dslreports logo
Users Should be Wary When Using AT&T, Comcast Hotspots

Ars Technica points out that users of AT&T and Comcast's growing number of public Wi-Fi hotspots are leaving themselves exposed to surreptitious hacking of their Internet traffic and the disclosure of personal information.

While this is not particularly surprising -- any SSID can be spoofed and most coffee shop patrons or airport visitors can be easily misidrected -- the problem is that the credentials the users use to log into the public hotspots are the same ones used to access subscriber information via ISP portals:

quote:
Comcast’s Xfinity wireless hotspots present a Web page for login that requests a customer’s account ID and password, and each time you connect to a new hotspot it re-authenticates you. But if you’ve connected once during the day, the hotspot remembers your device and reconnects you without prompting.

That means that if someone were to set up a malicious Wi-Fi access point called “xfinitywifi,” devices that have connected to Xfinity’s network before could automatically connect without alerting the user or asking for the password. Alternatively, using a “honeypot” tool such as PwnStar, an attacker could spoof both the “xfinitywifi” SSID and the Xfinity login page—stealing their Xfinity credentials in the process.
As Ars notes, it's not hat AT&T and Comcast's hotspots are insecure in and of themselves, but the use of auto-authentication and the sheer volume of users connecting to them make them a tasty target smart users will want to take precautions against.
view:
topics flat nest 

Darknessfall
Premium Member
join:2012-08-17
Motorola MG8725
Asus RT-N66

Darknessfall

Premium Member

Hotspot 2.0

We need hotspot 2.0 implemented on these hotspots. I don't really care much about AT&T hotspots as I rarely see them.

I usually just check the networks to be linked to BelAir or look for the matching HOME-XXXX SSID to see if it's real. I guess the wireless MAC could be spoofed too so it would seem like a BelAir or Arris device.

tshirt
Premium Member
join:2004-07-11
Snohomish, WA

tshirt

Premium Member

Re: Hotspot 2.0

said by Darknessfall:

We need hotspot 2.0 implemented on these hotspots.

Cable labs was part of the hotspot 2 working group along with ruckuss and Wireless Broadband Alliance.
So you'd think it might be in the works, but if on the radar it should be important enough to do FIRST, before accounts get hijacked

bmccoy
join:2013-03-18
Port Orchard, WA

bmccoy

Member

Comcast will get what they deserve.

Sooner or later, somebody will start spoofing xfinitywifi hotspots and use them for free HBO Go.

IPPlanMan
Holy Cable Modem Batman
join:2000-09-20
Washington, DC

IPPlanMan

Member

Poor signal

The signal for these hotspots is terrible in DC.

If I am able to connect, it's slow as hell. What kind of backhaul is running to these? T-1's?

Darknessfall
Premium Member
join:2012-08-17
Motorola MG8725
Asus RT-N66

Darknessfall

Premium Member

Re: Poor signal

said by IPPlanMan:

The signal for these hotspots is terrible in DC.

If I am able to connect, it's slow as hell. What kind of backhaul is running to these? T-1's?

Some are gateways(TG852/TG862).

atcotr
@65.60.144.x

atcotr to IPPlanMan

Anon

to IPPlanMan
You're probably too far away, thus the link quality and speed is terrible.

VPNUsers
@23.19.88.x

VPNUsers

Anon

I have 3 letters

V
P
N
BosstonesOwn
join:2002-12-15
Wakefield, MA

7 recommendations

BosstonesOwn

Member

Re: I have 3 letters

You still need to
A
U
T
H
E
N
T
I
C
A
T
E

Before you can connect via VPN.

BlueandGold
join:2005-11-26
Go Bears!

2 recommendations

BlueandGold

Member

Re: I have 3 letters

^ This

E
X
A
C
T
L
Y
Expand your moderator at work
Aprel
join:2013-09-14

Aprel

Member

SSL?

Isn't this problem mitigated if the hotspots used HTTPS for the authentication? You would check the first time you connect that the certificate is genuine, and then the mobile device should auto-authenticate iff the cert passed is the same. I say should because probably most mobile devices won't care about the cert and just move ahead with auth regardless. Guess I answered my own question...but if the cert-matching behavior is strict, this wouldn't be an issue, right?

Selenia
Gentoo Convert
Premium Member
join:2006-09-22
Fort Smith, AR

Selenia

Premium Member

Re: SSL?

