Revisiting Comcast's Xfinity public hotspot strategy

Following a conversation with Comcast's Corporate Communications group, I have some corrections to make and concerns to add

Last week I wrote about Comcast's plan to build the nation's biggest Wi-Fi service by co-opting their customers' Xfinity gateways and, following a detailed conversation with a representative from Comcast's Corporate Communications group, I have some corrections to make and quite a few additional concerns to add.

What about bandwidth?

First, the question of bandwidth use, on which I stand corrected. It turns out that there is considerable headroom available on Xfinity service, which is divided into four 36Mbps channels for a total maximum of 144Mbps. The top service tier for Xfinity is 105Mbps, which leaves plenty of room to squeeze in up to a theoretical 35Mbps for the public access Wi-Fi users. Color me wrong.

Wi-Fi signal strength

Comcast's representative also explained that the public signal was typically only accessible within about 50 feet of the access point. Given that most APs will be in private dwellings, where attenuation from walls and equipment will likely reduce the range even further, it would seem that the vast majority of use will be by visitors to the premises housing the AP, which most probably makes utilization of the public Wi-Fi extremely low. At the same time, the public AP will always be live unless the AP's owner has disabled the service (something that fewer than 1% of the current 3 million public service enabled Xfinity router owners have done). The result is more radio "noise" and bandwidth use in the customer's environment for little benefit to anyone.

Legal liability

What about the legal liability issue? While the IP address of the public service will be different from that of the hosting customer, the physical address of both will be the same. No matter how much people might like to think that law enforcement would never make a mistake and raid the wrong person's house, or that charges of downloading pirated material would never be wrongly pressed, let me remind you that these kinds of issues have happened before (the disturbing tales of a man falsely accused of downloading child pornography in Buffalo in 2011, a woman falsely accused of copyright infringement in Finland in 2012, and a family a SWAT team raided by mistake, also in 2012, are just a few of many examples of what can go wrong when law enforcement gets involved with digital communications).

Problematic freebies

Another concern should be that in an attempt to grow Comcast's customer base, the public service will allow two free one-hour sessions per MAC address per month to non-subscribers. This strikes me as a weak way to manage non-customer access as changing the MAC address of most computer devices is ridiculously easy and therefore provides hackers with yet another means of Internet access without any real risk of detection.

But Wait! There's more!

Want more potential problems? How about the opportunity for hackers to mount "Man In The Middle" attacks? This was covered nicely by my esteemed and mysterious colleague, Ms. Smith, in her article "Evil Xfinity Wi-Fi access point proof-of-concept for fun, profit and Comcast chaos."

Comcast's representative was at pains to promote the idea that customer security and service integrity are of paramount concern, but given that the Xfinity routers still allow for Wi-Fi Protected Setup (WPS), a feature that has been well-known for a long time to be one of the least secure methods of authentication, combined with all of the other ways that Xfinity public access could be insecure, I'd say the entire plan is flawed.

Be all of that as it may, the Comcast representative told me the company expects to have 8 million customers with the public access feature enabled by year end. You might accuse me of being too cautious and therefore overly critical of this strategy, but one of the things we've all seen time and time again is that when it comes to digital communications, the chances of unintended consequences messing everything up are directly related to scale, and with 8 million customers involved, the odds of serious problems emerging are very, very high.

Stories by Mark Gibbs
