SAN FRANCISCO (KPIX 5) – Most web surfers know that public Wi-Fi is much more vulnerable to hackers than your average private home network, but KPIX 5 ConsumerWatch reporter Julie Watts warns that Xfinity public Wi-Fi may automatically connect you to its public network without your knowledge, even at home.
She also discovered that once you log in to Xfinity public Wi-Fi, there is there is no way to “log out” from your phone. Even if you perform a factory reset on your phone, your device remains connected to the Xfinity network.
Comcast’s New Routers:
Last year, Comcast quietly began using home internet routers as Xfinity public Wi-Fi hot spots. It now boasts 8 million public hotspots in the nation’s 19 largest cities.
Many of those hotspots are actually Xfinity customer home routers.
By default, the Comcast home routers now power customers’ own password-protected private networks, and a separate open public Wi-Fi network that anyone within range can connect to.
“I thought, well gee, aren’t I being generous” recalled Loraine Burke, a Comcast customer.
She was initially frustrated that Comcast was using her private router for its public network without her explicit consent. However, once she learned about the public Wi-Fi network, she began to enjoy the perks.
Xfinity customers like Lorraine can log in to the nationwide public Wi-Fi network for free, using their existing customer account information. Non-Comcast customers can also log in by entering a credit card number and paying a small fee.
While the company has been praised by many for creating the nation’s largest public Wi-Fi network, it is facing at least one lawsuit from customers who claim that Comcast is using their router and electricity without their permission.
The lawsuit also claims that hackers may be able to use the public network to gain access to their private network on the same router.
Comcast insists that the two networks are completely separate and the company denies that there is any risk.
However, KPIX 5 ConsumerWatch reporter Julie Watts has uncovered an entirely different security flaw.
The Unexpected Security Flaw:
The Xfinity Wi-Fi log-in page does not disclose that once you connect to their public network for the first time, your device may automatically connect to the public network every time one of the 8 million hot spots is in range, even at home where you may assume you are on your own secure private Wi-Fi network.
People like Burke are automatically connecting to the public network at home instead of their own private password protected network.
“I found out the hard way,” explained Burke. “I noticed the speed was a little slow and I checked. Sure enough, I was paying my bills on a public network.”
Now that Comcast is quietly putting those hot spots in your home, and in your neighbor’s homes, your phone or computer may be automatically default to the public network instead of your own.
Watts reached out to the Electronic Frontier Foundation and commissioned a test of her own Xfinity Wi-Fi.
In just minutes, the EFF’s Seth Schone hacked into both her phone and lap top computer because her devices had automatically connected to the Xfinity WI-Fi signal instead of her own password protected Wi-Fi.
“I was able to see all data you were sending or receiving,” Schone told Watts.
He explained that he would not have been able to get that same information if she had automatically connected to her own password protected Wi-Fi.
However, Schone points out that public WiFi isn’t bad, as long as you know that you are on it and you only use secure websites.
Automatic Sign in
Comcast says “Automatic Sign In was the #1 most requested feature before it was added, and since it was added has been the highest rated feature for XFINITY Wi-Fi. People love it.”
However, people like Burke and Watts weren’t aware that their devices were automatically connecting to Xfinity public Wi-Fi instead of their own private networks at home or at work. This left their communications vulnerable to hackers.
Schone says if a device is automatically connecting to Xfinty public Wi-Fi, hackers could create a fake Xfinity Wi-Fi signal anywhere, and trick that device into automatically connecting to that malicious network.
He points out that automatically connecting to the last known network is not an issue that is exclusive to Comcast.
For instance, if you’ve ever logged in to public Wi-Fi at Starbucks or at the airport, you might also automatically connect to those public Wi-Fi networks the next time you return.
However, most Wi-Fi users would not assume that they were on a secure network if they automatically re-connected to public Wi-Fi at a coffee shop or the airport.
Because Xfinity public Wi-Fi is now in your own home, for the first time consumers run the risk of automatically re-connecting to public Wi-Fi at home, where they assume they are on a secure private network.
Even non-Xfintiy customers may connect to their neighbors’ routers.
You Can’t Log Out of Xfinity
Once you log in to the Xfinity public network, you cannot log out. You’re actually registering your device to the network.
What does that mean?
Even if you perform a factory reset on your phone, the device will remain connected to your Comcast account.
Theoretically, if you sell your phone, the new owner would continue to automatically connect to any of the 8 million Xfinity Wi-Fi hot spots for free through your account.
What You Can Do
There are several ways Xfinity Wi-Fi users can protect themselves from inadvertently connecting to the public network.
However, users like Lorraine point out they were not aware they had to take steps to protect themselves because Comcast never told them.
Android users can download the Comcast App to help prioritize which networks the device connects to first.
“The Xfinity WiFi app for Android devices enables users to connect to known private networks first before connecting to XFINITY WiFi, however Comcast does not have the ability to control how Apple devices connect to WiFi hotspots. Customers can find additional information on how to prioritize their networks at http://wifi.comcast.com/connect-home.php” reads a Comcast statement.
For Apple iOS users, currently there is no way to ensure your devices will automatically connect to your private Wi-Fi network instead of Xfinity public Wi-Fi.
Apple declined to comment on why iPhones don’t always allow you to forget the Xfinity network or why there is no way to prioritize private networks over the public network.
Apple users can try to “Forget the Network” in their device’s Wi-Fi settings, however some phones continue to automatically connect to the public network.
To prevent your phone from automatically connecting to any Wi-Fi network, you can keep your Wi-Fi turned off in your device’s settings until you need to use it.
After turning your Wi-FI back on, confirm that you are connected to your private network and not Xfinity.
Xfinity customers can also log into to their Comcast customer accounts and unregister (or remove) their device from the network by completing the 6-step process below.
If you’ve ever logged in to the Xfinity public network, you should perform the following steps before selling your phone.
Login to Xfinity.com
-Click “My Account”
-Sign in (you must have billing privileges to do this)
-Click “My Services” tab
-Click on “Xfinity Internet” on the subtab under “My Services & Equipment.”
-Select the “Manage devices for hotspot access” option
-Manage or remove the devices from your account by clicking “remove” next to each one you want to disconnect.
What Comcast Is Doing
In response to this story Comcast said, “customers should always use caution when sharing any personal data on any public WiFi network. (We) “expect to launch by Summer 2015 a browser notification that would alert users that they are connecting to XFINITY WiFi.”
However, Comcast confirms that the proposed notification would only appear to people using an internet browser. Users would not be notified that they were automatically connecting to a public network while using apps or email.
ConsumerWatch asked Xfinity to add the following warnings to the Xfinity public log-in page.
Once you log in to Xfinity Public WI-FI:
- You may automatically reconnect to public WiFi instead of your own private networks.
- Your device will remain connected to your Comcast account even after a factory reset.
- You will need to log in to your home Comcast internet account to “remove” you device before selling it.
In response, Comcast said “we are re-designing the Sign In page in our next release to indicate that the user is ‘registering” their device, not just signing in.'”
However, representatives said customers will continue to have to read fine print on the Xfinity microsite for details.
The 19 Xfinity Markets Include: Atlanta, Baltimore, Boston, Chicago, Cleveland, Denver, Detroit, Houston, Indianapolis, Memphis, Miami, Minneapolis-St. Paul, Nashville, Philadelphia, Pittsburgh, Sacramento, San Francisco, Seattle, Washington D.C.