Comcast Using Packet Injection To Push Its Own Ads Via WiFi, Apparently Oblivious To Security Concerns

from the because-it's-comcast dept

Mon, Sep 8th 2014 12:20pm — Mike Masnick

David Kravets, over at Ars Technica, has a good post detailing how Comcast is doing questionable packet injection to put its own javascript ads onto websites if you're surfing via Comcast's public WiFi access points. The practice was spotted by Ryan Singel, who saw the following "XFINITY WIFI: Peppy" ad scoot across his screen:

Comcast, in typical Comcast fashion, appears to be totally and completely oblivious as to why this could possibly be seen as a problem:

A Comcast spokesman told Ars the program began months ago. One facet of it is designed to alert consumers that they are connected to Comcast's Xfinity service. Other ads remind Web surfers to download Xfinity apps, Comcast spokesman Charlie Douglas told Ars in telephone interviews.

The advertisements may appear about every seven minutes or so, he said, and they last for just seconds before trailing away. Douglas said the advertising campaign only applies to Xfinity's publicly available Wi-Fi hot spots that dot the landscape. Comcast customers connected to their own Xfinity Wi-Fi routers when they're at home are not affected, he said.

"We think it's a courtesy, and it helps address some concerns that people might not be absolutely sure they're on a hotspot from Comcast," Douglas said.

It's a courtesy to hijack the page a person asked for and insert something that no one asked for on it? I don't think so. There's a reason that packet injection is considered an attack and a security risk -- and it's got nothing to do with courtesy.

Certainly, the website that Singel was browsing when he spotted it, Mediagzer, was not pleased about having its own site hijacked and defaced:

"Indeed, they were not ours," Gabe Rivera, who runs Mediagazer and Techmeme, said in an e-mail. In another e-mail, he said, "someone else is inserting them in a sneaky way."

Kravets also talks to Robb Topolski, the guy who first provided the evidence to show that Comcast was throttling BitTorrent a while back, kicking off one of the first big net neutrality fights (which resulted in the FCC slapping Comcast's wrists). Topolski notes that what they're doing here is technically equivalent:

To Topolski, what Comcast is now doing is no different from before: Comcast is adding data into the broadband packet stream. In 2007, it was packets serving up disconnection commands. Today, Comcast is inserting JavaScript that is serving up advertisements, according to Topolski, who reviewed Singel's data.

"It's the duty of the service provider to pull packets without treating them or modifying them or injecting stuff or forging packets. None of that should be in the province of the service provider," he said. "Imagine every Web page with a Comcast bug in the lower righthand corner. It's the antithesis of what a service provider is supposed to do. We want Internet access, not another version of cable TV."

But, of course, to the big broadband players, the last few years have been all about them trying to make the internet much more like cable TV, where they get to act as the gatekeepers and have much more control. The ability to inject their own ads into various webpages is just another bonus.

Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.

Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.

While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.

–The Techdirt Team

Filed Under: ads, broadband, isps, packet injection, security, wifi, xfinity
Companies: comcast

56 Comments

If you liked this post, you may also be interested in...

Reader Comments

Subscribe: RSS

View by: Time | Thread

Anonymous Coward, 8 Sep 2014 @ 12:26pm

Honestly, I have nothing left to respond to stories of shitty behavior by Comcast except to continually mutter to myself an invitation for that company to dine of a cornucopia of rotting dicks while playing a rousing game of "Hide-and-go-fuck-yourself."
[ link to this | view in chronology ]
- art guerrilla (profile), 9 Sep 2014 @ 6:32am
  
  Re:
  (parasitizing off your post)
  
  here it is right here, PROOF POSITIVE that cable/media DO NOT give a shit about their PAYING CUSTOMERS: bugs on the screen...
  
  could someone PLEASE tell me what groundswell of consumer outcry has made it so The Bastards! take up MY TEE VEE SCREEN with their incessant 'bugs', popup ads, bullshit little animations, etc, etc, etc, that often take up a quarter of the bottom of the screen, WHILE THE SHOW IS GOING ON...
  
  oh, you mean there WASN'T a popular outcry to put MORE stupid fucking ad shit on MY SCREEN ? ? ? you mean they foist that shit on us because we don't have a fucking choice ? ? ?
  
