Have you been waiting for Comcast\u2019s evil-yet-genius exploit-home-routers business plan to blow up in the company\u2019s face? That wait may be over as a proof-of-concept \u201cevil xfinitywifi\u201d access point could potentially help attackers with widespread MITM attacks aimed squarely at Comcast customers.After claiming that neither LogRhythm Labs nor author Greg Foss are liable for any illegal activities that might occur, readers of The Dialog are introduced to a Comcast nightmare called Xfinity Pineapple.Comcast\u2019s evil genius Xfinity Wi-Fi plansLast week in Houston, Comcast turned 50,000 residential Xfinity modems into public Wi-Fi hotspots, but it\u2019s coming to Denver, San Francisco and all over the US; Comcast's plan to use customers\u2019 routers to create a mesh of public Wi-Fi will result in about 8 million Wi-Fi hotspots in 19 of the largest U.S. cities. Comcast claims its routers broadcast two Wi-Fi signals. \u201cBy default, one is securely configured for the private use of the home subscriber. The second is a neighborhood 'xfinitywifi' network signal that can be shared\u201d by visiting Xfinity Internet subscribers who sign in with their own usernames and passwords.Comcast also claimed that less than 1% of its customers are opting out of having their Xfinity WiFi as a home hotspot, but there have been a plethora of concerns about leeched bandwidth causing slowed connection speeds and increasing security risks. If people need another \u201csecurity-threat\u201d reason to opt-out, such as \u201chow hackers can leverage this vulnerability feature for evil\u201d \u2026 meet the evil Xfinity WiFi Pineapple access point.About WiFi Pineapple and MITM attacksA connectivity \u201cfeature\u201d in wireless devices like laptops, smartphones and tablets can be tricked into thinking it is connecting with a familiar or \u201csafe\u201d wireless access point. When your device is looking to connect, it asks \u201cAre you my router?\u201d In this case, a WiFi Pineapple, and not the known familiar router, answers, \u201cYes I am!\u201d Your device connects and you step into a trap with no idea anything is out of the ordinary. WiFi Pineapples can create hot-spot honeypots and are used by G-men, hackers and researchers for man-in-the-middle (MITM) attacks. A user has no clue their device connected to a WiFi Pineapple instead of a \u201ctrusted\u201d access point, or that an attacker is secretly stealing passwords and other sensitive data.Xfinity PineappleAlong with plenty of CYA warnings not to use the scripts to steal users\u2019 credentials, Foss posted the proof-of-concept \u201cevil xfinitywifi\u201d access point code on GitHub. \u201cThis is basically a modified version of the Comcast shared WiFi interface, transformed to steal user's Xfinity\/Comcast account credentials.\u201dThere are plenty of Xfinity WiFi access points that can be found either via Comcast or by using Xfinity WiFi Android or Apple apps. Basically a user who was tricked into connecting to the Xfinity Pineapple would see what appears to be a legitimate Comcast Xfinity WiFi splash page that says to \u201cplease log in to continue\u201d followed by a sign-in button. Doing so, however, would mean everything you\u2019re doing is going to the attacker. Put another way, if you enter your Comcast username and password, then everything you can do on Comcast with those credentials \u2013 access email, billing, add services, order new TV channels or pay per view \u2013 now an attacker can do that with your credentials too.Foss gives the how-to details, but notes:None of what we talked about here applies explicitly to Comcast, this can be done on any public access point, though stealing Comcast credentials does have the added advantage of providing attackers with credentials they can later use to mask their online activity. For this reason, users should take steps to protect themselves and be cautious when using these networks.First and foremost, Comcast customers can disable this feature if they are so inclined.If you have connected to an Xfinity access point in the past, you will pre-authenticate to any Xfinity access point going forward, this includes a masquerading Pineapple. This will not expose your credentials, but all your traffic will be passed through a potentially hostile access point.When not using WiFi on your phone \/ laptop \/ tablet, disable it, especially when in crowded areas such as an airport.When joining one of these access points, try to verify that one really does exist in this area using the Xfinity WiFi app on iOS\/Android\u00a0or by reviewing their Access Point Map.Real Xfinity access points will redirect you to https:\/\/wifilogin.comcast.net\u00a0to authenticate, though this could also be fudged by an attacker using DNS Spoofing so it is not a dead giveaway. The real identifier here is that the legitimate landing page is using SSL and has a valid certificate. This can be spoofed as well, but is much harder.When connecting to any open Wireless network, use a VPN service\u00a0to encrypt your traffic.Be careful out there!