Failures

by Mike Masnick


Filed Under:
ads, broadband, isps, packet injection, security, wifi, xfinity

Companies:
comcast



Comcast Using Packet Injection To Push Its Own Ads Via WiFi, Apparently Oblivious To Security Concerns

from the because-it's-comcast dept

David Kravets, over at Ars Technica, has a good post detailing how Comcast is doing questionable packet injection to put its own JavaScript ads onto websites if you're surfing via Comcast's public WiFi access points. The practice was spotted by Ryan Singel, who saw the following "XFINITY WIFI: Peppy" ad scoot across his screen:

Comcast, in typical Comcast fashion, appears to be totally and completely oblivious as to why this could possibly be seen as a problem:

A Comcast spokesman told Ars the program began months ago. One facet of it is designed to alert consumers that they are connected to Comcast's Xfinity service. Other ads remind Web surfers to download Xfinity apps, Comcast spokesman Charlie Douglas told Ars in telephone interviews.

The advertisements may appear about every seven minutes or so, he said, and they last for just seconds before trailing away. Douglas said the advertising campaign only applies to Xfinity's publicly available Wi-Fi hot spots that dot the landscape. Comcast customers connected to their own Xfinity Wi-Fi routers when they're at home are not affected, he said.

"We think it's a courtesy, and it helps address some concerns that people might not be absolutely sure they're on a hotspot from Comcast," Douglas said.

It's a courtesy to hijack the page a person asked for and insert something that no one asked for on it? I don't think so. There's a reason that packet injection is considered an attack and a security risk -- and it's got nothing to do with courtesy.

Certainly, the website that Singel was browsing when he spotted it, Mediagazer, was not pleased about having its own site hijacked and defaced:

"Indeed, they were not ours," Gabe Rivera, who runs Mediagazer and Techmeme, said in an e-mail. In another e-mail, he said, "someone else is inserting them in a sneaky way."

Kravets also talks to Robb Topolski, the guy who first provided the evidence to show that Comcast was throttling BitTorrent a while back, kicking off one of the first big net neutrality fights (which resulted in the FCC slapping Comcast's wrists). Topolski notes that what they're doing here is technically equivalent:

To Topolski, what Comcast is now doing is no different from before: Comcast is adding data into the broadband packet stream. In 2007, it was packets serving up disconnection commands. Today, Comcast is inserting JavaScript that is serving up advertisements, according to Topolski, who reviewed Singel's data.

"It's the duty of the service provider to pull packets without treating them or modifying them or injecting stuff or forging packets. None of that should be in the province of the service provider," he said. "Imagine every Web page with a Comcast bug in the lower righthand corner. It's the antithesis of what a service provider is supposed to do. We want Internet access, not another version of cable TV."

But, of course, to the big broadband players, the last few years have been all about them trying to make the internet much more like cable TV, where they get to act as the gatekeepers and have much more control. The ability to inject their own ads into various webpages is just another bonus.

Reader Comments



  • Anonymous Coward, 8 Sep 2014 @ 12:26pm

    Honestly, I have nothing left to respond to stories of shitty behavior by Comcast except to continually mutter to myself an invitation for that company to dine on a cornucopia of rotting dicks while playing a rousing game of "Hide-and-go-fuck-yourself."

    • art guerrilla, 9 Sep 2014 @ 6:32am

      Re:

      (parasitizing off your post)

      here it is right here, PROOF POSITIVE that cable/media DO NOT give a shit about their PAYING CUSTOMERS: bugs on the screen...

      could someone PLEASE tell me what groundswell of consumer outcry has made it so The Bastards! take up MY TEE VEE SCREEN with their incessant 'bugs', popup ads, bullshit little animations, etc, etc, etc, that often take up a quarter of the bottom of the screen, WHILE THE SHOW IS GOING ON...

      oh, you mean there WASN'T a popular outcry to put MORE stupid fucking ad shit on MY SCREEN ? ? ? you mean they foist that shit on us because we don't have a fucking choice ? ? ?