  'cause -like most people- i WANT their idiotic distracting shit on MY SCREEN RUINING MY VIEWING EXPERIENCE...
  right ? ? ? grrrrrrr...
  
  why do i bet that when/if media execs ever go out in public, they NEVER identify themselves as such, or they would be strung up by irate customers for the stupid, greedy shit they subject us to all the time...
  
  oh, and to PROVE this has NOTHING to do with OUR benefit, WHEN would be the ONLY TIME these 'bugs' and shit would actually offer ANY benefit ? ? ? during commercials.. and when is the ONLY TIME you DON'T see bugs, etc ? during commercials...
  QE fucking D, bitchez...
  [ link to this | view in chronology ]
  - FloxenTurtle (profile), 12 Dec 2017 @ 9:16am
    
    Re: Re:
    (Late to party) Not to mention sucking up a tenth or so of my Internet bandwidth, and slowing down my web-browser by a quarter (at least).
    [ link to this | view in chronology ]
Anonymous Coward, 8 Sep 2014 @ 12:27pm

Someone should sue them for copyright infringement, they are creating derivative works from websites. That is what they are trying to do to companies whose technologies remove adds from their TV programs.
[ link to this | view in chronology ]
Michael, 8 Sep 2014 @ 12:28pm

I don't use Comcast hotspots, but if their usage counts toward any data caps, I would think that injecting additional data could be a huge problem for them.
[ link to this | view in chronology ]
- nasch (profile), 8 Sep 2014 @ 2:51pm
  
  Re:
  I don't use Comcast hotspots, but if their usage counts toward any data caps, I would think that injecting additional data could be a huge problem for them.
  
  How could use of a public hotspot count toward a data cap?
  [ link to this | view in chronology ]
  - nasch (profile), 8 Sep 2014 @ 2:53pm
    
    Re: Re:
    Never mind, I misunderstood the program. Looks like it's not public, but a hotspot for Comcast customers only.
    [ link to this | view in chronology ]
    - John Fenderson (profile), 8 Sep 2014 @ 3:02pm
      
      Re: Re: Re:
      You can use them (for free) even if you don't have a Comcast account, but you're limited in the total amount of time -- I think it's a couple of hours a week.
      [ link to this | view in chronology ]
SpaceLifeForm, 8 Sep 2014 @ 12:29pm

SpaceLifeForm
[ link to this | view in chronology ]
- SpaceLifeForm, 8 Sep 2014 @ 12:33pm
  
  Response to: SpaceLifeForm on Sep 8th, 2014 @ 12:29pm
  Apologies for the
  mispost. Does this mean that Comcast is an official beta tester for the NSA?
  [ link to this | view in chronology ]
Anonymous Coward, 8 Sep 2014 @ 12:36pm

Hey that looks familiar...
"We think it's a courtesy, and it helps address some concerns that people might not be absolutely sure they're on a hotspot from Comcast," Douglas said.

It's the Microsoft defense: "It's not a bug. It's a feature."
[ link to this | view in chronology ]
- Anonymous Coward, 8 Sep 2014 @ 12:38pm
  
  Re: Hey that looks familiar...
  So sure. Let them do this, then organise a class-action lawsuit for 'potential loss of property.' Or something.
  
  Hit Comcast in their wallets, and whoever thought this was a good idea in jail for reckless endangerment.
  [ link to this | view in chronology ]
- Anonymous Coward, 8 Sep 2014 @ 2:15pm
  
  Re: Hey that looks familiar...
  Not only that, Belkin was caught doing that through their router.
  
  This reminded me that this occurred over ten years ago. Also of note is that this incident is currently under the "Criticism" section of their Wikipedia entry.
  [ link to this | view in chronology ]
John Fenderson (profile), 8 Sep 2014 @ 12:38pm

They have a real talent
"We think it's a courtesy, and it helps address some concerns that people might not be absolutely sure they're on a hotspot from Comcast," Douglas said.

