Archive for November, 2012

Nov 15th, 2012 7 Comments

Xfinity WiFi Hotspots Free, But Potential Security Problem

Xfinity WiFi is a great service that you’ve probably never heard of. Xfinity (or is it Comcast?) has an identity problem, but they also don’t communicate well, even to existing customers. Xfinity WiFi is part of Comcast’s plan to compete with cell phone companies by providing widespread, free access to high speed Wi-Fi (at least free to Comcast customers). They started testing this few years ago around Philadelphia and New York City, but recently expanded to a few cities in northern California. (Current map below.)

Here’s how it works. If you order new Business Class Internet service from Comcast the technician will install a second cable modem and a Wi-Fi router. In my case neither the sales person on the phone nor the installation tech mentioned this would be installed in my office; it was just nailed to the wall when I looked. That’s a pretty stealthy way of rolling out a new service, but it avoids all those pesky questions and approval steps so they can get more hotspots set up faster. I wonder how many companies are hosting a public Wi-Fi hotspot without even realizing it. In my case I was surprised and actually happy to get it because my office overlooks an outdoor courtyard with seating. So it’s a nice public service I can offer to the shoppers, restaurant and other tenants in my building.

I applaud Comcast (or is it Xfinity?) for taking steps to make ubiquitous Wi-Fi available and free for me. The only problem with the service is the way they implement their “Automatic Sign In” feature. When you first find one of these hotspots you have to sign in with your Comcast user name and password. That’s a one-time thing, which is really convenient. Whenever you come across another Xfinity WiFi hotspot you are automatically connected. It works perfectly. HOWEVER, THERE IS NO WAY TO DISCONNECT YOUR DEVICE from this Automatic Sign In feature.

Normally, on an iPad for example, you can go into Settings->Wi-Fi->Choose a network and click the “Forget this Network” button and you will have to log in again to use the network. Not so with Xfinity WiFi. Once Xfinity sees a valid log in your device is permanently connected – and I do mean PERMANENTLY – NOT EVEN WIPING/RESTORING THE DEVICE TO FACTORY SETTINGS WILL DISCONNECT IT.

I tested this by “Restoring” my own iPad to factory settings, which should be the best, safest way to prepare it for sale. But, surprisingly it connected to Xfinity WiFi without ever asking for a password again.

The problem here isn’t that someone will get access to your personal information. But if you sell your iPad, computer, or phone it will remain connected to your Comcast account as long as you have that account. What if the new owner sends inappropriate emails to a four-star general, or CIA agent? The FBI will be knocking on your door because Comcast will tell them the device is yours. The new owner may not even be a Comcast customer, yet they would have free use of this service.

The only explanation about this is found in the Xfinity WiFi FAQs:

“Automatic Sign In is a feature that identifies devices that have successfully signed in to the XFINITY WiFi service previously, and allows these devices to connect to the network in the future without the need to sign in, as long as the account remains active and in good standing.”

It feels very wrong to have strangers potentially connected to my Comcast account. Am I just being paranoid? At a minimum, it seems like my Comcast account management page should include a listing of devices that are “attached” to Xfinity WiFi and give me the opportunity to detach one or all devices.

Have you talked to Comcast support about this issue? Let us know what you heard.

Stay safe out there.

Xfinity WiFi Distribution – November 2012

Xfinity WiFi map Nov 2012