Comcast Ad Tinkering Could Muck Up WiFi Security

Comcast has begun using JavaScript injection to serve ads for its services to devices connected to its publicly accessible Xfinity WiFi hotspots across the United States.

The ads are fleeting, but they can appear roughly every seven minutes, according to Ars Technica, which first reported the practice.

One example, which read “XFINITY WiFi Peppy,” scrolled across the bottom of the Web page displayed in the Xfinity hotspot user’s browser, Ars said.

“We’re using a very small notification to let our customers know that they’re on Xfinity WiFi,” company spokesperson Charlie Douglas told TechNewsWorld. “We’re rolling that feature out across the country.”

The program reportedly began months ago. Comcast claims some 3.5 million WiFi hotspots nationwide.

“This watermarking feature just gives customers the confidence to know that they are truly connected to an Xfinity WiFi hotspot,” Douglas said. “We think this is a convenient and helpful notification — it gives them the peace of mind to know that they truly are on the Xfinity WiFi network.”

Privacy Risk

Others have expressed consternation over the potential implications for security, privacy and Net neutrality.

“This practice is definitely concerning for multiple reasons,” Jeremy Gillula, staff technologist with the Electronic Frontier Foundation, told TechNewsWorld.

“For one thing, it’s very difficult to predict how Comcast’s injected JavaScript might interact with JavaScript already on the page a customer is viewing, which means the injection could break a Web page — not to mention, it could also introduce unforeseen security vulnerabilities,” he explained.

“Of course, that means people’s privacy could be at risk, depending on what they’re browsing,” Gillula pointed out.

Consider Tor

Also troublesome is the “slippery slope” this technology poses, Gillula said.

“For now, Comcast is just injecting JavaScript to alert people they’re using Xfinity WiFi — but there’s nothing to stop Comcast from using the same technology to inject other ads in the future,” he pointed out.

“I would say the best defense against this is for people to use a VPN — or even Tor — when connecting to an Xfinity WiFi hotspot,” Gillula recommended. “That way, Comcast won’t be able to interfere with your Web browsing.”

Marginal Risk

It’s true that “whenever you start playing with JavaScript, there is the potential for security penetrations,” said Michael Jude, a program manager with Stratecast, a division of Frost & Sullivan.

“JavaScript is an executable — it can tell your machine to execute almost anything,” he acknowledged. “What you’re doing is trusting Comcast to have very secure browser insertions.”

That said, “most Web pages use some kind of JavaScript. Comcast could reasonably say you’re in jeopardy anyway,” Jude argued.

Bottom line: “Is there a potential for information or device compromise? Yes there is,” he said. “Is it a major consideration? Well, if you’re doing a lot of online commerce then you’re probably already exposing yourself as much as anything Comcast would do. Does it raise the threat level? Marginally.”

‘Kind of a Stretch’

As for Net neutrality, “third parties might argue that Comcast is taking advantage of a connection to provide a different level of service than it’s providing to other service providers,” Jude noted.

Still, “that’s kind of a stretch, especially if it doesn’t prevent the third parties from doing the same thing,” he said.

“I’d say the whole thing comes under the rubric, is there a basis for concern? Possibly,” said Jude. “Is it a major concern? Probably not, given everything else that’s going on out there.”

Up to Users

The problem in part is that “this is brand-new territory, and there are no laws or even rules in this new game,” wireless industry analyst Jeff Kagan told TechNewsWorld. “Companies providing this service can do almost whatever they want.”

Customers typically don’t like this kind of advertising, Kagan added. “Then again, if Comcast is providing this service for free, it’s up to users to decide whether they want to use it or not.”

Katherine Noyes has been reporting on business and technology for decades. You can find her on Twitter and Google+.

1 Comment

  • Let’s be clear. This is NOT a free service. You have to have a Comcast account to be able to use it. Cablevision and Time Warner have this as well and Cablevision (at least) has been injecting messages into the bottom of web pages for years.


    "Then again, if Comcast is providing this service for free, it’s up to users to decide whether they want to use it or not."
