Have you been waiting for Comcast's evil-yet-genius exploit-home-routers business plan to blow up in the company's face? That wait may be over as a proof-of-concept "evil xfinitywifi" access point could potentially help attackers with widespread MITM attacks aimed squarely at Comcast customers.
After claiming that neither LogRhythm Labs nor author Greg Foss are liable for any illegal activities that might occur, readers of The Dialog are introduced to a Comcast nightmare called Xfinity Pineapple.
Comcast's evil genius Xfinity Wi-Fi plans
Last week in Houston, Comcast turned 50,000 residential Xfinity modems into public Wi-Fi hotspots, but it's coming to Denver, San Francisco and all over the US; Comcast's plan to use customers' routers to create a mesh of public Wi-Fi will result in about 8 million Wi-Fi hotspots in 19 of the largest U.S. cities. Comcast claims its routers broadcast two Wi-Fi signals. "By default, one is securely configured for the private use of the home subscriber. The second is a neighborhood 'xfinitywifi' network signal that can be shared" by visiting Xfinity Internet subscribers who sign in with their own usernames and passwords.
Comcast also claimed that less than 1% of its customers are opting out of having their Xfinity WiFi as a home hotspot, but there have been a plethora of concerns about leeched bandwidth causing slowed connection speeds and increasing security risks. If people need another "security-threat" reason to opt-out, such as "how hackers can leverage this vulnerability feature for evil" ... meet the evil Xfinity WiFi Pineapple access point.
About WiFi Pineapple and MITM attacks
A connectivity "feature" in wireless devices like laptops, smartphones and tablets can be tricked into thinking it is connecting with a familiar or "safe" wireless access point. When your device is looking to connect, it asks "Are you my router?" In this case, a WiFi Pineapple, and not the known familiar router, answers, "Yes I am!" Your device connects and you step into a trap with no idea anything is out of the ordinary. WiFi Pineapples can create hot-spot honeypots and are used by G-men, hackers and researchers for man-in-the-middle (MITM) attacks. A user has no clue their device connected to a WiFi Pineapple instead of a "trusted" access point, or that an attacker is secretly stealing passwords and other sensitive data.
Along with plenty of CYA warnings not to use the scripts to steal users' credentials, Foss posted the proof-of-concept "evil xfinitywifi" access point code on GitHub. "This is basically a modified version of the Comcast shared WiFi interface, transformed to steal user's Xfinity/Comcast account credentials."
There are plenty of Xfinity WiFi access points that can be found either via Comcast or by using Xfinity WiFi Android or Apple apps. Basically a user who was tricked into connecting to the Xfinity Pineapple would see what appears to be a legitimate Comcast Xfinity WiFi splash page that says to "please log in to continue" followed by a sign-in button. Doing so, however, would mean everything you're doing is going to the attacker. Put another way, if you enter your Comcast username and password, then everything you can do on Comcast with those credentials access email, billing, add services, order new TV channels or pay per view now an attacker can do that with your credentials too.
Foss gives the how-to details, but notes:
None of what we talked about here applies explicitly to Comcast, this can be done on any public access point, though stealing Comcast credentials does have the added advantage of providing attackers with credentials they can later use to mask their online activity. For this reason, users should take steps to protect themselves and be cautious when using these networks.
- First and foremost, Comcast customers can disable this feature if they are so inclined.
- If you have connected to an Xfinity access point in the past, you will pre-authenticate to any Xfinity access point going forward, this includes a masquerading Pineapple. This will not expose your credentials, but all your traffic will be passed through a potentially hostile access point.
- When not using WiFi on your phone / laptop / tablet, disable it, especially when in crowded areas such as an airport.
- When joining one of these access points, try to verify that one really does exist in this area using the Xfinity WiFi app on iOS/Android or by reviewing their Access Point Map.
- Real Xfinity access points will redirect you to https://wifilogin.comcast.net to authenticate, though this could also be fudged by an attacker using DNS Spoofing so it is not a dead giveaway. The real identifier here is that the legitimate landing page is using SSL and has a valid certificate. This can be spoofed as well, but is much harder.
- When connecting to any open Wireless network, use a VPN service to encrypt your traffic.
Be careful out there!