August 28, 2013

Home Hotspots: Risk or Opportunity?

U.S. cable companies are rapidly expanding wireless footprints, hoping that by blanketing entire cities they can keep mobile devices connected via Wi-Fi instead of cellular. To this end, Comcast recently announced an initiative that could easily grow its wireless footprint an order of magnitude: turning all of it subscriber's wireline broadband routers into Wi-Fi hotspots.

U.S. cable companies have already deployed over 150,000 Wi-Fi hotspots as part of the Cable Wi-Fi initiative, and are on track to offer over 250,000 new Wi-Fi hotspots by mid-2014. Access to these hot spots is free to all subscribers of participating cable companies.  In contrast, Comcast could create over a million XFINITY WiFi Home Hotspots this year alone, for use by its own subscribers. While doing so might deliver pervasive coverage, it also raises questions for subscribers who may soon find themselves sharing their broadband router's capacity and competing with strangers for airtime inside their own homes.

How Home Hotspot works

According to Comcast's website, subscriber's home broadband routers are being automatically upgraded to add a new "xfinitywifi" service set identifier (SSID). Thereafter, any XFINITY subscriber's mobile device within range of those routers can use them to sign in and access Comcast's network. In effect, Comcast is proactively encouraging its subscribers - up to 5 at a time - to automatically share each other's cable Internet access.

Comcast argues that Home Hotspot is good for everyone needing Internet access, from trusted visitors to nearby strangers. The company claims that, since the "xfinitywifi" SSID is isolated from the subscriber's home Wi-Fi SSID, it poses no new risk to home networks. Security is even enhanced, they say, because subscribers no longer need to give out their home SSID's password to visitors.

Regarding competition for capacity, Comcast's website states: "The broadband connection to your home will be unaffected by the XFINITY WiFi feature. Your in-home WiFi network, as well as XFINITY WiFi, use shared spectrum, and as with any shared medium there can be some impact as more devices share WiFi. We have provisioned the XFINITY WiFi feature to support robust usage, and therefore, we anticipate minimal to no impact to the in-home WiFi network."

What could go wrong?

These published statements ring a bit hollow to me. First, XFINITY WiFi is being launched as an opt-out service; subscribers who don't notice the router update may be unaware that they've started sharing their router and cable Internet. Sure, that exterior cable network belongs to Comcast, but the airspace immediately surrounding and inside residences arguably belongs to those homeowners. If a utility installed a public path on its easement through my yard without first asking my permission, I would consider that just as intrusive.

Furthermore, those strangers aren't just using the Internet - they're also competing for broadband router resources. From cranky Wi-Fi clients to high-volume video streaming, I can envision many potential performance and stability impacts on these relatively small residential routers. Problems that do occur will be transient and hard to diagnose, since they result from connections formed without the home owner's knowledge.

Finally, Wi-Fi roaming could bring unintended consequences. Comcast recommends using "your own private WiFi network when you are at home and using XFINITY WiFi when you are visiting a friend or traveling around town." But many devices that have used XFINITY WiFi will continually search for and try to reconnect to that SSID. Unintended connections to these hotspots seem likely to occur inside subscriber homes, increasing the odds that confused subscribers will send private data over these public hotspots by mistake.

Balancing opportunity and risk

Many cable subscribers will no doubt welcome this Home Hotspot initiative and the vastly increased coverage and convenience that it promises. However, subscribers who would rather retain dedicated private use of their home broadband routers must call Comcast to opt out and remove the "xfinitywifi" SSID.

Any subscriber using the "xfinitywifi" SSID - whether inside or outside their own home - should protect themselves by disabling file/printer sharing, enabling personal firewall rules, and encrypting their own traffic with SSL or VPN. This advice also applies to employers worried about risk to corporate-issued or bring-your-own devices that connect to this rapidly-growing collection of home hotspots. In fact, employers should take this opportunity to review any assumptions made about the relative safety and privacy of home networks or the SSID choices made by Wi-Fi enabled devices used inside employee homes.