So, once again they insult everyone by saying their unsavory practices are for the customer's benefit or even a "courtesy". These same people would probably, after punching you in the face, explain how it was a "courtesy" because it helps you to find out how quickly you can heal.
[ link to this | view in chronology ]
- Michael, 8 Sep 2014 @ 12:42pm
  
  Re: They have a real talent
  Terms of Use Page 53 Sub-Section 12a:
  
  Should the fist used to strike your face be damaged, any medical bills will be included on your next bill.
  [ link to this | view in chronology ]
Michael, 8 Sep 2014 @ 12:40pm

How to Connect
Using your Wi-Fi-enabled device, connect to the XFINITY WiFi network (network name: xfinitywifi) and launch your browser.
The browser will redirect you to the XFINITY WiFi sign-in page. If you don't see the sign-in page, enter a different URL, like http://xfinity.comcast.net/, in your browser to be redirected to our sign-in page.
Sign in using your Comcast.net email address or Comcast ID and password, then start browsing the Web!

People are really mistaking not having done that?
[ link to this | view in chronology ]
ltlw0lf (profile), 8 Sep 2014 @ 12:42pm

CaptivePortal?
Isn't this whole courtesy thing exactly what a CaptivePortal is supposed to provide? CaptivePortals are well understood by consumers in the free-wifi field, and most users understand that when they connect to a wifi access point, they may initially see a captive portal. Once they clear it, they know who they are connected to and there isn't any further need for courtesy (at least until they connect again.)

So, like usual, the big-cable ISPs have no understanding of social conventions and the technology.
[ link to this | view in chronology ]
- John Fenderson (profile), 8 Sep 2014 @ 1:09pm
  
  Re: CaptivePortal?
  The courtesy thing is a joke, of course, but the way they do their captive portal arguably makes it less obvious than others. Once you've signed in through the captive portal, you don't every have to do it again from that device, even if you use a different Comcast hotspot. If you've done this from your portable device, and you have the device configured to automatically connect to Comcast's hotspot, then you could travel across town (or to a different town) and be connected to Comcast without realizing it.
  [ link to this | view in chronology ]
  - ltlw0lf (profile), 8 Sep 2014 @ 1:55pm
    
    Re: Re: CaptivePortal?
    Once you've signed in through the captive portal, you don't every have to do it again from that device, even if you use a different Comcast hotspot.
    
    So, in other words, don't fix the problem by logging users off after a predefined period of time, but instead open the user up to security issues and difficulties instead.
    
    Of course, they probably have no encryption being used on their points either, so it seems that there really could be a case where an attacker might not know what network they are on, so Comcast is just being really helpful for the attackers out there that might not know what network their victims are connected to.
    [ link to this | view in chronology ]
    - John Fenderson (profile), 8 Sep 2014 @ 2:47pm
      
      Re: Re: Re: CaptivePortal?
      Yep. I can see why the design decision was made (convenience), but it took me by surprise when I discovered it. I was moving, and had a week of no internet service at all while the service was being transferred to my new place. In the meantime, I used the Comcast hotpots for my essential internet activities.
      
      Once I got service again it took a day before I noticed that my portable devices weren't connecting to my own WiFi, but to Comcast's (a neighbor apparently uses Comcast's WiFi boxes). I never saw that injection, though, probably because I disable Javascript everywhere.
      [ link to this | view in chronology ]
Anonymous Coward, 8 Sep 2014 @ 12:45pm

In telecommunications there is a word for this
3rd party Intercepting and reconfiguring of communications would be called "wire fraud"
[ link to this | view in chronology ]
- nasch (profile), 8 Sep 2014 @ 2:56pm
  
  Re: In telecommunications there is a word for this
  3rd party Intercepting and reconfiguring of communications would be called "wire fraud"
  
  Only if someone is being defrauded. Seems like a stretch here.
  [ link to this | view in chronology ]
Anonymous Coward, 8 Sep 2014 @ 12:56pm

