Comcast Using Packet Injection To Push Its Own Ads Via WiFi, Apparently Oblivious To Security Concerns
from the because-it's-comcast dept
David Kravets, over at Ars Technica, has a good post detailing how Comcast is doing questionable packet injection to put its own javascript ads onto websites if you're surfing via Comcast's public WiFi access points. The practice was spotted by Ryan Singel, who saw the following "XFINITY WIFI: Peppy" ad scoot across his screen:A Comcast spokesman told Ars the program began months ago. One facet of it is designed to alert consumers that they are connected to Comcast's Xfinity service. Other ads remind Web surfers to download Xfinity apps, Comcast spokesman Charlie Douglas told Ars in telephone interviews.It's a courtesy to hijack the page a person asked for and insert something that no one asked for on it? I don't think so. There's a reason that packet injection is considered an attack and a security risk -- and it's got nothing to do with courtesy.
The advertisements may appear about every seven minutes or so, he said, and they last for just seconds before trailing away. Douglas said the advertising campaign only applies to Xfinity's publicly available Wi-Fi hot spots that dot the landscape. Comcast customers connected to their own Xfinity Wi-Fi routers when they're at home are not affected, he said.
"We think it's a courtesy, and it helps address some concerns that people might not be absolutely sure they're on a hotspot from Comcast," Douglas said.
Certainly, the website that Singel was browsing when he spotted it, Mediagzer, was not pleased about having its own site hijacked and defaced:
"Indeed, they were not ours," Gabe Rivera, who runs Mediagazer and Techmeme, said in an e-mail. In another e-mail, he said, "someone else is inserting them in a sneaky way."Kravets also talks to Robb Topolski, the guy who first provided the evidence to show that Comcast was throttling BitTorrent a while back, kicking off one of the first big net neutrality fights (which resulted in the FCC slapping Comcast's wrists). Topolski notes that what they're doing here is technically equivalent:
To Topolski, what Comcast is now doing is no different from before: Comcast is adding data into the broadband packet stream. In 2007, it was packets serving up disconnection commands. Today, Comcast is inserting JavaScript that is serving up advertisements, according to Topolski, who reviewed Singel's data.But, of course, to the big broadband players, the last few years have been all about them trying to make the internet much more like cable TV, where they get to act as the gatekeepers and have much more control. The ability to inject their own ads into various webpages is just another bonus.
"It's the duty of the service provider to pull packets without treating them or modifying them or injecting stuff or forging packets. None of that should be in the province of the service provider," he said. "Imagine every Web page with a Comcast bug in the lower righthand corner. It's the antithesis of what a service provider is supposed to do. We want Internet access, not another version of cable TV."
Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.
Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.
While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.
–The Techdirt Team
Filed Under: ads, broadband, isps, packet injection, security, wifi, xfinity
Companies: comcast
Reader Comments
Subscribe: RSS
View by: Time | Thread
[ link to this | view in chronology ]
Re:
here it is right here, PROOF POSITIVE that cable/media DO NOT give a shit about their PAYING CUSTOMERS: bugs on the screen...
could someone PLEASE tell me what groundswell of consumer outcry has made it so The Bastards! take up MY TEE VEE SCREEN with their incessant 'bugs', popup ads, bullshit little animations, etc, etc, etc, that often take up a quarter of the bottom of the screen, WHILE THE SHOW IS GOING ON...
oh, you mean there WASN'T a popular outcry to put MORE stupid fucking ad shit on MY SCREEN ? ? ? you mean they foist that shit on us because we don't have a fucking choice ? ? ?
'cause -like most people- i WANT their idiotic distracting shit on MY SCREEN RUINING MY VIEWING EXPERIENCE...
right ? ? ? grrrrrrr...
why do i bet that when/if media execs ever go out in public, they NEVER identify themselves as such, or they would be strung up by irate customers for the stupid, greedy shit they subject us to all the time...
oh, and to PROVE this has NOTHING to do with OUR benefit, WHEN would be the ONLY TIME these 'bugs' and shit would actually offer ANY benefit ? ? ? during commercials.. and when is the ONLY TIME you DON'T see bugs, etc ? during commercials...
