Wednesday, May 13, 2015

Is your home router spying on you?

Home wireless routers leased from Comcast broadcast a public wireless signal in addition to the private home network. Be sure your device is on the right network before doing online banking.
In mid-2013, Internet provider Comcast announced plans to build a massive network of public WiFi hotspots across the United States, so its subscribers could connect to the Internet from just about anywhere. This network would be built on the wireless routers Comcast leases to its home subscribers: most home users don't use the full capacity of their broadband connection 24/7, so the Internet provider would make unused bandwidth available for a public hotspot. The company says that the public wireless signal is completely separate from the private wireless signal used by your private home network, keeping your home network secure (though I am not aware of a definitive study that proves this).

For Comcast, this is great: it lets them boast of having the largest network of public wireless hotspots in the United Stated. For its customers traveling around the country it is likewise great: they pay for service at home, and get free access to the Internet on the road without having to eat up their cellular data plans. There is an unintended side effect though.

When you connect to a wireless network, you typically create a "wireless profile" so your device will remember that network in the future. This means you only have to enter the network password one time, and your device will remember it for future use. Android and iOS devices automatically remember networks that you have joined; Windows will do this by default, but you can optionally uncheck the "Connect automatically" checkbox when initially joining the network. Whenever your device encounters a network that it has a saved profile for, it will automatically join that network. So what happens when your home router is broadcasting a signal for both your private network, and the xfinitiwifi public network?

Windows lets you select whether to remember a network for future use.Devices have different methods of choosing what network to join, but the most common is whichever network the device most recently used. This is true of most mobile devices, and as of Windows 8, Windows laptops as well (Microsoft provides some guidance on how Windows selects the network to join, but for Windows 8 it's essentially "prefer most recent.". Therein lies the unintended side effect: if you are a Comcast customer whose home router broadcasts the Comcast / Xfinity public hotspot, and you connected to another Xfinity hotspot away from home, guess which network your device will prefer when you return home?

Think about the activities you do at home that you (hopefully) might not do on a public network - in particular online banking and private email. AARP surveyed residents of Washington state, finding that a quarter of adults connect to public WiFi at least once a week, and of those a quarter admit to doing personal banking from public networks. I would hazard a guess that many others didn't realize they were doing their banking from home, but on the public WiFi provided by their Comcast router.

What to do? Widely available public Internet is convenient. Silly lawsuits aside, what Comcast has done provides a legitimate benefit to their subscribers, as well as to non-customers that are willing to pay for temporary access. It does mean though that customers of that Internet provider need to pay attention to the network their mobile devices join at home, and if a device has joined the public hotspot from home, manually select the appropriate private network.

Do you have something to add? A question you'd like answered? Think I'm out of my mind? Join the conversation below, reach out by email at david (at) securityforrealpeople.com, or hit me up on Twitter at @dnlongen

Whois David?

My photo

I have spent the better part of two decades in information technology and security, with roots in application developer support, system administration, and network security. My specialty is cyber threat intelligence - software vulnerabilities and patching, malware, social networking risks, etc. In particular, I strive to write about complex cyber topics in a way that can be understood by those outside the infosec industry.

Why do I do this? A common comment I get from friends and family is that complex security topics give them headaches. They want to know in simple terms how to stay safe in a connected world. Folks like me and my peers have chosen to make a profession out of hacking and defending. I've been doing this for the better part of two decades, and so have a high degree of knowledge in the field. Others have chosen different paths - paths where I would be lost. This is my effort to share my knowledge with those that are experts in something else.

When not in front of a digital screen, I spend my time raising five rambunctious teens and pre-teens - including two sets of twins. Our family enjoys archery, raising show and meat rabbits, and simply enjoying life in the Texas hill country.

For a decade I served as either Commander or a division leader for the Awana Club in Dripping Springs, Texas; while I have retired from that role I continue to have a passion for children's ministry. At the moment I teach 1st through 3rd grade Sunday School. Follow FBC Dripping Springs Kids to see what is going on in our children's ministries.