Comcast Using Packet Injection To Push Its Own Ads Via WiFi, Apparently Oblivious To Security Concerns
from the because-it's-comcast dept
David Kravets, over at Ars Technica, has a good post detailing how Comcast is doing questionable packet injection to put its own javascript ads onto websites if you’re surfing via Comcast’s public WiFi access points. The practice was spotted by Ryan Singel, who saw the following “XFINITY WIFI: Peppy” ad scoot across his screen:
A Comcast spokesman told Ars the program began months ago. One facet of it is designed to alert consumers that they are connected to Comcast’s Xfinity service. Other ads remind Web surfers to download Xfinity apps, Comcast spokesman Charlie Douglas told Ars in telephone interviews.
The advertisements may appear about every seven minutes or so, he said, and they last for just seconds before trailing away. Douglas said the advertising campaign only applies to Xfinity’s publicly available Wi-Fi hot spots that dot the landscape. Comcast customers connected to their own Xfinity Wi-Fi routers when they’re at home are not affected, he said.
“We think it’s a courtesy, and it helps address some concerns that people might not be absolutely sure they’re on a hotspot from Comcast,” Douglas said.
It’s a courtesy to hijack the page a person asked for and insert something that no one asked for on it? I don’t think so. There’s a reason that packet injection is considered an attack and a security risk — and it’s got nothing to do with courtesy.
Certainly, the website that Singel was browsing when he spotted it, Mediagzer, was not pleased about having its own site hijacked and defaced:
“Indeed, they were not ours,” Gabe Rivera, who runs Mediagazer and Techmeme, said in an e-mail. In another e-mail, he said, “someone else is inserting them in a sneaky way.”
Kravets also talks to Robb Topolski, the guy who first provided the evidence to show that Comcast was throttling BitTorrent a while back, kicking off one of the first big net neutrality fights (which resulted in the FCC slapping Comcast’s wrists). Topolski notes that what they’re doing here is technically equivalent:
To Topolski, what Comcast is now doing is no different from before: Comcast is adding data into the broadband packet stream. In 2007, it was packets serving up disconnection commands. Today, Comcast is inserting JavaScript that is serving up advertisements, according to Topolski, who reviewed Singel’s data.
“It’s the duty of the service provider to pull packets without treating them or modifying them or injecting stuff or forging packets. None of that should be in the province of the service provider,” he said. “Imagine every Web page with a Comcast bug in the lower righthand corner. It’s the antithesis of what a service provider is supposed to do. We want Internet access, not another version of cable TV.”
But, of course, to the big broadband players, the last few years have been all about them trying to make the internet much more like cable TV, where they get to act as the gatekeepers and have much more control. The ability to inject their own ads into various webpages is just another bonus.
Filed Under: ads, broadband, isps, packet injection, security, wifi, xfinity
Companies: comcast
Comments on “Comcast Using Packet Injection To Push Its Own Ads Via WiFi, Apparently Oblivious To Security Concerns”
Honestly, I have nothing left to respond to stories of shitty behavior by Comcast except to continually mutter to myself an invitation for that company to dine of a cornucopia of rotting dicks while playing a rousing game of “Hide-and-go-fuck-yourself.”
Re: Re:
(parasitizing off your post)
here it is right here, PROOF POSITIVE that cable/media DO NOT give a shit about their PAYING CUSTOMERS: bugs on the screen…
could someone PLEASE tell me what groundswell of consumer outcry has made it so The Bastards! take up MY TEE VEE SCREEN with their incessant ‘bugs’, popup ads, bullshit little animations, etc, etc, etc, that often take up a quarter of the bottom of the screen, WHILE THE SHOW IS GOING ON…
oh, you mean there WASN’T a popular outcry to put MORE stupid fucking ad shit on MY SCREEN ? ? ? you mean they foist that shit on us because we don’t have a fucking choice ? ? ?
’cause -like most people- i WANT their idiotic distracting shit on MY SCREEN RUINING MY VIEWING EXPERIENCE…
right ? ? ? grrrrrrr…
why do i bet that when/if media execs ever go out in public, they NEVER identify themselves as such, or they would be strung up by irate customers for the stupid, greedy shit they subject us to all the time…
oh, and to PROVE this has NOTHING to do with OUR benefit, WHEN would be the ONLY TIME these ‘bugs’ and shit would actually offer ANY benefit ? ? ? during commercials.. and when is the ONLY TIME you DON’T see bugs, etc ? during commercials…
QE fucking D, bitchez…
Re: Re: Re:
(Late to party) Not to mention sucking up a tenth or so of my Internet bandwidth, and slowing down my web-browser by a quarter (at least).
