Hi NANOG,
Here's an issue raised today:
https://security.stackexchange.com/questions/207895/how-does-comcast-know-my-wifi-password
Apparently there's a concern with customers that their seemingly
private passphrases, entered in their own boxes, are being shared with
the upstream ISP without an explicit customer consent, and are kept in
the ISP database for an unspecified period of time. Is it there by
design?
If so, then maybe some tweaks are necessary?
Don't use the built-in wifi AP on a cable modem combo would be my first reaction.
~Seth
Totally correct, but that's what s/he claims to have already taken care of!
It’s not exactly clear from the StackExchange post but if the end-user is also using Comcast as an ISP, then I guess the modem simply re-registered under the new customer and is happily providing the visibility to Comcast?
OP said they logged into their account and went to the security portion of the portal. So one can assume they’re the ISP or I don’t see the point in asking how Comcast would know the info.
Luke
Ns
This has been a thing for quite a while with Comcast. It is also available to a customer service rep. It is retrieved from the Gateway via SNMP if I’m not mistaken. Customer service reps can also reset your wireless password either to a default or a specific one of yours or their choosing if necessary.
This is something to remember with cable modems and especially gateways. As long as it is connected to their network it is practically theirs from a configuration standpoint; they are in complete control of the device and can get any information they need or want from said device.
I’m not saying they are doing anything nefarious or packet capturing the local network or anything of that nature; that is a little on the tin-foil-hat side for me personally, but you should always consider that any information available to a cable modem gateway or plain cable modem is available to the ISP.
As many have recommended in the past, always get a separate router and a plain modem.
Brandon Jackson
It is entirely possible that an account separate and hidden from the
customer account would be able to access the administrative controls of the
router. It is also plausible that the access does not use a
username/password to authenticate but another, hopefully secure method.
One could make this access secure by:
1. Ensuring any connection originated from Company-controlled IP space
2. Username/password are not provided to the CS agent; instead there is merely a
button they press, after properly authenticating themselves as well
as authenticating the customer, that would pass a one-time use
token to access the device
3. Every token use was logged and regularly audited
4. Keys were regularly and in an automated fashion rotated, maybe even
daily
If such precautions are taken, it is their router and it is their service; it
seems reasonable that Comcast should be able to log into their router and
change configs.
Beckman
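As an added illustration of the four precautions listed above (not code from the thread or from any ISP), here is a small access broker: tokens are only issued after both agent and customer are authenticated, are HMAC-bound to one device under a signing key that rotates automatically, can be redeemed exactly once and only from company-controlled IP space, and every issue/redeem/rotation event lands in an audit log. The class and method names, the 203.0.113.0/24 "company" range and the TTL values are assumptions made for this example.

```python
"""Added example: a one-time-token broker for support-staff gateway access.
Not the thread's or any vendor's code; all names and ranges are assumptions."""
import hashlib
import hmac
import ipaddress
import secrets
import time


class AccessBroker:
    # Assumed company-controlled source range (constructed sample value).
    COMPANY_NETS = [ipaddress.ip_network("203.0.113.0/24")]
    TOKEN_TTL = 300        # seconds a token stays redeemable
    ROTATE_AFTER = 86400   # rotate the signing key at least daily

    def __init__(self, now=time.time):
        self._now = now                  # injectable clock (for tests)
        self._key = secrets.token_bytes(32)
        self._key_issued = now()
        self._tokens = {}                # token_id -> (agent, customer, device, expires)
        self.audit_log = []              # every event, for regular review

    def _log(self, event, **fields):
        self.audit_log.append({"ts": self._now(), "event": event, **fields})

    def rotate_key(self):
        """A new key invalidates every token signed under the old one."""
        self._key = secrets.token_bytes(32)
        self._key_issued = self._now()
        self._tokens.clear()
        self._log("key_rotated")

    def _maybe_rotate(self):
        if self._now() - self._key_issued >= self.ROTATE_AFTER:
            self.rotate_key()

    def _mac(self, token_id, device):
        # Bind the token to one device so it cannot be replayed elsewhere.
        return hmac.new(self._key, f"{token_id}:{device}".encode(),
                        hashlib.sha256).hexdigest()

    def issue_token(self, agent_authenticated, customer_authenticated,
                    agent, customer, device):
        """The 'button': no credentials reach the agent, only a short-lived token."""
        self._maybe_rotate()
        if not (agent_authenticated and customer_authenticated):
            self._log("issue_denied", agent=agent, customer=customer)
            return None
        token_id = secrets.token_hex(16)
        self._tokens[token_id] = (agent, customer, device,
                                  self._now() + self.TOKEN_TTL)
        self._log("token_issued", agent=agent, customer=customer,
                  device=device, token=token_id)
        return f"{token_id}.{self._mac(token_id, device)}"

    def redeem_token(self, token, source_ip, device):
        """Return True exactly once per token; all other paths fail closed."""
        self._maybe_rotate()
        ip = ipaddress.ip_address(source_ip)
        if not any(ip in net for net in self.COMPANY_NETS):
            self._log("redeem_denied", reason="source_ip", ip=source_ip)
            return False
        token_id, _, mac = token.partition(".")
        entry = self._tokens.get(token_id)
        valid = (entry is not None
                 and hmac.compare_digest(mac, self._mac(token_id, device))
                 and entry[2] == device
                 and self._now() <= entry[3])
        if not valid:
            self._log("redeem_denied", reason="invalid_expired_or_used", token=token_id)
            return False
        del self._tokens[token_id]       # single use
        self._log("device_access", agent=entry[0], customer=entry[1],
                  device=device, token=token_id)
        return True
```

The broker never stores or returns a device password; what the agent's "button" obtains is a token the gateway side would verify, and the audit log is the artifact to review regularly.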
... such that the access of the Wifi Password which is likely stored in
plain text on the router is accessed by Comcast in a secure manner and not
stored in plain text in their internal databases.
But I'm guessing probably it's just cached in plain text in their internal
DBs.
Get your own router if you're worried about your Wifi Password being known
by Comcast. Or change to WPA2 Enterprise, but I'm guessing that isn't
supported on the router...
Not sure what the concern is here. Cable modem with built-in WiFi
(managed WiFi) is part of the service you signed up for and you are
free to use your own WiFi solutions. Chances are the CPE is rented
from ISP... Are you expecting the passphrase to get stored as a one
way hash?
Arris Touchstone has TR-069 connecting to ACS for configuration/management.
This platform is ridiculously insecure and the web interface
essentially does SNMP read/write over HTTP.
https://w00tsec.blogspot.com/2015/11/arris-cable-modem-has-backdoor-in.html
you've seen TR-069 right?
<sad panda>
Original post seems to be someone that bought a used modem/router combo. Since the combo is part cable modem, and needs to be provisioned by the MSP, it is going to have access to parts of the config, including the wireless password. It is unknown if the password is stored in plaintext in Comcast's database, and I doubt that someone from Comcast is going to validate that. It is being displayed to the account owner for their benefit. I honestly see nothing wrong with this in and of itself.
At the same time, I refuse to use one of these combo modem/router/WAP. I don't want Comcast to steal my Internet for their roaming wireless, and also don't trust their security. I do all that myself on my own hardware, and prefer to be responsible for my own security. I suspect most people to be lazy.
-Sean
Yes it's in the router, accessed via the following MIB.
Name:        arrisRouterWPAPreSharedKey
OID:         .1.3.6.1.4.1.4115.1.20.1.1.3.26.1.2
MIB:         ARRIS-ROUTER-DEVICE-MIB
Syntax:      OCTET STRING (SIZE (8..64))
Access:      read-write
Status:      current
Description: Sets the WPA Pre-Shared Key (PSK) used by this service set. This
             value MUST be either a 64 byte hexadecimal number, OR an 8 to 63
             character ASCII string.
Which returns the following.
OID: .1.3.6.1.4.1.4115.1.20.1.1.3.26.1.2.10004
Value: F2414322EE3D9263
Type: OctetString
OID: .1.3.6.1.4.1.4115.1.20.1.1.3.26.1.2.10003
Value: F2414322EE3D9263
Type: OctetString
OID: .1.3.6.1.4.1.4115.1.20.1.1.3.26.1.2.10002
Value: F2414322EE3D9263
Type: OctetString
OID: .1.3.6.1.4.1.4115.1.20.1.1.3.26.1.2.10001
Value: F2414322EE3D9263
Type: OctetString
Ns
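As an added example (not from the thread), here is a parser for the "OID / Value / Type" listing shown above that checks each arrisRouterWPAPreSharedKey value against the constraint in the MIB description (a 64-digit hex string, or 8 to 63 printable ASCII characters) and flags service-set indices that share one PSK, which is what the listing above shows across all four indices. The only value taken from the thread is the OID prefix; the sample listing and its passphrases are constructed placeholders.

```python
"""Added example: audit an SNMP listing of WPA PSK values against the MIB
constraint and report PSK reuse across service sets. Sample data is constructed."""
import string

# OID prefix from the thread; the trailing component is the service-set index.
PSK_OID_PREFIX = ".1.3.6.1.4.1.4115.1.20.1.1.3.26.1.2."

# Constructed sample listing in the same layout as the thread's output.
SAMPLE_WALK = """\
OID: .1.3.6.1.4.1.4115.1.20.1.1.3.26.1.2.10004
Value: examplepassphrase
Type: OctetString
OID: .1.3.6.1.4.1.4115.1.20.1.1.3.26.1.2.10003
Value: examplepassphrase
Type: OctetString
OID: .1.3.6.1.4.1.4115.1.20.1.1.3.26.1.2.10002
Value: short
Type: OctetString
OID: .1.3.6.1.4.1.4115.1.20.1.1.3.26.1.2.10001
Value: 0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
Type: OctetString
"""


def parse_walk(text):
    """Return {service_set_index: value} for every PSK OID in the listing."""
    entries = {}
    current = None
    for line in text.splitlines():
        key, _, val = line.partition(":")
        key, val = key.strip(), val.strip()
        if key == "OID":
            # Only rows under the PSK column are of interest; others reset state.
            current = int(val[len(PSK_OID_PREFIX):]) if val.startswith(PSK_OID_PREFIX) else None
        elif key == "Value" and current is not None:
            entries[current] = val
    return entries


def classify_psk(value):
    """'hex64', 'ascii' or 'invalid', following the MIB description."""
    if len(value) == 64 and all(c in string.hexdigits for c in value):
        return "hex64"
    if 8 <= len(value) <= 63 and all(32 <= ord(c) < 127 for c in value):
        return "ascii"
    return "invalid"


def audit_walk(text):
    """Classify each PSK and list index groups that share the same key."""
    entries = parse_walk(text)
    report = {idx: classify_psk(v) for idx, v in entries.items()}
    by_value = {}
    for idx, v in entries.items():
        by_value.setdefault(v, []).append(idx)
    reused = sorted(sorted(idxs) for idxs in by_value.values() if len(idxs) > 1)
    return report, reused


if __name__ == "__main__":
    rep, shared = audit_walk(SAMPLE_WALK)
    for idx in sorted(rep):
        print(f"service set {idx}: {rep[idx]}")
    for group in shared:
        print(f"same PSK on service sets {group}")
```

The reuse report is the operational point: when one PSK is configured across every service set on the gateway, disclosure of that single value (to the ISP portal or anyone else) covers all of them.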
While it’s correct that it’s stored in the vendor proprietary MIB this information is commonly retrieved from the CableLabs standard MIB and via TR-181 in DSL and FTTH gear.
I wrote up an answer on the security forum originally referenced, but for convenience here is the same text.
I don’t really see the issue here. What was the concern of the O.P.?
That a Comcast tech will know your Wifi password? If you’re really running something that requires that kind of security you may want to get your own wireless access point.
Otherwise, that’s just how it works for a multitude of reasons.
Matt,
I believe the thought process is that if I'm not renting the device from the MSO, why would they log said info. As Scott said, there can be many reasons as to why they would grab it and add to the users account.
Same as making sure modems, whether that's MSO owned or customer owned are on the latest firmware.
Luke
Ns
Like I said: the OP claims that's what s/he did.
The Stackexchange post does NOT say that they got their own AP. It says they got their own DOCSIS Modem / Router / Wifi combo device. That’s an important distinction.
When I worked at Adelphia many years ago, the only distinction between customer owned CPE and company owned CPE was billing. All modems received the same DOCSIS config file when they booted up. While I have not worked in that industry for many years now, from what I am aware of the same behavior still applies. The modem management and configuration is 100% in the hands of the MSO.
This is why, in my opinion, people should avoid modem/router combo units whenever possible. Any information/configuration entered into such a device could be accessible to the MSO (intentionally or otherwise), as is happening here. I’m sure they would come back and say this is necessary to provide support for customers who pay them for WiFi service, but it clearly shows they don’t turn off that functionality for customers who don’t.
Treat your cable modems as foreign network elements. 'Cause that’s what they are.
you've seen TR-069 right?
that was 2004, security had not been invented yet. oh wait.
+1. Encountered this with an AT&T install. AT&T provided router/wifi
combo. After the installer was done, first thing I did was to turn the
combo's wifi off, and hook up the access point the customer has been
using for years. Verified that the MAC filtering was still correct
during the post-install. Customer is happy.
The next step is to build a Protectli firewall to go between the AT&T
modem and the access point. Block any chance of AT&T using SNMP to
sniff the access point. (Moved the Access Point's IP address for
management and gateway, too.)
I’d wager at least 95% of Comcast’s users aren’t network engineers, security bros, or in some technically competent field.
If you were building a system to support hundreds of thousands or millions of users who couldn’t distinguish between a DVD drive and a cup holder, how would you make it easy for your front-line support staff to help them use the service they paid for? Want to walk them through factory resetting an old WRT54, hardwiring a computer/laptop to it (if they have one), signing in with default creds and then properly configuring wireless?
I’d rather say “What do you want your wireless network name to be?” “Ok, and what do you want your password to be?” “Done. Try connecting now.”
In any sort of business environment you should be bridging the modem and putting your own firewall in.
-A