For subscribers who are on the fence about this initiative, keep an eye on your own router to know if/when this new SSID is added. It's not clear that subscribers will have any visibility into hotspot usage, but watch for changes in your home network's behavior or performance changes after this SSID appears. If those perceived impacts or other potential risks - such as liability for traffic sent through your home broadband router - don't seem acceptable to you, just opt out.

Although employers rarely have direct control over Comcast-issued home routers or how they're configured, they may want to make workers aware of this change and remind users that hotspot safety recommendations apply everywhere. Employers that remotely manage small/remote office firewalls for home-based workers should consider how unplanned in-home RF competition from external hotspot users could affect those devices. 

Finally, employers may wish to leverage the "free to subscribers" connectivity delivered by Comcast's XFINITY Home Hotspot and the Cable Wi-Fi consortium. For example, the consortium plans to eventually provide Internet access to over 80% of U.S. locations where subscribers live, work, or play. While that access is not transparent - today, subscribers must log into each visited hotspot - Wi-Fi CERTIFIED Passpoint could make roaming more seamless. At that point, employers might even cut back on 4G data plan costs by encouraging workers to stay connected via these increasingly-ubiquitous cable Wi-Fi hotspots.  


One thing that is not mentioned in the article is Usage. From what I understand, Comcast still has a cap on usage and will bill you extra if you go over that cap. I ( for one ) am not willing to pay extra for someone else to use my Internet Connection.

Tim, Kevin - thanks to both of you for commenting on this important point of cost.

It's my understanding that Comcast does not currently impose a bandwidth cap on residential broadband subscribers, so utilization of the "xfinitywifi" SSID poses no current risk of pushing subscribers over a limit. For example, see this forum post: Xfinity wifi usage?

Also, Comcast has visibility into broadband router parameters (after all, Comcast is provisioning SSIDs into the router), so they could split off per-SSID bandwidth consumption if needed for billing purposes in the future. However, it's not clear that subscribers have a way to see if and how much their router is being used by hotspot visitors. This could be contentious if bandwidth caps were ever (re)imposed without making hotspot usage visible to the subscriber.

Kevin's liability question feels more significant to me right now. As I recommended in this TN, if "potential risks - such as liability for traffic sent through your home broadband router - don't seem acceptable to you, just opt out."

Comcast might be doing something to keep hotspot traffic virtually segregated until it reaches the next-hop router - for example, assigning different public-facing IPs to xfinitywifi and subscriber SSIDs. But I haven't seen this discussed in Comcast FAQs or interviews.

In theory, xfinitywifi hotspot users consent to Terms of Service and liability for their own use when they log in. However, as a subscriber, I'd really like an explicit release from liability for any use of my router's Comcast-provisioned hotspot SSID - but I don't see anything like this in my residential broadband Terms of Service at the moment.

So I just called Comcast and asked the representative to opt-out of Home Hotspots now and in the future. He had no idea what I was talking about. Comcast has no phone menu items for opting out of anything. Is this something real or another Internet false positive scare? The support person said he asked all around and no one on duty knew about Home Hotspots.

It's real and announced. One of our goals at Webtorials is to keep you ahead of the news so that you will be ready for whatever comes next. :-)

It is not unusual for us to be ahead of what is actually announced and ready for full deployment. That's why we rely on experts like Lisa.

Hi Dave,

Comcast's Home Hotspot program is live and being gradually rolled out in more Comcast markets. Their official FAQ can be found here:

XFINITY WiFi Home Hotspot FAQs

As of June, reports indicate the service was available to about 100,000 customers in parts of Pennsylvania, New Jersey, Northern Virginia and Washington, D.C. Further info on Comcast's progress can be found here:

Cable Show 2013: Comcast Turns Wireless Gateways Into Neighborhood Wi-Fi Hotspots

Not terribly surprised that all customer service reps have not yet been informed; that awareness will grow as the service rollout does.

