Type: OctetString
> OID: .1.3.6.1.4.1.4115.1.20.1.1.3.26.1.2.10001  Value: F2414322EE3D9263  Type: OctetString
>
> Ns

I don’t really see the issue here. What was the concern of the O.P.? That a Comcast tech will know your Wifi password?

If you’re really running something that requires that kind of security you may want to get your own wireless access point. Otherwise, that’s just how it works for a multitude of reasons.

Matt,

I believe the thought process is that if I'm not renting the device from the MSO, why would they log said info.

As Scott said, there can be many reasons as to why they would grab it and add to the user's account. Same as making sure modems, whether that's MSO owned or customer owned are on the latest firmware.

Luke
Ns

-----Original Message-----
From: Matt Hoppes [mailto:mattlists@rivervalleyinternet.net]
Sent: Wednesday, April 24, 2019 7:27 AM
To: K. Scott Helms
Cc: Luke Guillory; NANOG
Subject: Re: Comcast storing WiFi passwords in cleartext?

I don’t really see the issue here. What was the concern of the O.P.? That a Comcast tech will know your Wifi password? If you’re really running something that requires that kind of security you may want to get your own wireless access point. Otherwise, that’s just how it works for a multitude of reasons.

The Stackexchange post does NOT say that they got their own AP. It says they got their own DOCSIS Modem / Router / Wifi combo device. That's an important distinction.

When I worked at Adelphia many years ago, the only distinction between customer owned CPE and company owned CPE was billing. All modems received the same DOCSIS config file when they booted up. While I have not worked in that industry for many years now, from what I am aware of the same behavior still applies. The modem management and configuration is 100% in the hands of the MSO.

This is why, in my opinion, people should avoid modem/router combo units whenever possible. Any information/configuration entered into such a device could be accessible to the MSO (intentionally or otherwise), as is happening here. I'm sure they would come back and say this is necessary to provide support for customers who pay them for WiFi service, but it clearly shows they don't turn off that functionality for customers who don't.

Treat your cable modems as foreign network elements. Cause that's what they are.

On Wed, Apr 24, 2019 at 9:28 AM Töma Gavrichenkov <ximaera@gmail.com> wrote:
> On Wed, Apr 24, 2019 at 3:27 PM Matt Hoppes <mattlists@rivervalleyinternet.net> wrote:
>> If you’re really running something that requires that kind of security you may want to get your own wireless access point.
>
> Like I said: the OP claims that's what s/he did.
>
> -- Töma

On 4/24/19 7:24 AM, Tom Beecher wrote:
> This is why, in my opinion, people should avoid modem/router combo units whenever possible. Any information/configuration entered into such a device could be accessible to the MSO (intentionally or otherwise), as is happening here. I'm sure they would come back and say this is necessary to provide support for customers who pay them for WiFi service, but it clearly shows they don't turn off that functionality for customers who don't.
>
> Treat your cable modems as foreign network elements. Cause that's what they are.

+1. Encountered this with an AT&T install. AT&T provided router/wifi combo. After the installer was done, first thing I did was to turn the combo's wifi off, and hook up the access point the customer has been using for years. Verified that the MAC filtering was still correct during the post-install. Customer is happy. The next step is to build a Protectli firewall to go between the AT&T modem and the access point. Block any chance of AT&T using SNMP to sniff the access point. (Moved the Access Point's IP address for management and gateway, too.)

This has been a thing for quite a while with Comcast. It is also available to a customer service rep. It is retrieved from the Gateway via SNMP if I'm not mistaken. Customer service reps can also reset your wireless password either to a default or a specific one of yours or their choosing if necessary.

This is something to remember with cable modems and especially gateways. As long as it is connected to their Network it is practically theirs from a configurations standpoint, they are in complete control of the device and can get any information they need or want from said device.

I'm not saying they are doing anything nefarious or packet capping the local network or anything of that nature that is a little on the tin foil hat side for me personally, but you should always consider that any information available to a cable modem Gateway or plain cable modem is available to the ISP.

As many have recommended in the past always get a separate router and a plain modem.

Brandon Jackson

On Wed, Apr 24, 2019 at 9:05 AM Brandon Jackson via NANOG <nanog@nanog.org> wrote:
> I'm not saying they are doing anything nefarious or packet capping the local network or anything of that nature that is a little on the tin foil hat side for me personally, but you should always consider that any information available to a cable modem Gateway or plain cable modem is available to the ISP.

I'd wager at least 95% of Comcast's users aren't network engineers, security bros, or in some technically competent field.

If you were building a system to support hundreds of thousands or millions of users who couldn't distinguish between a DVD drive and a cup holder, how would you make it easy for your front-line support staff to help them use the service they paid for?

Want to walk them through factory resetting an old WTR54, hardwire a computer/laptop to it (if they have one), sign in with default creds and then properly configure wireless?

I'd rather say "What do you want your wireless network name to be?" "Ok, and what do you want your password to be?" "Done. Try connecting now."

In any sort of business environment you should be bridging the modem and putting your own firewall in.

-A

On Tue, Apr 23, 2019 at 4:48 PM Töma Gavrichenkov <ximaera@gmail.com> wrote:
> Apparently there's a concern with customers that their seemingly private passphrases, entered in their own boxes, are being shared with the upstream ISP without an explicit customer consent, and are kept in the ISP database for an unspecified period of time. Is it there by design?

Not sure what the concern is here. Cable modem with builtin WiFi (managed WiFi) is part of the service you signed up for and you are free to use your own WiFi solutions. Chances are the CPE is rented from ISP...

Are you expecting the passphrase to get stored as a one way hash?

Arris Touchstone has TR-069 connecting to ACS for configuration/management. This platform is ridiculously insecure and the web interface essentially does SNMP read/write over HTTP.

https://w00tsec.blogspot.com/2015/11/arris-cable-modem-has-backdoor-in.html

participants (15)
- Aaron C. de Bruyn
- Brandon Jackson
- Christopher Morrow
- K. Scott Helms
- Laurent Dumont
- Luke Guillory
- Matt Hoppes
- Peter Beckman
- Randy Bush
- Sean Figgins
- Seth Mattinen
- Stephen Satchell
- Tom Beecher
- Töma Gavrichenkov
- Yang Yu