Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 



Forgot your password?
typodupeerror
×
Privacy Security Wireless Networking

Comcast Xfinity Wi-Fi Discloses Customer Names and Addresses (csoonline.com) 49

itwbennett writes: Despite assurances that only business listings and not customer names and home addresses would appear in the public search results when someone searches for an Xfinity Wi-Fi hotspot, that is exactly what's happened when the service was initiated 2 years ago — and is still happening now, writes CSO's Steve Ragan. And that isn't the only security issue with the service. Another level of exposure centers on accountability. Ken Smith, senior security architect with K Logix in Brookline, Ma., discovered that Comcast is relying on the device's MAC address as a key component of authentication.
This discussion has been archived. No new comments can be posted.

Comcast Xfinity Wi-Fi Discloses Customer Names and Addresses

Comments Filter:
  • by qbast ( 1265706 ) on Saturday November 21, 2015 @08:30AM (#50975287)
    I can imagine the discussion:
    - (technical guy) - we can't rely on MAC for security! MAC can be obtained by eavesdropping and then attacker can figure out how to break in
    - (marketing guy) - yes, yes, but the simplicity for user is most important thing
    - (management) - nobody will be able to figure out this MAC thingy anyway, make it so.
  • by Anonymous Coward

    "You don't have to care when you're the only game in town."

  • by rmdingler ( 1955220 ) on Saturday November 21, 2015 @08:48AM (#50975331) Journal
    As the governors continue to use every impetus to reduce security during internet use and message transmission, it becomes quite clear that the corporations, by and large, are not going to come racing in to save the day.

    It's cheaper and less complicated to market perforated security systems.The solution is no less complicated than that of the current Muslim problem, and I have little faith our fine legislators will get either one correct.

    At this point, do what you can: vote with your wallet and inform like-minded individuals to do the same.

  • by Constantin ( 765902 ) on Saturday November 21, 2015 @08:59AM (#50975365)

    ... problem solved. The only reason this attack vector exists in the first place is that people are too lazy to install their own equipment. Instead, they rent a Comcast Wifi router at an exorbitant cost and questionable security. To me, relying on a firewall that was developed by Comcast is like making love with a leaky condom. It might work some of the time, but not for the right reasons.

    The solution is simple: If you have to use Comcast, then buy your own cable modem. They can still install it (if you lack the technical skills). Then, put a real firewall between the modem and your network. Whether you buy an integrated router (i.e. with Wifi) or separate components, is totally up to you.

    I happen to be very happy with my Edgerouter but past installations with Apple Airports worked well also. Bottom line: Save money and eliminate the potential security risks with renting Comcast equipment by buying your own gear.

    • ... problem solved. The only reason this attack vector exists in the first place is that people are too lazy to install their own equipment. Instead, they rent a Comcast Wifi router at an exorbitant cost and questionable security.

      This! When Comcast retied to get me to install one of their new routers, I asked about this stupid system, and if they would put in writing that I was not responsible for other people's actions on the router on my property. Crickets chirped.

      This is right up there with Windows phone and Windows 10 sharing your WiFi password with a person you allow on it and their social circle. By default. You have to opt out of that invasion The roots of this problem are understandable The amount of data people are tryin

    • by dgatwood ( 11270 )

      ... problem solved. The only reason this attack vector exists in the first place is that people are too lazy to install their own equipment.

      Unfortunately, Comcast requires their business-class DSL customers with more than one static IP to use rented equipment, even if you are using it in a residential setting. So power-user customers don't have the option to install their own equipment. This is the main reason I'm still on DSL. They quoted me a price for service, then upped it by twenty or thirty bucks a

      • ... problem solved. The only reason this attack vector exists in the first place is that people are too lazy to install their own equipment.

        Unfortunately, Comcast requires their business-class DSL customers with more than one static IP to use rented equipment, even if you are using it in a residential setting. So power-user customers don't have the option to install their own equipment.

        Yes you can. You just specify the non-wifi equipment and no NAT. (Like the SMC Broadband Gateway. The Netgear can do it to.) Then set up your own firewall and WiFi. You can use something like www.smallwall.org on an old WinTerminal for under $50.

        • by Gr8Apes ( 679165 )
          Exactly this - what's to stop your own equipment from being the static IP? You can NAT behind your own equipment, and control all aspects of what's happening with it. I use my provided equipment in this exact way - it's about as dumb as it can be. Add in VPNs, and the provided equipment can only state "there is one outbound connection with blah traffic on it. No metrics, no anything.
          • by dgatwood ( 11270 )

            Exactly this - what's to stop your own equipment from being the static IP?

