
Comcast Leaks the Names and Passwords of Customers' Wireless Routers

Comcast has just been caught in a major security snafu: exposing the passwords of the Xfinity wireless routers it provides to its customers, in plain text on the web. Anyone with a subscriber's account number and street number will receive the Wi-Fi name and password via the company's Xfinity Internet Activation service.

Security researchers Karan Saini and Ryan Stevenson reported the problem to ZDNet.

The site is intended to help users configure their Internet service for the first time: ideally, you enter your details and Comcast returns the router's credentials when activating the service.

The problem is threefold:

  1. You can "activate" an already active account
  2. The data required to do this are minimal and are not verified by text message or email
  3. The wireless name and password are sent over the web in clear text

This means anyone with your account number and street number (e.g. the 1425 in "1425 Alder Ave"; no street name, city or apartment number is needed), both of which can be found on a paper bill or in an e-mail, will instantly be given the SSID and password of your router, allowing them to connect and use it as they like or monitor its traffic. They could also rename the router's network or change its password, locking subscribers out.

This only affects people who use a router provided by Xfinity/Comcast, which comes with its own name and password, although the service also returns custom SSIDs and passwords, because they are synchronized with your account and can be changed via the app and other methods.

What can you do? While this problem is at large, there is no point in changing your password – Comcast will simply provide the new one to a malicious actor. So, until further notice, all Comcast Xfinity customers with routers provided by the company are at risk.
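The three flaws above, sketched as an added example (not Comcast's code and not from the original article): `activate_weak` reproduces the described behaviour, while the two-step version refuses already-active accounts, confirms the request through the contact details on file, and leaves the password out of the response. All names, account values and the `send_code` callback are hypothetical.

```python
import hmac
import secrets
from dataclasses import dataclass
from typing import Optional

@dataclass
class Account:
    street_number: str
    active: bool
    ssid: str
    wifi_password: str
    pending_code: Optional[str] = None

# Constructed sample accounts (all values invented for this example).
ACCOUNTS = {
    "1000000001": Account("1425", True, "HOME-A1B2", "constructed-pass-1"),
    "1000000002": Account("77", False, "HOME-C3D4", "constructed-pass-2"),
}

def _same(a, b):
    # Constant-time comparison of two strings.
    return hmac.compare_digest(a.encode(), b.encode())

def activate_weak(account_no, street_no):
    """The flow the article describes: all three flaws present."""
    acct = ACCOUNTS.get(account_no)
    if acct and _same(acct.street_number, street_no):
        return {"ssid": acct.ssid, "password": acct.wifi_password}
    return None

def start_activation(account_no, street_no, send_code):
    """Hardened step 1: refuse active accounts, then verify out of band."""
    acct = ACCOUNTS.get(account_no)
    if acct is None or acct.active or not _same(acct.street_number, street_no):
        return "denied"  # same answer for every failure, so nothing is confirmed
    acct.pending_code = f"{secrets.randbelow(10**6):06d}"
    send_code(acct.pending_code)  # goes to the phone/e-mail on file, not the browser
    return "code_sent"

def finish_activation(account_no, code):
    """Hardened step 2: single-use code; the response never carries the password."""
    acct = ACCOUNTS.get(account_no)
    if acct is None or acct.active or acct.pending_code is None:
        return None
    ok = _same(acct.pending_code, code)
    acct.pending_code = None  # burn the code whether or not it matched
    if not ok:
        return None
    acct.active = True
    return {"ssid": acct.ssid, "status": "activated"}
```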

One thing you can do for the moment is to treat your home network like it's a public network – if you have to use it, make sure encryption is enabled if you're doing private things like buying things online. What will likely happen is that Comcast will post a notice and ask users in general to change their router passwords.

Another is to buy your own router – it's a good idea because it will pay for itself in a few months and you can do more things with it. Which one to buy and how to install it, however, are beyond the scope of this article. But if you are really worried, you might be able to solve this security problem by bringing your own hardware.

I contacted the company for comment and I will update when I hear back.