Comcast Using Packet Injection To Push Its Own Ads Via WiFi, Apparently Oblivious To Security Concerns

from the because-it's-comcast dept

David Kravets, over at Ars Technica, has a good post detailing how Comcast is doing questionable packet injection to put its own javascript ads onto websites if you’re surfing via Comcast’s public WiFi access points. The practice was spotted by Ryan Singel, who saw the following “XFINITY WIFI: Peppy” ad scoot across his screen:

Comcast, in typical Comcast fashion, appears to be totally and completely oblivious as to why this could possibly be seen as a problem:

A Comcast spokesman told Ars the program began months ago. One facet of it is designed to alert consumers that they are connected to Comcast’s Xfinity service. Other ads remind Web surfers to download Xfinity apps, Comcast spokesman Charlie Douglas told Ars in telephone interviews.

The advertisements may appear about every seven minutes or so, he said, and they last for just seconds before trailing away. Douglas said the advertising campaign only applies to Xfinity’s publicly available Wi-Fi hot spots that dot the landscape. Comcast customers connected to their own Xfinity Wi-Fi routers when they’re at home are not affected, he said.

“We think it’s a courtesy, and it helps address some concerns that people might not be absolutely sure they’re on a hotspot from Comcast,” Douglas said.

It’s a courtesy to hijack the page a person asked for and insert something that no one asked for on it? I don’t think so. There’s a reason that packet injection is considered an attack and a security risk — and it’s got nothing to do with courtesy.

Certainly, the website that Singel was browsing when he spotted it, Mediagzer, was not pleased about having its own site hijacked and defaced:

“Indeed, they were not ours,” Gabe Rivera, who runs Mediagazer and Techmeme, said in an e-mail. In another e-mail, he said, “someone else is inserting them in a sneaky way.”

Kravets also talks to Robb Topolski, the guy who first provided the evidence to show that Comcast was throttling BitTorrent a while back, kicking off one of the first big net neutrality fights (which resulted in the FCC slapping Comcast’s wrists). Topolski notes that what they’re doing here is technically equivalent:

To Topolski, what Comcast is now doing is no different from before: Comcast is adding data into the broadband packet stream. In 2007, it was packets serving up disconnection commands. Today, Comcast is inserting JavaScript that is serving up advertisements, according to Topolski, who reviewed Singel’s data.

“It’s the duty of the service provider to pull packets without treating them or modifying them or injecting stuff or forging packets. None of that should be in the province of the service provider,” he said. “Imagine every Web page with a Comcast bug in the lower righthand corner. It’s the antithesis of what a service provider is supposed to do. We want Internet access, not another version of cable TV.”

But, of course, to the big broadband players, the last few years have been all about them trying to make the internet much more like cable TV, where they get to act as the gatekeepers and have much more control. The ability to inject their own ads into various webpages is just another bonus.

Filed Under: , , , , , ,
Companies: comcast

Rate this comment as insightful
Rate this comment as funny
You have rated this comment as insightful
You have rated this comment as funny
Flag this comment as abusive/trolling/spam
You have flagged this comment
The first word has already been claimed
The last word has already been claimed
Insightful Lightbulb icon Funny Laughing icon Abusive/trolling/spam Flag icon Insightful badge Lightbulb icon Funny badge Laughing icon Comments icon

Comments on “Comcast Using Packet Injection To Push Its Own Ads Via WiFi, Apparently Oblivious To Security Concerns”

Subscribe: RSS Leave a comment
art guerrilla (profile) says:

Re: Re:

(parasitizing off your post)

here it is right here, PROOF POSITIVE that cable/media DO NOT give a shit about their PAYING CUSTOMERS: bugs on the screen…

could someone PLEASE tell me what groundswell of consumer outcry has made it so The Bastards! take up MY TEE VEE SCREEN with their incessant ‘bugs’, popup ads, bullshit little animations, etc, etc, etc, that often take up a quarter of the bottom of the screen, WHILE THE SHOW IS GOING ON…

oh, you mean there WASN’T a popular outcry to put MORE stupid fucking ad shit on MY SCREEN ? ? ? you mean they foist that shit on us because we don’t have a fucking choice ? ? ?

