About a year ago, Comcast started modifying the routers of some of their customers to create a quasi-public wireless system called XFINITY WiFi intended for use, mainly, by Comcast customers. Home users would see a new Wi-Fi network called "xfinitywifi" alongside their existing private wireless network.
In pushing the program, Comcast points out that when one of their customers visits another, the visitor can use the xfinitywifi network rather than the homeowners wireless network. They tout it as a security feature, since the homeowner gets to keep their Wi-Fi password secret. Of course, this ignores the fact that many routers offer guest networks to solve just this problem.
The big benefit is that when Comcast customers are traveling to an area served by Comcast, they can use this public Wi-Fi to get online. XFINITY Wi-Fi can save on typically limited 3G/4G bandwidth and it should be faster too.
Comcast makes XFINITY WiFi available to their business customers too and they have installed it at some public areas, such as the Universal Orlando Resort. It may even let someone get away with a cheap Wi-Fi only tablet as opposed to a model with built-in 3G/4G/LTE.
The company claims to have over a million XFINITY WiFi hotspots, another source put the current number at 3 million. Either way, Comcast plans to have 8 million by the end of 2014. To put this in perspective, Comcast has roughly 21 million Internet customers.
Is XFINITY WiFi a good thing or a bad thing?
On his This Week in Tech podcast on June 15th, Leo Laporte didn't know what to think. At Lifehacker, Melanie Pinola recently wrote "It isn't necessarily a terrible thing."
They, like many others who have addressed the topic, have probably not considered all the security issues. Here I will cover the obvious downsides to the service, some less than obvious drawbacks, and finally, a new security risk that no one has yet raised.
Focused on Defensive Computing as I am, XFINITY WiFi seems like a bad idea for Comcast customers, both those offering the free Wi-Fi on their routers and those using the system away from home. If you read this entire article to the end (warning: it's long), I am sure you will agree.
THE OBVIOUS OBJECTIONS
The knee-jerk objections have been addressed by Comcast.
The first reaction that many have is the fear that outsiders connecting to their home router will hog the bandwidth and slow down the Internet connection speed of the homeowner.
In response, Comcast says that they do not allow more than 5 xfinitywifi guest users at a time on any one router. They also say that "The broadband connection to your home will be unaffected by the XFINITY WiFi feature ... We have provisioned the XFINITY WiFi feature to support robust usage, and therefore, we anticipate minimal impact to the in-home WiFi network."
DOCSIS 3.0 cable modems get their speed, much like the ac flavor of Wi-Fi, by using multiple channels. Unlike Wi-Fi channels, DOCSIS channels refer to wired connections between the cable modem and the home office of the cable provider.
Some DOCSIS 3.0 modems have 4 channels in each direction, others have 8 downstream channels (from the Internet to you) and 4 upstream (from you to the Internet). It is possible that the Comcast gateway devices (Arris Touchstone models in Houston) are configured to send guest traffic over a different channel or channels than traffic from the homeowner. But, to be clear, this is speculation on my part.
I have not run across any tests with hard numbers, but my expectation would be that the bandwidth impact would be minimal.
Another obvious issue is that visitors might be able to interact with computers and other devices on the personal network (wired or wireless) since everything connects to the same gateway device. Addressing this, Comcast says "The XFINITY WiFi service is designed to work on a separate network so that your home network remains entirely secure." Here too, I have not run across any reports that put this claim to the test.
Samara Lynn, of PC Magazine, raised another concern - physical security. She writes that "People locate Comcast hotspots via an Xfinity app or through the Xfinity hotspot locator site. I would be concerned about my address being broadcast by the app or the website". Comcast does address this, but Lynn says "Comcast's vague statement on the matter is not reassuring".
IT WASN'T ME
The last of the obvious objections is accountability. What if a guest, using the Internet connection in your home, does something illegal? Something so bad that law enforcement agencies get involved. This has come up many times before and is, perhaps, the most important reason not to share your home Internet connection.
To the outside world, all computing devices in your home look the same. That is, they share a common public IP address (an IP address is the unique number that identifies a single entity on a TCP/IP network). You can see your public IP address at ipchicken.com, ip2location.com and many other places.
Nothing I have read says that XFINITY WiFi guests are assigned their own public IP address. If they are not, anyone offering the service from their home, runs the risk of men with guns knocking on their door.
Comcast says that if the FBI comes knocking, there is no need to worry; illegal activity can be traced back to the guest who is a known Comcast customer.
That Comcast has to say this, however, shows that illegal activity is not easily traced to real culprit.
And even if Comcast can relate any illegal activity to their customer who was a guest on your home router at 9:56pm on Tuesday, would you trust one of the most hated companies in the U.S. to have your back in this case? That there are no detailed explanations of how this works, just makes one more doubtful.
In addition, XFINITY WiFi is not limited to Comcast customers, making the task of identifying the real perpetrator of illegal activity that much harder.
As shown in the screen shot below of the Comcast FAQ page, there are two ways that anyone can hop onto the system: a free trial and a short term access pass. Bad guys with stolen credit cards can get online for an hour ($2.95), a day ($7.95) or a week ($19.95). Bad guys without a credit card can use two free sessions of an hour each.
In fairness, Comcast offers the one hour free sessions only at "select XFINITY WiFi hotspot locations". But exactly what that means, they don't say. Likewise, the access passes are not available in all locations. Whether that means you can't buy them everywhere or you can't use them everywhere is, again, not spelled out.