      'cause -like most people- i WANT their idiotic distracting shit on MY SCREEN RUINING MY VIEWING EXPERIENCE...
      right ? ? ? grrrrrrr...

      why do i bet that when/if media execs ever go out in public, they NEVER identify themselves as such, or they would be strung up by irate customers for the stupid, greedy shit they subject us to all the time...

      oh, and to PROVE this has NOTHING to do with OUR benefit, WHEN would be the ONLY TIME these 'bugs' and shit would actually offer ANY benefit ? ? ? during commercials.. and when is the ONLY TIME you DON'T see bugs, etc ? during commercials...
      QE fucking D, bitchez...

  • Anonymous Coward, 8 Sep 2014 @ 12:27pm

    Someone should sue them for copyright infringement, they are creating derivative works from websites. That is what they are trying to do to companies whose technologies remove ads from their TV programs.

  • Michael, 8 Sep 2014 @ 12:28pm

    I don't use Comcast hotspots, but if their usage counts toward any data caps, I would think that injecting additional data could be a huge problem for them.

    • nasch, 8 Sep 2014 @ 2:51pm

      Re:

      I don't use Comcast hotspots, but if their usage counts toward any data caps, I would think that injecting additional data could be a huge problem for them.

      How could use of a public hotspot count toward a data cap?

  • SpaceLifeForm, 8 Sep 2014 @ 12:29pm

    SpaceLifeForm

    • SpaceLifeForm, 8 Sep 2014 @ 12:33pm

      Response to: SpaceLifeForm on Sep 8th, 2014 @ 12:29pm

      Apologies for the mispost. Does this mean that Comcast is an official beta tester for the NSA?

  • Anonymous Coward, 8 Sep 2014 @ 12:36pm

    Hey that looks familiar...

    "We think it's a courtesy, and it helps address some concerns that people might not be absolutely sure they're on a hotspot from Comcast," Douglas said.

    It's the Microsoft defense: "It's not a bug. It's a feature."

  • John Fenderson, 8 Sep 2014 @ 12:38pm

    They have a real talent

    "We think it's a courtesy, and it helps address some concerns that people might not be absolutely sure they're on a hotspot from Comcast," Douglas said.


    So, once again they insult everyone by saying their unsavory practices are for the customer's benefit or even a "courtesy". These same people would probably, after punching you in the face, explain how it was a "courtesy" because it helps you to find out how quickly you can heal.

    • Michael, 8 Sep 2014 @ 12:42pm

      Re: They have a real talent

      Terms of Use Page 53 Sub-Section 12a:

      Should the fist used to strike your face be damaged, any medical bills will be included on your next bill.

  • Michael, 8 Sep 2014 @ 12:40pm


    How to Connect
    Using your Wi-Fi-enabled device, connect to the XFINITY WiFi network (network name: xfinitywifi) and launch your browser.
    The browser will redirect you to the XFINITY WiFi sign-in page. If you don't see the sign-in page, enter a different URL, like http://xfinity.comcast.net/, in your browser to be redirected to our sign-in page.
    Sign in using your Comcast.net email address or Comcast ID and password, then start browsing the Web!


    People are really mistaking not having done that?

  • ltlw0lf, 8 Sep 2014 @ 12:42pm

    CaptivePortal?

    Isn't this whole courtesy thing exactly what a CaptivePortal is supposed to provide? CaptivePortals are well understood by consumers in the free-wifi field, and most users understand that when they connect to a wifi access point, they may initially see a captive portal. Once they clear it, they know who they are connected to and there isn't any further need for courtesy (at least until they connect again.)

    So, like usual, the big-cable ISPs have no understanding of social conventions and the technology.

    • John Fenderson, 8 Sep 2014 @ 1:09pm

      Re: CaptivePortal?

      The courtesy thing is a joke, of course, but the way they do their captive portal arguably makes it less obvious than others. Once you've signed in through the captive portal, you don't ever have to do it again from that device, even if you use a different Comcast hotspot. If you've done this from your portable device, and you have the device configured to automatically connect to Comcast's hotspot, then you could travel across town (or to a different town) and be connected to Comcast without realizing it.