’cause -like most people- i WANT their idiotic distracting shit on MY SCREEN RUINING MY VIEWING EXPERIENCE…
right ? ? ? grrrrrrr…

why do i bet that when/if media execs ever go out in public, they NEVER identify themselves as such, or they would be strung up by irate customers for the stupid, greedy shit they subject us to all the time…

oh, and to PROVE this has NOTHING to do with OUR benefit, WHEN would be the ONLY TIME these ‘bugs’ and shit would actually offer ANY benefit ? ? ? during commercials.. and when is the ONLY TIME you DON’T see bugs, etc ? during commercials…
QE fucking D, bitchez…

John Fenderson (profile) says:

They have a real talent

“We think it’s a courtesy, and it helps address some concerns that people might not be absolutely sure they’re on a hotspot from Comcast,” Douglas said.

So, once again they insult everyone by saying their unsavory practices are for the customer’s benefit or even a “courtesy”. These same people would probably, after punching you in the face, explain how it was a “courtesy” because it helps you to find out how quickly you can heal.

Michael (profile) says:

How to Connect
Using your Wi-Fi-enabled device, connect to the XFINITY WiFi network (network name: xfinitywifi) and launch your browser.
The browser will redirect you to the XFINITY WiFi sign-in page. If you don’t see the sign-in page, enter a different URL, like, in your browser to be redirected to our sign-in page.
Sign in using your email address or Comcast ID and password, then start browsing the Web!

People are really mistaking not having done that?

ltlw0lf (profile) says:


Isn’t this whole courtesy thing exactly what a CaptivePortal is supposed to provide? CaptivePortals are well understood by consumers in the free-wifi field, and most users understand that when they connect to a wifi access point, they may initially see a captive portal. Once they clear it, they know who they are connected to and there isn’t any further need for courtesy (at least until they connect again.)

So, like usual, the big-cable ISPs have no understanding of social conventions and the technology.

John Fenderson (profile) says:

Re: CaptivePortal?

The courtesy thing is a joke, of course, but the way they do their captive portal arguably makes it less obvious than others. Once you’ve signed in through the captive portal, you don’t every have to do it again from that device, even if you use a different Comcast hotspot. If you’ve done this from your portable device, and you have the device configured to automatically connect to Comcast’s hotspot, then you could travel across town (or to a different town) and be connected to Comcast without realizing it.

ltlw0lf (profile) says:

Re: Re: CaptivePortal?

Once you’ve signed in through the captive portal, you don’t every have to do it again from that device, even if you use a different Comcast hotspot.

So, in other words, don’t fix the problem by logging users off after a predefined period of time, but instead open the user up to security issues and difficulties instead.

Of course, they probably have no encryption being used on their points either, so it seems that there really could be a case where an attacker might not know what network they are on, so Comcast is just being really helpful for the attackers out there that might not know what network their victims are connected to.

John Fenderson (profile) says:

Re: Re: Re: CaptivePortal?

Yep. I can see why the design decision was made (convenience), but it took me by surprise when I discovered it. I was moving, and had a week of no internet service at all while the service was being transferred to my new place. In the meantime, I used the Comcast hotpots for my essential internet activities.

Once I got service again it took a day before I noticed that my portable devices weren’t connecting to my own WiFi, but to Comcast’s (a neighbor apparently uses Comcast’s WiFi boxes). I never saw that injection, though, probably because I disable Javascript everywhere.

Anonymous Coward says:

Re: Re: Re:

That doesn’t matter. In order for a JavaScript function to be executed it or a link to it would have to be inserted into the page code which would require the page to be decoded first. Second, if non-encrypted http content appears on a page that was initially requested via https, those are separate requests that are executed from the initial code from the https request. Third when http requests for content appear on a page initially requested via https most browsers will display a browser warning that alerts the user that the some information is not secure.