QE fucking D, bitchez...
[ link to this | view in chronology ]
Re: Re:
[ link to this | view in chronology ]
[ link to this | view in chronology ]
[ link to this | view in chronology ]
Re:
How could use of a public hotspot count toward a data cap?
[ link to this | view in chronology ]
Re: Re:
[ link to this | view in chronology ]
Re: Re: Re:
[ link to this | view in chronology ]
[ link to this | view in chronology ]
Response to: SpaceLifeForm on Sep 8th, 2014 @ 12:29pm
mispost. Does this mean that Comcast is an official beta tester for the NSA?
[ link to this | view in chronology ]
Hey that looks familiar...
It's the Microsoft defense: "It's not a bug. It's a feature."
[ link to this | view in chronology ]
Re: Hey that looks familiar...
Hit Comcast in their wallets, and whoever thought this was a good idea in jail for reckless endangerment.
[ link to this | view in chronology ]
Re: Hey that looks familiar...
This reminded me that this occurred over ten years ago. Also of note is that this incident is currently under the "Criticism" section of their Wikipedia entry.
[ link to this | view in chronology ]
They have a real talent
So, once again they insult everyone by saying their unsavory practices are for the customer's benefit or even a "courtesy". These same people would probably, after punching you in the face, explain how it was a "courtesy" because it helps you to find out how quickly you can heal.
[ link to this | view in chronology ]
Re: They have a real talent
Should the fist used to strike your face be damaged, any medical bills will be included on your next bill.
[ link to this | view in chronology ]
How to Connect
Using your Wi-Fi-enabled device, connect to the XFINITY WiFi network (network name: xfinitywifi) and launch your browser.
The browser will redirect you to the XFINITY WiFi sign-in page. If you don't see the sign-in page, enter a different URL, like http://xfinity.comcast.net/, in your browser to be redirected to our sign-in page.
Sign in using your Comcast.net email address or Comcast ID and password, then start browsing the Web!
People are really mistaking not having done that?
[ link to this | view in chronology ]
CaptivePortal?
So, like usual, the big-cable ISPs have no understanding of social conventions and the technology.
[ link to this | view in chronology ]
Re: CaptivePortal?
[ link to this | view in chronology ]
Re: Re: CaptivePortal?
So, in other words, don't fix the problem by logging users off after a predefined period of time, but instead open the user up to security issues and difficulties instead.
Of course, they probably have no encryption being used on their points either, so it seems that there really could be a case where an attacker might not know what network they are on, so Comcast is just being really helpful for the attackers out there that might not know what network their victims are connected to.
[ link to this | view in chronology ]
Re: Re: Re: CaptivePortal?
Once I got service again it took a day before I noticed that my portable devices weren't connecting to my own WiFi, but to Comcast's (a neighbor apparently uses Comcast's WiFi boxes). I never saw that injection, though, probably because I disable Javascript everywhere.
[ link to this | view in chronology ]
In telecommunications there is a word for this
[ link to this | view in chronology ]
Re: In telecommunications there is a word for this
Only if someone is being defrauded. Seems like a stretch here.
[ link to this | view in chronology ]
[ link to this | view in chronology ]
Re:
[ link to this | view in chronology ]
Re: Re:
[ link to this | view in chronology ]
Re: Re:
http://en.wikipedia.org/wiki/Man-in-the-middle_attack
[ link to this | view in chronology ]
Re: Re: Re:
[ link to this | view in chronology ]
Re: Re:
I've downloaded spyware before written by malware companies that were signed whose signature was verified by windows before I ran it. So just because you identified who sent you something doesn't necessarily mean the entity sending it is trustworthy.
