So I did some searching, and found a six-month-old reddit posting where someone claimed that spoofing their MAC address to aa:bb:cc:dd:ee:ff (all valid hexadecimal digits) got them on a "CableWiFi" network without having to provide credentials. If true, it would not be a surprise. It would also mean (if it were true) that the CableWiFi system keyed off MAC addresses. And if they do, it is likely that XFINITY WiFi does too.
EVIL TWIN NETWORKS
Then too, there is the classic Wi-Fi issue - evil twin networks.
Last June, when Comcast was offering free access to their XFINITY WiFi system for the July 4th holiday, I warned about evil twin networks. My main point was that assuming a wireless network called "xfinitywifi" actually belonged to Comcast was a leap of faith.
That anyone can name their network anything is probably the biggest skeleton in the closet for Wi-Fi.
Comcast customers have no way of knowing that they are actually communicating with a Comcast router when they log on to a wireless network named xfinitywifi and provide their Comcast userid and password.
This is also the case at Starbucks, Barnes and Noble, airports, etc. A few days ago Sean Gallagher at Ars Technica wrote about his testing of an evil twin network for "attwifi". This is so common that Hak5 sells a WiFi Pineapple device for just this sort of thing. Greg Foss has gone so far as to create the HTML and scripts needed to mimic an XFINITY WiFi logon page. He calls it the Xfinity Pineapple.
And that's just the initial XFINITY WiFi logon. What about all the other times someone might use an xfinitywifi network? That Comcast automatically signs in devices it has seen before makes these sessions dangerous too.
As a rule, wireless devices automatically re-connect to Wi-Fi networks they have seen before. How cute. How ridiculous, considering that for an open network the definition of a network they have seen before is nothing more than the easily spoofed network name (a.k.a. SSID). There is no password to check, so a matching name is all it takes.
If my wife was a wireless device, she would go home with anyone named Michael Horowitz, and there are quite a few of us.
So, customers who have joined an xfinitywifi network are likely to have their wireless device join another one, be it from Comcast or not.
Smartphones and tablets are online devices. Although there may not be a visible indicator, apps run constantly in the background sending and receiving data over the Internet. Apps that fail to encrypt this data will leak a treasure trove of information to a bad guy running an evil twin network.
Someone I know was recently surprised when their Android device notified them that they have a Time Warner cable bill coming due soon. The My TWC app had phoned home to learn this. Was the conversation between the app and Time Warner encrypted? Who knows? An iPhone may choose to do an iCloud backup while it's connected to a scam xfinitywifi network.
Without a friend fluent in packet sniffing, there is no way for a smartphone owner to know which apps encrypt data in transit. Even apps that do encrypt data may nonetheless leak personal information as NPR found out when Steve Henn recently collaborated with Sean Gallagher of Ars Technica and Dave Porcello of Pwnie Express. Their packet sniffing turned up security flaws in a number of services.
And that's just when a scam Wi-Fi network is passively listening. If the bad guy behind it wants to, he can perform man-in-the-middle attacks: tampering with any unencrypted traffic and, for apps that fail to validate the server's certificate, with encrypted traffic too. That renders almost all online security moot.
Again, this is an inherent issue with Wi-Fi, it is not specific to XFINITY.
Over at Ars Technica, Sean Gallagher points out that AT&T configures their smartphones to automatically connect to “attwifi” hotspots out of the box. He adds "The same tools I used to spoof Xfinity could be set to automatically respond to a victim’s phone as any Wi-Fi access point they’ve trusted. That’s because of the probe requests generated by smartphones and Wi-Fi—when you turn on your phone’s Wi-Fi adapter, it will seek out any network you’ve ever connected to that it was not told to forget."
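To make the probe-request leak concrete, here is an added example, written for this post and not taken from Gallagher's tools, the WiFi Pineapple or any Comcast software. It parses 802.11 probe request frames and collects, per client MAC address, the SSIDs that client is asking for, which is exactly the shopping list an evil twin operator works from. The frames, MAC addresses and network names are constructed inline for the example; a real capture would come from a Wi-Fi adapter in monitor mode.

```python
"""Added example (not from the original article): parse 802.11 probe
request frames and show which remembered SSIDs a phone leaks.

Frame layout (IEEE 802.11 management frame): 2 bytes frame control,
2 bytes duration, addr1 (DA), addr2 (SA), addr3 (BSSID), 2 bytes
sequence control, then a list of information elements (IEs), each
1 byte tag, 1 byte length, value. Tag 0 is the SSID the client wants.
The sample frames, MACs and SSIDs below are constructed for the demo."""
import struct

MGMT_TYPE = 0
PROBE_REQ_SUBTYPE = 4
IE_SSID = 0
IE_SUPPORTED_RATES = 1


def parse_probe_request(frame: bytes):
    """Return (source_mac, ssid) for a probe request, or None if the
    frame is not a probe request or carries no SSID element. ssid is ''
    for a broadcast (wildcard) probe, which asks every nearby AP to
    answer and names nothing the client remembers."""
    if len(frame) < 24:
        return None
    fc = frame[0]
    ftype = (fc >> 2) & 0x3
    subtype = (fc >> 4) & 0xF
    if ftype != MGMT_TYPE or subtype != PROBE_REQ_SUBTYPE:
        return None
    src_mac = ":".join(f"{b:02x}" for b in frame[10:16])
    body = frame[24:]
    ssid = None
    pos = 0
    while pos + 2 <= len(body):
        tag, length = body[pos], body[pos + 1]
        value = body[pos + 2:pos + 2 + length]
        if len(value) < length:
            break  # truncated IE: stop rather than read past the frame
        if tag == IE_SSID and ssid is None:
            ssid = value.decode("utf-8", errors="replace")
        pos += 2 + length
    if ssid is None:
        return None
    return src_mac, ssid


def build_probe_request(src_mac: str, ssid: str) -> bytes:
    """Build a minimal probe request. Only used here to construct the
    sample capture; it is the same frame a phone sends on the air."""
    fc = (PROBE_REQ_SUBTYPE << 4) | (MGMT_TYPE << 2)
    src = bytes.fromhex(src_mac.replace(":", ""))
    bcast = b"\xff" * 6
    header = struct.pack("<BBH", fc, 0, 0) + bcast + src + bcast
    header += struct.pack("<H", 0)  # sequence control
    ssid_b = ssid.encode()
    ies = bytes([IE_SSID, len(ssid_b)]) + ssid_b
    ies += bytes([IE_SUPPORTED_RATES, 4, 0x82, 0x84, 0x8B, 0x96])
    return header + ies


def remembered_networks(frames):
    """Map each client MAC to the set of SSIDs it has probed for.
    Wildcard probes are skipped: they reveal nothing about the client."""
    result = {}
    for frame in frames:
        parsed = parse_probe_request(frame)
        if parsed is None:
            continue
        mac, ssid = parsed
        if ssid == "":
            continue
        result.setdefault(mac, set()).add(ssid)
    return result


# Constructed "capture": two phones, one of them also sending a wildcard probe.
SAMPLE_FRAMES = [
    build_probe_request("02:00:5e:00:00:01", "xfinitywifi"),
    build_probe_request("02:00:5e:00:00:01", "attwifi"),
    build_probe_request("02:00:5e:00:00:01", ""),
    build_probe_request("02:00:5e:00:00:02", "CableWiFi"),
]

if __name__ == "__main__":
    for mac, ssids in remembered_networks(SAMPLE_FRAMES).items():
        print(mac, "remembers", sorted(ssids))
```

Every name printed is one an attacker could answer to, with no password involved, because an open network is identified by nothing but that name.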
If Comcast required customers to log on to XFINITY WiFi every time, then automatically connecting to a legitimate xfinitywifi network would not be a security problem: a device that connected to the router/gateway would not be allowed out to the Internet until someone typed in a password.
Convenience is always the enemy of security.
Update: BTWiFi in the UK is very similar to XFINITY WiFi. It requires users to login every time.
But this restriction would not apply to evil twin xfinitywifi networks. Bad guys would gladly let you online without a password so that they could monitor your activity.
But, even this attempt at convenience causes issues. Three of the questions on the XFINITY FAQ page deal with devices being too eager to connect to XFINITY WiFi.
- My device always connects to the “xfinitywifi” signal – how can I set my private home network as the default?
- I cannot connect to my private home WiFi network or printer. What is wrong?
- Even when I’m home, my device always connects to the “xfinitywifi“ signal — how can I set my private home network as the default?
Ars' Gallagher found his iPhone automatically connecting to the xfinitywifi network of a neighbor.
After using the XFINITY WiFi network, or any popular network such as attwifi, the safe thing to do is to prevent your wireless device from automatically connecting to the next network with the same name.
This is harder than it should be.
As far as I know, neither iOS 7 nor Android 4.x can prevent the automatic re-connecting to Wi-Fi networks that have been used previously.
There is an option in iOS 7.1.1 (Settings -> Wi-Fi -> Ask to Join Networks) that sounds like it does this, but it only applies to new networks. Apple is very clear that "Known networks will be joined automatically". The one exception seems to be Android phones from AT&T where you can disable the option to "Automatically connect to AT&T Wi-Fi hotspot when detected".
So, that means we have to convert attwifi, xfinitywifi, CableWifi and other popular network names from known to unknown status.
On Android this is easy. At the bottom of the list of detected Wi-Fi networks are those currently "Not in range". Long press on a network to reveal the option to forget it (i.e. to make it unknown).
On iOS this is not easy.
In my test, an iPad running iOS 7.1.1 did not show previously used networks that are currently not detected. Maybe there are some, maybe there aren't. And the currently detected networks can only be joined, not forgotten. The only way to forget an individual network seems to be to first connect to it. Only then does the option to forget the network appear.
There is, however, a big hammer - erasing all network settings. In iOS 7.1.1, do Settings -> General -> Reset -> Reset Network Settings.
Then again, Apple users that employ iCloud Keychain may well find Wi-Fi networks from their laptops re-populating their iOS devices. And since iOS 7.1.1 does not reveal the list of known networks, this could easily go undetected. Ugh.
Personally, I leave home with Wi-Fi disabled.
While security is much more important than performance, we can expect XFINITY WiFi to cause wireless slowdowns. Comcast may allocate more wired bandwidth between the modem/router in your home and themselves, but they can't allocate more Wi-Fi channels.
In the 2.4GHz range, things can get ugly with extra guest users.
In crowded areas, this frequency band is already overloaded and not only with Wi-Fi users (my microwave oven interferes with my Wi-Fi something awful). The WiFi Analyzer screen capture below, taken in midtown Manhattan, illustrates the overcrowding.
If the xfinitywifi network runs on the same Wi-Fi channel as the home network, there will certainly be a loss of bandwidth to the private Wi-Fi user. If the xfinitywifi network runs on a nearby channel, things are likely to be even worse, as most of the available 2.4GHz channels overlap.
For example, a network on channel 7 appears as strong radio interference to a network on channel 6 and vice versa. Each suffers. Both networks would be better off on the same channel, where they could use the traffic cop feature of the underlying protocol (carrier sensing, CSMA/CA) to take turns instead of stepping on each other's feet.
Sebastian Anthony of ExtremeTech recently wrote that overlapping channels are "the primary reason for awful throughput on your wireless network." The only 2.4GHz channels that do not overlap are 1, 6 and 11.
The best case for a private home user whose network runs on channel 6, for example, is for the xfinitywifi network to use channel 1 or 11. But, that would create interference for anyone in the area using those channels. There is no good option in the 2.4GHz band.
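Here is an added example (mine, not from Comcast or ExtremeTech) that computes the overlap from the channel plan: channel n (1 to 13) is centred at 2407 + 5n MHz, channel 14 at 2484 MHz, and an 802.11b transmission is about 22 MHz wide (20 MHz for 802.11g/n). Two channels interfere when their centres are closer than the channel width. The code then ranks candidate channels for a second SSID using the rule above: a non-overlapping channel beats sharing the home channel, which beats a partly overlapping neighbour. The channel width and the list of neighbouring networks are assumptions for the example.

```python
"""Added example for the 2.4 GHz channel discussion (not from the
original article). The channel plan and widths are the IEEE 802.11
values; the neighbouring networks at the bottom are constructed."""


def center_mhz(channel: int) -> int:
    """Centre frequency of a 2.4 GHz channel in MHz."""
    if channel == 14:
        return 2484  # Japan only, 802.11b
    if 1 <= channel <= 13:
        return 2407 + 5 * channel
    raise ValueError(f"not a 2.4 GHz channel: {channel}")


def classify(a: int, b: int, width_mhz: int = 22) -> str:
    """Relationship between two channels: 'same' (they share the channel
    and take turns via CSMA/CA), 'overlapping' (they partly overlap, so
    each sees the other as noise) or 'clear' (no overlap)."""
    if a == b:
        return "same"
    if abs(center_mhz(a) - center_mhz(b)) < width_mhz:
        return "overlapping"
    return "clear"


def non_overlapping_plan(channels, width_mhz: int = 22) -> list:
    """Greedy set of mutually non-overlapping channels, lowest first."""
    chosen = []
    for ch in sorted(channels):
        if all(classify(ch, c, width_mhz) == "clear" for c in chosen):
            chosen.append(ch)
    return chosen


def rank_channels(neighbours, candidates=range(1, 12), width_mhz: int = 22) -> list:
    """Rank candidate channels for a new SSID given the channels already
    in use nearby (the home network included). Sort key: fewest partly
    overlapping neighbours, then fewest same-channel neighbours, then
    channel number. candidates defaults to the US channels 1-11."""
    def score(ch):
        kinds = [classify(ch, n, width_mhz) for n in neighbours]
        return (kinds.count("overlapping"), kinds.count("same"), ch)
    return sorted(candidates, key=score)


if __name__ == "__main__":
    print(non_overlapping_plan(range(1, 12)))       # US, 802.11b widths
    print(non_overlapping_plan(range(1, 14), 20))   # 13 channels at 20 MHz
    home, nearby = 6, [1, 11, 3]  # constructed neighbourhood
    print(classify(home, 7), classify(home, 1), classify(home, 6))
    print(rank_channels([home] + nearby))
```

With only the home network on channel 6 in range, the ranking comes out as 1 and 11 first, then 6 itself, then the overlapping channels, which is the ordering argued above. Running the same code with 13 channels at 20 MHz yields the 1/5/9/13 plan sometimes used in Europe, so the "only 1, 6 and 11" rule is specific to 22 MHz 802.11b-style spacing and the 11-channel US plan.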
So, how does XFINITY WiFi allocate channels? Peter Lewis asked, but he got nowhere.
Comcast does come clean on this, saying "Your in-home WiFi network, as well as XFINITY WiFi, use shared spectrum, and as with any shared medium there can be some impact as more devices share WiFi."
With so many technical details unknown (a full list is below), use of the XFINITY WiFi system requires trust in Comcast. Is this a reasonable thing to do, considering how many of their customers hate them?
In researching this I read my share of XFINITY WiFi documentation at Comcast.com. More than once they provided a link where customers could log in to their account to make changes.
The links are to http://customer.comcast.com, a page where customers enter their Comcast userid and password.
No one should ever enter a password on an insecure HTTP web page. That's what HTTPS is for*. And Comcast has a secure HTTPS version of the page. They just don't bother linking to it.
Then too, consider that XFINITY WiFi is enabled by default; customers have to actively opt out.
TURN IT OFF
Comcast has said that only 1% of their customers have opted to disable XFINITY WiFi. It may not be the "egregious monopolistic overreach" that Sebastian Anthony called it, but my guess is that most Comcast customers do not fully understand the risks. If you know a Comcast customer, you would be doing them a favor to point them to this blog.
There are three ways to disable XFINITY WiFi.
1) Go to https://customer.comcast.com from your home network. Log in, then click on "Users & Preferences", then "Manage XFINITY Wifi". There have been, however, multiple reports of website errors with this.
2) Call 1-800-XFINITY
3) Don't rent a box (Comcast calls them "gateways") from Comcast. Instead, buy your own cable modem and your own router. A commenter below pointed out that with VOIP service from Comcast, buying your own modem is not an option. In this case, have Comcast modify their gateway so that it runs in "bridge" mode and then add your own router. (Updated July 2, 2014)
Comcast is not my ISP, so there are many aspects of XFINITY WiFi that I can't test or verify. Here is what I don't know.
- Do the guests and homeowner share a public IP address? If not, do all guests share the same public IP address?
- How are Wi-Fi guests segregated from the private network? VLAN? Different IP subnet?
- When the FBI comes calling, how does Comcast differentiate traffic from a guest user vs. the homeowner?
- Can Comcast differentiate traffic among different guest users?
- Is the automatic logging on to XFINITY WiFi keyed off MAC addresses?
- Does XFINITY WiFi operate in the 2.4GHz band, the 5GHz band or both?
- In the 2.4GHz band, how does it allocate a Wi-Fi channel for the xfinitywifi network?
- Same question in the 5GHz band
- Is there any over the air encryption such as WPA2-AES?
Update January 3, 2015: The xfinitywifi networks that I have seen since writing this article have all had no security. No WEP, no WPA, no WPA2.
- Does enabling XFINITY WiFi slow down the private network?
- If a customer opts out of XFINITY WiFi at home, can they still use it away from home?
- If a customer has their own modem and router, can they use XFINITY WiFi when away from home? According to a comment below, the answer is yes.
- Can non Comcast customers, with either a free trial or a short term access pass, access a home router?
- How fast is the guest connection?
If I learn more, I'll update this blog.
*In the insecure HTTP version of customer.comcast.com, the form where the password is entered is an IFRAME that is included in the page with HTTPS. But, since the IFRAME is transmitted inside an insecure page, it can be modified in transit before you see it: anyone on the path can replace the frame with one pointing at a look-alike site, or add script to the parent page that covers it with a form of his own. Thus, your userid and password may be sent to bad guys. One of the benefits of HTTPS is that it ensures the data sent is the data received, and that only holds when the whole page, not just a frame inside it, is served over HTTPS.
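The check a practitioner would want for the login-page problem (the HTTP link above and the IFRAME footnote) can be automated. This is an added example written for this post, not code from Comcast or from any Comcast page: it scans the HTML of a page for password fields and IFRAMEs and reports the cases in which a password would be unsafe to type, including the one the footnote describes, an HTTPS frame placed by a parent page that was itself served over plain HTTP. The HTML samples and the frame URL login.example.com are constructed for the example; nothing is fetched from the network.

```python
"""Added example for the HTTP login page discussion (not from the
original article or from Comcast). It inspects a page's HTML for the
pattern in the footnote: a password form, or an IFRAME presumably
holding one, delivered inside a page served over plain HTTP.
The HTML samples and the iframe URL are constructed for the example."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse


class _LoginParts(HTMLParser):
    """Collect password fields (with their form's action URL) and iframes."""

    def __init__(self, page_url: str):
        super().__init__()
        self.page_url = page_url
        self.form_action = None
        self.password_targets = []  # URLs a password would be posted to
        self.iframes = []           # absolute iframe src URLs

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "form":
            self.form_action = urljoin(self.page_url, a.get("action", ""))
        elif tag == "input" and a.get("type", "").lower() == "password":
            # A form with no action posts back to the page itself.
            self.password_targets.append(self.form_action or self.page_url)
        elif tag == "iframe" and a.get("src"):
            self.iframes.append(urljoin(self.page_url, a["src"]))

    def handle_endtag(self, tag):
        if tag == "form":
            self.form_action = None


def audit_login_page(page_url: str, html: str) -> list:
    """Return a list of (problem, url) tuples; an empty list means the
    page is acceptable for entering a password."""
    parts = _LoginParts(page_url)
    parts.feed(html)
    page_secure = urlparse(page_url).scheme == "https"
    problems = []
    for target in parts.password_targets:
        if not page_secure:
            # A page served over HTTP can be rewritten in transit, so the
            # form cannot be trusted whatever its action attribute says.
            problems.append(("password_field_on_http_page", page_url))
        elif urlparse(target).scheme != "https":
            problems.append(("password_posted_over_http", target))
    for src in parts.iframes:
        if not page_secure:
            # The customer.comcast.com case from the footnote: the frame
            # is HTTPS, but the parent that places it is not, so someone
            # on the path can swap it for a frame of his own.
            problems.append(("iframe_in_http_page", src))
        elif urlparse(src).scheme != "https":
            problems.append(("http_iframe_in_https_page", src))
    return problems


# Constructed samples standing in for the two versions of the page.
INSECURE_PARENT = (
    '<html><body><h1>Sign in</h1>'
    '<iframe src="https://login.example.com/signin"></iframe>'
    '</body></html>'
)
SECURE_FORM = (
    '<form action="/signin" method="post">'
    '<input type="text" name="user">'
    '<input type="password" name="passwd"></form>'
)

if __name__ == "__main__":
    print(audit_login_page("http://customer.comcast.com/", INSECURE_PARENT))
    print(audit_login_page("https://customer.comcast.com/", INSECURE_PARENT))
    print(audit_login_page("https://login.example.com/", SECURE_FORM))
```

The same HTML passes when the parent URL is https and fails when it is http; the frame's own scheme never rescues an insecure parent, which is the footnote's point.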
NOTE: As mentioned above, I will be speaking on Securing a Home Router at the HOPE (Hackers on Planet Earth) conference next month. The conference is in New York City from July 18th thru the 20th. My presentation is on the 20th at 3PM.
Update January 11, 2015: The San Francisco Chronicle reported on Dec. 9 2014 that Comcast is being sued for turning home Wi-Fi routers into public hotspots.