
Via the TR-69 mechanism, Verizon FiOS routers send your local wifi password to their central management system. The excuse I've heard for this is to "allow support agents to assist users who forgot their passwords"

:-/



To be honest, this makes a lot of sense. The time saved in support is probably worth way more than the costs of dealing with any security fallout.


For that I think having a remote "reset password" option is more sensible. It would avoid issues coming from password reuse.


…and help the customer reconnect all devices on the WiFi?


Yes. It would be the same as resetting your email password and needing to log in again on your devices.

If a password is so precious that you share it in plaintext with third parties, it is a bad use case for a password.


The level of effort and obviousness of an email reset is nothing compared to helping someone figure out how to reconfigure every smart device ever made.


So it's a bad use case for a password, then. Perhaps every router should ship with a preconfigured VLAN for shitty smart home stuff that is a lot more open, or maybe we should stop trying to stick internet into everything ever created.


Why should it be just the IoT devices that get the insecure network? Why not just stop trusting the LAN altogether and instead use technologies like HTTPS and DoH to ensure privacy on the important devices? That seems to be the way the tide is turning anyway.


Personally I'm all for that but people & packages seem to be pretty promiscuous about listen address defaults and assuming everything behind a router's NAT is trusted.

Treating the network as untrusted is good but as long as some people are paying for service, traffic and bandwidth there are reasons to not allow anything to use your network. And there is also a legal question of liability if someone is not quite above board from your IP.


Tell me you've never done help desk work without telling me you've never done help desk work.


I've actually worked help desk for about 3 years.

I've had calls lasting over an hour helping customers configure their email on their phone and computer.

I learned not to laugh when people called "the internet" either "that e-thingy", "mozarella foxfire" or "googlé charome".

I dealt with explaining to people why IE6 did not understand SNI when we decided to give all our customers' websites HTTPS.

Just saying that I've been in that and seen that.


They can change it back after logging in if they insist.


They forgot the password, so they can't.


Right, good point. There is of course the option to see saved wifi passwords on most devices... but I can see how an engineer decided to bypass all this bikeshedding and just send the damn password haha.


There's always the reset to factory defaults button. The vast majority of WiFi users have never adjusted any of the settings anyways.


Verizon does not get to decide what's an appropriate tradeoff for other people's security.


For Verizon owned routers? For company owned and supported equipment, I can understand it. I might not like it, but I can understand it. Especially if they are on the hook for support.

But, that’s why I run my own router for internet access. It’s my router and I can control what it does. If it goes down, then that’s on me. And I’m okay with that. Would I necessarily want the same setup for my parents? Probably not…


Do they own the rest of the equipment on the network that they're putting at risk?


I'm not concerned with this question as it implies that people haven't got a choice between "rent modem, ez for noobs" and "buy own equipment, fully control it." They do have that choice still, it must be some leftover regulation (from back when the US did that) in the case of cable companies, but I have zero problem with the ISP making those tradeoffs. The people who would trust the ISP-owned device likely have already typed that wi-fi password into things like $99 smart TVs which probably transmit their wifi password, location, and microphone data directly to China. Verizon having the wifi password is not cause for concern here.

Those who are security conscious enough to have concerns about their LAN security do not buy "internet + routers + desktop support as a service" by renting the endpoint equipment -- they buy just the internet connectivity and furnish equipment they can control and trust.


> I'm not concerned with this question as it implies that people haven't got a choice between "rent modem, ez for noobs" and "buy own equipment, fully control it."

If you buy the equipment from Verizon, I will bet you a significant amount of money that it still sends your passwords to them [on edit: with exactly zero disclosure that's detectable to 99.99 percent of users]. In fact, I'll bet you Verizon treats customer-owned equipment exactly like rented equipment except in billing. But anyway.

> The people who would trust the ISP-owned device likely have already typed that wi-fi password into things like $99 smart TVs which probably transmit their wifi password, location, and microphone data directly to China. Verizon having the wifi password is not cause for concern here.

You park your car in bad neighborhoods. Had I not stolen your car, somebody else would have done it.


OK, I forgot we're talking about FiOS here. For sure that is slightly weirder than DOCSIS (which is all I've ever known personally). Since it's not really a standard like DOCSIS you probably "must have" some piece of Verizon-proprietary gear whether rented or otherwise and I'm sure Verizon remote-manages those in the same basic ways like you said. But I am pretty sure that still, security-conscious or advanced users can disable the Verizon device's WiFi and drop it into bridge mode and provide their own router and APs. To me this provides a way to opt out of this that is well within the capabilities of anyone sophisticated enough to understand the risks.


A good argument why the fines for this kind of behavior need to be orders of magnitude higher.


Not only. Probably all ISPs around the world who provide their customers a modem with an embedded (or not) WiFi router do the same.

