Comcast Xfinity Wi-Fi Discloses Customer Names and Addresses (csoonline.com)

← Back to Stories (view on slashdot.org)

Comcast Xfinity Wi-Fi Discloses Customer Names and Addresses (csoonline.com)

Posted by timothy on Saturday November 21, 2015 @01:22AM from the little-oopsie dept.

itwbennett writes: Despite assurances that only business listings and not customer names and home addresses would appear in the public search results when someone searches for an Xfinity Wi-Fi hotspot, that is exactly what's happened when the service was initiated 2 years ago — and is still happening now, writes CSO's Steve Ragan. And that isn't the only security issue with the service. Another level of exposure centers on accountability. Ken Smith, senior security architect with K Logix in Brookline, Ma., discovered that Comcast is relying on the device's MAC address as a key component of authentication.

30 of 49 comments (clear)

Min score:

Reason:

Sort:

Listen to your technical guys by qbast · 2015-11-21 01:30 · Score: 4, Interesting

I can imagine the discussion:
- (technical guy) - we can't rely on MAC for security! MAC can be obtained by eavesdropping and then attacker can figure out how to break in
- (marketing guy) - yes, yes, but the simplicity for user is most important thing
- (management) - nobody will be able to figure out this MAC thingy anyway, make it so.
1. Re:Listen to your technical guys by fulldecent · 2015-11-22 10:36 · Score: 1
  
  Related / proof of concept exploit:
  How to connect your Roku to Xfinitywifi via MAC spoofing
  http://fulldecent.blogspot.com...
  
  --
  -- I was raised on the command line, bitch
Comcast motto by Anonymous Coward · 2015-11-21 01:31 · Score: 2

"You don't have to care when you're the only game in town."
1. Re: Comcast motto by freeze128 · 2015-11-21 04:30 · Score: 1
  
  Well, you see how you're posting as anonymous coward? With this list, people would still know who you are.
  
  That's why it's evil.
Don't play the surprised card. by rmdingler · 2015-11-21 01:48 · Score: 2

As the governors continue to use every impetus to reduce security during internet use and message transmission, it becomes quite clear that the corporations, by and large, are not going to come racing in to save the day.
It's cheaper and less complicated to market perforated security systems.The solution is no less complicated than that of the current Muslim problem, and I have little faith our fine legislators will get either one correct.
At this point, do what you can: vote with your wallet and inform like-minded individuals to do the same.

--
Happiness in intelligent people is the rarest thing I know.
Ernest Hemingway
Don't install Comcast equipment... by Constantin · 2015-11-21 01:59 · Score: 3, Informative

... problem solved. The only reason this attack vector exists in the first place is that people are too lazy to install their own equipment. Instead, they rent a Comcast Wifi router at an exorbitant cost and questionable security. To me, relying on a firewall that was developed by Comcast is like making love with a leaky condom. It might work some of the time, but not for the right reasons.
The solution is simple: If you have to use Comcast, then buy your own cable modem. They can still install it (if you lack the technical skills). Then, put a real firewall between the modem and your network. Whether you buy an integrated router (i.e. with Wifi) or separate components, is totally up to you.
I happen to be very happy with my Edgerouter but past installations with Apple Airports worked well also. Bottom line: Save money and eliminate the potential security risks with renting Comcast equipment by buying your own gear.
1. Re:Don't install Comcast equipment... by Ol+Olsoc · 2015-11-21 02:22 · Score: 2
  
  ... problem solved. The only reason this attack vector exists in the first place is that people are too lazy to install their own equipment. Instead, they rent a Comcast Wifi router at an exorbitant cost and questionable security.
  This! When Comcast retied to get me to install one of their new routers, I asked about this stupid system, and if they would put in writing that I was not responsible for other people's actions on the router on my property. Crickets chirped.
  This is right up there with Windows phone and Windows 10 sharing your WiFi password with a person you allow on it and their social circle. By default. You have to opt out of that invasion The roots of this problem are understandable The amount of data people are trying to consume with their smartphones has become a problem. That and the tons of ads and tracking scripts placed on a mobile device will take you to and beyond your cap pretty quickly. So they are getting desperate to hand the web off to any wifi they can.
  Not
  My
  Problem
  I want to see the face and shake the hand of anyone who attaches to my wifi.
  