THE LESS OBVIOUS DANGERS
The first problem with the Comcast claim that the guest network is separate from the homeowners private network is that there are no technical details on how this is done. The data traffic needs to be separate over the air, in the router and as far as anyone on the Internet can discern.
Comcast has not said if xfinitywifi traffic is encrypted over the air, a huge omission. Their FAQ page has one relevant sentence: "Whenever you sign in, we help protect your privacy and the safety of your Comcast Email or username and password by providing 128-bit encryption on the sign in page". In other words, their sign-in page uses HTTPS. WPA2? None of our business.
Heck, they don't even say which Wi-Fi frequency band (2.4GHz or 5GHz) they use.
Is this miserable documentation due to incompetence or was it carefully crafted to hide oversights in the technology?
However it is done, the device that separates the public and private networks in your home is the gateway device, a combination modem and router.
Next month, at the Hackers On Planet Earth (HOPE) conference, I will be giving a presentation on "Securing a Home Router". In part, I was drawn to the subject because of the huge parade of ghastly security flaws in routers. It seems when it comes to router firmware, quality is job 326.
With 8 million of them in the field, the devices used for XFINITY WiFi will surely be prime targets for bad guys. If they have flaws, someone is sure to find them.
Another security issue involves the userid/password used to logon to XFINITY WiFi. It is the same one used to logon to the Comcast website to manage an account. If a bad guy got hold of it (more on this below) there is a huge potential for abuse.
They can see your billing details and read your webmail. They can add HBO and Cinemax to your account. Worst of all, they can logon to XFINITY WiFi as you, do something illegal and have everything point back to you.
A much better approach would have been for Comcast to let their customers create a new userid and password, one that is only valid for XFINITY Wi-Fi. Better yet, there should be a Wi-Fi only userid/password for each member of the family. A single userid/password being used for everything is too tempting a target.
MAC ADDRESS SPOOFING
Perhaps the biggest security issue with XFINITY WiFi involves the "Automatic Sign In".
According to Comcast anyone using XFINITY WiFi when away from home only has to logon with their Comcast userid/password once from any given wireless device. Afterwards, the system recognizes the device automatically.
... once you have successfully signed in using a Wi-Fi enabled device, your device will be registered for Automatic Sign In and you will not be required to provide your Comcast ID and password to connect to the XFINITY WiFi network using the same device ... You can register up to 20 of your Wi-Fi-enabled devices with our automatic sign-in feature.
After the previous point, this may sound like a good thing, since the Comcast userid/password is not being sent over the air. I suspect, however, that it is a big security flaw.
How does this work? Needless to say at this point, I could find no relevant documentation.
How might it work?
If Comcast required their software on wireless devices, then their software could generate some type of unique identifier that was only known to Comcast. But their software is not required. Any wireless enabled device can logon to XFINITY WiFi. So, how might Comcast uniquely identify a particular device?
By MAC address (MAC, all upper case, is a network identifier; Mac, with the ac in lower case, is a computer from Apple).
All wired and wireless network hardware has a unique 48 bit identifier called a MAC address. From the start, MAC addresses were designed to be globally unique. The first 24 bits identify the company that made the hardware, the last 24 bits function as a serial number for the device.
A router has at least three MAC addresses, one for its WAN connection to the Internet, one for its LAN connection and one for its Wi-Fi radio. A dual band router will have a MAC address for each wireless band. You can usually find the MAC addresses of a router on a sticker on the bottom.
If you have ever dealt with configuring a router, you may have run across a security feature called MAC address filtering. This lets you tell the router the MAC addresses of known trusted Wi-Fi devices. These devices are allowed in, all others get blocked. You can see a demo of configuring MAC address filtering for an Asus router here.
Sound like a great security feature? No one uses it.
In reality, it offers hardly any security, at least for wireless.
MAC addresses are always broadcast unencrypted over the air. The underlying communication protocol requires this. So, anyone who found themselves blocked by a router using MAC address filtering, could just listen for a valid MAC addresses communicating with the target network and then pretend to be that device. The pretending (called spoofing) is not all that hard.
Getting back to XFINITY Wifi, we can now understand what I see as its biggest security problem. Rather than use a free one hour session, a bad guy can park near an xfinitywifi network and make a note of the MAC addresses of the devices using the network. Then all they need to do is fake their MAC address, get automatically signed in, do something illegal, and an innocent Comcast customer is in for all kinds of hell.
There is no defense here either.
The best security for public Wi-Fi networks, a VPN, does not protect prevent a bad guy from seeing the MAC address of your wireless device. The VPN will encrypt stuff, but that stuff gets sent to the router in a clump of bits ("packet" is the official term) that includes the unencrypted MAC address.
That said, Comcast has been rolling out XFINITY WiFi for an entire year. At the least, they have over a million hotspots. It's hard to believe that I am the first person to publicly raise this issue.
So I did some searching, and found a six month old reddit posting where someone claimed that spoofing their MAC address to aa:bb:cc:dd:ee:ff (all valid hexadecimal digits) got them on a "CableWiFi" network without having to provide credentials. If true, it would not be a surprise. It would also mean (if it was true) that the CableWiFi system keyed off MAC addresses. And if they do, it is likely that XFINITY WiFi does too.
EVIL TWIN NETWORKS
Then too, there is the classic Wi-Fi issue - evil twin networks.
Last June, when Comcast was offering free access to their XFINITY WiFi system for the July 4th holiday, I warned about evil twin networks. My main point was that assuming a wireless network called "xfinitywifi" actually belonged to Comcast was a leap of faith.
That anyone can name their network anything, is probably the biggest skeleton in the closet for Wi-Fi.