Privacy Security Wireless Networking

Comcast Xfinity Wi-Fi Discloses Customer Names and Addresses (csoonline.com) 49

itwbennett writes: Despite assurances that only business listings and not customer names and home addresses would appear in the public search results when someone searches for an Xfinity Wi-Fi hotspot, that is exactly what's happened when the service was initiated 2 years ago — and is still happening now, writes CSO's Steve Ragan. And that isn't the only security issue with the service. Another level of exposure centers on accountability. Ken Smith, senior security architect with K Logix in Brookline, Ma., discovered that Comcast is relying on the device's MAC address as a key component of authentication.
This discussion has been archived. No new comments can be posted.

  • by qbast ( 1265706 ) on Saturday November 21, 2015 @08:30AM (#50975287)
    I can imagine the discussion:
    - (technical guy) - we can't rely on MAC for security! MAC can be obtained by eavesdropping and then attacker can figure out how to break in
    - (marketing guy) - yes, yes, but the simplicity for user is most important thing
    - (management) - nobody will be able to figure out this MAC thingy anyway, make it so.
  • by Anonymous Coward

    "You don't have to care when you're the only game in town."

  • by rmdingler ( 1955220 ) on Saturday November 21, 2015 @08:48AM (#50975331) Journal
    As the governors continue to use every impetus to reduce security during internet use and message transmission, it becomes quite clear that the corporations, by and large, are not going to come racing in to save the day.

    It's cheaper and less complicated to market perforated security systems. The solution is no less complicated than that of the current Muslim problem, and I have little faith our fine legislators will get either one correct.

    At this point, do what you can: vote with your wallet and inform like-minded individuals to do the same.

  • by Constantin ( 765902 ) on Saturday November 21, 2015 @08:59AM (#50975365)

    ... problem solved. The only reason this attack vector exists in the first place is that people are too lazy to install their own equipment. Instead, they rent a Comcast Wifi router at an exorbitant cost and questionable security. To me, relying on a firewall that was developed by Comcast is like making love with a leaky condom. It might work some of the time, but not for the right reasons.

    The solution is simple: If you have to use Comcast, then buy your own cable modem. They can still install it (if you lack the technical skills). Then, put a real firewall between the modem and your network. Whether you buy an integrated router (i.e. with Wifi) or separate components, is totally up to you.

    I happen to be very happy with my Edgerouter but past installations with Apple Airports worked well also. Bottom line: Save money and eliminate the potential security risks with renting Comcast equipment by buying your own gear.

    • ... problem solved. The only reason this attack vector exists in the first place is that people are too lazy to install their own equipment. Instead, they rent a Comcast Wifi router at an exorbitant cost and questionable security.

      This! When Comcast tried to get me to install one of their new routers, I asked about this stupid system, and if they would put in writing that I was not responsible for other people's actions on the router on my property. Crickets chirped.

      This is right up there with Windows phone and Windows 10 sharing your WiFi password with a person you allow on it and their social circle. By default. You have to opt out of that invasion. The roots of this problem are understandable. The amount of data people are tryin

    • by dgatwood ( 11270 )

      ... problem solved. The only reason this attack vector exists in the first place is that people are too lazy to install their own equipment.

      Unfortunately, Comcast requires their business-class DSL customers with more than one static IP to use rented equipment, even if you are using it in a residential setting. So power-user customers don't have the option to install their own equipment. This is the main reason I'm still on DSL. They quoted me a price for service, then upped it by twenty or thirty bucks a

      • ... problem solved. The only reason this attack vector exists in the first place is that people are too lazy to install their own equipment.

        Unfortunately, Comcast requires their business-class DSL customers with more than one static IP to use rented equipment, even if you are using it in a residential setting. So power-user customers don't have the option to install their own equipment.

        Yes you can. You just specify the non-wifi equipment and no NAT. (Like the SMC Broadband Gateway. The Netgear can do it too.) Then set up your own firewall and WiFi. You can use something like www.smallwall.org on an old WinTerminal for under $50.

        • by Gr8Apes ( 679165 )
          Exactly this - what's to stop your own equipment from being the static IP? You can NAT behind your own equipment, and control all aspects of what's happening with it. I use my provided equipment in this exact way - it's about as dumb as it can be. Add in VPNs, and the provided equipment can only state "there is one outbound connection with blah traffic on it." No metrics, no anything.
          • by dgatwood ( 11270 )

            Exactly this - what's to stop your own equipment from being the static IP?