  --
  The shepherds did so well protecting the flock that the sheep no longer believed that wolves existed.
2. Re:Don't install Comcast equipment... by dgatwood · 2015-11-21 02:35 · Score: 2
  
  ... problem solved. The only reason this attack vector exists in the first place is that people are too lazy to install their own equipment.
  Unfortunately, Comcast requires their business-class DSL customers with more than one static IP to use rented equipment, even if you are using it in a residential setting. So power-user customers don't have the option to install their own equipment. This is the main reason I'm still on DSL. They quoted me a price for service, then upped it by twenty or thirty bucks a month for equipment rental that wasn't in their original price. I told them I wasn't renting. They told me that it wasn't an option. I stayed with slow-but-largely-under-my-control DSL.
  
  --
  Check out my sci-fi/humor trilogy at PatriotsBooks.
3. Re:Don't install Comcast equipment... by houstonbofh · 2015-11-21 03:24 · Score: 2
  
  ... problem solved. The only reason this attack vector exists in the first place is that people are too lazy to install their own equipment.
  Unfortunately, Comcast requires their business-class DSL customers with more than one static IP to use rented equipment, even if you are using it in a residential setting. So power-user customers don't have the option to install their own equipment.
  Yes you can. You just specify the non-wifi equipment and no NAT. (Like the SMC Broadband Gateway. The Netgear can do it to.) Then set up your own firewall and WiFi. You can use something like www.smallwall.org on an old WinTerminal for under $50.
4. Re:Don't install Comcast equipment... by Gr8Apes · 2015-11-21 04:12 · Score: 2
  
  Exactly this - what's to stop your own equipment from being the static IP? You can NAT behind your own equipment, and control all aspects of what's happening with it. I use my provided equipment in this exact way - it's about as dumb as it can be. Add in VPNs, and the provided equipment can only state "there is one outbound connection with blah traffic on it. No metrics, no anything.
  
  --
  The cesspool just got a check and balance.
5. Re:Don't install Comcast equipment... by mrchaotica · 2015-11-21 06:11 · Score: 1
  
  Then, put a real firewall between the modem and your network.
  Could you elaborate what you mean about this? What settings should be restricted (beyond the router default ones to protect the LAN from the Internet at large)?
  
  --
  "[Regarding the 'cloud,'] ownership was what made America different than Russia." -- Woz
6. Re:Don't install Comcast equipment... by Constantin · 2015-11-21 07:17 · Score: 1
  
  Basically, I want a firewall that is completely closed by default, whose holes (if any) are explicitly opened by the end user. That cannot be guaranteed with Comcast-supplied equipment.
  Given that Comcast can 're-provision' the cable modem at will means that my settings may get wiped at their pleasure. I am happy to given them that freedom (i.e. control the equipment that interfaces with their network) as long as I get to control what enters my network. So that's why I like a separate device to run my firewall than ISP-supplied gear.
  Also, Comcast is not necessarily the source of the problem. For example, consider that Comcast packages that include phone service require an eMTA telephony modem (i.e. one that allows a telephone to be attached to the modem). Arris modems appear to be the only kind that allow this on the US market and thanks to innumerable back-doors Arris' modems have been pwned in more ways than should be possible. Given that Arris has shown apparent zero interest in patching these issues, I would consider any Arris-made modem to be a potential malware/etc/ cesspool.
  I have a lot more trust in equipment like my Edgerouter (see online tutorials re: preferred settings or use the HTTP Wizard) than relying on Comcast to have the 'right' firewall settings on their router. And if you put in the time to learn the specifics of your firewall/network equipment, there is a huge benefit, such as being able to segment the network between guest and home users (to keep your server separate), prevent visiting friends from abusing your network connection (i.e. data caps), and so on.
  Even relatively inexpensive (and easy to set up) consumer grade gear like the Airport Extreme can offer these features. While the Edgerouter I currently use has a *very* steep learning curve for an inexperienced network admin, there are other solutions out there that are equally effective. Plus, you can retrofit a large number of older routers with DD-WRT and like firmware replacements to add features, etc.
7. Re:Don't install Comcast equipment... by Ol+Olsoc · 2015-11-21 07:39 · Score: 1
  
  ...Windows 10 sharing your WiFi password with a person you allow on it and their social circle. By default. You have to opt out of that invasion.
  Bzzt! Wrong! There is a checkbox when you connect to the network for the first time. That checkbox is UNCHECKED. You have to actually check the box if you want to share the WiFi connection information. Don't spread FUD please.
  Buzz! I just did 5 machines that we're exactly NOT as your version of the truth. Waht's more, on teh one machine I doid b efore learning of this, I had to go in and turn it off.
  In the end though, it doesn't matter, this feature should not exist in any way shape of form, my shilly little shill, for your shillinglgy levels of shiilieness.
  
