By Dark Helmet
From the pay-to-be-hacked dept
Look, when it comes to Comcast, it's obviously quite easy to slap the company around for any number of its anti-consumer practices.
Just sampling from the most recent news, Comcast was sued over its opt-out mobile hotspot from your home router plan, the company has decided to combat cord-cutting by hiking prices and fees on equipment for customers who cord-cut cable television, and it also has put in place a similar plan to charge all kinds of bullshit fees on equipment installations for customers who aren't bundling in other services with its ISP offering.
You should be noticing a trend in there that has to do with how Comcast handles so-called "equipment rental" fees for its broadband customers and how it handles customers that choose to bring their own device to their home networks instead. Comcast has always hated customers that use their own WiFi routers, as the fees for renting a wireless access point represent a huge part of Comcast's revenue.
Which is why you would think that the company would at least not expose the home networks of customers who use that equipment.
Sadly, it seems that Comcast's website made the network SSID's and passwords available in plain text of customers who were renting router equipment, while those that used their own routers were completely safe.
It should be noted that Comcast almost immediately addressed the security flaw in its website after ZDNet's report. Still, we're not in the business of giving high marks to a company that fixes a laughable security hole on its website.
Comcast reps also claimed that "There's nothing more important than our customers' security." But, if that were true, Comcast's position would be to advocate its customers use their own routers rather than renting Comcast routers, as those who did so were completely protected from this security risk.
Just to be clear, we're talking about really sensitive information exposed by this website flaw. WiFi network names and passwords are one thing, but malicious actors were also presented with the routers' physical home addresses, despite the attacker not needing a customer's full home address in order to access that information. And all of this was presented in plain text.
Any company making these kinds of dangerous mistakes would be bad, but it's worth putting all of this in the context of Comcast both operating in a competition-deprived unregulated ISP market and that it is trying to get even bigger through major acquisitions to gobble up even more market-share. That kind of attempt at ISP monoculture makes any security flaw exponentially worse, and Comcast has not demonstrated its ability to live up to the security task.
Meanwhile, why anyone would rent a Comcast WiFi router is completely beyond me.
From the pay-to-be-hacked dept
Look, when it comes to Comcast, it's obviously quite easy to slap the company around for any number of its anti-consumer practices.
Just sampling from the most recent news, Comcast was sued over its opt-out mobile hotspot from your home router plan, the company has decided to combat cord-cutting by hiking prices and fees on equipment for customers who cord-cut cable television, and it also has put in place a similar plan to charge all kinds of bullshit fees on equipment installations for customers who aren't bundling in other services with its ISP offering.
You should be noticing a trend in there that has to do with how Comcast handles so-called "equipment rental" fees for its broadband customers and how it handles customers that choose to bring their own device to their home networks instead. Comcast has always hated customers that use their own WiFi routers, as the fees for renting a wireless access point represent a huge part of Comcast's revenue.
Which is why you would think that the company would at least not expose the home networks of customers who use that equipment.
Sadly, it seems that Comcast's website made the network SSID's and passwords available in plain text of customers who were renting router equipment, while those that used their own routers were completely safe.
A security hole in a Comcast service-activation website allowed anyone to obtain a customer's Wi-Fi network name and password by entering the customer's account number and a partial street address, ZDNet reported yesterday.
The problem would have let attackers "rename Wi-Fi network names and passwords, temporarily locking users out" of their home networks, ZDNet wrote. Obviously, an attacker could also use a Wi-Fi network name and password to log into an unsuspecting Comcast customer's home network.
The problem would have let attackers "rename Wi-Fi network names and passwords, temporarily locking users out" of their home networks, ZDNet wrote. Obviously, an attacker could also use a Wi-Fi network name and password to log into an unsuspecting Comcast customer's home network.
Comcast reps also claimed that "There's nothing more important than our customers' security." But, if that were true, Comcast's position would be to advocate its customers use their own routers rather than renting Comcast routers, as those who did so were completely protected from this security risk.
Just to be clear, we're talking about really sensitive information exposed by this website flaw. WiFi network names and passwords are one thing, but malicious actors were also presented with the routers' physical home addresses, despite the attacker not needing a customer's full home address in order to access that information. And all of this was presented in plain text.
Any company making these kinds of dangerous mistakes would be bad, but it's worth putting all of this in the context of Comcast both operating in a competition-deprived unregulated ISP market and that it is trying to get even bigger through major acquisitions to gobble up even more market-share. That kind of attempt at ISP monoculture makes any security flaw exponentially worse, and Comcast has not demonstrated its ability to live up to the security task.
Meanwhile, why anyone would rent a Comcast WiFi router is completely beyond me.
Comment