dslreports logo
 
    All Forums Hot Topics Gallery
spc
Search similar:


uniqs
91
raythompsontn
join:2001-01-11
Oliver Springs, TN

raythompsontn

Member

Comcast Hotspot

So all I have to do is name my guest WIFI XfinitityWifi, point it to a machine on my network, create a fake Comcast log on page, and I can then capture the credentials of anyone that tries to access their Comcast mail. I could go further and do some code to just pass the XfinityWifi data through my box and intercept anything the user of that hot spot sends or receives. Most users would never notice the lack of HTTPS on the log on page.

This whole thing seems like a large security risk for Comcast customers.
iansltx
join:2007-02-19
Austin, TX

iansltx

Member

Heck, go all the way and grab an SSL cert, since they're so cheap. Give 'em the green box. Then grab the creds and you've now uncapped yourself
rody_44
Premium Member
join:2004-02-20
Quakertown, PA

rody_44 to raythompsontn

Premium Member

to raythompsontn
You have no capability to see the wireless network on the wifi side. Its a totally different network that isnt accessable from the other. You can do it by actually logging into the wifi side. But thats a risk with any fee wifi and something you can do by parking outside starbucks or mcdonalds.
billburnett
Premium Member
join:2005-12-06
Oak Harbor, WA

1 recommendation

billburnett to raythompsontn

Premium Member

to raythompsontn
I have Comcast HSI, but I seriously dislike the idea of anyone else (i.e. strangers) using my router and modem to access the internet via an "open" or "public" gateway. Since I own my own router and modem (which is way cheaper than renting equipment from Comcast, anyway), it seems I would have zero incentive to switch over to using Comcast-provided hardware to provide this "service" to other folks, since I gain nothing from doing so, I would incur additional potential security risks on my end, and I would incur additional hardware costs for the "privilege" of providing such a hotspot.
raythompsontn
join:2001-01-11
Oliver Springs, TN

raythompsontn to rody_44

Member

to rody_44
said by rody_44:

You have no capability to see the wireless network on the wifi side.

I am quite aware of that. I can, however, name my guest WIFI network the same as Comcast as I am not running a Comcast router. People would now think that my network is the Comcast network. I can now do with that traffic what I please as I now have access to that WIFI network.

Any public WIFI is risky. There is nothing stopping any business with "free" WIFI to name their network the same as Comcast.

I would never use a public WIFI to access anything that requires any sort of credentials as those credentials may get exposed. I may read something on the WEB, check weather, etc. But nothing else.

telcodad
MVM
join:2011-09-16
Lincroft, NJ

telcodad to raythompsontn

MVM

to raythompsontn
said by raythompsontn:

:
This whole thing seems like a large security risk for Comcast customers.

See this article:

Comcast XFINITY WiFi: Just say no
By Michael Horowitz, Computerworld - June 27, 2014
»blogs.computerworld.com/ ··· t-say-no

Also, check out the xfinitywifi thread in the Comcast HSI forum: »[WiFi] xfinitywifi channel
rradina
join:2000-08-08
Chesterfield, MO

rradina to iansltx

Member

to iansltx
Price == cheap but if you are caught, it's going to be pretty hard to say someone bought a certificate with your name (and whatever ID you have to provide -- SSN, DLNO, bank account, etct.) and then hacked your router to put up a honeypot. "Honest detective, I didn't know anything about it!"
rradina

rradina to raythompsontn

Member

to raythompsontn
The smart deviant would deploy the subterfuge randomly and then only long enough to maintain a set of working credentials. By spreading extra usage across a dozen accounts, the theft is never detected. Of course this might be more trouble than it's worth and if caught, certainly very costly.

cork1958
Cork
Premium Member
join:2000-02-26

cork1958 to raythompsontn

Premium Member

to raythompsontn
said by raythompsontn:

This whole thing seems like a large security risk for Comcast customers.

Only a matter of time before somebody figures out how to break in!

I've already lost count of how many people I've e-mailed instructions on how to disable this crap to!
ITGeeks
join:2014-04-20
Cleveland, OH

ITGeeks to rradina

Member

to rradina
you only need a debit/credit card, those are free at local stores via prepaid systems.
ITGeeks

ITGeeks to billburnett

Member

to billburnett
It's not your modem nor router when it belongs to them. And it wouldn't be your Internet since the free wifi side rides on another network
ITGeeks

ITGeeks to cork1958

Member

to cork1958
But would it be okay for Google to do it?
rradina
join:2000-08-08
Chesterfield, MO

rradina to ITGeeks

Member

to ITGeeks
Are you sure you can buy a cert from a root authority that's part of all browsers with absolutely NO identification? If true, I have no idea why we even bother with HTTPS or updating our browsers to keep root certificates updated.

ieolus
Support The Clecs
join:2001-06-19
Danbury, CT
Netgear R6400

ieolus to ITGeeks

Member

to ITGeeks
said by ITGeeks:

And it wouldn't be your Internet since the free wifi side rides on another network

Another network... that happens to go through your house. Good luck with that argument.