Business WiFi
Back to Top

xfinitywifi hotspot significant security risk - plans to fix?

jcthorne
New Contributor

xfinitywifi hotspot significant security risk - plans to fix?

Since all xfinitywifi hotspots use the same SSID and same login credentials, that being the xfinity account log in.

 

The xfinitywifi SSID is being spoofed by non Comcast entities.  When a smartphone or tablet auto connects to the 'known' network SSID, the credentials are automaticly sent.  The spoof hotspot owner now has login credentials to the users xfinity account, business or home.

 

This problem is making a great deal of traffic around the net so its well known for some time now.

 

When does Comcast intend to close this significant security breach by seperating the login credentials and using secure device authentication at xfinitywifi hotspots?

Highlighted
Trusted Forum Contributor

Re: xfinitywifi hotspot significant security risk - plans to fix?

Hello jcthorne and welcome,

 

Your point about the xfinitywifi SSID does not allow any auto-login using either business comcast class user, comcast user (residential) , or non-comcast user. To the best of my current usage of all of these xfinitywifi logins, it is always necessary to manually enter the email address and password in order to login. If any  email user shares their password with anyone, then shame on that user for violating themself.

 

If you have some specific additional "spoof" security technical detail, please share it with us.  

 

Thanks for your concern.  

jcthorne
New Contributor

Re: xfinitywifi hotspot significant security risk - plans to fix?

The problem is that once the user logs in once, the device remembers the settings and auto logs in the next time it encounters the same SSID.  Standard feature of many smart phones now.  Works exactly this way on my HTC One and my tablet if I allow it.  

 

If the smartphone logs in to a 'spoofed' wifi service using the SSID xfinitywifi, the owner of that hotspot now has the login credentials for the comcast account.

 

The login email and password is the same as used for login to the comcast account system.

Trusted Forum Contributor

Re: xfinitywifi hotspot significant security risk - plans to fix?


@jcthorne wrote:

The login email and password is the same as used for login to the comcast account system.


in my opinion, this is the greater security risk; i could set up a fake access point and just name it "xfinitywifi"; using some not-very-advanced methods, i could create a web page that looks like the comcast xfinitywifi login page, and from there extract any passerby's actual, real Comcast credentials. from there, i could login to their account, and potentially wreck some havoc.

 

at the very least, the login credentials for getting onto an "xfinitywifi" hotspot should be different than the actual account management login credentials.

 

IMHO