Xfinity WiFi: Free to be Hacked


“Free” Wi-Fi from Xfinity and AT&T also frees you to be hacked, reports Ars Technica in a joint experiment with NPR.

Sean Gallagher set up his laptop as a Wi-Fi hotspot broadcasting the network name (SSID) “attwifi”. After killing off the settings for his preferred networks on his iPhone, Gallagher turned on the Wi-Fi, and it connected to the fake “attwifi” hotspot without prompting.

When I killed the “attwifi” network after a few seconds, my iPhone promptly demonstrated the further risks of auto-connecting—it automatically reconnected with another network in the list of trusted networks on my phone: a hotspot called “xfinitywifi.”

I had used an Xfinity hotspot while waiting for an appointment a few days earlier, and suddenly I was logged into a hotspot running on my neighbor’s cable modem.

That means that if someone were to set up a malicious Wi-Fi access point called “xfinitywifi,” devices that have connected to Xfinity’s network before could automatically connect without alerting the user or asking for the password. Alternatively, using a “honeypot” tool such as PwnStar, an attacker could spoof both the “xfinitywifi” SSID and the Xfinity login page—stealing their Xfinity credentials in the process.

PwnStar includes the ability to redirect devices connecting to a Web page on the attacking system, record credentials, and then pass the victim on to Internet access as if nothing had happened—meanwhile launching man-in-the-middle attacks against the client (as I demonstrated for myself using an SSID called “notxfinity” to deter any of my neighbors from trying to connect to it).

Hotspot 2.0 is a new set of protocols to enable cellular-like roaming. A variety of partnerships are developing nationwide and world-wide, including:


Posted by Sam Churchill on Monday, June 23rd, 2014 at 10:24 am.
