Users Should be Wary When Using AT&T, Comcast Hotspots
Monday Jun 23 2014 17:50 EDT
Tipped by newview

Ars Technica points out that users of AT&T and Comcast's growing number of public Wi-Fi hotspots are leaving themselves exposed to surreptitious hacking of their Internet traffic and the disclosure of personal information. While this is not particularly surprising -- any SSID can be spoofed and most coffee shop patrons or airport visitors can be easily misdirected -- the problem is that the credentials the users use to log into the public hotspots are the same ones used to access subscriber information via ISP portals:

quote:
Comcast’s Xfinity wireless hotspots present a Web page for login that requests a customer’s account ID and password, and each time you connect to a new hotspot it re-authenticates you. But if you’ve connected once during the day, the hotspot remembers your device and reconnects you without prompting. That means that if someone were to set up a malicious Wi-Fi access point called “xfinitywifi,” devices that have connected to Xfinity’s network before could automatically connect without alerting the user or asking for the password. Alternatively, using a “honeypot” tool such as PwnStar, an attacker could spoof both the “xfinitywifi” SSID and the Xfinity login page—stealing their Xfinity credentials in the process.
As Ars notes, it's not that AT&T and Comcast's hotspots are insecure in and of themselves, but the use of auto-authentication and the sheer volume of users connecting to them make them a tasty target smart users will want to take precautions against.
Darknessfall (Motorola MG8725 Asus RT-N66)

Hotspot 2.0
We need hotspot 2.0 implemented on these hotspots. I don't really care much about AT&T hotspots as I rarely see them.
I usually just check the networks to be linked to BelAir or look for the matching HOME-XXXX SSID to see if it's real. I guess the wireless MAC could be spoofed too so it would seem like a BelAir or Arris device.
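The vendor check described in the post above, written out as an added example (not code from the thread or from any operator): parse scan output in the shape `iw dev wlan0 scan` prints, and flag any access point advertising an operator SSID from hardware whose OUI (first three bytes of the BSSID) is outside that operator's allowlist. The scan lines and the OUI allowlist are constructed placeholders, not real BelAir or Arris prefixes; a real allowlist would come from the operator or the IEEE OUI registry.

```python
"""Flag hotspot SSIDs whose access-point hardware does not look like the
operator's own gear.  Added example, not code from the forum thread; the
scan lines and the OUI allowlist below are constructed placeholders."""
import re

# Constructed: OUI prefixes the operator is assumed to deploy for each SSID.
# Placeholders only; the real list would come from the operator.
TRUSTED_OUIS = {
    "xfinitywifi": {"00:11:22", "00:11:23"},
    "attwifi": {"00:44:55"},
}

# Constructed scan output in the shape `iw dev wlan0 scan` prints, trimmed
# to the fields this check needs.
SCAN_OUTPUT = """\
BSS 00:11:22:aa:bb:01(on wlan0)
    signal: -48.00 dBm
    SSID: xfinitywifi
BSS 00:11:23:aa:bb:02(on wlan0)
    signal: -71.00 dBm
    SSID: HOME-AB12
BSS de:ad:be:ef:00:01(on wlan0)
    signal: -35.00 dBm
    SSID: xfinitywifi
BSS 00:44:55:cc:dd:03(on wlan0)
    signal: -60.00 dBm
    SSID: attwifi
"""

BSS_RE = re.compile(r"^BSS ([0-9a-f:]{17})", re.IGNORECASE)
SSID_RE = re.compile(r"^\s*SSID: (.*)$")
SIGNAL_RE = re.compile(r"^\s*signal: (-?\d+(?:\.\d+)?) dBm")


def parse_scan(text):
    """Return a list of (bssid, ssid, signal_dbm) tuples from iw-style output."""
    networks = []
    current = None
    for line in text.splitlines():
        m = BSS_RE.match(line)
        if m:
            current = {"bssid": m.group(1).lower(), "ssid": "", "signal": None}
            networks.append(current)
            continue
        if current is None:
            continue
        m = SSID_RE.match(line)
        if m:
            current["ssid"] = m.group(1)
            continue
        m = SIGNAL_RE.match(line)
        if m:
            current["signal"] = float(m.group(1))
    return [(n["bssid"], n["ssid"], n["signal"]) for n in networks]


def oui(bssid):
    """First three bytes of a colon-separated MAC, e.g. '00:11:22'."""
    return bssid[:8]


def suspicious_aps(networks, trusted=TRUSTED_OUIS):
    """Return {bssid: reason} for APs advertising an operator SSID from hardware
    outside that operator's allowlist.  A strong signal on an unexpected OUI is
    called out separately, because the client's roaming logic usually picks the
    strongest BSS for an SSID."""
    findings = {}
    for bssid, ssid, signal in networks:
        if ssid not in trusted:
            continue  # no allowlist for this SSID, nothing to compare against
        if oui(bssid) in trusted[ssid]:
            continue
        reason = f"SSID {ssid!r} from non-allowlisted OUI {oui(bssid)}"
        if signal is not None and signal > -50:
            reason += " (strong signal)"
        findings[bssid] = reason
    return findings


if __name__ == "__main__":
    for bssid, reason in suspicious_aps(parse_scan(SCAN_OUTPUT)).items():
        print(bssid, reason)
```

As the post itself notes, a BSSID is trivially spoofable, so this is a first-pass screen for the careless case, not proof that an access point is genuine; it pairs with the HOME-XXXX cross-check rather than replacing it.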
tshirt
Premium Member
2014-Jun-23 8:03 pm

Re: Hotspot 2.0
said by Darknessfall:
We need hotspot 2.0 implemented on these hotspots.
CableLabs was part of the Hotspot 2.0 working group along with Ruckus and the Wireless Broadband Alliance. So you'd think it might be in the works, but if on the radar it should be important enough to do FIRST, before accounts get hijacked.
bmccoy
Member
2014-Jun-23 5:58 pm

Comcast will get what they deserve.
Sooner or later, somebody will start spoofing xfinitywifi hotspots and use them for free HBO Go.
IPPlanMan
Holy Cable Modem Batman

Poor signal
The signal for these hotspots is terrible in DC.
If I am able to connect, it's slow as hell. What kind of backhaul is running to these? T-1's?
Motorola MG8725 Asus RT-N66

Re: Poor signal
said by IPPlanMan:
The signal for these hotspots is terrible in DC.
If I am able to connect, it's slow as hell. What kind of backhaul is running to these? T-1's?
Some are gateways (TG852/TG862).
to IPPlanMan
You're probably too far away, thus the link quality and speed are terrible.
VPNUsers
Anon
2014-Jun-23 7:32 pm

I have 3 letters
V P N

7 recommendations

Re: I have 3 letters
You still need to A U T H E N T I C A T E
Before you can connect via VPN.

2 recommendations

Re: I have 3 letters
^ This
E X A C T L Y
Aprel
Member
2014-Jun-23 9:23 pm
SSL?
Isn't this problem mitigated if the hotspots used HTTPS for the authentication? You would check the first time you connect that the certificate is genuine, and then the mobile device should auto-authenticate iff the cert passed is the same. I say should because probably most mobile devices won't care about the cert and just move ahead with auth regardless. Guess I answered my own question...but if the cert-matching behavior is strict, this wouldn't be an issue, right?
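The "auto-authenticate iff the cert is the same" behaviour Aprel describes, and the auto-reconnect problem in the lead post, as an added example (not code from the thread or from any ISP client): a trust-on-first-use pin store keyed by SSID. The first login records the portal certificate's SHA-256 fingerprint and still asks for the password; later joins re-submit stored credentials only while the presented certificate matches, and a mismatch refuses to send anything. The two certificate byte strings are constructed placeholders; in a real client they would come from `ssl.SSLSocket.getpeercert(binary_form=True)` after a verified TLS handshake.

```python
"""Trust-on-first-use pin check for a hotspot login page.  Added example, not
code from the forum thread or any ISP client.  Certificates are constructed
placeholder byte strings standing in for DER from a real TLS handshake."""
import hashlib
import json
import os
import tempfile

# Constructed stand-ins for DER-encoded certificates.
GENUINE_PORTAL_CERT = b"-- constructed DER for login.example-isp.invalid --"
ROGUE_PORTAL_CERT = b"-- constructed DER for a look-alike portal --"


def fingerprint(cert_der: bytes) -> str:
    """SHA-256 over the DER certificate, hex encoded (what pinning UIs show)."""
    return hashlib.sha256(cert_der).hexdigest()


class PinStore:
    """Maps SSID -> pinned certificate fingerprint, persisted as JSON so the
    decision survives a reboot the way a saved network profile does."""

    def __init__(self, path):
        self.path = path
        self.pins = {}
        if os.path.exists(path):
            with open(path) as fh:
                self.pins = json.load(fh)

    def save(self):
        with open(self.path, "w") as fh:
            json.dump(self.pins, fh)


def decide(store: PinStore, ssid: str, cert_der: bytes) -> str:
    """Return one of:
      'first-use'  no pin yet: record it, but make the user type the password
                   (and look at the certificate) rather than auto-authenticate;
      'auto-auth'  pin matches: safe to re-submit stored credentials;
      'refuse'     pin mismatch: never send credentials to this portal.
    The mismatch branch is the one that matters: a spoofed SSID whose portal
    presents a different certificate must not receive the saved password."""
    fp = fingerprint(cert_der)
    pinned = store.pins.get(ssid)
    if pinned is None:
        store.pins[ssid] = fp
        store.save()
        return "first-use"
    if pinned == fp:
        return "auto-auth"
    return "refuse"


def demo(path=None):
    """Walk a device through first join, a legitimate rejoin (pin reloaded from
    disk), and a rejoin to an AP with the same SSID but another certificate."""
    path = path or os.path.join(tempfile.mkdtemp(), "pins.json")
    return [
        decide(PinStore(path), "xfinitywifi", GENUINE_PORTAL_CERT),
        decide(PinStore(path), "xfinitywifi", GENUINE_PORTAL_CERT),
        decide(PinStore(path), "xfinitywifi", ROGUE_PORTAL_CERT),
    ]


if __name__ == "__main__":
    print(demo())  # ['first-use', 'auto-auth', 'refuse']
```

Two caveats a practitioner would want: a pin on the leaf certificate also refuses the operator's own legitimate certificate rotation, so real deployments pin a CA or public key and ship an update path; and TOFU protects only joins after the first one, so that first login still depends on ordinary certificate validation.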
Selenia
Gentoo Convert
Premium Member
2014-Jun-23 10:35 pm

Re: SSL?
Firefox mobile is pretty good about flagging certificates. Probably because Mozilla cares about users, as well as it being part of the Open Wifi Movement. On open WiFi, certificates become even more important because of man in the middle attacks. I am sure Mozilla does not want people exploited by rogue hotspots as they help push this if they can help it, and they can with their browser. Since I use Firefox anyways, I guess I am good.
Two Factor Authentication Would Help
Actually...this is the sort of problem that two-factor authentication would help with IMMENSELY.

Step 1: Disable the auto re-authentication (and time it out after say 2 hours), that way every time you connect to one of these AT&T/Comcast hotspots you get the login page.

Step 2: Have customers call AT&T and Comcast (or go online) and set up their secret "codeword" (not a password, doesn't have to be secure, can be something like your favorite food or whatever, as long as it's not part of your billing information, like first name, street, city, state, etc.), as well as a cell phone number which you can be reached at for texts or voice calls.

Step 3: Whenever you connect to the hotspot, the login page pops up and says "enter your AT&T/Comcast UserId and we will text/phone you your secret codeword as well as a 10 digit number, make sure that the secret codeword matches the one that you set up with us, and that the 10 digit number matches the one on the next screen, and then login with your password. If the codeword and number don't match, then disconnect from the hotspot and call the AT&T/Comcast number on your bill as soon as possible to report a possible forgery."

Done!
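The three steps above, modelled end to end as an added example (not code from the thread or from any ISP portal). The subscriber records, the clock and the SMS channel are constructed stand-ins, and the two-hour session limit and the ten-digit number come from the post. The property being demonstrated is that the number a genuine portal shows on its second screen equals the one the operator texted, while a look-alike login page has no way to send that text, so the user's comparison fails.

```python
"""Model of the out-of-band codeword + number check proposed in the post.
Added example, not code from the forum thread or from any ISP portal;
ACCOUNTS, the clock and the SMS channel are constructed stand-ins."""
import secrets
import time

SESSION_TTL = 2 * 60 * 60   # step 1: no auto-reconnect after two hours
CHALLENGE_TTL = 5 * 60      # assumption: the texted number is good for five minutes

# Constructed subscriber record: codeword and phone enrolled out of band (step 2).
ACCOUNTS = {
    "jdoe": {"codeword": "tacos", "phone": "+15550100", "password": "correct horse"},
}


class Portal:
    """The genuine operator portal.  A rogue portal copying the login page has
    neither ACCOUNTS nor the SMS channel, so it cannot produce a matching text."""

    def __init__(self, sms_channel, clock=time.time):
        self.sms = sms_channel      # callable(phone, message_dict) -> None
        self.clock = clock
        self.pending = {}           # user_id -> (ten_digit_number, issued_at)
        self.sessions = {}          # device_id -> expiry timestamp

    def start_login(self, user_id):
        """Step 3a: user enters only the user id; we text codeword + number
        and return the number the next screen displays."""
        acct = ACCOUNTS.get(user_id)
        if acct is None:
            return None
        number = f"{secrets.randbelow(10**10):010d}"
        self.pending[user_id] = (number, self.clock())
        self.sms(acct["phone"], {"codeword": acct["codeword"], "number": number})
        return number

    def finish_login(self, user_id, password, device_id):
        """Step 3b: the password is accepted only for a live challenge; the
        challenge is consumed whether or not the password was right."""
        acct = ACCOUNTS.get(user_id)
        if acct is None or user_id not in self.pending:
            return False
        _number, issued = self.pending.pop(user_id)
        if self.clock() - issued > CHALLENGE_TTL:
            return False
        if not secrets.compare_digest(password, acct["password"]):
            return False
        self.sessions[device_id] = self.clock() + SESSION_TTL
        return True

    def needs_login(self, device_id):
        """Auto-reconnect is honoured only inside the two-hour window."""
        return self.clock() >= self.sessions.get(device_id, 0)


def user_checks_out_of_band(sms, enrolled_codeword, displayed_number):
    """The human step: the text must have arrived, its codeword must be the
    one enrolled, and its number must equal what the page shows."""
    if sms is None:
        return False
    return sms["codeword"] == enrolled_codeword and sms["number"] == displayed_number


def demo():
    """Run a genuine login, a look-alike page, a wrong password, and expiry."""
    inbox = []
    now = [1_000_000.0]
    portal = Portal(lambda phone, msg: inbox.append(msg), clock=lambda: now[0])
    results = {}
    shown = portal.start_login("jdoe")
    results["genuine_page_passes"] = user_checks_out_of_band(inbox[-1], "tacos", shown)
    # A look-alike page shows some number but no text ever arrives.
    results["rogue_page_fails"] = not user_checks_out_of_band(None, "tacos", "0000000000")
    results["wrong_password_rejected"] = not portal.finish_login("jdoe", "wrong", "phone-1")
    shown = portal.start_login("jdoe")
    results["login_ok"] = (user_checks_out_of_band(inbox[-1], "tacos", shown)
                           and portal.finish_login("jdoe", "correct horse", "phone-1"))
    results["auto_reconnect_within_ttl"] = not portal.needs_login("phone-1")
    now[0] += SESSION_TTL + 1
    results["login_page_after_ttl"] = portal.needs_login("phone-1")
    return results


if __name__ == "__main__":
    print(demo())
```

The scheme still rests on the user actually doing the comparison before typing the password, which is the weak point the reply below raises; the code can only make the genuine and forged cases distinguishable, not force anyone to look.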
Re: Two Factor Authentication Would Help
Once again this is a service morons use, so you have to dumb it down to their level; these people think WiFi is the same as 3G.
Interesting
I wonder if there is anything ATT or Comcast could do about this SSID naming issue. Just a common wireless secured or unsecured access point could be named as one of the devices someone wants to connect to and leave no internet on it. Someone could set up one to just disrupt connectivity. Just naming your hotspot could cause issues. Wow what a dilemma!
RARPSL
Member
2014-Jun-24 12:10 am

What Logon Screen?
I am in the Cablevision Area and aside from Cablevision's WiFi SSID, I get those of TWC, Comcast, and CableWiFi. Connecting to each of the 4 WiFi SSIDs gets me a different network so I assume I am actually connecting to that network. The point is that I automatically connect without any logon screen even if I select XfinityWiFi.
CableWiFi is an agreement to allow users of one ISP to use the WiFi network of the others.
In some boardroom,...
...some marketing pseudo-genius declared "Hey, how about we make the customer's AP public, thus having more "coverage" for data!"
"That boy's a genius! Let's do it! Make it so!"
"And even better, sir, is that it won't cost us anything! Any piracy and we blame the modem owner. And any hacks, again we blame the owner because they didn't opt out! We'll even set up a convoluted walled opt-out so they won't know what wifi they have! Brilliant!"
IowaCowboy
Lost in the Supermarket
Premium Member

I use my own hotspot
I use my own hotspot, it's called a mobile hotspot from Verizon Wireless. I never use public hotspots unless cell reception is spotty and I'm desperate for an internet fix and then I don't use sites that require authentication like my bank or other secure sites.
Mass Eye and Ear (have to take grandma there) has spotty reception in the building. Their domain on Wi-Fi is Harvard.edu.
Auto Authentication for attwifi
How would I disable auto authentication in Android 4.4 the next time I connect to attwifi?
wifi
I don't use public wifi any more on the phone. Every time I tried to use ATT hotspots at Starbucks it was messed up. I was better off on slow T-Mobile (some LTE). Speaking of Wifi, how is the open wifi movement going and how is Google's takeover of Starbucks wifi? Per my conversation with Starbucks employees it's not going well. Oh well, free Starbucks college comes before customer wifi. Hey Google, ever hear of "follow thru"....on anything? They just seem to like to start stuff, do a press release, then drop it as some key emp leaves and cashes out his/her stock.