EDIT: also, if your ISP has a mobile app from which you can change any password on ISP provided devices, then most likely it goes around in plain text (inside TCP/TLS packets, at least).


That's utterly insane.

It makes me feel happy about my longstanding habit of not using routers supplied by ISPs, though.


Every WiFi router I've ever owned, you hold the reset button for so many seconds to perform a hard reset, and the WiFi goes back to some default password. From there, you can log in to the router and set a new password.


I thought WPS would have been the solution to the inconvenience of wifi passwords. If I were an ISP receiving too many support cases relating to the wifi password, perhaps WPS should be used more?


Couldn't a security conscious user just use their own APs/Router?


Sure, it’s what I do as a Verizon->Frontier->Ziply FiOS user. But most users are not going to go out and procure a bunch of Ubiquiti equipment or whatever, they’re going to take the defaults.


Also, with services like Xfinity, the monthly cost is substantially lower if you are using their router. This is because they scan the traffic for ad targeting, but most people don't care and don't want to buy their own router and then have to pay more per month to use it.


I thought it was more using their router, especially over time. They charge $15/month for the router/modem which doesn’t sound too bad, but is $180/year on a device that retails for $180 or so. And they’ll happily keep charging that, forever - long past when their costs and a reasonable profit have been made.

They also force you to share your cable/wifi connection with other Xfinity users who are near you. Buying your own router and modem is a much better deal.


I've never been offered a better deal with Comcast/Xfinity for using their modems or hardware. Renting their stuff is $10/mo and a modem is $100, last I bought something like 5 years ago now, for a higher end one that supports gigabit service.

So, $100 or pay $10/mo forever, and over the past 5 years that $10 would be $600, or $500 saved by buying my own modem.


I use my own modem and router with XFinity, and I don't pay any more for doing it. In fact, I pay a little bit less because I'm not paying the monthly equipment rental fee.

That is, as long as I stay on top of it. Every 3 months like clockwork, they "forget" that I'm not renting their equipment and start billing me for it. I have to call them up and remind them.


Large scale wire fraud that will never be prosecuted.


Most of the CPE from various ISPs I've seen are barely powered enough to keep track of enough NAT connections. They're handing out devices capable of DPI on 100mb/s+ connections now?


I have heard that in some markets the only way to get unlimited service from Comcast (with no monthly cap) is to use their hardware.


Really? How much lower? I have had my own modem so long I never knew this. Not that I would switch to theirs.


This must be new. It's been about 8 years since I've had Xfinity but I always had my own modem and router and got a discount (i.e. didn't have to "rent" the modem).

Iirc it was something small like $5 or $15 a month... I really only did it for the better hardware and software.


This was earlier in the year, we had started hitting the monthly data caps on our plan and getting penalized.

I went in and the unlimited plan was about $15 less per month using their modem/router than my own (which I already had), plus the router was free (I'm not paying a monthly equipment "rental" fee).

One annoyance was that their router didn't allow spaces in the WiFi password, so I had to reconfigure all my devices.

I could set up the router in bridge mode where it acts like a dumb modem and continue to use my own router, but I have not bothered with that.


Sure, but then a forgotten password is your problem.


Honestly it would never even occur to me to call my ISP to help if I'd forgotten my wifi password.

Also I feel like if you are concerned about forgetting your wifi password you'd probably just keep the one that's written on the device (and which is probably quite a bit more secure than the password you'd come up with yourself).


Xfinity these days will have the tech set up your WiFi with your password. It's an integrated device so he'll set up the cable internet and then your WiFi. Monkeybrains is all "you're set up!" and then you add your own WiFi router. Sonic has you set up your own WiFi. AT&T has the WiFi password printed on the device along with the admin password.

That's my experience with ISPs in SF. It's clear that many people don't buy Internet access. They buy "WiFi" which is that Xfinity integrated service. The components don't matter.


I'm certain that nearly most, if not all users on hacker news have a pretty solid mental model of the basics of how internet connection works, and the responsibilities between the computer or device, wifi, home router, ISP, and internet web sites or other services.

But I've assisted people whose mental model is simply "Verizon put this box in my home and now I have internet". Who panic when a site doesn't load, and will call the first person they think is responsible for the problem (typically, the company that gave them internet). Or more commonly nowadays, "my phone is my internet connection" -- and the only thing they think they have the power to do is to wave the phone in the air to find 'more bars'.

I suppose it makes sense from Verizon's (or any ISP's) perspective, and honestly, if you understand how all this works, then you understand how to trivially eliminate the issue, and then of course, you know when and when not to call Verizon with problems. (Of course, it'd be awful nice if they offered 'Shibboleet' [1] service for folks who do understand when the problem is between the site and the router.) HOWEVER, it'd be nice if they were more upfront with the disclosure of this password sharing ...

1: https://xkcd.com/806/



