Just in case you missed it… Comcast recently launched the first of its planned public WiFi hotspots, which leverage equipment being used in the homes of millions of its current customers to extend service availability. At first glance, this bold move by Comcast seems like a brilliant way to use the existing hardware in millions of homes to extend internet access for customers on the go.
The way it works is this: XFINITY customers using the Comcast hardware (Arris 852 or 862 wireless routers) in certain markets are automagically finding that they have the 'xfinitywifi' SSID transmitted from their access point. Customers wishing to opt out must do so through their online account management portal. This leads me to believe that Comcast is centrally managing configuration updates, and that the service will automatically de-provision the public WiFi network from the hardware at the customer’s home.
Central configuration and patching for home routers and access points is a great thing. In fact (from an outside perspective) such centralized control capabilities were key to the success of Meraki, which was acquired by Cisco in 2012. This kind of management activity will aid ISPs in detecting, containing, and remediating attacks against endpoint hardware (which we’ve seen time and again, for example in Brazil and the UK).
In the FAQ for this initiative, Comcast describes its commitment to providing a service that is as “fast, fun and safe as possible.” Comcast elaborates, saying:
"Whenever you sign in, we help protect your privacy and the safety of your Comcast Email or username and password by providing 128-bit encryption on the sign in page. This is the same standard used by thousands of online banking and financial services sites around the world to protect your critical transactions."
This language is pivotal and I believe the two sentences above may be deceptive, unfair, and dangerous. I would like to see Comcast clarify the meaning.
I read that statement to mean that the authentication page for this service will be using SSL encryption. I am concerned that the "security" of this service is tied to the minimum level of recommended SSL encryption (128-bit). Unfortunately, I do not believe this statement is speaking to any form of wireless encryption, very specifically WPA or WPA2.
Assuming my interpretation of the FAQ is correct, I am floored that Comcast would extend an unencrypted wireless network to the general public and position that decision as if it were both a good idea and a secure approach. Wireless encryption technologies like WEP, WPA and WPA2 date back 15 years. The choice not to use them represents a very scary step backward in consumer safety.
Some commenters might point out that a variety of other free WiFi services also forgo providing encrypted networks. I agree that this is a problem, and I look forward to seeing the airports offering free WiFi add encryption, just as many coffee shops have. But one key difference here is that I haven't seen any misleading language from unencrypted networks claiming safety that they do not actually offer.
Users of unencrypted networks need a thoughtful reminder that they are using a service that is outside their home or office network. Offering Comcast users VPN service to tunnel their traffic would be a solid mitigation for vulnerabilities associated with unencrypted WiFi.
Creating opportunities for criminals?
Unfortunately, I anticipate that many people who read this announcement will see the potential for creating fake access points named ‘xfinitywifi’ to steal users’ credentials.
This could lead to all kinds of bad things for the individuals impacted, including intruders gaining access to personal email, favorite online goods and service providers, as well as banking and financial information.
Encouraging the general public to use unencrypted WiFi (and positioning the service as secure) is reckless. Research on the dangers of unencrypted WiFi goes back more than fifteen years. The tools below are a starting place to demonstrate and educate people on the dangers of using unencrypted WiFi.
- Session hijacking (http://en.wikipedia.org/wiki/Firesheep)
- Stealing actual login credentials via MitM (Man in the Middle) attacks:
I would love to hear from the community. Some of you have access to this service in San Francisco, Chicago, Boston, Washington, D.C. or western Washington state. Is the SSID encrypted? Are they doing something more advanced? Drop me a line on Twitter, @treyford, or reply in the comments section below.
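One way to answer the "Is the SSID encrypted?" question from a Linux laptop is to classify each access point by what it advertises in its beacon, as printed by `iw dev <iface> scan`. This is an added example, not part of the original post. The scan text is a constructed sample (the BSSIDs and the `HomeNet`/`OldRouter` names are made up), and showing `xfinitywifi` as open reflects the post's assumption, not a measurement.

```python
import re

# Constructed sample in the layout printed by `iw dev <iface> scan`.
# BSSIDs, HomeNet and OldRouter are invented; xfinitywifi is shown as open
# only because that is what the post assumes.
SAMPLE_SCAN = """\
BSS 02:00:00:aa:bb:01(on wlan0)
\tcapability: ESS ShortSlotTime (0x0401)
\tSSID: xfinitywifi
BSS 02:00:00:aa:bb:02(on wlan0)
\tcapability: ESS Privacy ShortSlotTime (0x0411)
\tSSID: HomeNet
\tRSN:\t * Version: 1
\t\t * Pairwise ciphers: CCMP
\t\t * Authentication suites: PSK
BSS 02:00:00:aa:bb:03(on wlan0)
\tcapability: ESS Privacy (0x0011)
\tSSID: OldRouter
"""

def classify_scan(text):
    """Return {bssid: (ssid, protection)} for every BSS block in the scan."""
    results = {}
    for block in re.split(r"^(?=BSS )", text, flags=re.M):
        m = re.match(r"BSS ([0-9a-f:]{17})", block)
        if not m:
            continue
        ssid = re.search(r"^\s*SSID: (.*)$", block, flags=re.M)
        cap = re.search(r"^\s*capability: (.*)$", block, flags=re.M)
        privacy = bool(cap and "Privacy" in cap.group(1).split())
        if re.search(r"^\s*RSN:", block, flags=re.M):
            protection = "RSN (WPA2 or later)"
        elif re.search(r"^\s*WPA:", block, flags=re.M):
            protection = "WPA"
        elif privacy:
            protection = "WEP"  # Privacy bit set but no WPA/RSN element
        else:
            protection = "open"  # no link-layer encryption at all
        results[m.group(1)] = (ssid.group(1) if ssid else "", protection)
    return results

def open_ssids(text):
    """SSIDs advertised with no link-layer encryption."""
    return sorted(s for s, p in classify_scan(text).values() if p == "open")

if __name__ == "__main__":
    for bssid, (ssid, prot) in classify_scan(SAMPLE_SCAN).items():
        print(f"{bssid}  {ssid:<12} {prot}")
```

A network that comes back as "open" gives you no confidentiality on the air, regardless of whether the sign-in page behind it uses SSL.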