Anonymous Coward says:

Re: Re: Re:

If you see that little lock on your (presumably uncompromised and hopefully well behaved) browser then that means everything on the site is encrypted and the keys being used are, according to a ‘trusted’ third party, valid (well, different browsers may have different ways of indicating this and hopefully your browser isn’t ambiguous about what it’s telling you) and the information is from the signed sources. Now this isn’t to say that just because something is from a signed source means it’s necessarily safe and free of nefarious intent. A website can have all sorts of signed content from different locations (ie: some content from the target website and some ads from a third party website). Just that, at least, to some degree, you can track back who sent the information and a ‘trusted’ third party hopefully at least did some preliminary work to be able to identify the signer before just granting them keys.

I’ve downloaded spyware before written by malware companies that were signed whose signature was verified by windows before I ran it. So just because you identified who sent you something doesn’t necessarily mean the entity sending it is trustworthy.

nasch (profile) says:

Re: Re: Re: Re:

In the same sense when a tagger spray-paints something on the wall of your building, your wall hasn’t been altered at all.

No, it really isn’t like that. I don’t think there’s any real need to bring in physical world analogies. It’s better to just understand what is actually happening in this case. Comcast’s actions were terrible; we don’t need to pretend they broke into someone’s web site and changed it to make it seem bad.

nasch (profile) says:

Re: Re: Re:3 Re:

Defacement means changing the look of a website. Whether you do it by breaking into a server, or altering the packets it sends its users, is irrelevant.

Well first, I disagree, I think it is relevant. But more importantly, my real point is that Comcast didn’t do anything to anybody’s property. They interfered with someone’s service. There’s a difference.

MrTroy (profile) says:

Re: Re: Re:4 Re:

Better physical analogy?

Comcast is spraypainting the car window of the person looking at the building. People in other cars are fine, the building is fine, it’s just the poor sap with a spray-painted car that’s unhappy.

Obviously pedestrians are unable to see the building, but that’s their own fault for walking through an imperfect analogy!

Anonymous Coward says:

This can break things

Not all HTTP is “the web”.

Just yesterday I used a program which self-updates over HTTP (it checks a signature on the downloaded files, so it’s safe). If an ad injector had modified the HTTP response, the updater would have gotten terminally confused.

And even for the web, this can break things. Javascript uses a global namespace (the “window” object). Depending on how the page’s own Javascript is coded, it can conflict with the injected ad. And there’s also the page structure; the only way the ad can show is by adding elements to the DOM, and if the page’s normal Javascript did not expect that element (for instance, a normally empty page which is completely populated via Javascript), it could break.

When will people learn? The Internet is end-to-end; middleboxes have NO business modifying anything!

Whatever says:


This is a good thing. Comcast gets to make money to recoup their expensive costs of providing service. Think about broadcast T.V. The commercials are there to fund all the programs as well as the cost of distribution to the broadcaster. The networks that the commercials fund must pay the broadcasters for those costs. Well, here the commercials are there to fund access. In cable T.V. you have to pay for the high cost of access but, on top of that, the commercials are necessary to fund all that expensive programming as well. At one time it may have been possible to provide cable T.V. without commercials but once everyone discovered they can make even more money by charging to watch commercials and there wasn’t anything customers can do about it because they have a monopoly they started doing that. and it worked and that’s a good thing because it’s all about capitalism. What, you don’t support capitalism?

This spells more money for Comcast turning their service more into cable and broadcast T.V. which is a good thing. Everyone knows those are the business models I like to push for because it’s more profitable. Competition is bad because then the poor access providers can’t make a living. Just like with the taxi cab companies. Imagine if there was capitalism then the taxi cab companies would all be poor. So the government must ban competition to make sure that those who work hard can make a profit. Capitalism at work.

Add Your Comment

Your email address will not be published. Required fields are marked *

Have a Techdirt Account? Sign in now. Want one? Register here

Comment Options:

Make this the or (get credits or sign in to see balance) what's this?

What's this?

Techdirt community members with Techdirt Credits can spotlight a comment as either the "First Word" or "Last Word" on a particular comment thread. Credits can be purchased at the Techdirt Insider Shop »

Follow Techdirt

Techdirt Daily Newsletter

Techdirt Deals
Techdirt Insider Discord
The latest chatter on the Techdirt Insider Discord channel...