November 15th, 2012

Xfinity WiFi Hotspots Free, But Potential Security Problem

Xfinity WiFi is a great service that you’ve probably never heard of. Xfinity (or is it Comcast?) has an identity problem, but they also don’t communicate well, even to existing customers. Xfinity WiFi is part of Comcast’s plan to compete with cell phone companies by providing widespread, free access to high speed Wi-Fi (at least free to Comcast customers). They started testing this a few years ago around Philadelphia and New York City, but recently expanded to a few cities in northern California. (Current map below.)

Here’s how it works. If you order new Business Class Internet service from Comcast, the technician will install a second cable modem and a Wi-Fi router. In my case neither the sales person on the phone nor the installation tech mentioned this would be installed in my office; it was just nailed to the wall when I looked. That’s a pretty stealthy way of rolling out a new service, but it avoids all those pesky questions and approval steps so they can get more hotspots set up faster. I wonder how many companies are hosting a public Wi-Fi hotspot without even realizing it. In my case I was surprised and actually happy to get it because my office overlooks an outdoor courtyard with seating. So it’s a nice public service I can offer to the shoppers, restaurant and other tenants in my building.

I applaud Comcast (or is it Xfinity?) for taking steps to make ubiquitous Wi-Fi available and free for me. The only problem with the service is the way they implement their “Automatic Sign In” feature. When you first find one of these hotspots you have to sign in with your Comcast user name and password. That’s a one-time thing, which is really convenient. Whenever you come across another Xfinity WiFi hotspot you are automatically connected. It works perfectly. HOWEVER, THERE IS NO WAY TO DISCONNECT YOUR DEVICE from this Automatic Sign In feature.

Normally, on an iPad for example, you can go into Settings->Wi-Fi->Choose a network and click the “Forget this Network” button and you will have to log in again to use the network. Not so with Xfinity WiFi. Once Xfinity sees a valid login, your device is permanently connected – and I do mean PERMANENTLY – NOT EVEN WIPING/RESTORING THE DEVICE TO FACTORY SETTINGS WILL DISCONNECT IT.

I tested this by “Restoring” my own iPad to factory settings, which should be the best, safest way to prepare it for sale. But, surprisingly, it connected to Xfinity WiFi without ever asking for a password again.

The problem here isn’t that someone will get access to your personal information. But if you sell your iPad, computer, or phone it will remain connected to your Comcast account as long as you have that account. What if the new owner sends inappropriate emails to a four-star general, or CIA agent? The FBI will be knocking on your door because Comcast will tell them the device is yours. The new owner may not even be a Comcast customer, yet they would have free use of this service.

The only explanation about this is found in the Xfinity WiFi FAQs:

“Automatic Sign In is a feature that identifies devices that have successfully signed in to the XFINITY WiFi service previously, and allows these devices to connect to the network in the future without the need to sign in, as long as the account remains active and in good standing.”

It feels very wrong to have strangers potentially connected to my Comcast account. Am I just being paranoid? At a minimum, it seems like my Comcast account management page should include a listing of devices that are “attached” to Xfinity WiFi and give me the opportunity to detach one or all devices.
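A sketch of the device list this paragraph asks for, as an added example (not Comcast's code and not part of the original post). It assumes the service binds a hardware identifier to the account at first sign-in, which Comcast has not confirmed; the class, its methods, the `max_age` re-login window, the address and the account name are all hypothetical.

```python
from datetime import datetime, timedelta
from typing import Optional


class DeviceRegistry:
    """Toy model of a hotspot back end that remembers devices per account."""

    def __init__(self, max_age: Optional[timedelta] = None):
        # max_age=None reproduces the behaviour in the post: a binding never lapses.
        self.max_age = max_age
        self._bound = {}  # hardware id -> (account, time of last portal sign-in)

    def sign_in(self, hw_id: str, account: str, now: datetime) -> None:
        """Portal login with user name and password: bind the device to the account."""
        self._bound[hw_id.lower()] = (account, now)

    def auto_sign_in(self, hw_id: str, now: datetime) -> Optional[str]:
        """Return the account a known device is admitted under, else None."""
        entry = self._bound.get(hw_id.lower())
        if entry is None:
            return None
        account, since = entry
        if self.max_age is not None and now - since > self.max_age:
            del self._bound[hw_id.lower()]  # stale binding: force a fresh login
            return None
        return account

    def list_devices(self, account: str) -> list:
        """What the account page would show: every device attached to the account."""
        return sorted(h for h, (a, _) in self._bound.items() if a == account)

    def detach(self, account: str, hw_id: str) -> bool:
        """Remove a binding, but only when it belongs to the requesting account."""
        entry = self._bound.get(hw_id.lower())
        if entry is None or entry[0] != account:
            return False
        del self._bound[hw_id.lower()]
        return True


def demo():
    t0 = datetime(2012, 11, 15)
    ipad = "02:00:00:AA:BB:CC"  # constructed hardware address
    reg = DeviceRegistry()
    reg.sign_in(ipad, "seller@example.com", t0)
    # A factory restore erases the device, not the server-side binding.
    after_restore = reg.auto_sign_in(ipad, t0 + timedelta(days=90))
    listed = reg.list_devices("seller@example.com")
    detached = reg.detach("seller@example.com", ipad)
    return after_restore, listed, detached, reg.auto_sign_in(ipad, t0 + timedelta(days=91))
```

With `max_age` unset the restored device is still admitted under the seller's account until the seller detaches it; setting `max_age` makes the binding lapse on its own.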

Have you talked to Comcast support about this issue? Let us know what you heard.

Stay safe out there.

Xfinity WiFi Distribution – November 2012


7 Responses to “Xfinity WiFi Hotspots Free, But Potential Security Problem”

jay

March 16th, 2013 - 9:38 am

If you change xfinity email password, seems that should prevent it from logging in??

moderator

March 19th, 2013 - 11:31 am

No, the password isn’t stored on the device and it isn’t used to log in except for the first time. As I described in the original post, I actually wiped the device (restored it to factory settings) so the account name and password couldn’t have been there anymore, yet I got connected to Xfinity WiFi immediately.

Nobody at Xfinity would confirm this, but my guess is that the network MAC address is associated with your account the first time you log in. (The MAC address is hard-wired into each device like a serial number and never changes.) After that the device is permanently attached to your account. Any future owner of the device therefore is able to use the device with Xfinity WiFi under your account.

Collin

May 9th, 2013 - 3:47 am

Is the device actually signed in to your Comcast account such that the buyer of your ipad could check your bills, etc? Or is the MAC address of the device simply stored for automatic access to the xfinity wifi but without access to any of your personal account info?

A bigger security concern for me is that anybody out there could create a wifi network named xfinity wifi and put up a sign in page and capture tons of Comcast account logins!

Dr. Adam

August 11th, 2013 - 6:58 pm

The reason I found this page is I was checking my iPhone while at work, where I typically do not have wifi, and “xfinity wifi” popped up. There was no lock icon and I only realized after I pressed “okay” & signed on that I was not prompted for my Comcast password. It made me wonder whether it was really Comcast or someone pretending to be Comcast in order to steal unsuspecting users’ info. I was relieved to find this page and to not see any pages talking about scammers impersonating the real Comcast wifi. That doesn’t mean that someone isn’t or will never set up such scam hotspots.

Debbie

November 27th, 2013 - 4:20 am

Wow. Thanks for pointing out this potential security issue. I did some more digging and found this article
http://corporate.comcast.com/comcast-voices/xfinity-wifi-updates-easier-to-use-and-more-locations
It states that customers are required to log in again after 30 days. That would make sense but I’m too nervous to test it to be sure.

Mark

April 24th, 2014 - 8:43 am

I understand the security concern, but do not underestimate the convenience. I wish it worked this smoothly on my Android phone. We have this Xfinity wifi in my office and I have to go through their login page every time I connect, which is usually once in the morning and again after lunch. It only takes a minute each time, but it takes a few steps and it gets old fast.

jb

August 26th, 2014 - 10:28 am

Xfinity uses your media access controller address to recognize your devices. This also leaves them vulnerable to users claiming infinite free trials simply by changing their device's MAC address. What will they do when iPhone 6 implements a random MAC address each time the device broadcasts wifi signals? Bye bye free trials!