XFINITY Wifi mobile app forces connections to insecure wireless networks

Comcast provides the "XFINITY WiFi" app for Android and iOS mobile devices. In addition to providing maps to branded wifi access points, the app instructs iOS users to install a device profile. This profile configures mobile devices to connect to open, insecure networks without any warning to users. (Note: the iOS app is examined in this post, however it is likely that the Android app exposes users to the same risks.)

To be clear: The profile that the XFINITY WiFi app installs causes mobile devices to prefer open, unencrypted wireless networks, and connect to them silently as if the user had previously manually selected them. Anyone can set up an access point with an SSID of 'xfinitywifi' or 'CableWiFi' and immediately start stealing passwords from XFINITY WiFi app users.

The stunning thing is that the app claims to offer ADDITIONAL SECURITY via this profile:

The XFINITY WiFi app, available from the Apple iOS App Store, guides XFINITY subscribers to open access points via maps; and configures the mobile device it is installed on to connect to those access points. Installation happens in three steps.

1: The user downloads & installs the XFINITY WiFi app on their iOS device. On first launch, the app prompts for the user's XFINITY credentials. Upon successful login, the app then instructs the user to install a device profile. With confirmation, the iOS app opens a URL in Mobile Safari containing a long GET parameter named 'hash'.

2: The URL opened in Safari prompts the user to download a device profile, for "enhanced security".

3: iOS guides the user through installation of the profile, which contains configuration data instructing iOS to automatically connect to three different wifi SSIDs.

The Profile
The profile downloaded contains three wifi SSID configs, and certificates chained from a Comodo root to a Comcast leaf.

The first SSID configured, 'XFINITY', contains WPA Enterprise credentials. The username and password are the credentials used to sign into the XFINITY WiFi app. It is likely that this data is passed in the 'hash' parameter to the web application that generates the profile. The configuration also requires TLSTrustedServerNames of either '*' or '*'. Between the provided certificate chain, the included name constraints, and the required WPA encryption, this configuration does a great job of protecting subscriber data when using XFINITY WiFi service.

The second and third SSIDs
Also configured in the profile are the SSIDs 'xfinitywifi' and 'CableWiFi', with the 'EncryptionType' parameter set to 'None'. This means that an iOS device using the XFINITY WiFi app's profile will connect to ANY open wifi network with ssids of 'xfinitywifi' or 'CableWiFi'. Additionally, because of the profile, users will not even be asked to confirm before their devices connect to these open networks.

Users' mobile devices will prefer open, unencrypted wifi networks named 'xfinitywifi' and 'CableWiFi', connecting to them with no confirmation from the user. This leaves XFINITY WiFi users open to network-layer traffic manipulation including eavesdropping and more advanced MITM attacks.
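As an added illustration (this is not code from the original post or from Comcast), here is a small Python audit of a configuration profile for exactly the weakness described above: it flags Wi-Fi payloads whose EncryptionType is 'None' (or WEP) and which iOS would join automatically, and produces a copy of the profile with those payloads stripped. The sample profile is constructed with placeholder SSIDs, credentials and domains; the key names follow Apple's configuration-profile plist format.

```python
import plistlib

# Constructed sample .mobileconfig mirroring the layout described above: three
# com.apple.wifi.managed payloads, one WPA-Enterprise and two open ones.
# All credentials and domains are placeholders, not the real profile's values.
SAMPLE_PROFILE = plistlib.dumps({
    "PayloadType": "Configuration",
    "PayloadDisplayName": "Constructed example profile",
    "PayloadContent": [
        {"PayloadType": "com.apple.wifi.managed", "SSID_STR": "XFINITY",
         "AutoJoin": True, "EncryptionType": "WPA",
         "EAPClientConfiguration": {"UserName": "subscriber@example.invalid",
                                    "UserPassword": "PLACEHOLDER",
                                    "TLSTrustedServerNames": ["*.example.invalid"]}},
        {"PayloadType": "com.apple.wifi.managed", "SSID_STR": "xfinitywifi",
         "AutoJoin": True, "EncryptionType": "None"},
        {"PayloadType": "com.apple.wifi.managed", "SSID_STR": "CableWiFi",
         "AutoJoin": True, "EncryptionType": "None"},
    ],
})

WIFI_PAYLOAD = "com.apple.wifi.managed"
UNPROTECTED = ("None", "WEP")


def wifi_payloads(profile_bytes):
    """Return the Wi-Fi payload dictionaries from an unsigned plist profile."""
    profile = plistlib.loads(profile_bytes)
    return [p for p in profile.get("PayloadContent", []) if p.get("PayloadType") == WIFI_PAYLOAD]


def audit_profile(profile_bytes):
    """Return (ssid, finding) pairs for Wi-Fi payloads that join unprotected networks."""
    findings = []
    for p in wifi_payloads(profile_bytes):
        ssid = p.get("SSID_STR", "<no SSID>")
        enc = p.get("EncryptionType", "Any")
        auto = p.get("AutoJoin", True)   # Apple documents AutoJoin as defaulting to true
        if enc in UNPROTECTED:
            findings.append((ssid, f"EncryptionType {enc}" + (", joined automatically" if auto else "")))
    return findings


def strip_open_networks(profile_bytes):
    """Return a copy of the profile with every open/WEP Wi-Fi payload removed."""
    profile = plistlib.loads(profile_bytes)
    profile["PayloadContent"] = [
        p for p in profile.get("PayloadContent", [])
        if not (p.get("PayloadType") == WIFI_PAYLOAD and p.get("EncryptionType", "Any") in UNPROTECTED)
    ]
    return plistlib.dumps(profile)


if __name__ == "__main__":
    for ssid, finding in audit_profile(SAMPLE_PROFILE):
        print(f"{ssid}: {finding}")
```

A signed .mobileconfig is a CMS (PKCS#7) blob rather than a bare plist, so unwrap it first (for example `openssl smime -inform der -verify -noverify -in profile.mobileconfig -out profile.plist`) before handing the bytes to these functions.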

There is no excuse for operating an open wifi network, much less configuring subscribers' equipment to prefer connecting to one. Comcast obviously is able to operate a secure, WPA-encrypted network with authenticated access. Comcast should immediately disable preferences for both open SSID names on users' mobile devices. App users should delete the connection profile and 'forget' wifi preferences for the SSIDs 'xfinitywifi' and 'CableWiFi'. Unfortunately it is not possible to retain only the WPA-protected, authenticated network config.

I've been in contact with Jason Livingood, VP of Internet Services at Comcast. In the Twitter thread discussing the XFINITY WiFi app, he has made several assertions downplaying the severity of the issue:

- The encrypted network is "preferred": this is verifiably false. There is no ranking or preference expressed in the profile that the app installs; the SSID with the strongest signal wins. In any case, even if the secure network were preferred, this would STILL leave Comcast users exposed in literally every place in the world where the 'XFINITY' SSID is not the strongest signal available. Suggesting that a preference exists is at best misleading.

- There's no more exposure here than from any other open network: These are open, unencrypted networks that Comcast is configuring your device to silently PREFER, as if users had manually chosen them. Their app claims this is "ENHANCED SECURITY". From the app's description in the iOS App Store, the first sentence says it "contains WiFi security features to improve your safety and privacy while using certain XFINITY WiFi hotspots around town." The opposite is true: this exposes users to the simplest forms of traffic eavesdropping and man-in-the-middle attacks.

As I've said on Twitter, I have enormous respect for Jason, and I hope that he's just mistaken about the details of the app. It is disturbing to see him minimizing the impact of this issue; especially when he makes claims that can be proven false with a quick look at the actual profile. Hopefully with the issue documented now, Comcast will push out an updated profile protecting their users from the additional risk they're now exposed to.

Nothing ever changes.

"...the illusions of nationalism allowed the underlying population to believe that the common good was bound up with the business advantage of these captains of solvency into whose service the national establishment was gradually drawn ... Uncritical devotion to the national pretensions being a meritorious habit, it is also a useful article of camouflage, a shelter for gainful enterprises and transactions which might otherwise be open to doubt, a means of avoiding unfavorable notice and of procuring a profitable line of goodwill." - Thorstein Veblen

Internet Update

So just to keep a running history of this stuff really, I ditched Sonic a couple of months ago for Comcast "Business" internet service. I already get cable TV from them, four cablecards that have been miraculously trouble-free (knock on wood). So adding 12mbps internet service and voice turned out to be cheaper than the DSL from Sonic and POTS from AT&T. I keep the POTS line because I am old and afraid of the end of the world, and also because I am nutty enough to run Nagios and Qpage at home. So by saving $20/mo I get to basically depend on Comcast for every communication channel not controlled by AT&T. Yay. Anyway, here are the magic numbers. I didn't even bother getting off wireless so it's probably a bit low, but at this point who cares?

Of course, at work, I just turned up a gigabit metro ethernet point to point; but running another one to the house would probably run a few kilobucks too much.

Cleaning up Redhat/Fedora

So I discovered that 'yum erase avahi' removes a stupendous list of complete garbage from a fresh install easily. There are a few packages that somehow are dependencies that are collateral damage that you'll probably want to reinstall immediately afterwards.

yum install redhat-lsb samba vlc-core vlc-devel ntop barry ImageMagick ImageMagick-devel
(if you want to make your life easier, the only one you really need is redhat-lsb.)

Of course yum drags along a ton of moronic dependencies (44 of them!) so at this point, if you care, it's time to break out the sledgehammer. I took the output of listed dependencies and shoved it through sed, etc. to come up with a list to pass to rpm --erase --nodeps.

Removing the garbage netted me a gig, 1/8th of the install footprint.

Dear Apple iTunes people.

1. You made the laptop computer.
2. You made the OS running on the laptop computer.
3. You made the iTunes program running on the OS on the laptop computer.
4. You made the iPod.
5. You made the OS running on the iPod.
6. You even made the frigging dock cable plugging the iPod into the computer.

Thu Sep 10 22:51:05 ernie [0x0-0x1d01d][309] : Child process initialized.
Thu Sep 10 22:51:13 ernie AppleMobileBackup[326] : BackupAgent starting up...
Thu Sep 10 22:51:13 ernie [0x0-0x1d01d][309] : Child process initialized.
Thu Sep 10 22:51:13 ernie [0x0-0x1d01d][309] : 2009-09-10 22:51:13.395 AppleMobileBackup[326:903] BackupAgent starting up...
Thu Sep 10 23:00:15 ernie[131] ( : The following job tried to hijack the service "" from this job: [0x0-0x20020]
Thu Sep 10 23:00:18 ernie PreferenceSyncClient[338] : Error: Can't get session for client, bailing
Thu Sep 10 23:00:36 ernie SyncServer[342] : [110ed0] |SyncManager|Warning| removing client from plan because I couldn't send it a sync alert
Thu Sep 10 23:05:17 ernie [0x0-0x1d01d][309] : Child process initialized.

How the fuck could you ever pretend this crap is appropriate to ship to your paying customers? This shit is fucking ridiculous.


PS: I don't think that object instance has a string repr method or whatever you call it in your crazy Objective C.


[EDIT: As is often the case, the malfunction occurred much closer to home. Turns out (as I had sort of suspected) that I signed up for service on their site myself; so I could contribute to the EFF. Razoo are great people and tried very hard to help me figure out how my account was created.]

So a couple of days ago, I got an email from Razoo encouraging me to add information to my user profile there. It was sent to an email address that I only use for LiveJournal, and the username is my lj username. I sent their support address an email asking how this account was created, and they gladly sent back useless information: my username and email address (which I already knew), and also that the account was created in December of last year.

Anyone else gotten spam from these guys? I suspect that they are just scraping lj accounts and adding them as "users" on their site.

Speakeasy vs. Sonic DSL

So I recently made a change from Speakeasy over to Sonic. It was a little sad for me, since Speakeasy overall had been very good to me for the last four years. Their network performed well, and their customer service was friendly, helpful, and generally very clueful.

The problem was that over the last 4 years, technology has made its inexorable march forward. Sonic is now offering ADSL2+ (plus!) where Speakeasy, the last time I checked, had no plans to offer it. The difference between my Speakeasy ADSL and Sonic's ADSL2+ was all about speed:

Speakeasy: 3mbps down, 768k up, three static IP addresses: $95.30/mo

Sonic: 10mbps down, 1mbps up, 8 static IP addresses: $90/mo

The observant may note that I am not getting the full 10mbps from Sonic. That's because I am about 9500 feet from my CO. I am surprised that I'm managing to get 6.7mbps, to be honest. They do have a 6/1 service tier for $70/mo, but I am far too greedy to leave 700kbps on the table. (edit: now that I think about it, a 30 percent premium for a 10 percent speed increase is sort of a bummer. Will have to think about that.)

Sucks to say goodbye to Speakeasy, but I did try to call and ask if they could offer a more competitive price before ordering Sonic: they had me on hold for 30 minutes before I gave up.