Firefox mobile is pretty good about flagging certificates. Probably because Mozilla cares about users, as well as it being part of the Open Wifi Movement. On open WiFi, certificates become even more important because of man in the middle attacks. I am sure Mozilla does not want people exploited by rogue hotspots as they help push this if they can help it, and they can with their browser. Since I use Firefox anyways, I guess I am good.
AmericanMan
Premium Member
join:2013-12-28
united state

AmericanMan

Premium Member

Two Factor Authentication Would Help

Actually...this is the sort of problem that two-factor authentication would help with IMMENSELY.

Step 1: Disable the auto re-authentication (and time it out after say 2 hours), that way every time you connect to one of these AT&T/Comcast hotspots you get the login page.
Step 2: Have customers call AT&T and Comcast (or go online) and set up their secret "codeword" (not a password, doesn't have to be secure, can be something like your favorite food or whatever, as long as it's not part of your billing information, like first name, street, city, state, etc.), as well as a cell phone number which you can be reached at for texts or voice calls.
Step 3: Whenever you connect to the hotspot, the login page pops up and says "enter your AT&T/Comcast UserId and we will text/phone you your secret codeword as well as a 10 digit number, make sure that the secret codeword matches the one that you set up with us , and that the 10 digit number matches the one on the next screen, and then login with your password. If the codeword and number don't match, then disconnect from the hotspot and call the AT&T/Comcast number on your bill as soon as possible to report a possible forgery."

Done!

fiosultimate
join:2014-06-09
San Antonio, TX

fiosultimate

Member

Re: Two Factor Authentication Would Help

Once again this is a service morons use, so u have to dumb it down to their level, this people think WiFi is the same as 3g

Yucca Servic
join:2012-11-27
Rio Rancho, NM

Yucca Servic

Member

Interesting

I wonder if there anything ATT or Comcast could do about this SSID naming issue. Just a common Wireless secured or unsecured Access Point could be named as one of the devices someone wants to connect to and leave no internet on it.
Someone could setup one to just disrupt connectivity. Just naming your hotspot could cause issues.
Wow what a dilemma!

RARPSL
join:1999-12-08
Suffern, NY

RARPSL

Member

What Logon Screen?

I am in the Cablevision Area and aside from Cablevision's WiFi SSID, I get those of TWC, Comcast, and CableWiFi. Connecting to each of the 4 WiFi SSIDs gets me a different network so I assume I am actually connecting to that network. The point is that I automatically connect without any logon screen even if I select XfinityWiFi.

CableWiFi is an agreement to allow users of on ISP to use the WiFi network of the others.

cableties
Premium Member
join:2005-01-27

cableties

Premium Member

In some boardroom,...

some marketing pseudo-genius declared "Hey, how about we make the customer's AP public, thus having more "coverage" for data!"

"That boy's a genius! Let's do it! Make it so!"

"And even better, sir, is that it won't cost us anything! Any piracy and we blame the modem owner. And any hacks, again we blame the owner because they didn't opt-out! We'll even setup a convoluted walled OPt-out so they won't know what wifi they have! Brilliant!"

IowaCowboy
Lost in the Supermarket
Premium Member
join:2010-10-16
Springfield, MA

IowaCowboy

Premium Member

I use my own hotspot

I use my own hotspot, it's called a mobile hotspot from Verizon Wireless. I never use public hotspots unless cell reception is spotty and I'm desperate for an internet fix and then I don't use sites that require authentication like my bank or other secure sites.

Mass Eye and Ear (have to take grandma there) has spotty reception in the building. Their domain on Wi-Fi is Harvard.edu.
GraysonPeddi
Grayson Peddie
join:2010-06-28
Tallahassee, FL

GraysonPeddi

Member

Auto Authentication for attwifi

How would I disable auto authentication in Android 4.4 the next time I connect to attwifi?

Sammael1069
join:2011-06-20
united state

Sammael1069

Member

AP

It's even gone as far as this.

»arstechnica.com/informat ··· pectrum/
FrontirCynic
join:2006-10-25
Long Beach, CA

FrontirCynic

Member

wifi

I dont use public wifi any more on the phone. Every time I tired to use ATT hotspots at starbucks it was messed up. I was better off on slow tmobile. (some LTE). Speaking of Wifi how is the open wifi movement going and how is googles takeover of starbucks wifi? Per my conversation with Starbucks employes its not going well. Oh well free starbucks college comes before customer wifi. Hey google ever hear of "follow thru" ....on anything? They just seem to like to start stuff do a press release then drop it as some key emp leaves and cashes out his/her stock