Someone should sue them for copyright infringement, they are creating derivative works from websites. That is what they are trying to do to companies whose technologies remove adds from their TV programs.
I don’t use Comcast hotspots, but if their usage counts toward any data caps, I would think that injecting additional data could be a huge problem for them.
Re: Re:
I don’t use Comcast hotspots, but if their usage counts toward any data caps, I would think that injecting additional data could be a huge problem for them.
How could use of a public hotspot count toward a data cap?
Re: Re: Re:
Never mind, I misunderstood the program. Looks like it’s not public, but a hotspot for Comcast customers only.
Re: Re: Re: Re:
You can use them (for free) even if you don’t have a Comcast account, but you’re limited in the total amount of time — I think it’s a couple of hours a week.
SpaceLifeForm
Re: Response to: SpaceLifeForm on Sep 8th, 2014 @ 12:29pm
Apologies for the
mispost. Does this mean that Comcast is an official beta tester for the NSA?
Hey that looks familiar...
“We think it’s a courtesy, and it helps address some concerns that people might not be absolutely sure they’re on a hotspot from Comcast,” Douglas said.
It’s the Microsoft defense: “It’s not a bug. It’s a feature.”
Re: Hey that looks familiar...
So sure. Let them do this, then organise a class-action lawsuit for ‘potential loss of property.’ Or something.
Hit Comcast in their wallets, and whoever thought this was a good idea in jail for reckless endangerment.
Re: Hey that looks familiar...
Not only that, Belkin was caught doing that through their router.
This reminded me that this occurred over ten years ago. Also of note is that this incident is currently under the “Criticism” section of their Wikipedia entry.
They have a real talent
So, once again they insult everyone by saying their unsavory practices are for the customer’s benefit or even a “courtesy”. These same people would probably, after punching you in the face, explain how it was a “courtesy” because it helps you to find out how quickly you can heal.
Re: They have a real talent
Terms of Use Page 53 Sub-Section 12a:
Should the fist used to strike your face be damaged, any medical bills will be included on your next bill.
How to Connect
Using your Wi-Fi-enabled device, connect to the XFINITY WiFi network (network name: xfinitywifi) and launch your browser.
The browser will redirect you to the XFINITY WiFi sign-in page. If you don’t see the sign-in page, enter a different URL, like http://xfinity.comcast.net/, in your browser to be redirected to our sign-in page.
Sign in using your Comcast.net email address or Comcast ID and password, then start browsing the Web!
People are really mistaking not having done that?
CaptivePortal?
Isn’t this whole courtesy thing exactly what a CaptivePortal is supposed to provide? CaptivePortals are well understood by consumers in the free-wifi field, and most users understand that when they connect to a wifi access point, they may initially see a captive portal. Once they clear it, they know who they are connected to and there isn’t any further need for courtesy (at least until they connect again.)
So, like usual, the big-cable ISPs have no understanding of social conventions and the technology.
Re: CaptivePortal?
The courtesy thing is a joke, of course, but the way they do their captive portal arguably makes it less obvious than others. Once you’ve signed in through the captive portal, you don’t every have to do it again from that device, even if you use a different Comcast hotspot. If you’ve done this from your portable device, and you have the device configured to automatically connect to Comcast’s hotspot, then you could travel across town (or to a different town) and be connected to Comcast without realizing it.
Re: Re: CaptivePortal?
Once you’ve signed in through the captive portal, you don’t every have to do it again from that device, even if you use a different Comcast hotspot.
So, in other words, don’t fix the problem by logging users off after a predefined period of time, but instead open the user up to security issues and difficulties instead.
Of course, they probably have no encryption being used on their points either, so it seems that there really could be a case where an attacker might not know what network they are on, so Comcast is just being really helpful for the attackers out there that might not know what network their victims are connected to.
Re: Re: Re: CaptivePortal?
Yep. I can see why the design decision was made (convenience), but it took me by surprise when I discovered it. I was moving, and had a week of no internet service at all while the service was being transferred to my new place. In the meantime, I used the Comcast hotpots for my essential internet activities.
Once I got service again it took a day before I noticed that my portable devices weren’t connecting to my own WiFi, but to Comcast’s (a neighbor apparently uses Comcast’s WiFi boxes). I never saw that injection, though, probably because I disable Javascript everywhere.
