To be clear: The profile that the XFINITY WiFi app installs causes mobile devices to prefer open, unencrypted wireless networks, and connect to them silently as if the user had previously manually selected them. Anyone can set up an access point with an SSID of 'xfinitywifi' or 'CableWiFi' and immediately start stealing passwords from XFINITY WiFi app users.
The stunning thing is that the app claims to offer ADDITIONAL SECURITY via this profile:
The XFINITY WiFi app, available from the Apple iOS App Store, guides XFINITY subscribers to open access points via maps, and configures the mobile device it is installed on to connect to those access points. Installation happens in three steps.
1: The user downloads & installs the XFINITY WiFi app on their iOS device. On first launch, the app prompts for the user's XFINITY credentials. Upon successful login, the app then instructs the user to install a device profile. With confirmation, the iOS app opens a URL in Mobile Safari containing a long GET parameter named 'hash'.
2: The URL opened in Safari prompts the user to download a device profile, for "enhanced security".
3: iOS guides the user through installation of the profile, which contains configuration data instructing iOS to automatically connect to three different wifi SSIDs.
The profile downloaded contains three wifi SSID configs, and certificates chained from a Comodo root to a Comcast leaf.
The first SSID configured, 'XFINITY', contains WPA Enterprise credentials. The username and password are the credentials used to sign into the XFINITY WiFi app. It is likely that this data is passed in the 'hash' parameter to the web application that generates the profile. The configuration also requires TLSTrustedServerNames of either '*.aaa.wifi.comcast.com' or '*.aaa.wifi.xfinity.com'. Between the provided certificate chain, the included name constraints, and the required WPA encryption, this configuration does a great job of protecting subscriber data when using XFINITY WiFi service.
The second and third SSIDs
Also configured in the profile are the SSIDs 'xfinitywifi' and 'CableWiFi', with the 'EncryptionType' parameter set to 'None'. This means that an iOS device using the XFINITY WiFi app's profile will connect to ANY open wifi network with the SSID 'xfinitywifi' or 'CableWiFi'. Additionally, because of the profile, users will not even be asked to confirm before their devices connect to these open networks.
Users' mobile devices will prefer open, unencrypted wifi networks named 'xfinitywifi' and 'CableWiFi', connecting to them with no confirmation from the user. This leaves XFINITY WiFi users open to network-layer traffic manipulation including eavesdropping and more advanced MITM attacks.
There is no excuse for operating an open wifi network, much less configuring subscribers' equipment to prefer connecting to one. Comcast obviously is able to operate a secure, WPA-encrypted network with authenticated access. Comcast should immediately disable preferences for both open SSID names on users' mobile devices. App users should delete the connection profile and 'forget' wifi preferences for the SSIDs 'xfinitywifi' and 'CableWiFi'. Unfortunately it is not possible to retain only the WPA-protected, authenticated network config.
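An added example (not code from the post or from Comcast) showing how to audit a downloaded .mobileconfig before installing it: it parses the profile with plistlib and flags any Wi-Fi payload that auto-joins an open network, or uses EAP without TLSTrustedServerNames. It assumes the standard Apple Wi-Fi payload keys (SSID_STR, EncryptionType, AutoJoin, EAPClientConfiguration) and uses a constructed sample profile with placeholder credentials that mirrors the layout described above.

```python
import plistlib

# Constructed sample profile mirroring the three payloads described in the post.
# This is NOT the real Comcast profile; the credentials are placeholders.
SAMPLE_PROFILE = plistlib.dumps({
    "PayloadType": "Configuration",
    "PayloadIdentifier": "example.wifi.profile",   # hypothetical identifier
    "PayloadContent": [
        {"PayloadType": "com.apple.wifi.managed", "SSID_STR": "XFINITY",
         "AutoJoin": True, "EncryptionType": "WPA2",
         "EAPClientConfiguration": {
             "UserName": "subscriber@example",
             "UserPassword": "PLACEHOLDER",
             "AcceptEAPTypes": [25],            # PEAP
             "TLSTrustedServerNames": ["*.aaa.wifi.comcast.com",
                                       "*.aaa.wifi.xfinity.com"]}},
        {"PayloadType": "com.apple.wifi.managed", "SSID_STR": "xfinitywifi",
         "AutoJoin": True, "EncryptionType": "None"},
        {"PayloadType": "com.apple.wifi.managed", "SSID_STR": "CableWiFi",
         "AutoJoin": True, "EncryptionType": "None"},
    ],
})


def audit_wifi_payloads(profile_bytes):
    """Return a list of (ssid, reason) findings for risky Wi-Fi payloads."""
    profile = plistlib.loads(profile_bytes)
    findings = []
    for payload in profile.get("PayloadContent", []):
        if payload.get("PayloadType") != "com.apple.wifi.managed":
            continue
        ssid = payload.get("SSID_STR", "<unknown>")
        encryption = payload.get("EncryptionType", "Any")
        auto_join = payload.get("AutoJoin", True)   # iOS defaults AutoJoin to true
        # The core problem from the post: an open SSID the device joins silently.
        if encryption == "None" and auto_join:
            findings.append((ssid, "open network joined silently"))
        # An enterprise payload without server-name pinning would accept any
        # RADIUS server presenting a chain the device trusts.
        eap = payload.get("EAPClientConfiguration")
        if eap is not None and not eap.get("TLSTrustedServerNames"):
            findings.append((ssid, "EAP without TLSTrustedServerNames"))
    return findings


if __name__ == "__main__":
    for ssid, reason in audit_wifi_payloads(SAMPLE_PROFILE):
        print(f"{ssid}: {reason}")
```

Run it against a real profile by replacing SAMPLE_PROFILE with the bytes of the downloaded .mobileconfig (signed profiles must be unwrapped from their CMS envelope first, for example with openssl smime).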
I've been in contact with Jason Livingood, VP of Internet Services at Comcast. In the Twitter thread discussing the XFINITY WiFi app, he has made several assertions downplaying the severity of the issue:
- The encrypted network is "preferred": this is verifiably false; there is no ranking or preference expressed in the profile that the app installs. The SSID with the strongest signal wins. In any case, even if the secure network were preferred, this would STILL leave Comcast users exposed in literally every place in the world where the 'XFINITY' SSID is not the strongest signal available. Suggesting a preference exists is at best misleading.
- There's no more exposure here than from any other open network: These are open, unencrypted networks that Comcast is configuring your device to silently PREFER, as if users had manually chosen them. Their app claims this is "ENHANCED SECURITY". The first sentence of the app's description in the iOS App Store says it "contains WiFi security features to improve your safety and privacy while using certain XFINITY WiFi hotspots around town." The opposite is true: this exposes users to the simplest of traffic eavesdropping and man-in-the-middle attacks.
As I've said on Twitter, I have enormous respect for Jason, and I hope that he's just mistaken about the details of the app. It is disturbing to see him minimizing the impact of this issue, especially when he makes claims that can be proven false with a quick look at the actual profile. Hopefully, with the issue documented now, Comcast will push out an updated profile protecting their users from the additional risk they're now exposed to.