Follow up on case # CR448320644 XfinityWiFi security issue

Greetings: This is in followup to a recent case, CR448320644, that I would like further comment on (and was very pleased so far with tier 2 tech involved): I understand and realize the ability to call and get the hotspot disabled, *BUT* please further consider the following scenario: I have a client that I am responsible for securing their Business LAN on a 50mb Comcast Business connection. They are an engineering/mfg firm with USB wireless routers connected to their development workstations on that LAN to debug, test & development of a product of theirs on that wireless USB device. Currently, I have only MAC address filtering in place to keep those devices from connecting to the existing, non-Comcast supported Guest Wireless LAN hardware, living on a separate subnet from the business LAN, to prevent an unauthorized and likely very dangerous alternate gateway from any of those domain member workstations that are on a subnet with extensive filtering and security restrictions. Because they are engineers, they have 2 logons to their domain, one *without* local admin rights for daily use, and one *with* local admin rights, to make necessary changes to their machines as part of their responsibilities, like MSDN software updates, etc. Thus, business need dictates that I cannot lock the workstations down by security means to prevent the scenario of unathorized access tot eh XfinityWiFi Hotspot, if available and enabled. *NOT * having local immediate control over an XfinityWiFi hotspot, or filtering/firewall/ACL control being available to prevent DC members from access to it or not is what I consider to be a serious security risk. I am trying to raise awareness that the control over that hotspot should be delegated to the local client side, not just the ISP. Additionally, contacting Comcast Customer Service to enable or disable the feature on demand causes a reload of the Comcast Edge Device and interuption of service during production hours. I consider it to be an accident waiting to happen. You know as well as I do that even though they are all “grownups”, there will be unauthorized access to the Xfinitywifi hotspot from a LAN PC with this scenario. And unfortunately, something like ransomware or cryptolocker from a drive by is highly plausible. However, on the flip side, it could be a great guest access/public hotspot, but additional security on it should be considered for dynamic control by the client side, either by providing enable/disable functionality by the client, or additional filtering options by the client. Any feedback for instituting security enhancing change to this feature is welcome. -rogerc Bitwise, LLC