[ link to this | view in chronology ]
Hopefully they include on their phone service soon
[ link to this | view in chronology ]
Re: Hopefully they include on their phone service soon
[ link to this | view in chronology ]
[ link to this | view in chronology ]
Peppy....?
[ link to this | view in chronology ]
That symbol? *shrug* It just indicates that you're connected to the net. I wouldn't worry about it.
[ link to this | view in chronology ]
[ link to this | view in chronology ]
[ link to this | view in chronology ]
Re:
[ link to this | view in chronology ]
[ link to this | view in chronology ]
Re:
Let's not further the myth that creative output is property. The web site in question is just fine, and hasn't been altered at all. You can verify this by going there and observing that there isn't a Comcast ad on it.
[ link to this | view in chronology ]
Re: Re:
Personally I still call it defacement.
[ link to this | view in chronology ]
Re: Re: Re:
No, it really isn't like that. I don't think there's any real need to bring in physical world analogies. It's better to just understand what is actually happening in this case. Comcast's actions were terrible; we don't need to pretend they broke into someone's web site and changed it to make it seem bad.
[ link to this | view in chronology ]
Re: Re: Re: Re:
This reminds me why we needed all that anti-framing legalese from the portal era, but in a more twisted way.
[ link to this | view in chronology ]
Re: Re: Re: Re: Re:
Well first, I disagree, I think it is relevant. But more importantly, my real point is that Comcast didn't do anything to anybody's property. They interfered with someone's service. There's a difference.
[ link to this | view in chronology ]
Re: Re: Re: Re: Re: Re:
Comcast is spraypainting the car window of the person looking at the building. People in other cars are fine, the building is fine, it's just the poor sap with a spray-painted car that's unhappy.
Obviously pedestrians are unable to see the building, but that's their own fault for walking through an imperfect analogy!
[ link to this | view in chronology ]
[ link to this | view in chronology ]
Money
[ link to this | view in chronology ]
"sneaky" advertising
[ link to this | view in chronology ]
Re: "sneaky" advertising
Yeah, but the very sneakiest motherf*ckers are the ones you never see at all.
http://www.theonion.com/video/ninja-parade-slips-through-town-unnoticed-once-aga,14181/
[ link to this | view in chronology ]
If you took the Washington Post and substituted your own ads, you would be quickly sued into oblivion. This situation is no different, just adding "on the internet".
[ link to this | view in chronology ]
Re:
[ link to this | view in chronology ]
This can break things
Just yesterday I used a program which self-updates over HTTP (it checks a signature on the downloaded files, so it's safe). If an ad injector had modified the HTTP response, the updater would have gotten terminally confused.
And even for the web, this can break things. Javascript uses a global namespace (the "window" object). Depending on how the page's own Javascript is coded, it can conflict with the injected ad. And there's also the page structure; the only way the ad can show is by adding elements to the DOM, and if the page's normal Javascript did not expect that element (for instance, a normally empty page which is completely populated via Javascript), it could break.
When will people learn? The Internet is end-to-end; middleboxes have NO business modifying anything!
[ link to this | view in chronology ]
[ link to this | view in chronology ]
If you want to stop those ads, put adblock on your computer.
[ link to this | view in chronology ]
That could also explain why I have not seen those ads. Logging on to my VPN encrypts the connection, so Comcast cannot see the web pages I go to.
[ link to this | view in chronology ]
While everyone else thinks it is majorly fucked up and didn't give a shit about whose hotspot they connect to - until now.
[ link to this | view in chronology ]
(parody
This spells more money for Comcast turning their service more into cable and broadcast T.V. which is a good thing. Everyone knows those are the business models I like to push for because it's more profitable. Competition is bad because then the poor access providers can't make a living. Just like with the taxi cab companies. Imagine if there was capitalism then the taxi cab companies would all be poor. So the government must ban competition to make sure that those who work hard can make a profit. Capitalism at work.
[ link to this | view in chronology ]
CFAA Violation?
[ link to this | view in chronology ]