Sunday, November 22, 2015

Comcast Xfinity Wi-Fi discloses your name and home address

It also helpfully offers a map to your house for potential Internet stalkers:
The Xfinity Wi-Fi service from Comcast is disclosing the full name and home address of residential customers, which is something the company says isn’t supposed to happen. 
The disclosure of such information increases an already exposed attack surface, by allowing anyone with malicious intent to selectively target their marks. 
The following composite image shows residential customers with Xfinity Wi-Fi enabled. They are all in the same town, in the same state, and according to a public records search – none of them have ever been registered as a business. Please note: This image has been redacted by Salted Hash to remove the customer's last name, address, and the map markers which might identify their location.
Click through to see how this all shows up when you search for Comcast Wi-Fi hot spots.

I recommend that anyone with Comcast Xfinity disable their Wi-Fi IMMEDIATELY. Instructions are here. Run, don't walk, to do this NOW.

You will need to buy your own wifi router (probably $39 at your local big box store like Wally World).  Run an ethernet cable from your router's "WAN" port into an ethernet port on the Comcast box.  Configure your own wifi, and you will be clean from Comcast stalkers.

The reason that I am so adamant that you need to do this is that the article has enough details to convince me that someone could use this to locate you, spoof your computer's network address, and then do something to incriminate you (say, launch an attack on homeland or download child pornography).  I am convinced that the spoofing would fool whatever logging that Comcast is doing, so their lousy logging would implicate you.

And the punch line is that they just don't care.  The researchers reported this to them and Comcast hasn't done bupkis to change this.


kotetu said...

As far as I can tell, this is the XFinity Wifi HOTSPOT service - where the router sets up (by default) a public hotspot. This can be disabled on both residential and business customers' accounts.

EMS Artifact said...

Thank you, kotetu. I was able to disable my public WiFi and keep my private WiFi with Password.

Borepatch, I found that public WiFi disconcerting, to say the least, skeevy to say the most. I'm glad I read this article. Thanks.