I presume that access sites using only https would block this, right?
[ link to this | view in chronology ]
- Anonymous Coward, 8 Sep 2014 @ 1:04pm
  
  Re:
  Not everything is encrypted on https sites. They could still stick a banner ad onto the page.
  [ link to this | view in chronology ]
  - Anonymous Coward, 8 Sep 2014 @ 1:32pm
    
    Re: Re:
    That doesn't matter. In order for a JavaScript function to be executed it or a link to it would have to be inserted into the page code which would require the page to be decoded first. Second, if non-encrypted http content appears on a page that was initially requested via https, those are separate requests that are executed from the initial code from the https request. Third when http requests for content appear on a page initially requested via https most browsers will display a browser warning that alerts the user that the some information is not secure.
    [ link to this | view in chronology ]
  - Anonymous Coward, 8 Sep 2014 @ 1:37pm
    
    Re: Re:
    The only way that could possibly happen on https pages is if the data was diverted, decrypted, altered, then re-encrypted before being passed back on to the user. This is essentially a Man in the Middle attack.
    
    http://en.wikipedia.org/wiki/Man-in-the-middle_attack
    [ link to this | view in chronology ]
    - Anonymous Coward, 8 Sep 2014 @ 1:58pm
      
      Re: Re: Re:
      That's what I was thinking. So the only way they could do that is if you had to accept Comcast as a CA before using xfinity then they could generate certs on the fly.
      [ link to this | view in chronology ]
  - Anonymous Coward, 9 Sep 2014 @ 8:58am
    
    Re: Re:
    If you see that little lock on your (presumably uncompromised and hopefully well behaved) browser then that means everything on the site is encrypted and the keys being used are, according to a 'trusted' third party, valid (well, different browsers may have different ways of indicating this and hopefully your browser isn't ambiguous about what it's telling you) and the information is from the signed sources. Now this isn't to say that just because something is from a signed source means it's necessarily safe and free of nefarious intent. A website can have all sorts of signed content from different locations (ie: some content from the target website and some ads from a third party website). Just that, at least, to some degree, you can track back who sent the information and a 'trusted' third party hopefully at least did some preliminary work to be able to identify the signer before just granting them keys.
    
    I've downloaded spyware before written by malware companies that were signed whose signature was verified by windows before I ran it. So just because you identified who sent you something doesn't necessarily mean the entity sending it is trustworthy.
    [ link to this | view in chronology ]
Eric, 8 Sep 2014 @ 1:02pm

Hopefully they include on their phone service soon
I hope they start doing something similar on their phone service to ensure consumers are aware they are using a comcast provided phone service in their home. Every 7 minutes: "You are currently using a comcast connected phone"
[ link to this | view in chronology ]
- Jeremy Lyman (profile), 9 Sep 2014 @ 4:59am
  
  Re: Hopefully they include on their phone service soon
  And the message is spoken in the voice of the loved one you're conversing with. For convenience.
  [ link to this | view in chronology ]
Anonymous Coward, 8 Sep 2014 @ 1:09pm

since when has Comcast (or any other major business!) given a shit about anything other than their own agenda?
[ link to this | view in chronology ]
Roger Strong (profile), 8 Sep 2014 @ 1:19pm

Peppy....?
"Peppy" is a weasel-word from the automotive industry used to gloss over a lack of speed. Any cheap little subcompact car - with a tiny subcompact engine - inevitably has its engine or performance described as "peppy."
[ link to this | view in chronology ]
Anonymous Coward, 8 Sep 2014 @ 1:28pm

Imagine every Web page with a Comcast bug in the lower righthand corner.