            I think you both misread what I said.

            Comcast requires their business-class DSL customers with more than one static IP to use rented equipment.

            They'll let you have a single static IP with your own CPE. They might even allow you two (not certain). They won't let you have a block of eight IPs, which is what I currently have from Covad or Megapath or whatever their name is this week (Global something-or-other).

            • by Gr8Apes ( 679165 )
              You can still have your own eq masquerade as the static IP(s).
              • by dgatwood ( 11270 )

                I've never seen any /29 blocks for sale, and even if you could, you'd still have to get the ISP to route it, which they won't do, because they aren't willing to set up static routes, which is why they demand that you use their equipment so that they can use authenticated RIP without giving you the credentials.

            • Exactly this - what's to stop your own equipment from being the static IP?

              I think you both misread what I said.

              Comcast requires their business-class DSL customers with more than one static IP to use rented equipment.

              They'll let you have a single static IP with your own CPE. They might even allow you two (not certain). They won't let you have a block of eight IPs, which is what I currently have from Covad or Megapath or whatever their name is this week (Global something-or-other).

              I think you did not read what I wrote. You use the non-wifi and non-NAT equipment (and you have to demand it, or they will put in the WiFi full wiz bang BS router) and set up your firewall behind it. Yes, you do not own the docsis router. Nor do you own the rest of the routers in their network. But you do own the device doing firewall, NAT and WiFi which nips this security problem in the bud.

    • With phone it's hard to get your own one.

      Also billing is a mess and they mess up a lot.

      Now when Comcast goes to IP tv they may force you to rent their gateway.

      • I bought an Arris telephony modem on Amazon that I then provisioned my account with. It took longer than it should have, i.e. multiple phone calls, a visit from Comcast (to replace a shot overhead line), etc. but it can be done, and as far as I am concerned, it should be done.

        Sure, there are folks for whom renting makes more sense than owning. But for anyone who is looking to stay in a particular domicile for a couple of years, owning makes a lot of sense. Particularly, if you happen to live in a town that o

    • Then, put a real firewall between the modem and your network.

      Could you elaborate what you mean about this? What settings should be restricted (beyond the router default ones to protect the LAN from the Internet at large)?

      • Basically, I want a firewall that is completely closed by default, whose holes (if any) are explicitly opened by the end user. That cannot be guaranteed with Comcast-supplied equipment.

        Given that Comcast can 're-provision' the cable modem at will means that my settings may get wiped at their pleasure. I am happy to give them that freedom (i.e. control the equipment that interfaces with their network) as long as I get to control what enters my network. So that's why I like a separate device to run my firewa

    • ... problem solved. The only reason this attack vector exists in the first place is that people are too lazy to install their own equipment. Instead, they rent a Comcast Wifi router at an exorbitant cost and questionable security. ......

      Given the size and reach of Comcast the issue of questionable security is an issue of national security and worth a letter or three to your elected officials.

      Individuals can be lazy and will be (yes should not be lazy) but large organizations cannot be.

      Security flaws need to be addressed in prompt time frames and agencies that keep them secret because they believe them to be a tool of power need be squashed and the salary of the managers reduced %10 for each week beyond 90 days should they fail to report to th

    • by antdude ( 79039 )

      But you can't use your own if you use its business service, phone service, etc. :(

  • Exposes names and addresses? Oh, the horror! Next thing you know they'll print a book with all those names and addresses and give one to everyone!

    • by ShaunC ( 203807 )

      People can at least opt out of the phone book. And with the prevalence of mobiles and the decline of landlines, there's an entire generation of people now who have never been listed in a phone book and don't have to worry about it. I don't even remember the last time I got an updated white pages tossed on my porch, it's been years for sure.

      Battered wives, stalking victims, controversial bloggers, Twitch gamers, and people who just value their privacy in general, really don't need Comcast broadcasting their

  • As a new Comcast subscriber, I can confirm all of this is true. 100%.

    Comcast's own hotspot finder app shows you a map of the hotspots complete with street address and even names in some cases. For this reason, I don't have one of their wifi hotspots running in MY house. Hell no. Do enjoy USING their hotspots when I am out and about. Works really well, far better than any other hotspot service I've ever had. Comcast wifi is all over.

    And for validating, once your device (phone, laptop, whatever) authentica