      • ltlw0lf, 8 Sep 2014 @ 1:55pm

        Re: Re: CaptivePortal?

        Once you've signed in through the captive portal, you don't ever have to do it again from that device, even if you use a different Comcast hotspot.

        So, in other words, don't fix the problem by logging users off after a predefined period of time, but instead open the user up to security issues and difficulties instead.

        Of course, they probably have no encryption being used on their points either, so it seems that there really could be a case where an attacker might not know what network they are on, so Comcast is just being really helpful for the attackers out there that might not know what network their victims are connected to.

        • John Fenderson, 8 Sep 2014 @ 2:47pm

          Re: Re: Re: CaptivePortal?

          Yep. I can see why the design decision was made (convenience), but it took me by surprise when I discovered it. I was moving, and had a week of no internet service at all while the service was being transferred to my new place. In the meantime, I used the Comcast hotspots for my essential internet activities.

          Once I got service again it took a day before I noticed that my portable devices weren't connecting to my own WiFi, but to Comcast's (a neighbor apparently uses Comcast's WiFi boxes). I never saw that injection, though, probably because I disable Javascript everywhere.

  • Anonymous Coward, 8 Sep 2014 @ 12:45pm

    In telecommunications there is a word for this

    3rd party Intercepting and reconfiguring of communications would be called "wire fraud"

    • nasch, 8 Sep 2014 @ 2:56pm

      Re: In telecommunications there is a word for this

      3rd party Intercepting and reconfiguring of communications would be called "wire fraud"

      Only if someone is being defrauded. Seems like a stretch here.

  • Anonymous Coward, 8 Sep 2014 @ 12:56pm

    I presume that access sites using only https would block this, right?

    • Anonymous Coward, 8 Sep 2014 @ 1:04pm

      Re:

      Not everything is encrypted on https sites. They could still stick a banner ad onto the page.

      • Anonymous Coward, 8 Sep 2014 @ 1:32pm

        Re: Re:

        That doesn't matter. In order for a JavaScript function to be executed it or a link to it would have to be inserted into the page code which would require the page to be decoded first. Second, if non-encrypted http content appears on a page that was initially requested via https, those are separate requests that are executed from the initial code from the https request. Third, when http requests for content appear on a page initially requested via https most browsers will display a browser warning that alerts the user that some information is not secure.

      • Anonymous Coward, 8 Sep 2014 @ 1:37pm

        Re: Re:

        The only way that could possibly happen on https pages is if the data was diverted, decrypted, altered, then re-encrypted before being passed back on to the user. This is essentially a Man in the Middle attack.

        http://en.wikipedia.org/wiki/Man-in-the-middle_attack

        • Anonymous Coward, 8 Sep 2014 @ 1:58pm

          Re: Re: Re:

          That's what I was thinking. So the only way they could do that is if you had to accept Comcast as a CA before using xfinity then they could generate certs on the fly.

      • Anonymous Coward, 9 Sep 2014 @ 8:58am

        Re: Re:

        If you see that little lock on your (presumably uncompromised and hopefully well behaved) browser then that means everything on the site is encrypted and the keys being used are, according to a 'trusted' third party, valid (well, different browsers may have different ways of indicating this and hopefully your browser isn't ambiguous about what it's telling you) and the information is from the signed sources. Now this isn't to say that just because something is from a signed source means it's necessarily safe and free of nefarious intent. A website can have all sorts of signed content from different locations (ie: some content from the target website and some ads from a third party website). Just that, at least, to some degree, you can track back who sent the information and a 'trusted' third party hopefully at least did some preliminary work to be able to identify the signer before just granting them keys.

        I've downloaded spyware before written by malware companies that were signed whose signature was verified by windows before I ran it. So just because you identified who sent you something doesn't necessarily mean the entity sending it is trustworthy.