            I think you both misread what I said.

            Comcast requires their business-class DSL customers with more than one static IP to use rented equipment.

            They'll let you have a single static IP with your own CPE. They might even allow you two (not certain). They won't let you have a block of eight IPs, which is what I currently have from Covad or Megapath or whatever their name is this week (Global something-or-other).

            • by Gr8Apes ( 679165 )
              You can still have your own eq masquerade as the static IP(s).
              • by dgatwood ( 11270 )

                I've never seen any /29 blocks for sale, and even if you could, you'd still have to get the ISP to route it, which they won't do, because they aren't willing to set up static routes, which is why they demand that you use their equipment so that they can use authenticated RIP without giving you the credentials.

            • Exactly this - what's to stop your own equipment from being the static IP?

              I think you both misread what I said.

              Comcast requires their business-class DSL customers with more than one static IP to use rented equipment.

              They'll let you have a single static IP with your own CPE. They might even allow you two (not certain). They won't let you have a block of eight IPs, which is what I currently have from Covad or Megapath or whatever their name is this week (Global something-or-other).

              I think you did not read what I wrote. You use the non-wifi and non-NAT equipment (and you have to demand it, or they will put in the WiFi full wiz bang BS router) and set up your firewall behind it. Yes, you do not own the docsis router. Nor you you own the rest of the routers in their network. But you do own the device doing firewall, NAT and WiFi which nips this security problem in the bud.

    • With phone It's hard to get your own one.

      also billing is a mess and they mess up a lot.

      Now when Comcast goes to IP tv they may force you to rent there gateway.

      • I bought a Arris telephony modem on Amazon that I then provisioned my account with. It took longer than it should have, i.e. multiple phone calls, a visit from Comcast (to replace a shot overhead line), etc. but it can be done, and as far as I am concerned, it should be done.

        Sure, there are folks for whom renting makes more sense than owning. But for anyone who is looking to stay in a particular domicile for a couple of years, owning makes a lot of sense. Particularly, if you happen to live in a town that o

    • Then, put a real firewall between the modem and your network.

      Could you elaborate what you mean about this? What settings should be restricted (beyond the router default ones to protect the LAN from the Internet at large)?

      • Basically, I want a firewall that is completely closed by default, whose holes (if any) are explicitly opened by the end user. That cannot be guaranteed with Comcast-supplied equipment.

        Given that Comcast can 're-provision' the cable modem at will means that my settings may get wiped at their pleasure. I am happy to given them that freedom (i.e. control the equipment that interfaces with their network) as long as I get to control what enters my network. So that's why I like a separate device to run my firewa

    • ... problem solved. The only reason this attack vector exists in the first place is that people are too lazy to install their own equipment. Instead, they rent a Comcast Wifi router at an exorbitant cost and questionable security. ......

      Given the size and reach of Comcast the issue of questionable security is an issue
      of national security and worth a letter or three to your elected officials.

      Individuals can be lazy and will be (yes should not be lazy) but large organizations cannot be.

      Security flaws need to be addressed in prompt time frames and agencies that keep them secret
      because they believe them to be a tool of power need be squashed and the salary of the managers
      reduced %10 for each week beyond 90days should they fail to report to th

    • by antdude ( 79039 )

      But you can't use your own if you use its business service, phone service, etc. :(

  • Exposes names and addresses? Oh, the horror! Next thing you know they'll print a book with all those names and addresses and give one to everyone!

    • by ShaunC ( 203807 )

      People can at least opt out of the phone book. And with the prevalence of mobiles and the decline of landlines, there's an entire generation of people now who have never been listed in a phone book and don't have to worry about it. I don't even remember the last time I got an updated white pages tossed on my porch, it's been years for sure.

      Battered wives, stalking victims, controversial bloggers, Twitch gamers, and people who just value their privacy in general, really don't need Comcast broadcasting their

  • As a new Comcast subscriber, I can confirm all of this is true. 100%.

    Comcast's own hotspot finder app shows you a map of the hotspots complete with street address and even names in some cases. For this reason, I don't have one of their wifi hotspots running in MY house. Hell no. Do enjoy USING their hotspots when I am out and about. Works really well, far better than any other hotspot service I've ever had. Comcast wifi is all over.

    And for validating, once your device (phone, laptop, whatever) authentica

You know you've landed gear-up when it takes full power to taxi.

Working...