Under the "What could go wrong?" paragraph, will home owners be responsible for what is downloaded on that public SSID? Many news articles discuss lawsuits filed based only on the IP address that illegal content was sent to.

And what about bandwidth caps? Didn't Comcast cap the data usage at one time? Will this public SSID traffic be exempt from the the counters?

What about security.? And what happens if someone logs into a hotspot - unauthenticated ofcourse and sends plans for say a terror attack. The IP address will be that of the home router. How will this be traced? email ids are a dime a dozen - create an emai, or an anonymous emai and ....

To access the Internet through an xfinitywifi SSID, users must log in with a Comcast subscriber email address and password, or login/password issued by another cable company participating in the Cable Wi-Fi initiative. The hotspot login dialog is SSL-protected to deter login/password theft.

While this mandatory login doesn't eliminate possible misuses of the home hotspot by authenticated Comcast/CableCo subscribers, it does avoid the entirely anonymous misuse scenario which you describe and which apply to other free public hotspots without mandatory authentication.


Time and again, we end up ignoring wireless security threats that are real and consequences are very scary. Here is an advisory issued by Federal Trade Commission (FTC) two years ago. Do "Xfinity Wi-Fi" meet the FTC definition of secure Wi-Fi? No.

Coming back to your response to Mr. Srinivas on use of SSL for protecting credential and hence it avoids anonymous misuse scenario is not correct. SSL can definitely protect credential, but user's session in open wireless hotspot environment still remains vulnerable to session hijacking and it's know-how is freely available on the internet-curious mind can search about wireless leeching. What's about evil-twin ? Can Comcast detect use of evil twin AP and prevent genuine users from connecting to it.

On the data security side, home user's privacy and data are still protected from outside user. How would an outside Comcast user be ensured that home user is not turning hostile and not snooping into it's data (device is physically accessible and data can be tapped in-between).

-Sohail Ahmad

Hi Sohail, thanks very much for your comments.

I fully agree with you Xfinity WiFi in its current form is not a secure wireless network -- no wireless encryption is applied. But watch for Comcast and many other hotspot operators to roll out support for Passpoint in 2014/2015, which will auto-enable WPA2-Enterprise security on hotspot connections established by subscribers. For more on Passpoint, see More Secure, User-Friendly Hotspots On the Way.

However, I somewhat disagree with your assessment of SSL hijack risk. Properly implemented SSL sessions that include client-side validation of the server's certificate can deter SSL hijacking and evil twin attacks. Comcast customers who use Comcast's WiFi client app to find and log into Xfinity hotspots will have reasonable protection for their Comcast login credentials. But I agree that users who log in from browsers and do nothing to validate the server's cert are at risk.

You raise an interesting question about homeowners and the possibility of using their WiFi routers to snoop on external hotspot user's data. In today's home hotspots, it's of course easier to just sniff DATA right from the air. But could homeowners hack their own router's firmware to insert a man-in-the-middle attack on the router itself? Without knowing what Comcast is doing to authenticate the code running on the router or to isolate traffic on each interface, I can't give an informed opinion. But if it can be done, I bet we'll see alternative firmware emerge that does it! As you point out, physical access to the router gives a malicious homeowner a platform from which to perform that kind of tapping.

Get E-News and Notices via Email




I accept Webtorials' Terms and Conditions.

Trending Discussions

Featured Sponsor Microsites

Recent Tweets



Please note: By downloading this information, you acknowledge that the sponsor(s) of this information may contact you, providing that they give you the option of opting out of further communications from them concerning this information.  Also, by your downloading this information, you agree that the information is for your personal use only and that this information may not be retransmitted to others or reposted on another web site.  Please encourage colleagues to download their own copy after registering at  Continuing past this point indicates your acceptance of our terms of use as specified at Terms of Use.

Webtorial® is a registered servicemark of Distributed Networking Associates. The Webtorial logo is a servicemark of Distributed Networking Associates. Copyright 1999-2015, Distributed Networking Associates, Inc.