  • Eric, 8 Sep 2014 @ 1:02pm

    Hopefully they include on their phone service soon

    I hope they start doing something similar on their phone service to ensure consumers are aware they are using a comcast provided phone service in their home. Every 7 minutes: "You are currently using a comcast connected phone"

    • Jeremy Lyman, 9 Sep 2014 @ 4:59am

      Re: Hopefully they include on their phone service soon

      And the message is spoken in the voice of the loved one you're conversing with. For convenience.

  • Anonymous Coward, 8 Sep 2014 @ 1:09pm

    since when has Comcast (or any other major business!) given a shit about anything other than their own agenda?

  • Roger Strong, 8 Sep 2014 @ 1:19pm

    Peppy....?

    "Peppy" is a weasel-word from the automotive industry used to gloss over a lack of speed. Any cheap little subcompact car - with a tiny subcompact engine - inevitably has its engine or performance described as "peppy."

  • Anonymous Coward, 8 Sep 2014 @ 1:28pm

    Imagine every Web page with a Comcast bug in the lower righthand corner.

    That symbol? *shrug* It just indicates that you're connected to the net. I wouldn't worry about it.

  • Anonymous Coward, 8 Sep 2014 @ 1:38pm

    Wonder if they'll roll that delightful courtesy out to all their regular internet customers after they're done testing it on a small subset? Maybe they're aiming to have it ready to go by the time the Time Warner merger is done, so all the current Roadrunner customers can get their lovely packet injections as well.

  • Falindraun, 8 Sep 2014 @ 1:52pm

    I haven't seen an ad in years and years. I use adblock. There is also another add-on that helps you hide the ads that make it past that.

    • Anonymous Coward, 8 Sep 2014 @ 2:49pm

      Re:

      The issue really isn't about whether you see ads or not so much as what they are doing to display the ads. They are essentially changing the content requested, inserting executable code to display an ad on content requested from third party sites.

  • Anonymous Coward, 8 Sep 2014 @ 2:04pm

    It is not just hijacking a page, it's defacing other's property. Websites are not beholden to Comcast. Comcast has no right to display any kind of advertisement over a website that they do not own.

    • nasch, 8 Sep 2014 @ 2:59pm

      Re:

      It is not just hijacking a page, it's defacing other's property.

      Let's not further the myth that creative output is property. The web site in question is just fine, and hasn't been altered at all. You can verify this by going there and observing that there isn't a Comcast ad on it.

      • Roger Strong, 8 Sep 2014 @ 3:09pm

        Re: Re:

        In the same sense when a tagger spray-paints something on the wall of your building, your wall hasn't been altered at all. You can verify this by sandblasting off his paint and observing that your original paint - and wall - are still there.

        Personally I still call it defacement.

        • nasch, 8 Sep 2014 @ 3:35pm

          Re: Re: Re:

          In the same sense when a tagger spray-paints something on the wall of your building, your wall hasn't been altered at all.

          No, it really isn't like that. I don't think there's any real need to bring in physical world analogies. It's better to just understand what is actually happening in this case. Comcast's actions were terrible; we don't need to pretend they broke into someone's web site and changed it to make it seem bad.

          • jarfil, 8 Sep 2014 @ 5:02pm

            Re: Re: Re: Re:

            Defacement means changing the look of a website. Whether you do it by breaking into a server, or altering the packets it sends its users, is irrelevant.

            This reminds me why we needed all that anti-framing legalese from the portal era, but in a more twisted way.

            • nasch, 8 Sep 2014 @ 8:06pm

              Re: Re: Re: Re: Re:

              Defacement means changing the look of a website. Whether you do it by breaking into a server, or altering the packets it sends its users, is irrelevant.

              Well first, I disagree, I think it is relevant. But more importantly, my real point is that Comcast didn't do anything to anybody's property. They interfered with someone's service. There's a difference.

              • MrTroy, 8 Sep 2014 @ 11:55pm

                Re: Re: Re: Re: Re: Re:

                Better physical analogy?

                Comcast is spraypainting the car window of the person looking at the building. People in other cars are fine, the building is fine, it's just the poor sap with a spray-painted car that's unhappy.

                Obviously pedestrians are unable to see the building, but that's their own fault for walking through an imperfect analogy!

