- A TechNote on Wireless and Mobility
- Lisa Phifer, President
- Core Competence, Inc.
Home Hotspots: Risk or Opportunity?
10 Comments
Under the "What could go wrong?" paragraph, will home owners be responsible for what is downloaded on that public SSID? Many news articles discuss lawsuits filed based only on the IP address that illegal content was sent to.
And what about bandwidth caps? Didn't Comcast cap the data usage at one time? Will this public SSID traffic be exempt from the counters?
What about security? And what happens if someone logs into a hotspot - unauthenticated of course - and sends plans for, say, a terror attack? The IP address will be that of the home router. How will this be traced? Email IDs are a dime a dozen - create an email, or an anonymous email and ....
To access the Internet through an xfinitywifi SSID, users must log in with a Comcast subscriber email address and password, or login/password issued by another cable company participating in the Cable Wi-Fi initiative. The hotspot login dialog is SSL-protected to deter login/password theft.
While this mandatory login doesn't eliminate possible misuses of the home hotspot by authenticated Comcast/CableCo subscribers, it does avoid the entirely anonymous misuse scenario which you describe and which applies to other free public hotspots without mandatory authentication.
Lisa,
Time and again, we end up ignoring wireless security threats that are real and whose consequences are very scary. Here is an advisory issued by the Federal Trade Commission (FTC) two years ago. Does "Xfinity Wi-Fi" meet the FTC definition of secure Wi-Fi? No.
Coming back to your response to Mr. Srinivas on the use of SSL for protecting credentials: that it hence avoids the anonymous misuse scenario is not correct. SSL can definitely protect credentials, but a user's session in an open wireless hotspot environment still remains vulnerable to session hijacking, and its know-how is freely available on the internet - a curious mind can search about wireless leeching. What about evil twin? Can Comcast detect use of an evil twin AP and prevent genuine users from connecting to it?
On the data security side, the home user's privacy and data are still protected from the outside user. How would an outside Comcast user be ensured that the home user is not turning hostile and not snooping into its data (the device is physically accessible and data can be tapped in-between)?
-Sohail Ahmad
Hi Sohail, thanks very much for your comments.
I fully agree with you that Xfinity WiFi in its current form is not a secure wireless network -- no wireless encryption is applied. But watch for Comcast and many other hotspot operators to roll out support for Passpoint in 2014/2015, which will auto-enable WPA2-Enterprise security on hotspot connections established by subscribers. For more on Passpoint, see More Secure, User-Friendly Hotspots On the Way.
However, I somewhat disagree with your assessment of SSL hijack risk. Properly implemented SSL sessions that include client-side validation of the server's certificate can deter SSL hijacking and evil twin attacks. Comcast customers who use Comcast's WiFi client app to find and log into Xfinity hotspots will have reasonable protection for their Comcast login credentials. But I agree that users who log in from browsers and do nothing to validate the server's cert are at risk.
You raise an interesting question about homeowners and the possibility of using their WiFi routers to snoop on external hotspot users' data. In today's home hotspots, it's of course easier to just sniff data right from the air. But could homeowners hack their own router's firmware to insert a man-in-the-middle attack on the router itself? Without knowing what Comcast is doing to authenticate the code running on the router or to isolate traffic on each interface, I can't give an informed opinion. But if it can be done, I bet we'll see alternative firmware emerge that does it! As you point out, physical access to the router gives a malicious homeowner a platform from which to perform that kind of tapping.
One thing that is not mentioned in the article is usage. From what I understand, Comcast still has a cap on usage and will bill you extra if you go over that cap. I (for one) am not willing to pay extra for someone else to use my Internet connection.
Tim, Kevin - thanks to both of you for commenting on this important point of cost.
It's my understanding that Comcast does not currently impose a bandwidth cap on residential broadband subscribers, so utilization of the "xfinitywifi" SSID poses no current risk of pushing subscribers over a limit. For example, see this forum post: Xfinity wifi usage?
Also, Comcast has visibility into broadband router parameters (after all, Comcast is provisioning SSIDs into the router), so they could split off per-SSID bandwidth consumption if needed for billing purposes in the future. However, it's not clear that subscribers have a way to see if and how much their router is being used by hotspot visitors. This could be contentious if bandwidth caps were ever (re)imposed without making hotspot usage visible to the subscriber.
Kevin's liability question feels more significant to me right now. As I recommended in this TN, if "potential risks - such as liability for traffic sent through your home broadband router - don't seem acceptable to you, just opt out."
Comcast might be doing something to keep hotspot traffic virtually segregated until it reaches the next-hop router - for example, assigning different public-facing IPs to xfinitywifi and subscriber SSIDs. But I haven't seen this discussed in Comcast FAQs or interviews.
In theory, xfinitywifi hotspot users consent to Terms of Service and liability for their own use when they log in. However, as a subscriber, I'd really like an explicit release from liability for any use of my router's Comcast-provisioned hotspot SSID - but I don't see anything like this in my residential broadband Terms of Service at the moment.
So I just called Comcast and asked the representative to opt-out of Home Hotspots now and in the future. He had no idea what I was talking about. Comcast has no phone menu items for opting out of anything. Is this something real or another Internet false positive scare? The support person said he asked all around and no one on duty knew about Home Hotspots.
It's real and announced. One of our goals at Webtorials is to keep you ahead of the news so that you will be ready for whatever comes next. :-)
It is not unusual for us to be ahead of what is actually announced and ready for full deployment. That's why we rely on experts like Lisa.
Hi Dave,
Comcast's Home Hotspot program is live and being gradually rolled out in more Comcast markets. Their official FAQ can be found here:
XFINITY WiFi Home Hotspot FAQs
As of June, reports indicate the service was available to about 100,000 customers in parts of Pennsylvania, New Jersey, Northern Virginia and Washington, D.C. Further info on Comcast's progress can be found here:
Cable Show 2013: Comcast Turns Wireless Gateways Into Neighborhood Wi-Fi Hotspots
Not terribly surprised that all customer service reps have not yet been informed; that awareness will grow as the service rollout does.