In telecommunications there is a word for this
3rd party Intercepting and reconfiguring of communications would be called “wire fraud”
Re: In telecommunications there is a word for this
3rd party Intercepting and reconfiguring of communications would be called “wire fraud”
Only if someone is being defrauded. Seems like a stretch here.
I presume that access sites using only https would block this, right?
Re: Re:
Not everything is encrypted on https sites. They could still stick a banner ad onto the page.
Re: Re: Re:
That doesn’t matter. In order for a JavaScript function to be executed it or a link to it would have to be inserted into the page code which would require the page to be decoded first. Second, if non-encrypted http content appears on a page that was initially requested via https, those are separate requests that are executed from the initial code from the https request. Third when http requests for content appear on a page initially requested via https most browsers will display a browser warning that alerts the user that the some information is not secure.
Re: Re: Re:
The only way that could possibly happen on https pages is if the data was diverted, decrypted, altered, then re-encrypted before being passed back on to the user. This is essentially a Man in the Middle attack.
http://en.wikipedia.org/wiki/Man-in-the-middle_attack
Re: Re: Re: Re:
That’s what I was thinking. So the only way they could do that is if you had to accept Comcast as a CA before using xfinity then they could generate certs on the fly.
Re: Re: Re:
If you see that little lock on your (presumably uncompromised and hopefully well behaved) browser then that means everything on the site is encrypted and the keys being used are, according to a ‘trusted’ third party, valid (well, different browsers may have different ways of indicating this and hopefully your browser isn’t ambiguous about what it’s telling you) and the information is from the signed sources. Now this isn’t to say that just because something is from a signed source means it’s necessarily safe and free of nefarious intent. A website can have all sorts of signed content from different locations (ie: some content from the target website and some ads from a third party website). Just that, at least, to some degree, you can track back who sent the information and a ‘trusted’ third party hopefully at least did some preliminary work to be able to identify the signer before just granting them keys.
I’ve downloaded spyware before written by malware companies that were signed whose signature was verified by windows before I ran it. So just because you identified who sent you something doesn’t necessarily mean the entity sending it is trustworthy.
Hopefully they include on their phone service soon
I hope they start doing something similar on their phone service to ensure consumers are aware they are using a comcast provided phone service in their home. Every 7 minutes: “You are currently using a comcast connected phone”
Re: Hopefully they include on their phone service soon
And the message is spoken in the voice of the loved one you’re conversing with. For convenience.
since when has Comcast (or any other major business!) given a shit about anything other than their own agenda?
Peppy....?
“Peppy” is a weasel-word from the automotive industry used to gloss over a lack of speed. Any cheap little subcompact car – with a tiny subcompact engine – inevitably has its engine or performance described as “peppy.”
Imagine every Web page with a Comcast bug in the lower righthand corner.
That symbol? *shrug* It just indicates that you’re connected to the net. I wouldn’t worry about it.
Wonder if they’ll roll that delightful courtesy out to all their regular internet customers after they’re done testing it on a small subset? Maybe they’re aiming to have it ready to go by the time the Time Warner merger is done, so all the current Roadrunner customers can get their lovely packet injections as well.
i havnt seen an ad in years and years. i use adblock. there is also another ad-on that helps you hide the ads that make it past that.
Re: Re:
The issue really isn’t about whether you see ads or not so much as what they are doing to display the adds. They are essentially changing the content requested, inserting executable code to display an add on content requested from third party sites.
It is not just hijacking a page, it’s defacing other’s property. Websites are not beholden to Comcast. Comcast has no right to display any kind of advertisement over a website that they do not own.
Re: Re:
It is not just hijacking a page, it’s defacing other’s property.
Let’s not further the myth that creative output is property. The web site in question is just fine, and hasn’t been altered at all. You can verify this by going there and observing that there isn’t a Comcast ad on it.
Re: Re: Re:
In the same sense when a tagger spray-paints something on the wall of your building, your wall hasn’t been altered at all. You can verify this by sandblasting off his paint and observing that your original paint – and wall – are still there.
Personally I still call it defacement.
Re: Re: Re: Re:
In the same sense when a tagger spray-paints something on the wall of your building, your wall hasn’t been altered at all.
No, it really isn’t like that. I don’t think there’s any real need to bring in physical world analogies. It’s better to just understand what is actually happening in this case. Comcast’s actions were terrible; we don’t need to pretend they broke into someone’s web site and changed it to make it seem bad.