  --
  The shepherds did so well protecting the flock that the sheep no longer believed that wolves existed.
8. Re:Don't install Comcast equipment... by niftymitch · 2015-11-21 08:13 · Score: 1
  
  ... problem solved. The only reason this attack vector exists in the first place is that people are too lazy to install their own equipment. Instead, they rent a Comcast Wifi router at an exorbitant cost and questionable security. ......
  Given the size and reach of Comcast the issue of questionable security is an issue
  of national security and worth a letter or three to your elected officials.
  Individuals can be lazy and will be (yes should not be lazy) but large organizations cannot be.
  Security flaws need to be addressed in prompt time frames and agencies that keep them secret
  because they believe them to be a tool of power need be squashed and the salary of the managers
  reduced %10 for each week beyond 90days should they fail to report to the vendor discoveries
  of security flaws.
  
  --
  Truth is stranger than fiction, but it is because Fiction is obliged to stick to possibilities; Truth isn't. Mark Twain.
9. Re:Don't install Comcast equipment... by dgatwood · 2015-11-21 12:26 · Score: 1
  
  Exactly this - what's to stop your own equipment from being the static IP?
  I think you both misread what I said.
  
  Comcast requires their business-class DSL customers with more than one static IP to use rented equipment.
  They'll let you have a single static IP with your own CPE. They might even allow you two (not certain). They won't let you have a block of eight IPs, which is what I currently have from Covad or Megapath or whatever their name is this week (Global something-or-other).
  
  --
  Check out my sci-fi/humor trilogy at PatriotsBooks.
10. Re: Don't install Comcast equipment... by dgatwood · 2015-11-21 12:29 · Score: 1
  
  Because 640 kilobits upstream is miserable for folks who upload gigabytes of photos to a remote server on a regular basis.
  
  --
  Check out my sci-fi/humor trilogy at PatriotsBooks.
11. Re:Don't install Comcast equipment... by antdude · 2015-11-21 14:48 · Score: 1
  
  But you can't use your own if you use its business service, phone service, etc. :(
  
  --
  Ant(Dude) @ Quality Foraged Links (AQFL.net) & The Ant Farm (antfarm.ma.cx / antfarm.home.dhs.org).
12. Re:Don't install Comcast equipment... by Gr8Apes · 2015-11-21 18:41 · Score: 1
  
  You can still have your own eq masquerade as the static IP(s).
  
  --
  The cesspool just got a check and balance.
13. Re:Don't install Comcast equipment... by dgatwood · 2015-11-22 01:35 · Score: 1
  
  I've never seen any /29 blocks for sale, and even if you could, you'd still have to get the ISP to route it, which they won't do, because they aren't willing to set up static routes, which is why they demand that you use their equipment so that they can use authenticated RIP without giving you the credentials.
  
  --
  Check out my sci-fi/humor trilogy at PatriotsBooks.
14. Re:Don't install Comcast equipment... by houstonbofh · 2015-11-22 13:58 · Score: 1
  
  Exactly this - what's to stop your own equipment from being the static IP?
  I think you both misread what I said.
  
  Comcast requires their business-class DSL customers with more than one static IP to use rented equipment.
  They'll let you have a single static IP with your own CPE. They might even allow you two (not certain). They won't let you have a block of eight IPs, which is what I currently have from Covad or Megapath or whatever their name is this week (Global something-or-other).
  I think you did not read what I wrote. You use the non-wifi and non-NAT equipment (and you have to demand it, or they will put in the WiFi full wiz bang BS router) and set up your firewall behind it. Yes, you do not own the docsis router. Nor you you own the rest of the routers in their network. But you do own the device doing firewall, NAT and WiFi which nips this security problem in the bud.
15. Re: Don't install Comcast equipment... by Ol+Olsoc · 2015-12-05 16:57 · Score: 1
  
  The service is on, but you have to share it explicitly. Wifi passords are NOT shared by default
  You are correct - they do not explicitely give them your password. But they enter it. And thes folks can connect.
  Personally, I don't want to have people downloading who knows what on my cable line. Or mooching neighbors, just because they're friends of friends.
  And I had to opt out of it, not enable it. And if I want to insure I'm opted out I have to rename my SSID. Which of course, since Microsoft ignores half the privacy settings now anyhow, I believe if I give a W10 user or Windows phone user access, they are probably allowing it regardless of my settings. So they get no access. at all - ever.
  If this isn't pernicious to you, not much is.
  