That symbol? *shrug* It just indicates that you're connected to the net. I wouldn't worry about it.
[ link to this | view in chronology ]
Anonymous Coward, 8 Sep 2014 @ 1:38pm

Wonder if they'll roll that delightful courtesy out to all their regular internet customers after they're done testing it on a small subset? Maybe they're aiming to have it ready to go by the time the Time Warner merger is done, so all the current Roadrunner customers can get their lovely packet injections as well.
[ link to this | view in chronology ]
Falindraun (profile), 8 Sep 2014 @ 1:52pm

i havnt seen an ad in years and years. i use adblock. there is also another ad-on that helps you hide the ads that make it past that.
[ link to this | view in chronology ]
- Anonymous Coward, 8 Sep 2014 @ 2:49pm
  
  Re:
  The issue really isn't about whether you see ads or not so much as what they are doing to display the adds. They are essentially changing the content requested, inserting executable code to display an add on content requested from third party sites.
  [ link to this | view in chronology ]
Anonymous Coward, 8 Sep 2014 @ 2:04pm

It is not just hijacking a page, it's defacing other's property. Websites are not beholden to Comcast. Comcast has no right to display any kind of advertisement over a website that they do not own.
[ link to this | view in chronology ]
- nasch (profile), 8 Sep 2014 @ 2:59pm
  
  Re:
  It is not just hijacking a page, it's defacing other's property.
  
  Let's not further the myth that creative output is property. The web site in question is just fine, and hasn't been altered at all. You can verify this by going there and observing that there isn't a Comcast ad on it.
  [ link to this | view in chronology ]
  - Roger Strong (profile), 8 Sep 2014 @ 3:09pm
    
    Re: Re:
    In the same sense when a tagger spray-paints something on the wall of your building, your wall hasn't been altered at all. You can verify this by sandblasting off his paint and observing that your original paint - and wall - are still there.
    
    Personally I still call it defacement.
    [ link to this | view in chronology ]
    - nasch (profile), 8 Sep 2014 @ 3:35pm
      
      Re: Re: Re:
      In the same sense when a tagger spray-paints something on the wall of your building, your wall hasn't been altered at all.
      
      No, it really isn't like that. I don't think there's any real need to bring in physical world analogies. It's better to just understand what is actually happening in this case. Comcast's actions were terrible; we don't need to pretend they broke into someone's web site and changed it to make it seem bad.
      [ link to this | view in chronology ]
      - jarfil, 8 Sep 2014 @ 5:02pm
        
        Re: Re: Re: Re:
        Defacement means changing the look of a website. Whether you do it by breaking into a server, or altering the packets it sends its users, is irrelevant.
        
        This reminds me why we needed all that anti-framing legalese from the portal era, but in a more twisted way.
        [ link to this | view in chronology ]
        
        nasch (profile), 8 Sep 2014 @ 8:06pm
        
        Re: Re: Re: Re: Re:
        Defacement means changing the look of a website. Whether you do it by breaking into a server, or altering the packets it sends its users, is irrelevant.
        
        Well first, I disagree, I think it is relevant. But more importantly, my real point is that Comcast didn't do anything to anybody's property. They interfered with someone's service. There's a difference.
        [ link to this | view in chronology ]
        
        MrTroy (profile), 8 Sep 2014 @ 11:55pm
        
        Re: Re: Re: Re: Re: Re:
        Better physical analogy?
        
        Comcast is spraypainting the car window of the person looking at the building. People in other cars are fine, the building is fine, it's just the poor sap with a spray-painted car that's unhappy.
        
        Obviously pedestrians are unable to see the building, but that's their own fault for walking through an imperfect analogy!
        [ link to this | view in chronology ]
Anonymous Coward, 8 Sep 2014 @ 2:15pm

It's a courtesy to hijack the page a person asked for and insert something that no one asked for on it?
The courtesy is in letting people know that they're vulnerable to surveillance and packet injection (but apparently only after they've sent their Comcast password over the connection).
[ link to this | view in chronology ]
HMTKSteve, 8 Sep 2014 @ 2:17pm

Money
Think how much money they could make if they just used this technique to change the ad code on web pages to their ad code? Google AdSense? With the amount of traffic Comcast users generate an unscrupulous technician could replace the AdSense ID with their own via this hack and make millions an hour.
[ link to this | view in chronology ]
Mark, 8 Sep 2014 @ 3:27pm

"sneaky" advertising
Comcast is pretty good at "sneaky". They are some of the sneakiest mother f*ckers I have ever seen.
[ link to this | view in chronology ]
- nasch (profile), 8 Sep 2014 @ 3:36pm
  
  Re: "sneaky" advertising
  They are some of the sneakiest mother f*ckers I have ever seen.
  
