Slashdot Mirror


Comcast Xfinity Wi-Fi Discloses Customer Names and Addresses (csoonline.com)

itwbennett writes: Despite assurances that only business listings and not customer names and home addresses would appear in the public search results when someone searches for an Xfinity Wi-Fi hotspot, that is exactly what happened when the service was initiated 2 years ago — and is still happening now, writes CSO's Steve Ragan. And that isn't the only security issue with the service. Another level of exposure centers on accountability. Ken Smith, senior security architect with K Logix in Brookline, Ma., discovered that Comcast is relying on the device's MAC address as a key component of authentication.


  1. Listen to your technical guys by qbast · Score: 4, Interesting

    I can imagine the discussion:
    - (technical guy) - we can't rely on MAC for security! MAC can be obtained by eavesdropping and then an attacker can figure out how to break in
    - (marketing guy) - yes, yes, but simplicity for the user is the most important thing
    - (management) - nobody will be able to figure out this MAC thingy anyway, make it so.

  2. Don't install Comcast equipment... by Constantin · Score: 3, Informative

    ... problem solved. The only reason this attack vector exists in the first place is that people are too lazy to install their own equipment. Instead, they rent a Comcast Wi-Fi router at an exorbitant cost and questionable security. To me, relying on a firewall that was developed by Comcast is like making love with a leaky condom. It might work some of the time, but not for the right reasons.

    The solution is simple: If you have to use Comcast, then buy your own cable modem. They can still install it (if you lack the technical skills). Then, put a real firewall between the modem and your network. Whether you buy an integrated router (i.e. with Wi-Fi) or separate components is totally up to you.

    I happen to be very happy with my EdgeRouter, but past installations with Apple AirPorts worked well also. Bottom line: Save money and eliminate the potential security risks with renting Comcast equipment by buying your own gear.