Slashdot Mirror


Comcast Xfinity Wi-Fi Discloses Customer Names and Addresses (csoonline.com)

itwbennett writes: Despite assurances that only business listings and not customer names and home addresses would appear in the public search results when someone searches for an Xfinity Wi-Fi hotspot, that is exactly what happened when the service was initiated 2 years ago — and is still happening now, writes CSO's Steve Ragan. And that isn't the only security issue with the service. Another level of exposure centers on accountability. Ken Smith, senior security architect with K Logix in Brookline, Ma., discovered that Comcast is relying on the device's MAC address as a key component of authentication.

9 of 49 comments

  1. Listen to your technical guys by qbast · · Score: 4, Interesting

    I can imagine the discussion:
    - (technical guy) - we can't rely on MAC for security! MAC can be obtained by eavesdropping and then an attacker can figure out how to break in
    - (marketing guy) - yes, yes, but the simplicity for the user is the most important thing
    - (management) - nobody will be able to figure out this MAC thingy anyway, make it so.

  2. Comcast motto by Anonymous Coward · · Score: 2

    "You don't have to care when you're the only game in town."

  3. Don't play the surprised card. by rmdingler · · Score: 2

    As the governors continue to use every impetus to reduce security during internet use and message transmission, it becomes quite clear that the corporations, by and large, are not going to come racing in to save the day.

    It's cheaper and less complicated to market perforated security systems. The solution is no less complicated than that of the current Muslim problem, and I have little faith our fine legislators will get either one correct.

    At this point, do what you can: vote with your wallet and inform like-minded individuals to do the same.

    --
    Happiness in intelligent people is the rarest thing I know.

    Ernest Hemingway

  4. Don't install Comcast equipment... by Constantin · · Score: 3, Informative

    ... problem solved. The only reason this attack vector exists in the first place is that people are too lazy to install their own equipment. Instead, they rent a Comcast Wifi router at an exorbitant cost and questionable security. To me, relying on a firewall that was developed by Comcast is like making love with a leaky condom. It might work some of the time, but not for the right reasons.

    The solution is simple: If you have to use Comcast, then buy your own cable modem. They can still install it (if you lack the technical skills). Then, put a real firewall between the modem and your network. Whether you buy an integrated router (i.e. with Wifi) or separate components, is totally up to you.

    I happen to be very happy with my Edgerouter but past installations with Apple Airports worked well also. Bottom line: Save money and eliminate the potential security risks with renting Comcast equipment by buying your own gear.

    1. Re:Don't install Comcast equipment... by Ol Olsoc · · Score: 2

      ... problem solved. The only reason this attack vector exists in the first place is that people are too lazy to install their own equipment. Instead, they rent a Comcast Wifi router at an exorbitant cost and questionable security.

      This! When Comcast tried to get me to install one of their new routers, I asked about this stupid system, and if they would put in writing that I was not responsible for other people's actions on the router on my property. Crickets chirped.

      This is right up there with Windows phone and Windows 10 sharing your WiFi password with a person you allow on it and their social circle. By default. You have to opt out of that invasion. The roots of this problem are understandable. The amount of data people are trying to consume with their smartphones has become a problem. That and the tons of ads and tracking scripts placed on a mobile device will take you to and beyond your cap pretty quickly. So they are getting desperate to hand the web off to any wifi they can.

      Not

      My

      Problem

      I want to see the face and shake the hand of anyone who attaches to my wifi.

      --
      The shepherds did so well protecting the flock that the sheep no longer believed that wolves existed.

    2. Re:Don't install Comcast equipment... by dgatwood · · Score: 2

      ... problem solved. The only reason this attack vector exists in the first place is that people are too lazy to install their own equipment.

      Unfortunately, Comcast requires their business-class DSL customers with more than one static IP to use rented equipment, even if you are using it in a residential setting. So power-user customers don't have the option to install their own equipment. This is the main reason I'm still on DSL. They quoted me a price for service, then upped it by twenty or thirty bucks a month for equipment rental that wasn't in their original price. I told them I wasn't renting. They told me that it wasn't an option. I stayed with slow-but-largely-under-my-control DSL.

      --

      Check out my sci-fi/humor trilogy at PatriotsBooks.

    3. Re:Don't install Comcast equipment... by houstonbofh · · Score: 2

      ... problem solved. The only reason this attack vector exists in the first place is that people are too lazy to install their own equipment.

      Unfortunately, Comcast requires their business-class DSL customers with more than one static IP to use rented equipment, even if you are using it in a residential setting. So power-user customers don't have the option to install their own equipment.

      Yes you can. You just specify the non-wifi equipment and no NAT. (Like the SMC Broadband Gateway. The Netgear can do it too.) Then set up your own firewall and WiFi. You can use something like www.smallwall.org on an old WinTerminal for under $50.

    4. Re:Don't install Comcast equipment... by Gr8Apes · · Score: 2

      Exactly this - what's to stop your own equipment from being the static IP? You can NAT behind your own equipment, and control all aspects of what's happening with it. I use my provided equipment in this exact way - it's about as dumb as it can be. Add in VPNs, and the provided equipment can only state "there is one outbound connection with blah traffic on it." No metrics, no anything.

      --
      The cesspool just got a check and balance.

  5. Somebody else said this... by Anonymous Coward · · Score: 2, Funny

    ...If I had only two bullets and was locked in a room with Comcast, Hitler, and Osama Bin Laden, I'd shoot Comcast twice.