  • Anonymous Coward, 8 Sep 2014 @ 2:15pm

    It's a courtesy to hijack the page a person asked for and insert something that no one asked for on it?
    The courtesy is in letting people know that they're vulnerable to surveillance and packet injection (but apparently only after they've sent their Comcast password over the connection).

  • HMTKSteve, 8 Sep 2014 @ 2:17pm

    Money

    Think how much money they could make if they just used this technique to change the ad code on web pages to their ad code? Google AdSense? With the amount of traffic Comcast users generate an unscrupulous technician could replace the AdSense ID with their own via this hack and make millions an hour.

  • Mark, 8 Sep 2014 @ 3:27pm

    "sneaky" advertising

    Comcast is pretty good at "sneaky". They are some of the sneakiest mother f*ckers I have ever seen.

  • DB, 8 Sep 2014 @ 3:36pm

    I'm not certain why this isn't considered copyright infringement.

    If you took the Washington Post and substituted your own ads, you would be quickly sued into oblivion. This situation is no different, just adding "on the internet".

  • Anonymous Coward, 8 Sep 2014 @ 4:41pm

    This can break things

    Not all HTTP is "the web".

    Just yesterday I used a program which self-updates over HTTP (it checks a signature on the downloaded files, so it's safe). If an ad injector had modified the HTTP response, the updater would have gotten terminally confused.

    And even for the web, this can break things. Javascript uses a global namespace (the "window" object). Depending on how the page's own Javascript is coded, it can conflict with the injected ad. And there's also the page structure; the only way the ad can show is by adding elements to the DOM, and if the page's normal Javascript did not expect that element (for instance, a normally empty page which is completely populated via Javascript), it could break.

    When will people learn? The Internet is end-to-end; middleboxes have NO business modifying anything!


  • orbitalinsertion, 9 Sep 2014 @ 12:44am

    Shades of Rodgers Cable, oh how thou haunt us.

  • Anonymous Coward, 9 Sep 2014 @ 12:52am

    I have never seen those ads on Comcast WiFi. It could be because I am using AdBlock.

    If you want to stop those ads, put adblock on your computer.

  • Anonymous Coward, 9 Sep 2014 @ 12:55am

    You could also connect to VPN. I connect to my own private VPN, when using Comcast, or any other Wifi, so my activity cannot be monitored.

    That could also explain why I have not seen those ads. Logging on to my VPN encrypts the connection, so Comcast cannot see the web pages I go to.

  • Anonymous Coward, 9 Sep 2014 @ 4:52am

    "We think it's a courtesy, and it helps address some concerns that people might not be absolutely sure they're on a hotspot from Comcast," Douglas said.

    While everyone else thinks it is majorly fucked up and didn't give a shit about whose hotspot they connect to - until now.

  • Whatever, 9 Sep 2014 @ 8:36am

    (parody)

    This is a good thing. Comcast gets to make money to recoup their expensive costs of providing service. Think about broadcast T.V. The commercials are there to fund all the programs as well as the cost of distribution to the broadcaster. The networks that the commercials fund must pay the broadcasters for those costs. Well, here the commercials are there to fund access. In cable T.V. you have to pay for the high cost of access but, on top of that, the commercials are necessary to fund all that expensive programming as well. At one time it may have been possible to provide cable T.V. without commercials but once everyone discovered they can make even more money by charging to watch commercials and there wasn't anything customers can do about it because they have a monopoly they started doing that. and it worked and that's a good thing because it's all about capitalism. What, you don't support capitalism?

    This spells more money for Comcast turning their service more into cable and broadcast T.V. which is a good thing. Everyone knows those are the business models I like to push for because it's more profitable. Competition is bad because then the poor access providers can't make a living. Just like with the taxi cab companies. Imagine if there was capitalism then the taxi cab companies would all be poor. So the government must ban competition to make sure that those who work hard can make a profit. Capitalism at work.

  • Mark Wing, 9 Sep 2014 @ 10:14am

    CFAA Violation?

    Wasn't this the kind of thing the CFAA was meant to address?
