Potential Security Concerns in Comcast Hotspot Class-Action

A class-action suit has been filed against Comcast for using customer routers as public Wi-Fi hotspots. Can attackers exploit router bugs to jump from public to private networks?

Cable and Internet service conglomerate Comcast is facing a class-action lawsuit stemming from its use of customer routers as personal home Wi-Fi networks as well as public-facing wireless hotspots available for other Comcast-Xfinity customers.

Toyer Grear and Jocelyn Harris, themselves and on behalf of the rest of the class, allege that Comcast is violating the Computer Fraud and Abuse Act, California’s Comprehensive Computer Data Access and Fraud Act, and the Business Professions code. The Class action was filed in a San Francisco court on Dec. 4.

In order to offer services similar to those of its competitors – namely companies such as AT&T and Verizon with cellular infrastructure that enabled them deploy public facing Wi-Fi hotspots – Comcast decided that it could use its network of millions of customer routers to build a similar network of Wi-Fi hotspots without needing cell towers. So in recent years, Comcast began leasing dual-band routers capable of broadcasting separate wireless networks to its customers: one for home networks and a second, public-facing network available for anyone with Comcast-Xfinity login credentials. According to the suit, Comcast aims to have 8 million such hotspots available by the end of 2014.

In fact, you live in an area dominated by Comcast and you look at the wireless networks in range of your computer’s receiver, you will almost certainly notice a wireless network named “xfinitywifi.”

Comcast Xfinity Wi-Fi Hotspot

Comcast Xfinity Wi-Fi Hotspot

Problematically, the class alleges that Comcast does not obtain proper prior consent before deploying customer equipment for public use, though Comcast contends that it informed affected customers well in advance via emails and letters.

“Indeed, without obtaining its customers’ authorization for this additional use of their equipment and resources, over which the customer has no control, Comcast has externalized the costs of its national Wi-Fi network onto its customers,” the complaint alleges. “The new wireless routers the company issues consume vastly more electricity in order to broadcast the second, public Xfinity Wi-Fi hotspot, which cost is born by the residential customer.”

Through this practice, Comcast is also accused of degrading home Internet performance and subjecting its customers to potential security risks.

Comcast has a list of compatible routers on its website. That list makes note of the default router access credentials for each model, though it wouldn’t take much guess-work considering that the usernames are either blank or “admin” and the passwords are all either “password” or “admin.” Users have the capacity to change these passwords, but most do not. Some routers come with install wizards that automatically change the router admin access password to the customer’s chosen wireless network password, but it’s unclear if the Comcast routers contain these drivers or if customers use them.

There’s an authentication bypass vulnerability affecting the Netgear WNR1000 router that Comcast issues to customers. The second router listed by Comcast is Netgear’s WNR3500, which got hacked at the DEFCON router hacking contest in August. Secunia last year reported on a cross-site forgery bug in Linksys WRT310N, which is also on Comcast’s list. More than a cursory search through Google would very likely turn up any number of other issues.

Users can update the firmware for their routers assuming the manufacturer has provided a security updates, but most routers are low-memory devices, so updating them requires that the user find the proper firmware installation and upload it manually to the router. Such updates are not announced to users in any meaningful way, nor are instructions on where to download the updated firmware and how to install it. In reality, users simply do not install router updates.

There is also the question of whether a particular vulnerability in one of these routers could be exploited on the public-facing Wi-Fi hotspot in order to gain access — without authentication — to the personal, home network. In November, Threatpost covered a bug in a Belkin router through which an attacker, after accessing the router’s guest network, could leap-frog onto the associated private network without authentication.

For it’s part, Comcast is defending its decision.

“We disagree with the allegations in this lawsuit and believe our Xfinity WiFi home hotspot program provides real benefits to our customers,” Comcast said in a statement. “We provide information to our customers about the service and how they can easily turn off the public WiFi hotspot if they wish http://wifi.comcast.com/faqs.html.”

Comcast is also downplaying claims that the partitioning routers for public and private use would affect personal Internet speeds.

“For your in-home WiFi network, we have provisioned the XFINITY WiFi feature to support robust usage, and therefore anticipate minimal impact to the in-home WiFi network,” the company claims. “As with any shared medium, there can be some impact as more devices share the network. For data usage, the activities of visiting users are associated with the visitors’ accounts and therefore do not impact the homeowner.”

The company also attempted to push back security concerns by explaining that the log in process is totally encrypted. However, in all the ISP’s talking points, they never address the impact of new and existing routers on this new practice.

Suggested articles