CableTap/doc/advisories/bastille-17.public-wifi-theft-impersonation.txt
Bastille Tracking Number 17

CVE-2017-9475

Overview

A vulnerability has been discovered that enables an attacker to impersonate a Comcast customer connected to an "xfinitywifi" hotspot. This allows the attacker to access the Internet for free, and attribute any malicious activity to the Comcast customer they are impersonating.

Affected Platforms

XFINITY Wi-Fi Home Hotspot

Proof-of-Concept

When a Comcast customer connects to an "xfinitywifi" hotspot on a previously unregistered device, they are prompted to log in to their Comcast account in order to access the Internet. The Wi-Fi MAC address of the customer's device is then associated with their Comcast account.

The next time the customer connects their device to an "xfinitywifi" hotspot, it is authenticated using the Wi-Fi MAC address, and the device is immediately granted Internet access.

An attacker can impersonate a Comcast customer by wirelessly sniffing the MAC address of a device connected to an "xfinitywifi" hotspot, and then configuring their device to use the same MAC address.

This enables an attacker to access the Internet for free, and attribute any malicious activity to the customer they are impersonating.

Test Environment

The impersonation / theft of service attack was tested using a TP-LINK TL-WDN3200 Wi-Fi adapter connected to an Ubuntu 16.04 laptop.

Mitigation

Comcast customers can prevent an impersonation attack by not connecting to any "xfinitywifi" hotspots.

Recommended Remediation

Comcast offers certificate-authenticated "XFINITY" Wi-Fi hotspots in some locations. Updating all "xfinitywifi" MAC-address-authenticated hotspots to certificate-authenticated hotspots would remedy this vulnerability.

Credits

Marc Newlin and Logan Lamb, Bastille

Chris Grayson, Web Sight.IO
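
Added example (not part of the Bastille advisory and not Comcast code): a minimal Python model of the two authentication decisions the advisory contrasts, a MAC-only lookup versus proof of possession of a device-bound secret. The HMAC challenge-response is a simplified stand-in for certificate authentication, and all class names, function names and sample values are hypothetical.

```python
import hashlib
import hmac
import os

class MacOnlyPortal:
    """Behaviour described in the advisory: a known MAC is the whole credential."""
    def __init__(self):
        self.accounts = {}                      # MAC -> account

    def register(self, mac, account):
        self.accounts[mac.lower()] = account

    def authorize(self, mac):
        return self.accounts.get(mac.lower())   # anyone presenting the MAC passes

class KeyBoundPortal:
    """Stand-in for certificate auth: the device must prove possession of a secret."""
    def __init__(self):
        self.devices = {}                       # MAC -> (account, key)
        self.pending = {}                       # MAC -> outstanding nonce

    def register(self, mac, account):
        key = os.urandom(32)                    # provisioned once, never broadcast
        self.devices[mac.lower()] = (account, key)
        return key

    def challenge(self, mac):
        nonce = os.urandom(16)
        self.pending[mac.lower()] = nonce
        return nonce

    def authorize(self, mac, response):
        nonce = self.pending.pop(mac.lower(), None)   # single use: blocks replay
        entry = self.devices.get(mac.lower())
        if nonce is None or entry is None:
            return None
        account, key = entry
        expected = hmac.new(key, nonce, hashlib.sha256).digest()
        return account if hmac.compare_digest(expected, response) else None

def respond(key, nonce):
    """Device side: answer the portal's challenge with the provisioned key."""
    return hmac.new(key, nonce, hashlib.sha256).digest()

def compare(mac="02:00:00:aa:bb:cc", account="customer-1"):   # constructed values
    weak, strong = MacOnlyPortal(), KeyBoundPortal()
    weak.register(mac, account)
    key = strong.register(mac, account)
    owner = strong.authorize(mac, respond(key, strong.challenge(mac)))
    # A second device that knows only the MAC has no key to answer with.
    copy = strong.authorize(mac, respond(os.urandom(32), strong.challenge(mac)))
    return {"mac_only_copy": weak.authorize(mac.upper()), "key_owner": owner, "key_copy": copy}
```

In the MAC-only model the account is attributed to whichever device presents the address, while the key-bound model attributes it only to the device holding the provisioned secret.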