Just so you know, if you have an embedded router from a service provider all of that data is _already_ being transmitted and has been for a long, long time. If it's being collected via SNMPv2c it is being transmitted in the clear (though hopefully encrypted via BPI+ between the modem and the CMTS). If it's being collected via TR-069 it _may_ (should be) encrypted in transit, but in my experience that isn't guaranteed, and when it's being sent over TLS there's often a self-signed cert in the chain.

Scott Helms

On Thu, Apr 25, 2019 at 10:45 AM Benjamin Sisco <[email protected]> wrote:

> On 4/24/2019 10:34 AM, Seth Mattinen wrote:
>
> > That's looking at it from a technical perspective when it isn't a technical problem. People that buy "includes wifi" from their ISP often need extreme amounts of help with it, and thus the wifi credentials are stored and transmitted in plain text for tech support reasons.
>
> While I agree that the underlying need is to provide fast and effective customer service - it is ultimately a technical problem. As it's been pointed out in subsequent posts WiFi is the leading cause of customer calls to an ISP offering the service. Security and "ease of use" are often at odds with each other, and implementing the former with the latter is the challenge many of us wake up to each and every day. The information should be encrypted at rest and in transit and could easily be decrypted by the CSP platform for use by customer support staff at the time of need when customers call in - which would address the concern.
>
> In my experience, bad practice is easily replicated. What else is transmitted in cleartext? Today it's the WiFi password, tomorrow it's your login, port forwarding, DMZ, and other details that are far more useful to a remote attacker than your WiFi password.
>
> -----Original Message-----
> From: NANOG <[email protected]> On Behalf Of Seth Mattinen
> Sent: Wednesday, April 24, 2019 10:34 AM
> To: [email protected]
> Subject: Re: Comcast storing WiFi passwords in cleartext?
>
> On 4/24/19 8:13 AM, Benjamin Sisco wrote:
> > The bigger concern should be the cleartext portion of the subject. There's ZERO reason to store or transmit any credentials (login, service, keys, etc.), in any location, in an unencrypted fashion regardless of their perceived value or purpose. Unless you like risk.
>
> That's looking at it from a technical perspective when it isn't a technical problem. People that buy "includes wifi" from their ISP often need extreme amounts of help with it, and thus the wifi credentials are stored and transmitted in plain text for tech support reasons.
>
> ~Seth

