Slashdot Mirror


Comcast Xfinity Wi-Fi Discloses Customer Names and Addresses (csoonline.com)

itwbennett writes: Despite assurances that only business listings and not customer names and home addresses would appear in the public search results when someone searches for an Xfinity Wi-Fi hotspot, that is exactly what's happened when the service was initiated 2 years ago — and is still happening now, writes CSO's Steve Ragan. And that isn't the only security issue with the service. Another level of exposure centers on accountability. Ken Smith, senior security architect with K Logix in Brookline, Ma., discovered that Comcast is relying on the device's MAC address as a key component of authentication.

49 comments

  1. Listen to your technical guys by qbast · · Score: 4, Interesting

    I can imagine the discussion:
    - (technical guy) - we can't rely on MAC for security! MAC can be obtained by eavesdropping and then attacker can figure out how to break in
    - (marketing guy) - yes, yes, but the simplicity for user is most important thing
    - (management) - nobody will be able to figure out this MAC thingy anyway, make it so.

    1. Re:Listen to your technical guys by Anonymous Coward · · Score: 0

      - (management) - nobody will be able to figure out this MAC thingy anyway, make it so.

      - (technical guy) Except the very people who the subscribers DON'T want to figure it out.
      - (management) We don't care the government and the subscribers will pay for our negligence. Do it anyway. Also if you tell anyone about this conversation you'll be replaced with the first warm body we can find. Now then, excuse me while I and the marketing guy go determine how much more money we can make off of subscribers this month.

      They don't want to listen because it makes them more money. Until security costs less than the cost of a breach (in their minds), things will remain this way.

    2. Re:Listen to your technical guys by fulldecent · · Score: 1

      Related / proof of concept exploit:

      How to connect your Roku to Xfinitywifi via MAC spoofing
      http://fulldecent.blogspot.com...

      --

      -- I was raised on the command line, bitch

  2. Comcast motto by Anonymous Coward · · Score: 2

    "You don't have to care when you're the only game in town."

    1. Re: Comcast motto by Anonymous Coward · · Score: 0

      Haters going to hate?

      How is this list from Comcast more evil than a phone book?

    2. Re: Comcast motto by freeze128 · · Score: 1

      Well, you see how you're posting as anonymous coward? With this list, people would still know who you are.

      That's why it's evil.

  3. Comcast uses the integrated face system by Anonymous Coward · · Score: 0

    The integrated face system lists users names and addresses using Comcast Xfinity.

  4. Don't play the surprised card. by rmdingler · · Score: 2

    As the governors continue to use every impetus to reduce security during internet use and message transmission, it becomes quite clear that the corporations, by and large, are not going to come racing in to save the day.

    It's cheaper and less complicated to market perforated security systems. The solution is no less complicated than that of the current Muslim problem, and I have little faith our fine legislators will get either one correct.

    At this point, do what you can: vote with your wallet and inform like-minded individuals to do the same.

    --
    Happiness in intelligent people is the rarest thing I know.

    Ernest Hemingway

  5. Don't install Comcast equipment... by Constantin · · Score: 3, Informative

    ... problem solved. The only reason this attack vector exists in the first place is that people are too lazy to install their own equipment. Instead, they rent a Comcast Wifi router at an exorbitant cost and questionable security. To me, relying on a firewall that was developed by Comcast is like making love with a leaky condom. It might work some of the time, but not for the right reasons.

    The solution is simple: If you have to use Comcast, then buy your own cable modem. They can still install it (if you lack the technical skills). Then, put a real firewall between the modem and your network. Whether you buy an integrated router (i.e. with Wifi) or separate components, is totally up to you.

    I happen to be very happy with my Edgerouter but past installations with Apple Airports worked well also. Bottom line: Save money and eliminate the potential security risks with renting Comcast equipment by buying your own gear.

    1. Re:Don't install Comcast equipment... by Ol+Olsoc · · Score: 2

      ... problem solved. The only reason this attack vector exists in the first place is that people are too lazy to install their own equipment. Instead, they rent a Comcast Wifi router at an exorbitant cost and questionable security.

      This! When Comcast tried to get me to install one of their new routers, I asked about this stupid system, and if they would put in writing that I was not responsible for other people's actions on the router on my property. Crickets chirped.

      This is right up there with Windows Phone and Windows 10 sharing your WiFi password with a person you allow on it and their social circle. By default. You have to opt out of that invasion. The roots of this problem are understandable. The amount of data people are trying to consume with their smartphones has become a problem. That and the tons of ads and tracking scripts placed on a mobile device will take you to and beyond your cap pretty quickly. So they are getting desperate to hand the web off to any wifi they can.

      Not

      My

      Problem

      I want to see the face and shake the hand of anyone who attaches to my wifi.

      --
      The shepherds did so well protecting the flock that the sheep no longer believed that wolves existed.

    2. Re:Don't install Comcast equipment... by Anonymous Coward · · Score: 0

      To me, relying on a firewall that was developed by Comcast

      They didn't, it's a Cisco router with a standard firewall just like the one you'd have if you bought it off the shelf and used it yourself.

      The solution is simple: If you have to use Comcast, then buy your own cable modem.

      Or call them up, and have them put the modem into 'bridge mode'. This will disable the wifi and router, and just work like a standalone cable modem.

      There are advantages to renting, and advantages to buying your own. Do whichever you like.

    3. Re:Don't install Comcast equipment... by dgatwood · · Score: 2

      ... problem solved. The only reason this attack vector exists in the first place is that people are too lazy to install their own equipment.

      Unfortunately, Comcast requires their business-class DSL customers with more than one static IP to use rented equipment, even if you are using it in a residential setting. So power-user customers don't have the option to install their own equipment. This is the main reason I'm still on DSL. They quoted me a price for service, then upped it by twenty or thirty bucks a month for equipment rental that wasn't in their original price. I told them I wasn't renting. They told me that it wasn't an option. I stayed with slow-but-largely-under-my-control DSL.

      --

      Check out my sci-fi/humor trilogy at PatriotsBooks.

    4. Re:Don't install Comcast equipment... by houstonbofh · · Score: 2

      ... problem solved. The only reason this attack vector exists in the first place is that people are too lazy to install their own equipment.

      Unfortunately, Comcast requires their business-class DSL customers with more than one static IP to use rented equipment, even if you are using it in a residential setting. So power-user customers don't have the option to install their own equipment.

      Yes you can. You just specify the non-wifi equipment and no NAT. (Like the SMC Broadband Gateway. The Netgear can do it too.) Then set up your own firewall and WiFi. You can use something like www.smallwall.org on an old WinTerminal for under $50.

    5. Re:Don't install Comcast equipment... by Gr8Apes · · Score: 2

      Exactly this - what's to stop your own equipment from being the static IP? You can NAT behind your own equipment, and control all aspects of what's happening with it. I use my provided equipment in this exact way - it's about as dumb as it can be. Add in VPNs, and the provided equipment can only state "there is one outbound connection with blah traffic on it." No metrics, no anything.

      --
      The cesspool just got a check and balance.

    6. Re: Don't install Comcast equipment... by Anonymous Coward · · Score: 0

      If you're on DSL anyway, why the heck patronize the cable monopoly?

    7. Re:Don't install Comcast equipment... by Anonymous Coward · · Score: 0

      I use Comcast. I use my own router.

      When I signed up with Comcast, I had my own DOCSIS 3 modem already from another provider in the last state where I lived. I signed up on Comcast's website using a Starbucks up the street for internet connection that day. Comcast's signup page had an express install option for those of us who know what we're doing and already have a modem. I drove home from coffee and found that internet was turned on and ready to go. I plugged in my own DOCSIS modem and my own router, and boom, online.

      Just don't use Comcast's gear.

    8. Re:Don't install Comcast equipment... by Anonymous Coward · · Score: 0

      ...Windows 10 sharing your WiFi password with a person you allow on it and their social circle. By default. You have to opt out of that invasion.

      Bzzt! Wrong! There is a checkbox when you connect to the network for the first time. That checkbox is UNCHECKED. You have to actually check the box if you want to share the WiFi connection information. Don't spread FUD please.

    9. Re:Don't install Comcast equipment... by mrchaotica · · Score: 1

      Then, put a real firewall between the modem and your network.

      Could you elaborate what you mean about this? What settings should be restricted (beyond the router default ones to protect the LAN from the Internet at large)?

      --

      "[Regarding the 'cloud,'] ownership was what made America different than Russia." -- Woz

    10. Re:Don't install Comcast equipment... by Constantin · · Score: 1

      Basically, I want a firewall that is completely closed by default, whose holes (if any) are explicitly opened by the end user. That cannot be guaranteed with Comcast-supplied equipment.

      Given that Comcast can 're-provision' the cable modem at will means that my settings may get wiped at their pleasure. I am happy to given them that freedom (i.e. control the equipment that interfaces with their network) as long as I get to control what enters my network. So that's why I like a separate device to run my firewall than ISP-supplied gear.

      Also, Comcast is not necessarily the source of the problem. For example, consider that Comcast packages that include phone service require an eMTA telephony modem (i.e. one that allows a telephone to be attached to the modem). Arris modems appear to be the only kind that allow this on the US market and thanks to innumerable back-doors Arris' modems have been pwned in more ways than should be possible. Given that Arris has shown apparent zero interest in patching these issues, I would consider any Arris-made modem to be a potential malware/etc/ cesspool.

      I have a lot more trust in equipment like my Edgerouter (see online tutorials re: preferred settings or use the HTTP Wizard) than relying on Comcast to have the 'right' firewall settings on their router. And if you put in the time to learn the specifics of your firewall/network equipment, there is a huge benefit, such as being able to segment the network between guest and home users (to keep your server separate), prevent visiting friends from abusing your network connection (i.e. data caps), and so on.

      Even relatively inexpensive (and easy to set up) consumer grade gear like the Airport Extreme can offer these features. While the Edgerouter I currently use has a *very* steep learning curve for an inexperienced network admin, there are other solutions out there that are equally effective. Plus, you can retrofit a large number of older routers with DD-WRT and like firmware replacements to add features, etc.

    11. Re:Don't install Comcast equipment... by Ol+Olsoc · · Score: 1

      ...Windows 10 sharing your WiFi password with a person you allow on it and their social circle. By default. You have to opt out of that invasion.

      Bzzt! Wrong! There is a checkbox when you connect to the network for the first time. That checkbox is UNCHECKED. You have to actually check the box if you want to share the WiFi connection information. Don't spread FUD please.

      Buzz! I just did 5 machines that were exactly NOT as your version of the truth. What's more, on the one machine I did before learning of this, I had to go in and turn it off.

      In the end though, it doesn't matter, this feature should not exist in any way, shape or form, my shilly little shill, for your shillinglgy levels of shiilieness.

      --
      The shepherds did so well protecting the flock that the sheep no longer believed that wolves existed.

    12. Re:Don't install Comcast equipment... by niftymitch · · Score: 1

      ... problem solved. The only reason this attack vector exists in the first place is that people are too lazy to install their own equipment. Instead, they rent a Comcast Wifi router at an exorbitant cost and questionable security. ......

      Given the size and reach of Comcast the issue of questionable security is an issue of national security and worth a letter or three to your elected officials.

      Individuals can be lazy and will be (yes, should not be lazy) but large organizations cannot be.

      Security flaws need to be addressed in prompt time frames, and agencies that keep them secret because they believe them to be a tool of power need be squashed and the salary of the managers reduced 10% for each week beyond 90 days should they fail to report to the vendor discoveries of security flaws.

      --
      Truth is stranger than fiction, but it is because Fiction is obliged to stick to possibilities; Truth isn't. Mark Twain.

    13. Re:Don't install Comcast equipment... by dgatwood · · Score: 1

      Exactly this - what's to stop your own equipment from being the static IP?

      I think you both misread what I said.

      Comcast requires their business-class DSL customers with more than one static IP to use rented equipment.

      They'll let you have a single static IP with your own CPE. They might even allow you two (not certain). They won't let you have a block of eight IPs, which is what I currently have from Covad or Megapath or whatever their name is this week (Global something-or-other).

      --

      Check out my sci-fi/humor trilogy at PatriotsBooks.

    14. Re: Don't install Comcast equipment... by dgatwood · · Score: 1

      Because 640 kilobits upstream is miserable for folks who upload gigabytes of photos to a remote server on a regular basis.

      --

      Check out my sci-fi/humor trilogy at PatriotsBooks.

    15. Re:Don't install Comcast equipment... by Anonymous Coward · · Score: 0

      pfSense pfSense pfSense

    16. Re:Don't install Comcast equipment... by antdude · · Score: 1

      But you can't use your own if you use its business service, phone service, etc. :(

      --
      Ant(Dude) @ Quality Foraged Links (AQFL.net) & The Ant Farm (antfarm.ma.cx / antfarm.home.dhs.org).

    17. Re:Don't install Comcast equipment... by Anonymous Coward · · Score: 0

      Who calls it 'making love' anymore, except beta faggots?

    18. Re:Don't install Comcast equipment... by Gr8Apes · · Score: 1

      You can still have your own eq masquerade as the static IP(s).

      --
      The cesspool just got a check and balance.

    19. Re:Don't install Comcast equipment... by dgatwood · · Score: 1

      I've never seen any /29 blocks for sale, and even if you could, you'd still have to get the ISP to route it, which they won't do, because they aren't willing to set up static routes, which is why they demand that you use their equipment so that they can use authenticated RIP without giving you the credentials.

      --

      Check out my sci-fi/humor trilogy at PatriotsBooks.

    20. Re:Don't install Comcast equipment... by houstonbofh · · Score: 1

      Exactly this - what's to stop your own equipment from being the static IP?

      I think you both misread what I said.

      Comcast requires their business-class DSL customers with more than one static IP to use rented equipment.

      They'll let you have a single static IP with your own CPE. They might even allow you two (not certain). They won't let you have a block of eight IPs, which is what I currently have from Covad or Megapath or whatever their name is this week (Global something-or-other).

      I think you did not read what I wrote. You use the non-wifi and non-NAT equipment (and you have to demand it, or they will put in the WiFi full wiz bang BS router) and set up your firewall behind it. Yes, you do not own the DOCSIS router. Nor do you own the rest of the routers in their network. But you do own the device doing firewall, NAT and WiFi, which nips this security problem in the bud.

    21. Re:Don't install Comcast equipment... by Anonymous Coward · · Score: 0

      If you use static public IP addresses, running your own modem on comcast is not possible. They require you to use their modem.

    22. Re: Don't install Comcast equipment... by Anonymous Coward · · Score: 0

      The service is on, but you have to share it explicitly. Wifi passwords are NOT shared by default

    23. Re: Don't install Comcast equipment... by Ol+Olsoc · · Score: 1

      The service is on, but you have to share it explicitly. Wifi passwords are NOT shared by default

      You are correct - they do not explicitly give them your password. But they enter it. And these folks can connect.

      Personally, I don't want to have people downloading who knows what on my cable line. Or mooching neighbors, just because they're friends of friends.

      And I had to opt out of it, not enable it. And if I want to ensure I'm opted out I have to rename my SSID. Which of course, since Microsoft ignores half the privacy settings now anyhow, I believe if I give a W10 user or Windows Phone user access, they are probably allowing it regardless of my settings. So they get no access at all - ever.

      If this isn't pernicious to you, not much is.

      --
      The shepherds did so well protecting the flock that the sheep no longer believed that wolves existed.

  6. Subject by Anonymous Coward · · Score: 0

    So sue them. Complaining won't help. Businesses only understand money. What's an identity worth, 10 mil a pop?
    Bankrupt them, the execs, the board, etc.

  7. Somebody else said this... by Anonymous Coward · · Score: 2, Funny

    ...If I had only two bullets and was locked in a room with Comcast, Hitler, and Osama Bin Laden, I'd shoot Comcast twice.

    1. Re:Somebody else said this... by davester666 · · Score: 1

      What would you do? Press them into Comcast's chest with your hand? Stomp them in [actually that's a great idea]?

      --
      Sleep your way to a whiter smile...date a dentist!

    2. Re:Somebody else said this... by Anonymous Coward · · Score: 0

      ...If I had only two bullets and was locked in a room with Comcast, Hitler, and Osama Bin Laden, I'd shoot Comcast twice.

      Their business practices are shit tier and indistinguishable from Jewish.

      Hitler greedy? no
      Osama Bin Laden greedy? no
      Comcast greedy? bagels and lox 24/7 365

  8. Map in story? by Anonymous Coward · · Score: 0

    How does a non-Comcast subscriber view the map from the story with subscriber names and addresses?

  9. There own in house testing shows up as well by Joe_Dragon · · Score: 1

    http://hotspots.wifi.xfinity.c...

    COMAST BW TEST ACCOUNTS
    350 N Wolf Rd
    Mount Prospect, IL 60056
    Network Name: xfinitywifi

  10. With phone It's hard to get your own one also by Joe_Dragon · · Score: 1

    With phone, it's hard to get your own one.

    Also, billing is a mess and they mess up a lot.

    Now when Comcast goes to IP TV they may force you to rent their gateway.

    1. Re: With phone It's hard to get your own one also by Anonymous Coward · · Score: 0

      Use one of the many separate voice line services out there instead. I used to work for a cable company's call center and the view was the voice service cable companies provide is "hey look we can do that too" when Verizon and AT&T started providing their bundled phone and digital video offerings. They billed it as a way to reduce the separate bills you'd have to pay otherwise.

      To put it another way, cable companies' voice service offerings are an afterthought on their part, and there are many many alternatives to use.

  11. Phone book by bws111 · · Score: 1

    Exposes names and addresses? Oh, the horror! Next thing you know they'll print a book with all those names and addresses and give one to everyone!

    1. Re:Phone book by ShaunC · · Score: 1

      People can at least opt out of the phone book. And with the prevalence of mobiles and the decline of landlines, there's an entire generation of people now who have never been listed in a phone book and don't have to worry about it. I don't even remember the last time I got an updated white pages tossed on my porch, it's been years for sure.

      Battered wives, stalking victims, controversial bloggers, Twitch gamers, and people who just value their privacy in general, really don't need Comcast broadcasting their home address to the world. Especially when nobody knew it was happening, and especially when Comcast explicitly said they wouldn't do that. Getting doxxed and stalked/swatted/etc. is a big enough threat already without one's ISP making things even easier.

      --
      Thanks to the War on Drugs, it's easier to buy meth than it is to buy cold medicine!

    2. Re:Phone book by Anonymous Coward · · Score: 0

      I haven't been listed in the phone book for twenty years, you insufferable fuck.

      CAPTCHA: douchenozzle

    3. Re:Phone book by Anonymous Coward · · Score: 0

      The crooks have been exploiting the fact that the names, addresses and loan documents of property owners are available online free of charge from most local property appraisers for years. Some years ago, our local government started to redact SSNs from online mortgage documents but every once in a while I see a document that was missed.

  12. Who wants to do a hotspot with a rolling password? by laurencetux · · Score: 1

    The problem is that the one deciding that the password is to be shared is THE PERSON CONNECTING, NOT THE HOTSPOT OWNER.

    Exactly how many services will require you to add something to your SSID to opt out??

    And what do you want to bet that one or more of these services will require the string to be LAST to "count"?

    I could see SSIDs ending up as

    a_optout_dice_fred_barney_sbucks_foo ... _shootmenow

  13. Not sure I agree by Constantin · · Score: 1

    I bought an Arris telephony modem on Amazon that I then provisioned my account with. It took longer than it should have, i.e. multiple phone calls, a visit from Comcast (to replace a shot overhead line), etc., but it can be done, and as far as I am concerned, it should be done.

    Sure, there are folks for whom renting makes more sense than owning. But for anyone who is looking to stay in a particular domicile for a couple of years, owning makes a lot of sense. Particularly, if you happen to live in a town that only has one high-speed ISP, i.e. where you have little to no opportunity to switch among providers.

    1. Re:Not sure I agree by Anonymous Coward · · Score: 0

      Is your Arris modem one of the "backdoor inside a backdoor, with also a third backdoor installed" type? Just hit the internet a few days ago that Arris modems (at least one model) have multiple backdoors built into the firmware.

  14. Completely verified by RubberDogBone · · Score: 1

    As a new Comcast subscriber, I can confirm all of this is true. 100%.

    Comcast's own hotspot finder app shows you a map of the hotspots complete with street address and even names in some cases. For this reason, I don't have one of their wifi hotspots running in MY house. Hell no. Do enjoy USING their hotspots when I am out and about. Works really well, far better than any other hotspot service I've ever had. Comcast wifi is all over.

      And for validating, once your device (phone, laptop, whatever) authenticates once with Xfinity Wifi or Cablewifi, their system adds your MAC to the approved list and you don't need to log in again. It's very handy.

    --
    Sig for hire.

    1. Re:Completely verified by Anonymous Coward · · Score: 0

      That IS handy! What's your MAC?
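The first comment and the "Completely verified" post both describe the same weakness: a MAC address is a broadcast identifier, not a secret, so an allow-list keyed on it cannot tell the real device from a copy. What an operator of such a service can still do is detect when one MAC appears to be in two places at once. The following is an added example, not code from any post above or from Comcast; it assumes a hypothetical authentication log format (ISO timestamp, MAC, hotspot id, latitude, longitude) and uses constructed sample lines. It flags any MAC whose consecutive authentications at different hotspots would require travelling faster than a configurable speed.

```python
"""Impossible-travel check keyed on MAC address (added example, not the
hotspot operator's code). Assumes a hypothetical log line format:

    <ISO-8601 UTC timestamp> <mac> <hotspot-id> <latitude> <longitude>
"""
from __future__ import annotations

import math
from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed sample log. MAC ...:01 authenticates in Boston and then, twelve
# minutes later, in Chicago; the other two MACs move at plausible speeds.
SAMPLE_LOG = """\
2015-11-16T08:00:00Z aa:bb:cc:dd:ee:01 hs-boston-01 42.3601 -71.0589
2015-11-16T08:05:00Z aa:bb:cc:dd:ee:02 hs-boston-02 42.3610 -71.0600
2015-11-16T08:12:00Z aa:bb:cc:dd:ee:01 hs-chicago-07 41.8781 -87.6298
2015-11-16T09:30:00Z aa:bb:cc:dd:ee:02 hs-boston-01 42.3601 -71.0589
2015-11-16T10:00:00Z aa:bb:cc:dd:ee:03 hs-nyc-03 40.7128 -74.0060
2015-11-16T12:30:00Z aa:bb:cc:dd:ee:03 hs-boston-01 42.3601 -71.0589
"""


@dataclass(frozen=True)
class AuthEvent:
    when: datetime
    mac: str
    hotspot: str
    lat: float
    lon: float


def parse_log(text: str) -> list[AuthEvent]:
    """Parse the assumed log format into events sorted by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, mac, hotspot, lat, lon = line.split()
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        # Normalise MAC case so aa:bb and AA:BB are treated as the same device.
        events.append(AuthEvent(when, mac.lower(), hotspot, float(lat), float(lon)))
    return sorted(events, key=lambda e: e.when)


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance in kilometres between two WGS-84 points."""
    earth_radius_km = 6371.0
    phi1, phi2 = math.radians(lat1), math.radians(lat2)
    d_phi = math.radians(lat2 - lat1)
    d_lambda = math.radians(lon2 - lon1)
    a = math.sin(d_phi / 2) ** 2 + math.cos(phi1) * math.cos(phi2) * math.sin(d_lambda / 2) ** 2
    return 2 * earth_radius_km * math.asin(math.sqrt(a))


def find_impossible_travel(events: list[AuthEvent], max_speed_kmh: float = 900.0):
    """Return (mac, previous_hotspot, hotspot, implied_speed_kmh) tuples for
    consecutive authentications of one MAC at different hotspots that would
    require moving faster than max_speed_kmh (default: roughly airliner speed).
    """
    last_seen: dict[str, AuthEvent] = {}
    alerts = []
    for ev in events:
        prev = last_seen.get(ev.mac)
        if prev is not None and prev.hotspot != ev.hotspot:
            distance = haversine_km(prev.lat, prev.lon, ev.lat, ev.lon)
            hours = (ev.when - prev.when).total_seconds() / 3600.0
            # Two authentications at the same instant from different places
            # imply infinite speed and are always flagged.
            speed = distance / hours if hours > 0 else math.inf
            if speed > max_speed_kmh:
                alerts.append((ev.mac, prev.hotspot, ev.hotspot, round(speed, 1)))
        last_seen[ev.mac] = ev
    return alerts


if __name__ == "__main__":
    for mac, prev_hs, hs, speed in find_impossible_travel(parse_log(SAMPLE_LOG)):
        print(f"ALERT {mac}: {prev_hs} -> {hs} implies {speed} km/h")
```

A hit from this check is a signal, not proof: it means at least one of the two sessions was not the subscriber's device, and a cautious response is to drop the cached MAC approval and require the account to re-authenticate, rather than to block the MAC outright, since the legitimate device shares it. Only hotspot pairs with different ids are compared, so re-associations at the same access point never trigger it.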