Re: Re: Re:2 Re:
Defacement means changing the look of a website. Whether you do it by breaking into a server, or altering the packets it sends its users, is irrelevant.
This reminds me why we needed all that anti-framing legalese from the portal era, but in a more twisted way.
Re: Re: Re:3 Re:
Defacement means changing the look of a website. Whether you do it by breaking into a server, or altering the packets it sends its users, is irrelevant.
Well first, I disagree, I think it is relevant. But more importantly, my real point is that Comcast didn’t do anything to anybody’s property. They interfered with someone’s service. There’s a difference.
Re: Re: Re:4 Re:
Better physical analogy?
Comcast is spraypainting the car window of the person looking at the building. People in other cars are fine, the building is fine, it’s just the poor sap with a spray-painted car that’s unhappy.
Obviously pedestrians are unable to see the building, but that’s their own fault for walking through an imperfect analogy!
The courtesy is in letting people know that they’re vulnerable to surveillance and packet injection (but apparently only after they’ve sent their Comcast password over the connection).
Money
Think how much money they could make if they just used this technique to change the ad code on web pages to their ad code? Google AdSense? With the amount of traffic Comcast users generate an unscrupulous technician could replace the AdSense ID with their own via this hack and make millions an hour.
"sneaky" advertising
Comcast is pretty good at “sneaky”. They are some of the sneakiest mother f*ckers I have ever seen.
Re: "sneaky" advertising
They are some of the sneakiest mother fckers I have ever seen.
Yeah, but the very sneakiest motherfckers are the ones you never see at all.
http://www.theonion.com/video/ninja-parade-slips-through-town-unnoticed-once-aga,14181/
I’m not certain why this isn’t considered copyright infringement.
If you took the Washington Post and substituted your own ads, you would be quickly sued into oblivion. This situation is no different, just adding “on the internet”.
Re: Re:
I’m not sure how it could be considered copyright infringement. Whose copyright was infringed? Where is the unauthorized copy?
This can break things
Not all HTTP is “the web”.
Just yesterday I used a program which self-updates over HTTP (it checks a signature on the downloaded files, so it’s safe). If an ad injector had modified the HTTP response, the updater would have gotten terminally confused.
And even for the web, this can break things. Javascript uses a global namespace (the “window” object). Depending on how the page’s own Javascript is coded, it can conflict with the injected ad. And there’s also the page structure; the only way the ad can show is by adding elements to the DOM, and if the page’s normal Javascript did not expect that element (for instance, a normally empty page which is completely populated via Javascript), it could break.
When will people learn? The Internet is end-to-end; middleboxes have NO business modifying anything!
Shades of Rodgers Cable, oh how thou haunt us.
I have never seen those ads on Comcast WiFi. It could be because I am using AdBlock.
If you want to stop those ads, put adblock on your computer.
You could also connect to VPN. I connect to my own private VPN, when using Comcast, or any other Wifi, so my activity cannot be monitored.
That could also explain why I have not seen those ads. Logging on to my VPN encrypts the connection, so Comcast cannot see the web pages I go to.
“We think it’s a courtesy, and it helps address some concerns that people might not be absolutely sure they’re on a hotspot from Comcast,” Douglas said.
While everyone else thinks it is majorly fucked up and didn’t give a shit about whose hotspot they connect to – until now.
(parody
This is a good thing. Comcast gets to make money to recoup their expensive costs of providing service. Think about broadcast T.V. The commercials are there to fund all the programs as well as the cost of distribution to the broadcaster. The networks that the commercials fund must pay the broadcasters for those costs. Well, here the commercials are there to fund access. In cable T.V. you have to pay for the high cost of access but, on top of that, the commercials are necessary to fund all that expensive programming as well. At one time it may have been possible to provide cable T.V. without commercials but once everyone discovered they can make even more money by charging to watch commercials and there wasn’t anything customers can do about it because they have a monopoly they started doing that. and it worked and that’s a good thing because it’s all about capitalism. What, you don’t support capitalism?
This spells more money for Comcast turning their service more into cable and broadcast T.V. which is a good thing. Everyone knows those are the business models I like to push for because it’s more profitable. Competition is bad because then the poor access providers can’t make a living. Just like with the taxi cab companies. Imagine if there was capitalism then the taxi cab companies would all be poor. So the government must ban competition to make sure that those who work hard can make a profit. Capitalism at work.
CFAA Violation?
Wasn’t this the kind of thing the CFAA was meant to address?