The Xfinity Wi-Fi service from Comcast is disclosing the full name and home address of residential customers, which is something the company says isn’t supposed to happen.
The disclosure of such information increases an already exposed attack surface, by allowing anyone with malicious intent to selectively target their marks.
It has been just over two years since Comcast launched the Xfinity Wi-Fi service, which created a separate wireless network in homes and businesses for existing customers and the general public.
This network, often identified with an SSID of “xfinitywifi” is supposed widen the availability of Wi-Fi access for customers, and it is sometimes pitched as a security measure, since customers with Xfinity Wi-Fi enabled can let visitors use the guest network, thus keeping the primary Wi-Fi password a secret.
There were two issues that immediately cropped up when this service was initiated, physical security and accountability.
The physical security concern existed because customers didn’t want their names and home addresses to appear in the public Xfinity Wi-Fi search results. Comcast addressed that fear in the media and public FAQs informing customers that only business information would be shared – customer names and home addresses would not appear on the map.
But the problem is, names and addresses were listed, and they're still being displayed in the search results when someone searches for an Xfinity Wi-Fi hotspot.
The following composite image shows residential customers with Xfinity Wi-Fi enabled. They are all in the same town, in the same state, and according to a public records search – none of them have ever been registered as a business. Please note: This image has been redacted by Salted Hash to remove the customer's last name, address, and the map markers which might identify their location.
Clearly this is an error on Comcast’s part, and when Salted Hash last spoke to Comcast about these customers, the representative said they would look in to it.
“I can confirm that our policy is to only include addresses of small business Wi-Fi hotspot locations and of outdoor/public/shopping district hotspot locations,” a Comcast spokesperson explained via email when asked about the information disclosure.
Again, as this article was being written, the customer information was still available via the Xfinity Wi-Fi website as well as the mobile app provided by Comcast.
Having a name and address exposed might not seem like a big deal to some, as its public information. However, this is data that Comcast isn’t supposed to be sharing, and as mentioned, it’s also something the company stated rather clearly that they wouldn’t share.
A criminal, armed with little more than the Comcast Xfinity application and a laptop, can pull enough public information to selectively target a person within minutes.
A person’s full name and address, along with the city and state, can be used to pull mortgage documents, which in turn often reveal banking details. With those records combined, a criminal could develop a targeted Phishing campaign aimed at financial gain. Or worse, they could use the information to develop a new ID and attempt to get loans in their victim’s name.
What Comcast’s mistake has done is open the door to a level of exposure that most people don’t consider. Again, a person’s name and address are public record, but no one expects their Internet provider to provide it to the masses complete with a link to “get directions to this location.”
Another level of exposure centers on accountability.
Comcast customers, when the Xfinity Wi-Fi service came online, worried that criminals would use their shared wireless access to commit crimes, leaving the customer taking the fall.
Comcast, in a statement to Salted Hash, said that each user must sign-in with an email address and the device’s MAC address is also logged. Moreover, there are two IP addresses in use on the Xfinity Wi-Fi service, one for the homeowner and one for the hotspot (guest account). Thus, it’s possible for Comcast to tell who was doing what, which should make residential customers feel at ease - since a criminal can't use the service for illegal activities while leaving them on the hook.
Only, that isn’t exactly true.
Comcast says that all usage is tied to the account holder and the MAC address of their device. For non-customers, or those that use the guess access offered by the Xfinity Wi-Fi service, their usage is tied to their email account and the MAC address of the registered device.
Ken Smith, senior security architect with K Logix in Brookline, Ma., discovered that Comcast is relying on the device’s MAC address as a key component of authentication. He made this discovery while doing a bit of digging on his system for research unrelated to this story.
Smith says that Wireshark captures and wireless logs makes it appear that Comcast stores the user’s MAC address in a database the first time a device is connected (where the user is presented with a request to provide Comcast login).
Once that initial login and registration is done, the next time the user is near an ‘xfinitywifi’ hotspot, they’ll auto-associate with access point with a password of “password” and a check to confirm that the MAC address on the device matches the one previously stored in the database. If that happens, access is granted. Comcast’s documentation supports Smith’s findings.
Auto-association is generally a bad way to deal with Wi-Fi access, but it’s also the most common form of access used. This issue isn’t new either, security experts have warned against trusting auto-associated hotspots for years.
In 2014, Greg Foss at LogRhythm discussed the issue of Xfinity Wi-Fi auto-association, and how a criminal could imitate the “xfinitywifi” SSID to trick Comcast customers into handing over their usernames and passwords.
A criminal that’s armed with legitimate Comcast usernames and passwords could exploit verification process the Xfinity Wi-Fi hotspot, because if the MAC address doesn’t match, they can authenticate and register a new one using the stolen credentials.
Foss developed some scripts to mimic a Comcast login page that could be used with a WiFi Pineapple from Hak5. Those scripts were later removed from their official hosting point, but they’re still freely available for anyone who wanted to look for them.
Another way to exploit the verification process would be to scan the wireless traffic near an Xfinity Wi-Fi hotspot and make note of the MAC addresses that are using the network. From there, the criminal could spoof the MAC address on their device and connect automatically using one of the previously authenticated ones.
In some cases, the criminal could connect as the customer by spoofing the homeowner's MAC address, which would leave them on the hook for any additional acts taken on the compromised account.
Comcast has taken some steps to secure the Xfinity Wi-Fi service recently, but their efforts have actually created a new problem.
Apple and Android users can download a new security application for Xfinity Wi-Fi (it isn’t available for Windows users) that will create a secure profile and protect their wireless sessions.
However, researcher Ken Smith discovered that the process of developing the secure profile on the device downloads a file (XFINITY.mobileconfig) containing the Xfinity Wi-Fi login name (often firstname.lastname@example.org) and password in clear text.
Comcast discourages customers from disabling the Xfinity Wi-Fi hotspot service. Their support page explains why:
“We encourage you to keep your XFINITY WiFi Home Hotspot feature enabled as it allows more people to enjoy the benefits of XFINITY WiFi and you will no longer need to provide your private XFINITY WiFi home network password to guests.”
Again, they drop hints that this service has security benefits. It doesn’t, and for some customers the service created additional risk by exposing their names and home addresses, as well as relying on technical controls that can be defeated with a bit of time and a small amount of effort.
Instructions on how to disable Xfinity Wi-Fi are online.