About a year ago, Comcast started modifying the routers of some of their customers to create a quasi-public wireless system called XFINITY WiFi intended for use, mainly, by Comcast customers. Home users would see a new Wi-Fi network called "xfinitywifi" alongside their existing private wireless network.
In pushing the program, Comcast points out that when one of their customers visits another, the visitor can use the xfinitywifi network rather than the homeowner's wireless network. They tout it as a security feature, since the homeowner gets to keep their Wi-Fi password secret. Of course, this ignores the fact that many routers offer guest networks to solve just this problem.
The big benefit is that when Comcast customers are traveling to an area served by Comcast, they can use this public Wi-Fi to get online. XFINITY Wi-Fi can save on typically limited 3G/4G bandwidth and it should be faster too.
Comcast makes XFINITY WiFi available to their business customers too and they have installed it at some public areas, such as the Universal Orlando Resort. It may even let someone get away with a cheap Wi-Fi only tablet as opposed to a model with built-in 3G/4G/LTE.
The company claims to have over a million XFINITY WiFi hotspots; another source puts the current number at 3 million. Either way, Comcast plans to have 8 million by the end of 2014. To put this in perspective, Comcast has roughly 21 million Internet customers.
Is XFINITY WiFi a good thing or a bad thing?
They, like many others who have addressed the topic, have probably not considered all the security issues. Here I will cover the obvious downsides to the service, some less than obvious drawbacks, and finally, a new security risk that no one has yet raised.
Focused on Defensive Computing as I am, XFINITY WiFi seems like a bad idea for Comcast customers, both those offering the free Wi-Fi on their routers and those using the system away from home. If you read this entire article to the end (warning: it's long), I am sure you will agree.
THE OBVIOUS OBJECTIONS
The knee-jerk objections have been addressed by Comcast.
The first reaction that many have is the fear that outsiders connecting to their home router will hog the bandwidth and slow down the Internet connection speed of the homeowner.
In response, Comcast says that they do not allow more than 5 xfinitywifi guest users at a time on any one router. They also say that "The broadband connection to your home will be unaffected by the XFINITY WiFi feature ... We have provisioned the XFINITY WiFi feature to support robust usage, and therefore, we anticipate minimal impact to the in-home WiFi network."
DOCSIS 3.0 cable modems get their speed, much like the ac flavor of Wi-Fi, by using multiple channels. Unlike Wi-Fi channels, DOCSIS channels refer to wired connections between the cable modem and the home office of the cable provider.
Some DOCSIS 3.0 modems have 4 channels in each direction, others have 8 downstream channels (from the Internet to you) and 4 upstream (from you to the Internet). It is possible that the Comcast gateway devices (Arris Touchstone models in Houston) are configured to send guest traffic over a different channel or channels than traffic from the homeowner. But, to be clear, this is speculation on my part.
I have not run across any tests with hard numbers, but my expectation would be that the bandwidth impact would be minimal.
Another obvious issue is that visitors might be able to interact with computers and other devices on the personal network (wired or wireless) since everything connects to the same gateway device. Addressing this, Comcast says "The XFINITY WiFi service is designed to work on a separate network so that your home network remains entirely secure." Here too, I have not run across any reports that put this claim to the test.
Samara Lynn, of PC Magazine, raised another concern - physical security. She writes that "People locate Comcast hotspots via an Xfinity app or through the Xfinity hotspot locator site. I would be concerned about my address being broadcast by the app or the website". Comcast does address this, but Lynn says "Comcast's vague statement on the matter is not reassuring".
IT WASN'T ME
The last of the obvious objections is accountability. What if a guest, using the Internet connection in your home, does something illegal? Something so bad that law enforcement agencies get involved. This has come up many times before and is, perhaps, the most important reason not to share your home Internet connection.
To the outside world, all computing devices in your home look the same. That is, they share a common public IP address (an IP address is the unique number that identifies a single entity on a TCP/IP network). You can see your public IP address at ipchicken.com, ip2location.com and many other places.
Nothing I have read says that XFINITY WiFi guests are assigned their own public IP address. If they are not, anyone offering the service from their home runs the risk of men with guns knocking on their door.
Comcast says that if the FBI comes knocking, there is no need to worry; illegal activity can be traced back to the guest who is a known Comcast customer.
That Comcast has to say this, however, shows that illegal activity is not easily traced to the real culprit.
And even if Comcast can relate any illegal activity to their customer who was a guest on your home router at 9:56pm on Tuesday, would you trust one of the most hated companies in the U.S. to have your back in this case? That there are no detailed explanations of how this works just makes one more doubtful.
In addition, XFINITY WiFi is not limited to Comcast customers, making the task of identifying the real perpetrator of illegal activity that much harder.
As shown in the screen shot below of the Comcast FAQ page, there are two ways that anyone can hop onto the system: a free trial and a short term access pass. Bad guys with stolen credit cards can get online for an hour ($2.95), a day ($7.95) or a week ($19.95). Bad guys without a credit card can use two free sessions of an hour each.
In fairness, Comcast offers the one hour free sessions only at "select XFINITY WiFi hotspot locations". But exactly what that means, they don't say. Likewise, the access passes are not available in all locations. Whether that means you can't buy them everywhere or you can't use them everywhere is, again, not spelled out.
THE LESS OBVIOUS DANGERS
The first problem with the Comcast claim that the guest network is separate from the homeowner's private network is that there are no technical details on how this is done. The data traffic needs to be separate over the air, in the router and as far as anyone on the Internet can discern.
Comcast has not said if xfinitywifi traffic is encrypted over the air, a huge omission. Their FAQ page has one relevant sentence: "Whenever you sign in, we help protect your privacy and the safety of your Comcast Email or username and password by providing 128-bit encryption on the sign in page". In other words, their sign-in page uses HTTPS. WPA2? None of our business.
Heck, they don't even say which Wi-Fi frequency band (2.4GHz or 5GHz) they use.
Is this miserable documentation due to incompetence or was it carefully crafted to hide oversights in the technology?
However it is done, the device that separates the public and private networks in your home is the gateway device, a combination modem and router.
Next month, at the Hackers On Planet Earth (HOPE) conference, I will be giving a presentation on "Securing a Home Router". In part, I was drawn to the subject because of the huge parade of ghastly security flaws in routers. It seems when it comes to router firmware, quality is job 326.
With 8 million of them in the field, the devices used for XFINITY WiFi will surely be prime targets for bad guys. If they have flaws, someone is sure to find them.
Another security issue involves the userid/password used to logon to XFINITY WiFi. It is the same one used to logon to the Comcast website to manage an account. If a bad guy got hold of it (more on this below) there is a huge potential for abuse.
They can see your billing details and read your webmail. They can add HBO and Cinemax to your account. Worst of all, they can logon to XFINITY WiFi as you, do something illegal and have everything point back to you.
A much better approach would have been for Comcast to let their customers create a new userid and password, one that is only valid for XFINITY Wi-Fi. Better yet, there should be a Wi-Fi only userid/password for each member of the family. A single userid/password being used for everything is too tempting a target.
MAC ADDRESS SPOOFING
Perhaps the biggest security issue with XFINITY WiFi involves the "Automatic Sign In".
According to Comcast anyone using XFINITY WiFi when away from home only has to logon with their Comcast userid/password once from any given wireless device. Afterwards, the system recognizes the device automatically.
... once you have successfully signed in using a Wi-Fi enabled device, your device will be registered for Automatic Sign In and you will not be required to provide your Comcast ID and password to connect to the XFINITY WiFi network using the same device ... You can register up to 20 of your Wi-Fi-enabled devices with our automatic sign-in feature.
After the previous point, this may sound like a good thing, since the Comcast userid/password is not being sent over the air. I suspect, however, that it is a big security flaw.
How does this work? Needless to say at this point, I could find no relevant documentation.
How might it work?
If Comcast required their software on wireless devices, then their software could generate some type of unique identifier that was only known to Comcast. But their software is not required. Any wireless enabled device can logon to XFINITY WiFi. So, how might Comcast uniquely identify a particular device?
By MAC address (MAC, all upper case, is a network identifier; Mac, with the ac in lower case, is a computer from Apple).
All wired and wireless network hardware has a unique 48-bit identifier called a MAC address. From the start, MAC addresses were designed to be globally unique. The first 24 bits identify the company that made the hardware, the last 24 bits function as a serial number for the device.
A router has at least three MAC addresses, one for its WAN connection to the Internet, one for its LAN connection and one for its Wi-Fi radio. A dual band router will have a MAC address for each wireless band. You can usually find the MAC addresses of a router on a sticker on the bottom.
The screen shot below from WiFi Analyzer (an excellent free Android app) illustrates MAC addresses.
Next to the name of the network, in parentheses, is the MAC address of the router creating the network. Based on the first half of the MAC address, the program is able to show which company made the wireless radio for the detected network. Here we see three networks, running on hardware from Belkin, Cisco-Linksys and Arris.
You can also see where the network "Belkin.a18" got its name. The characters after the period are the last three hexadecimal characters of the MAC address.
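The structure described above (24-bit manufacturer prefix, 24-bit serial, and the three-character suffix WiFi Analyzer shows in a name like "Belkin.a18") is easy to decode in code. The following is an added example, not code from the article or from Comcast; the OUI prefixes in its lookup table are made up for the example and are not the real IEEE assignments for those vendors. It also reads the two flag bits in the first octet, which the article does not mention: the "locally administered" bit tells a defender that an address was set by software rather than burned in at the factory, though it cannot reveal an address copied from a real device.

```python
import re

# Constructed OUI table for this example.  These prefixes are made up and are
# NOT the real IEEE registry entries for these vendors; a real tool would load
# the IEEE OUI list.
OUI_TABLE = {
    "00:11:22": "Belkin",
    "00:33:44": "Cisco-Linksys",
    "00:55:66": "Arris",
}

_HEX12 = re.compile(r"^[0-9a-f]{12}$")


def normalize_mac(text: str) -> str:
    """Accept 00-11-22-AB-CA-18, 001122abca18 or 00:11:22:ab:ca:18; return lower-case colon form."""
    digits = re.sub(r"[:\-. ]", "", text.strip().lower())
    if not _HEX12.match(digits):
        raise ValueError(f"not a 48-bit MAC address: {text!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def parse_mac(text: str) -> dict:
    """Split a MAC address into the fields the article describes, plus the two flag bits."""
    mac = normalize_mac(text)
    first_octet = int(mac[:2], 16)
    oui = mac[:8].upper()
    return {
        "mac": mac,
        "oui": oui,                                 # first 24 bits: the manufacturer
        "vendor": OUI_TABLE.get(oui, "unknown"),
        "serial": mac[9:],                          # last 24 bits: per-device serial number
        # Bit 1 of the first octet is the U/L bit: 1 means the address was assigned
        # locally (by software or an administrator), not burned in by the maker.
        "locally_administered": bool(first_octet & 0x02),
        # Bit 0 is the I/G bit: 1 means a group (multicast/broadcast) address.
        "multicast": bool(first_octet & 0x01),
        # WiFi Analyzer-style short name: the last three hex digits, e.g. "a18".
        "ssid_suffix": mac.replace(":", "")[-3:],
    }


def untrusted_identifiers(macs) -> list:
    """Return the addresses whose U/L bit is set, i.e. not factory-assigned.

    This catches randomized or hand-typed addresses.  It cannot catch an address
    copied from a real device, which is exactly why keying identity off the MAC
    address is weak.
    """
    return [normalize_mac(m) for m in macs if parse_mac(m)["locally_administered"]]


if __name__ == "__main__":
    for sample in ("00-11-22-AB-CA-18", "00:33:44:00:00:01", "02:11:22:33:44:55"):
        print(parse_mac(sample))
    print("not factory-assigned:", untrusted_identifiers(["00:11:22:ab:ca:18", "02:11:22:33:44:55"]))
```

Run it as a script to see the three sample addresses decoded; the third one has the locally administered bit set and is reported by `untrusted_identifiers`.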
In other words, it's hard to imagine Comcast using anything but the MAC address to uniquely identify a Wi-Fi device.
If you have ever dealt with configuring a router, you may have run across a security feature called MAC address filtering. This lets you tell the router the MAC addresses of known trusted Wi-Fi devices. These devices are allowed in, all others get blocked. You can see a demo of configuring MAC address filtering for an Asus router here.
Sound like a great security feature? No one uses it.
In reality, it offers hardly any security, at least for wireless.
MAC addresses are always broadcast unencrypted over the air. The underlying communication protocol requires this. So, anyone who found themselves blocked by a router using MAC address filtering could just listen for a valid MAC address communicating with the target network and then pretend to be that device. The pretending (called spoofing) is not all that hard.
Getting back to XFINITY WiFi, we can now understand what I see as its biggest security problem. Rather than use a free one hour session, a bad guy can park near an xfinitywifi network and make a note of the MAC addresses of the devices using the network. Then all they need to do is fake their MAC address, get automatically signed in, do something illegal, and an innocent Comcast customer is in for all kinds of hell.
There is no defense here either.
The best security for public Wi-Fi networks, a VPN, does not prevent a bad guy from seeing the MAC address of your wireless device. The VPN will encrypt stuff, but that stuff gets sent to the router in a clump of bits ("packet" is the official term) that includes the unencrypted MAC address.
That said, Comcast has been rolling out XFINITY WiFi for an entire year. At the least, they have over a million hotspots. It's hard to believe that I am the first person to publicly raise this issue.
So I did some searching, and found a six month old reddit posting where someone claimed that spoofing their MAC address to aa:bb:cc:dd:ee:ff (all valid hexadecimal digits) got them on a "CableWiFi" network without having to provide credentials. If true, it would not be a surprise. It would also mean (if it was true) that the CableWiFi system keyed off MAC addresses. And if they do, it is likely that XFINITY WiFi does too.
EVIL TWIN NETWORKS
Then too, there is the classic Wi-Fi issue - evil twin networks.
Last June, when Comcast was offering free access to their XFINITY WiFi system for the July 4th holiday, I warned about evil twin networks. My main point was that assuming a wireless network called "xfinitywifi" actually belonged to Comcast was a leap of faith.
That anyone can name their network anything is probably the biggest skeleton in the closet for Wi-Fi.
Comcast customers have no way of knowing that they are actually communicating with a Comcast router when they logon to a wireless network named xfinitywifi and provide their Comcast userid and password.
This is also the case at Starbucks, Barnes and Noble, airports, etc. A few days ago Sean Gallagher at Ars Technica wrote about his testing of an evil twin network for "attwifi". This is so common that Hak5 offers a WiFi Pineapple device for just this sort of thing. Greg Foss has gone so far as to create the necessary HTML and scripts to mimic an XFINITY WiFi logon page. He calls it the Xfinity Pineapple.
And, that's just the initial XFINITY WiFi logon. What about all the other times someone might use an xfinitywifi network? That Comcast automatically signs in devices it has seen before makes these sessions dangerous too.
As a rule, wireless devices automatically re-connect to Wi-Fi networks they have seen before. How cute. How ridiculous, considering the definition of a network they have seen before is nothing more than the easily spoofed network name (a.k.a. SSID).
If my wife was a wireless device, she would go home with anyone named Michael Horowitz, and there are quite a few of us.
So, customers who have joined an xfinitywifi network are likely to have their wireless device join another one, be it from Comcast or not.
Smartphones and tablets are online devices. Although there may not be a visible indicator, apps run constantly in the background sending and receiving data over the Internet. Apps that fail to encrypt this data will leak a treasure trove of information to a bad guy running an evil twin network.
Someone I know was recently surprised when their Android device notified them that they have a Time Warner cable bill coming due soon. The My TWC app had phoned home to learn this. Was the conversation between the app and Time Warner encrypted? Who knows? An iPhone may choose to do an iCloud backup while it's connected to a scam xfinitywifi network.
Without a friend fluent in packet sniffing, there is no way for a smartphone owner to know which apps encrypt data in transit. Even apps that do encrypt data may nonetheless leak personal information as NPR found out when Steve Henn recently collaborated with Sean Gallagher of Ars Technica and Dave Porcello of Pwnie Express. Their packet sniffing turned up security flaws in a number of services.
And that's just when a scam Wi-Fi network is passively listening. If the bad guy behind it wants to, he can perform man in the middle attacks which render almost all online security moot.
Again, this is an inherent issue with Wi-Fi, it is not specific to XFINITY.
Over at Ars Technica, Sean Gallagher points out that AT&T configures their smartphones to automatically connect to “attwifi” hotspots out of the box. He adds "The same tools I used to spoof Xfinity could be set to automatically respond to a victim’s phone as any Wi-Fi access point they’ve trusted. That’s because of the probe requests generated by smartphones and Wi-Fi—when you turn on your phone’s Wi-Fi adapter, it will seek out any network you’ve ever connected to that it was not told to forget."
If Comcast required customers to logon to XFINITY WiFi every time, then automatically connecting to evil twin networks would not be a security problem on legitimate xfinitywifi networks. Any device that connected to the router/gateway would not be immediately allowed out to the Internet.
Convenience is always the enemy of security.
Update: BTWiFi in the UK is very similar to XFINITY WiFi. It requires users to login every time.
But this restriction would not apply to evil twin xfinitywifi networks. Bad guys would gladly let you online without a password so that they could monitor your activity.
But, even this attempt at convenience causes issues. Three of the questions on the XFINITY FAQ page deal with devices being too eager to connect to XFINITY WiFi.
- My device always connects to the “xfinitywifi” signal – how can I set my private home network as the default?
- I cannot connect to my private home WiFi network or printer. What is wrong?
- Even when I’m home, my device always connects to the “xfinitywifi“ signal — how can I set my private home network as the default?
Ars' Gallagher found his iPhone automatically connecting to the xfinitywifi network of a neighbor.
After using the XFINITY WiFi network, or any popular network such as attwifi, the safe thing to do is to prevent your wireless device from automatically connecting to the next network with the same name.
This is harder than it should be.
As far as I know, neither iOS 7, nor Android 4.x can prevent the automatic re-connecting to Wi-Fi networks that have been used previously.
There is an option in iOS 7.1.1 (Settings -> Wi-Fi -> Ask to Join Networks) that sounds like it does this, but it only applies to new networks. Apple is very clear that "Known networks will be joined automatically". The one exception seems to be Android phones from AT&T where you can disable the option to "Automatically connect to AT&T Wi-Fi hotspot when detected".
So, that means we have to convert attwifi, xfinitywifi, CableWifi and other popular network names from known to unknown status.
On Android this is easy. At the bottom of the list of detected Wi-Fi networks are those currently "Not in range". Long press on a network to reveal the option to forget it (i.e. to make it unknown).
On iOS this is not easy.
In my test, an iPad running iOS 7.1.1 did not show previously used networks that are currently not detected. Maybe there are some, maybe there aren't. And the currently detected networks can only be joined, not forgotten. The only way to forget an individual network seems to be to first connect to it. Only then does the option to forget the network appear.
There is, however, a big hammer - erasing all network settings. In iOS 7.1.1, do Settings -> General -> Reset ->Reset network settings.
Then again, Apple users that employ iCloud Keychain may well find Wi-Fi networks from their laptops re-populating their iOS devices. And since iOS 7.1.1 does not reveal the list of known networks, this could easily go undetected. Ugh.
Personally, I leave home with Wi-Fi disabled.
While security is much more important than performance, we can expect XFINITY WiFi to cause wireless slowdowns. Comcast may allocate more wired bandwidth between the modem/router in your home and themselves, but they can't allocate more Wi-Fi channels.
In the 2.4GHz range, things can get ugly with extra guest users.
In crowded areas, this frequency band is already overloaded and not only with Wi-Fi users (my microwave oven interferes with my Wi-Fi something awful). The WiFi Analyzer screen capture below, taken in midtown Manhattan, illustrates the overcrowding.
If the xfinitywifi network runs on the same Wi-Fi channel as the home network, there will certainly be a loss of bandwidth to the private Wi-Fi user. If the xfinitywifi network runs on a nearby channel, things are likely to be even worse as most of the available 2.4GHz channels overlap.
For example, a network on channel 7 appears as strong radio interference to a network on channel 6 and vice versa. Each suffers. Both networks would be better off on the same channel where they could use the traffic cop feature of the underlying protocol to avoid stepping on each other's feet.
Sebastian Anthony of ExtremeTech recently wrote that overlapping channels are "the primary reason for awful throughput on your wireless network." The only 2.4GHz channels that do not overlap are 1, 6 and 11.
The best case for a private home user whose network runs on channel 6, for example, is for the xfinitywifi network to use channel 1 or 11. But, that would create interference for anyone in the area using those channels. There is no good option in the 2.4GHz band.
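The channel arithmetic behind the last few paragraphs can be checked directly. The following is an added example, not code from the article or from Comcast. It assumes the 2.4GHz channel plan (channel centers 5 MHz apart starting at 2412 MHz, channel 14 off by itself at 2484 MHz) and the 22 MHz spectral mask of 802.11b; with that width, channels only stop overlapping when they are five apart, which is why 1, 6 and 11 are the usual answer. The US channel set 1-11 is an assumption in the code.

```python
# 802.11b DSSS channels occupy a 22 MHz spectral mask (802.11g/n OFDM uses 20 MHz).
# 22 MHz is the figure behind the usual "1, 6 and 11" advice, so it is used here.
CHANNEL_WIDTH_MHZ = 22
US_CHANNELS = range(1, 12)   # assumption: US regulatory domain, channels 1-11


def center_frequency_mhz(channel: int) -> int:
    """Center frequency of a 2.4 GHz channel: 5 MHz steps from 2412 MHz, channel 14 apart."""
    if 1 <= channel <= 13:
        return 2412 + 5 * (channel - 1)
    if channel == 14:
        return 2484          # Japan-only channel, set 12 MHz above channel 13
    raise ValueError(f"no 2.4 GHz channel {channel}")


def band_edges_mhz(channel: int) -> tuple:
    half = CHANNEL_WIDTH_MHZ // 2
    center = center_frequency_mhz(channel)
    return center - half, center + half


def overlap_mhz(a: int, b: int) -> int:
    """How many MHz of channel a's band fall inside channel b's band (0 = clear)."""
    lo_a, hi_a = band_edges_mhz(a)
    lo_b, hi_b = band_edges_mhz(b)
    return max(0, min(hi_a, hi_b) - max(lo_a, lo_b))


def classify(home: int, guest: int) -> str:
    """Describe what a guest network on `guest` does to a home network on `home`."""
    if home == guest:
        return "co-channel"      # both share the channel via CSMA/CA, the "traffic cop"
    if overlap_mhz(home, guest) > 0:
        return "overlapping"     # partial overlap: each network is noise to the other
    return "clear"


def non_overlapping_channels(used, candidates=US_CHANNELS) -> list:
    """Channels in `candidates` that do not overlap any channel in `used`."""
    return [ch for ch in candidates if all(overlap_mhz(ch, u) == 0 for u in used)]


def non_overlapping_set(candidates=US_CHANNELS) -> list:
    """Greedy pick of mutually clear channels from the lowest up; gives [1, 6, 11] for the US."""
    chosen = []
    for ch in candidates:
        if all(overlap_mhz(ch, c) == 0 for c in chosen):
            chosen.append(ch)
    return chosen


if __name__ == "__main__":
    print("channel 6 vs 7 overlap:", overlap_mhz(6, 7), "MHz ->", classify(6, 7))
    print("channel 6 vs 6:", classify(6, 6))
    print("clear choices for a guest network next to channel 6:", non_overlapping_channels([6]))
    print("mutually clear channels:", non_overlapping_set())
```

With the home network on channel 6, the only clear choices for a second network in the US band are 1 and 11, and channels 6 and 7 overlap by 17 of their 22 MHz, which is the "strong radio interference" case described above.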
So, how does XFINITY WiFi allocate channels? Peter Lewis asked, but he got nowhere.
Comcast does come clean on this, saying "Your in-home WiFi network, as well as XFINITY WiFi, use shared spectrum, and as with any shared medium there can be some impact as more devices share WiFi."
With so many technical details unknown (a full list is below), use of the XFINITY WiFi system requires trust in Comcast. Is this a reasonable thing to do considering how many of their customers hate them? (more here)
In researching this I read my share of XFINITY WiFi documentation at Comcast.com. More than once they provided a link where customers could log in to their account to make changes.
The links are to http://customer.comcast.com, a page where customers enter their Comcast userid and password.
No one should ever enter a password on an insecure HTTP web page. That's what HTTPS is for*. And Comcast has a secure HTTPS version of the page. They just don't bother linking to it.
Then too, consider that XFINITY WiFi is being enabled by default, customers have to actively opt-out.
TURN IT OFF
Comcast has said that only 1% of their customers have opted to disable XFINITY WiFi. It may not be the "egregious monopolistic overreach" that Sebastian Anthony called it, but my guess is that most Comcast customers do not fully understand the risks. If you know a Comcast customer, you would be doing them a favor to point them to this blog.
There are three ways to disable XFINITY WiFi.
1) Go to https://customer.comcast.com from your home network. Login, then click on "Users & Preferences", then "Manage XFINITY Wifi". There have been, however, multiple reports of website errors with this.
2) Call 1-800-XFINITY
3) Don't rent a box (Comcast calls them "gateways") from Comcast. Instead, buy your own cable modem and your own router. A commenter below pointed out that with VOIP service from Comcast, buying your own modem is not an option. In this case, have Comcast modify their gateway so that it runs in "bridge" mode and then add your own router. (Updated July 2, 2014)
Comcast is not my ISP, so there are many aspects of XFINITY WiFi that I can't test or verify. Here is what I don't know.
- Do the guests and homeowner share a public IP address? If not, do all guests share the same public IP address?
- How are Wi-Fi guests segregated from the private network? VLAN? Different IP subnet?
- When the FBI comes calling, how does Comcast differentiate traffic from a guest user vs. the homeowner?
- Can Comcast differentiate traffic among different guest users?
- Is the automatic logging on to XFINITY WiFi keyed off MAC addresses?
- Does XFINITY WiFi operate in the 2.4GHz band, the 5GHz band or both?
- In the 2.4GHz band, how does it allocate a Wi-Fi channel for the xfinitywifi network?
- Same question in the 5GHz band
- Is there any over the air encryption such as WPA2-AES?
Update January 3, 2015: The xfinitywifi networks that I have seen since writing this article have all had no security. No WEP, no WPA, no WPA2.
- Does enabling XFINITY WiFi slow down the private network?
- If a customer opts out of XFINITY WiFi at home, can they still use it away from home?
- If a customer has their own modem and router, can they use XFINITY WiFi when away from home? According to a comment below, the answer is yes.
- Can non Comcast customers, with either a free trial or a short term access pass, access a home router?
- How fast is the guest connection?
If I learn more, I'll update this blog.
*In the insecure HTTP version of customer.comcast.com, the form where the password is entered is an IFRAME that is included in the page with HTTPS. But, since the IFRAME is transmitted inside an insecure page, it can be modified in transit before you see it. Thus, your userid and password may be sent to bad guys. One of the benefits of HTTPS is that it ensures the data sent is the data received.
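The pattern in this footnote, and in the earlier point that no password should ever be typed into an HTTP page, can be checked mechanically against a page's markup. The following is an added example, not code from the article or from Comcast, and it does not fetch anything: it parses HTML you hand it along with the URL it was served from, finds password forms and iframes, and reports the two problems described above, a password form on a page that was not served over HTTPS (or that posts to a non-HTTPS action), and an iframe, HTTPS or not, sitting inside a page that was delivered over plain HTTP and could therefore be rewritten on the way. The sample pages use example.com hosts and are constructed for the example.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class _LoginScanner(HTMLParser):
    """Collect password forms and iframes, resolving relative URLs against the page URL."""

    def __init__(self, page_url: str):
        super().__init__()
        self.page_url = page_url
        self.forms = []        # dicts: {"action": absolute URL, "password": bool}
        self.iframes = []      # absolute src URLs
        self._open_form = None

    def handle_starttag(self, tag, attrs):
        a = {name: (value or "") for name, value in attrs}
        if tag == "form":
            self._open_form = {"action": urljoin(self.page_url, a.get("action", "")),
                               "password": False}
            self.forms.append(self._open_form)
        elif tag == "input" and a.get("type", "").lower() == "password":
            if self._open_form is not None:
                self._open_form["password"] = True
        elif tag == "iframe":
            self.iframes.append(urljoin(self.page_url, a.get("src", "")))

    def handle_endtag(self, tag):
        if tag == "form":
            self._open_form = None


def audit_login_page(page_url: str, html: str) -> list:
    """Return human-readable findings for a sign-in page; an empty list means nothing obvious."""
    findings = []
    page_scheme = urlsplit(page_url).scheme.lower()
    scanner = _LoginScanner(page_url)
    scanner.feed(html)

    for form in scanner.forms:
        if not form["password"]:
            continue
        if page_scheme != "https":
            findings.append(f"password form on a page served over {page_scheme}: "
                            "the page, and the form in it, can be altered in transit")
        if urlsplit(form["action"]).scheme.lower() != "https":
            findings.append(f"password form submits to {form['action']} without HTTPS")

    if page_scheme != "https":
        # An HTTPS frame inside an HTTP page is the footnote's case: the frame itself
        # is protected, but the page that decides which frame to show is not.
        for src in scanner.iframes:
            findings.append(f"iframe {src} embedded in a page served over {page_scheme}: "
                            "the surrounding page can be rewritten to swap the frame")
    return findings


# Constructed sample pages (example.com hosts, not Comcast's real markup).
INSECURE_PAGE_URL = "http://customer.example.com/"
INSECURE_PAGE_HTML = """<html><body><h1>Sign in</h1>
<iframe src="https://login.example.com/signin"></iframe>
</body></html>"""

SECURE_PAGE_URL = "https://customer.example.com/"
SECURE_PAGE_HTML = """<html><body>
<form action="/signin" method="post">
  <input name="user"><input name="pass" type="password"><button>Sign in</button>
</form></body></html>"""

if __name__ == "__main__":
    for url, html in ((INSECURE_PAGE_URL, INSECURE_PAGE_HTML),
                      (SECURE_PAGE_URL, SECURE_PAGE_HTML)):
        print(url, audit_login_page(url, html) or ["ok"])
```

The first sample reproduces the footnote's layout and draws one finding; the second, a password form on an HTTPS page posting to an HTTPS action, draws none. Feeding the secure markup with an `http://` page URL shows the earlier point as well: the form is flagged even though nothing in the markup changed, because what matters is how the page reached the browser.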
NOTE: As mentioned above, I will be speaking on Securing a Home Router at the HOPE (Hackers on Planet Earth) conference next month. The conference is in New York City from July 18th thru the 20th. My presentation is on the 20th at 3PM.
Update January 11, 2015: The San Francisco Chronicle reported on Dec. 9 2014 that Comcast is being sued for turning home Wi-Fi routers into public hotspots.