Screw the heavy lifting, the most annoying part of moving in 2020 was the lack of Internet in my new place while waiting to get my service setup. This was compounded by the fact that the apartment is basically one gigantic LTE deadzone.
One available Wi-Fi network represented a siren call of connectivity: xfinitywifi. This is Comcast’s public network for its customers to use when out and about, broadcast from many of its customer’s modems. While this was a tempting choice, public Wi-Fi networks are always extremely risky. Plus, Comcast introduces its own customers to security risks when it uses their hardware to broadcast a public network.
The Problem with Public Wi-Fi
Public Wi-Fi networks are a security nightmare. Frankly, they should be avoided at all costs. Yes, even at the coffee shop.
First off, you have no way to tell if a public Wi-Fi access point is a legitimate service or if it’s a rogue hotspot purposefully set up by attackers to steal data. A wireless network turned on at O’Hare International Airport named “O’Hare Guest Wi-Fi” could attract hundreds of connections – including business travelers working on their laptops – even as a fake network created by the bad guys!
Further, many public Wi-Fi networks are unencrypted – this means the data you send or receive on the network is visible to anybody else who is connected and looking for it. Even if the network is legitimate, cyber criminals themselves can access the network and deploy hardware or software tools to intercept and read any and all data you send or receive on the network.
In a value-packed bundle for its customers, Comcast’s xfinitywifi networks are particularly susceptible to both of these flaws, while adding at least one other fairly serious vulnerability.
The Problems with Comcast’s xfinitywifi
Comcast uses its customers’ modems to broadcast a secondary access point it calls an Xfinity WiFi Home Hotspot. This is a public, unsecured network always called “xfinitywifi.” Because Comcast uses both business and residential customer modems to broadcast this network, you see it very frequently.
The fact that Comcast uses its own customer’s private hardware to broadcast the secondary public network is an issue in itself. While it can be turned off, the device’s default behavior is to turn it on. Comcast says that xfinitywifi signals are broadcast as entirely separate from private home networks, but the fact is that they come from the same device. Unless there is physical separation of the hardware within the device, there is a possibility that an attacker could bridge the gap.
No password is required to connect to xfinitywifi, but after connecting you will be brought to a secondary login page where you need to enter your Xfinity username and password to get Internet access. Once connected, Comcast records the device’s MAC Address to allow for automatic reconnection in the future – though they do need to login every time they connect to the network with a new device.
The default auto-connect feature is fairly dangerous, especially with a public network as widespread and as accessible as xfinitywifi is. When commuting on the T in Boston, you can pass in and out of dozens of xfinitywifi networks. You can usually connect to xfinitywifi access points in coffee shops too, and the convenience of auto-connecting encourages users to use that network. If you’re the type to check and send emails on your commute, or sit down and work in a cafe (in non-pandemic times) it’s very possible your emails and anything else you transfer on such networks can be read.
To give a specific example of how you could be hacked in one of these situations, we can take a look at a known vulnerability caused by the unsecured network and Comcast’s implementation of MAC Address authentication and automatic reconnection.
Vulnerability CVE-2017-9475 was publicly disclosed during the summer of 2017. It describes the manner in which a cyber criminal connected to xfinitywifi can launch a sniffing attack to collect the MAC Address of other users on the network. From there, attackers can spoof their MAC Addresses to look like other legitimate Comcast customers and make comcast attribute all of the criminals potentially illegal web activity to the victimized customer.
This is just one tiny example of data cyber criminals can collect and it can be used to make unwitting Comcast customers look like criminals themselves!
To make matters worse, it’s fairly easy for attackers to spoof xfinitywifi networks. Comcast doesn’t clearly communicate the auto-reconnect feature to customers, so it’s likely someone could find and connect to a fake xfinitywifi hotspot if no other options are available.
When connecting, such a user would be expecting to enter their login information. Clever attackers could even add Xfinity branding to their fake login page to sell the illusion.
Same same, but different: XFINITY Wi-Fi
Another wireless network broadcast from private residential modems is simply called XFINITY.
This network features the little lock icon and will ask for user credentials before you can even attempt to connect. Unlike xfinitywifi, XFINITY access points are encrypted.
In order to connect to XFINITY access points, users need to download and use their Comcast credentials to login into the Xfinity WiFi Hotspot app. No app? No secure Wi-Fi access.
The app has a map of non-residential access points and will help ensure users don’t accidentally connect to a rogue network.
Altogether these improvements do make XFINITY networks significantly more secure than xfinitywifi networks, but it’s still public Wi-Fi.
A determined hacker connected to the same hotspot can gather encrypted data and some encryption methods can be broken – it just takes more time and effort.
Plus, data sent over HTTP instead of HTTPS is not encrypted and could still be viewed by others connected to the network. Users can usually make sure they connect to websites via HTTPS or avoid ones that still use HTTP, there’s no way to control whether or not mobile messenger and productivity apps do so since there is no address bar to interact with.
So how can I use public Wi-Fi?
Ultimately, we recommend that you never, ever use public Wi-Fi.
There are simply too many variables that you can’t control. There’s never a guarantee that it’s entirely safe.
If you’re traveling or want to work in a coffee shop, the safest thing you can do is use a personal data access point. In a pinch, almost all modern smartphones can be used as on-demand Wi-Fi routers. This puts you in control, allowing for confidence that your connection is secure.
If you can’t use smartphone tethering and absolutely must connect to public Wi-Fi, we recommend that you at least use a VPN (Virtual Private Network). VPNs encrypt your data and make it very difficult for would-be attackers to intercept sensitive information.
How to turn off xfinitywifi?
Once I moved in, settled, and got my own Internet connection up and running, I made a point to disable the Xfinity Home Hotspot feature. Thankfully, Comcast makes it fairly easy to do so.
Login to your Xfinity account and go to customer.xfinity.com/#/settings/hotspot and flip the switch from “on” to “off.”
Better safe than sorry!
Want to get great cybersecurity content delivered to your inbox? Sign up for our monthly newsletter, Tales from the Click! https://fractionalciso.com/newsletter/