  --
  The shepherds did so well protecting the flock that the sheep no longer believed that wolves existed.
Somebody else said this... by Anonymous Coward · 2015-11-21 03:52 · Score: 2, Funny

...If I had only two bullets and was locked in a room with Comcast, Hitler, and Osama Bin Laden, I'd shoot Comcast twice.
1. Re:Somebody else said this... by davester666 · 2015-11-21 08:25 · Score: 1
  
  What would you do? Press them into Comcast's chest with your hand? Stomp them in [actually that's a great idea]?
  
  --
  Sleep your way to a whiter smile...date a dentist!
There own in house testing shows up as well by Joe_Dragon · 2015-11-21 03:59 · Score: 1

http://hotspots.wifi.xfinity.c...
COMAST BW TEST ACCOUNTS
350 N Wolf Rd
Mount Prospect, IL 60056
Network Name: xfinitywifi
With phone It's hard to get your own one also by Joe_Dragon · 2015-11-21 04:03 · Score: 1

With phone It's hard to get your own one.
also billing is a mess and they mess up a lot.
Now when Comcast goes to IP tv they may force you to rent there gateway.
Phone book by bws111 · 2015-11-21 04:56 · Score: 1

Exposes names and addresses? Oh, the horror! Next thing you know they'll print a book with all those names and addresses and give one to everyone!
1. Re:Phone book by ShaunC · 2015-11-21 05:57 · Score: 1
  
  People can at least opt out of the phone book. And with the prevalence of mobiles and the decline of landlines, there's an entire generation of people now who have never been listed in a phone book and don't have to worry about it. I don't even remember the last time I got an updated white pages tossed on my porch, it's been years for sure.
  Battered wives, stalking victims, controversial bloggers, Twitch gamers, and people who just value their privacy in general, really don't need Comcast broadcasting their home address to the world. Especially when nobody knew it was happening, and especially when Comcast explicitly said they wouldn't do that. Getting doxxed and stalked/swatted/etc. is a big enough threat already without one's ISP making things even easier.
  
  --
  Thanks to the War on Drugs, it's easier to buy meth than it is to buy cold medicine!
Who wants to do a hotspot with a rolling password? by laurencetux · 2015-11-21 06:14 · Score: 1

the problem is that the one deciding that the password is to be shared is THE PERSONS CONNECTING NOT THE HOTSPOT OWNER.
exactly how many services will require you to add something to your SSID to optout??
and what do you want to bet that one or more of these services will require the string to be LAST to "count"
i could see SSIDs landing up as
a_optout_dice_fred_barney_sbucks_foo ... _shootmenow
Not sure I agree by Constantin · 2015-11-21 07:23 · Score: 1

I bought a Arris telephony modem on Amazon that I then provisioned my account with. It took longer than it should have, i.e. multiple phone calls, a visit from Comcast (to replace a shot overhead line), etc. but it can be done, and as far as I am concerned, it should be done.
Sure, there are folks for whom renting makes more sense than owning. But for anyone who is looking to stay in a particular domicile for a couple of years, owning makes a lot of sense. Particularly, if you happen to live in a town that only has one high-speed ISP, i.e. where you have little to no opportunity to switch among providers.
Completely verified by RubberDogBone · 2015-11-21 16:18 · Score: 1

As a new Comcast subscriber, I can confirm all of this is true. 100%.
Comcast's own hotspot finder app shows you a map of the hotspots complete with street address and even names in some cases. For this reason, I don't have one of their wifi hotspots running in MY house. Hell no. Do enjoy USING their hotspots when I am out and about. Works really well, far better than any other hotspot service I've ever had. Comcast wifi is all over.
And for validating, once your device (phone, laptop, whatever) authenticates once with Xfinity Wifi or Cablewifi, their system adds your MAC to the approved list and you don't need to login again. It's very handy.

--
Sig for hire.