  Yeah, but the very sneakiest motherf*ckers are the ones you never see at all.
  
  http://www.theonion.com/video/ninja-parade-slips-through-town-unnoticed-once-aga,14181/
  [ link to this | view in chronology ]
DB, 8 Sep 2014 @ 3:36pm

I'm not certain why this isn't considered copyright infringement.

If you took the Washington Post and substituted your own ads, you would be quickly sued into oblivion. This situation is no different, just adding "on the internet".
[ link to this | view in chronology ]
- John Fenderson (profile), 9 Sep 2014 @ 8:06am
  
  Re:
  I'm not sure how it could be considered copyright infringement. Whose copyright was infringed? Where is the unauthorized copy?
  [ link to this | view in chronology ]
Anonymous Coward, 8 Sep 2014 @ 4:41pm

This can break things
Not all HTTP is "the web".

Just yesterday I used a program which self-updates over HTTP (it checks a signature on the downloaded files, so it's safe). If an ad injector had modified the HTTP response, the updater would have gotten terminally confused.

And even for the web, this can break things. Javascript uses a global namespace (the "window" object). Depending on how the page's own Javascript is coded, it can conflict with the injected ad. And there's also the page structure; the only way the ad can show is by adding elements to the DOM, and if the page's normal Javascript did not expect that element (for instance, a normally empty page which is completely populated via Javascript), it could break.

When will people learn? The Internet is end-to-end; middleboxes have NO business modifying anything!
[ link to this | view in chronology ]
orbitalinsertion (profile), 9 Sep 2014 @ 12:44am

Shades of Rodgers Cable, oh how thou haunt us.
[ link to this | view in chronology ]
Anonymous Coward, 9 Sep 2014 @ 12:52am

I have never seen those ads on Comcast WiFi. It could be because I am using AdBlock.

If you want to stop those ads, put adblock on your computer.
[ link to this | view in chronology ]
Anonymous Coward, 9 Sep 2014 @ 12:55am

You could also connect to VPN. I connect to my own private VPN, when using Comcast, or any other Wifi, so my activity cannot be monitored.

That could also explain why I have not seen those ads. Logging on to my VPN encrypts the connection, so Comcast cannot see the web pages I go to.
[ link to this | view in chronology ]
Anonymous Coward, 9 Sep 2014 @ 4:52am

"We think it's a courtesy, and it helps address some concerns that people might not be absolutely sure they're on a hotspot from Comcast," Douglas said.

While everyone else thinks it is majorly fucked up and didn't give a shit about whose hotspot they connect to - until now.
[ link to this | view in chronology ]
Whatever, 9 Sep 2014 @ 8:36am

(parody
This is a good thing. Comcast gets to make money to recoup their expensive costs of providing service. Think about broadcast T.V. The commercials are there to fund all the programs as well as the cost of distribution to the broadcaster. The networks that the commercials fund must pay the broadcasters for those costs. Well, here the commercials are there to fund access. In cable T.V. you have to pay for the high cost of access but, on top of that, the commercials are necessary to fund all that expensive programming as well. At one time it may have been possible to provide cable T.V. without commercials but once everyone discovered they can make even more money by charging to watch commercials and there wasn't anything customers can do about it because they have a monopoly they started doing that. and it worked and that's a good thing because it's all about capitalism. What, you don't support capitalism?

This spells more money for Comcast turning their service more into cable and broadcast T.V. which is a good thing. Everyone knows those are the business models I like to push for because it's more profitable. Competition is bad because then the poor access providers can't make a living. Just like with the taxi cab companies. Imagine if there was capitalism then the taxi cab companies would all be poor. So the government must ban competition to make sure that those who work hard can make a profit. Capitalism at work.
[ link to this | view in chronology ]
Mark Wing, 9 Sep 2014 @ 10:14am

CFAA Violation?
Wasn't this the kind of thing the CFAA was meant to address?
[ link to this | view in chronology ]