
Follow up on case # CR448320644 XfinityWiFi security issue

BitwiseLLC
New Member


Greetings:

This is in follow-up to a recent case, CR448320644, that I would like further comment on (and was very pleased so far with tier 2 tech involved):

I understand and realize the ability to call and get the hotspot disabled, *BUT* please further consider the following scenario:

I have a client that I am responsible for securing their Business LAN on a 50mb Comcast Business connection. They are an engineering/mfg firm with USB wireless routers connected to their development workstations on that LAN to debug, test & develop a product of theirs on that wireless USB device. Currently, I have only MAC address filtering in place to keep those devices from connecting to the existing, non-Comcast supported Guest Wireless LAN hardware, living on a separate subnet from the business LAN, to prevent an unauthorized and likely very dangerous alternate gateway from any of those domain member workstations that are on a subnet with extensive filtering and security restrictions.

Because they are engineers, they have 2 logons to their domain, one *without* local admin rights for daily use, and one *with* local admin rights, to make necessary changes to their machines as part of their responsibilities, like MSDN software updates, etc. Thus, business need dictates that I cannot lock the workstations down by security means to prevent the scenario of unauthorized access to the XfinityWiFi Hotspot, if available and enabled.

*NOT* having local immediate control over an XfinityWiFi hotspot, or filtering/firewall/ACL control being available to prevent DC members from access to it or not is what I consider to be a serious security risk. I am trying to raise awareness that the control over that hotspot should be delegated to the local client side, not just the ISP. Additionally, contacting Comcast Customer Service to enable or disable the feature on demand causes a reload of the Comcast Edge Device and interruption of service during production hours.

I consider it to be an accident waiting to happen. You know as well as I do that even though they are all “grownups”, there will be unauthorized access to the Xfinitywifi hotspot from a LAN PC with this scenario. And unfortunately, something like ransomware or cryptolocker from a drive-by is highly plausible. However, on the flip side, it could be a great guest access/public hotspot, but additional security on it should be considered for dynamic control by the client side, either by providing enable/disable functionality by the client, or additional filtering options by the client.

Any feedback for instituting security enhancing change to this feature is welcome.

-rogerc
Bitwise, LLC

Trusted Forum Contributor

Re: Follow up on case # CR448320644 XfinityWiFi security issue

Hello BitwiseLLC and welcome,

Thank you for your input on this issue that is shared by many Comcast business customers. Comcast recognizes this scenario and is in the process of upgrading the DPC3939B firmware to allow customers to disable the xfinitywifi hot spot.

Hope this helps you out.

BitwiseLLC
New Member

Re: Follow up on case # CR448320644 XfinityWiFi security issue

Thank you. Will Comcast actively notify end users when this firmware change is available, or will it possibly be deployed automatically by Comcast? Please advise of "next steps" to ensure receipt and use of this pending feature change.

Trusted Forum Contributor

Re: Follow up on case # CR448320644 XfinityWiFi security issue

Comcast typically does not advise customers of equipment firmware upgrades. However, you can log into the DPC now, go to software, record the current firmware version, and anytime after you can log in and monitor if and when the change has taken place.

BitwiseLLC
New Member

Re: Follow up on case # CR448320644 XfinityWiFi security issue

Please consider this to be my expectation that Comcast *should* perform a non-typical notification of this change when available, due to security-related severity.

Thanks.