Comcast Hotspot

So all I have to do is name my guest WIFI XfinityWifi, point it to a machine on my network, create a fake Comcast log on page, and I can then capture the credentials of anyone that tries to access their Comcast mail. I could go further and do some code to just pass the XfinityWifi data through my box and intercept anything the user of that hot spot sends or receives. Most users would never notice the lack of HTTPS on the log on page.
This whole thing seems like a large security risk for Comcast customers.

Heck, go all the way and grab an SSL cert, since they're so cheap. Give 'em the green box. Then grab the creds and you've now uncapped yourself.

rody_44 Premium Member join:2004-02-20 Quakertown, PA
to raythompsontn
You have no capability to see the wireless network on the wifi side. It's a totally different network that isn't accessible from the other. You can do it by actually logging into the wifi side. But that's a risk with any free wifi and something you can do by parking outside Starbucks or McDonald's.

1 recommendation
to raythompsontn
I have Comcast HSI, but I seriously dislike the idea of anyone else (i.e. strangers) using my router and modem to access the internet via an "open" or "public" gateway. Since I own my own router and modem (which is way cheaper than renting equipment from Comcast, anyway), it seems I would have zero incentive to switch over to using Comcast-provided hardware to provide this "service" to other folks, since I gain nothing from doing so, I would incur additional potential security risks on my end, and I would incur additional hardware costs for the "privilege" of providing such a hotspot.

to rody_44
said by rody_44: You have no capability to see the wireless network on the wifi side.
I am quite aware of that. I can, however, name my guest WIFI network the same as Comcast as I am not running a Comcast router. People would now think that my network is the Comcast network. I can now do with that traffic what I please as I now have access to that WIFI network. Any public WIFI is risky. There is nothing stopping any business with "free" WIFI from naming their network the same as Comcast. I would never use a public WIFI to access anything that requires any sort of credentials as those credentials may get exposed. I may read something on the web, check weather, etc. But nothing else.

to raythompsontn
said by raythompsontn: This whole thing seems like a large security risk for Comcast customers.
See this article: Comcast XFINITY WiFi: Just say no
By Michael Horowitz, Computerworld - June 27, 2014
» blogs.computerworld.com/ ··· t-say-no
Also, check out the xfinitywifi thread in the Comcast HSI forum:
» [WiFi] xfinitywifi channel

rradina join:2000-08-08 Chesterfield, MO
to iansltx
Price == cheap but if you are caught, it's going to be pretty hard to say someone bought a certificate with your name (and whatever ID you have to provide -- SSN, DLNO, bank account, etc.) and then hacked your router to put up a honeypot. "Honest detective, I didn't know anything about it!"

rradina
to raythompsontn
The smart deviant would deploy the subterfuge randomly and then only long enough to maintain a set of working credentials. By spreading extra usage across a dozen accounts, the theft is never detected. Of course this might be more trouble than it's worth and if caught, certainly very costly.

cork1958 Cork Premium Member join:2000-02-26
to raythompsontn
said by raythompsontn: This whole thing seems like a large security risk for Comcast customers.
Only a matter of time before somebody figures out how to break in! I've already lost count of how many people I've e-mailed instructions on how to disable this crap to!

ITGeeks join:2014-04-20 Cleveland, OH
to rradina
You only need a debit/credit card; those are free at local stores via prepaid systems.

ITGeeks
to billburnett
It's not your modem nor router when it belongs to them. And it wouldn't be your Internet since the free wifi side rides on another network.

ITGeeks
to cork1958
But would it be okay for Google to do it?

rradina join:2000-08-08 Chesterfield, MO
to ITGeeks
Are you sure you can buy a cert from a root authority that's part of all browsers with absolutely NO identification? If true, I have no idea why we even bother with HTTPS or updating our browsers to keep root certificates updated.

ieolus Support The Clecs join:2001-06-19 Danbury, CT Netgear R6400
to ITGeeks
said by ITGeeks: And it wouldn't be your Internet since the free wifi side rides on another network
Another network... that happens to go through your house. Good luck with that argument.