Here’s Why You Should Think Twice About Using AT&T Or Comcast WiFi Hotspots

If you’re a customer of AT&T or Comcast, you’re probably very aware of these two companies’ efforts to create massive networks of free WiFi for their subscribers to use when away from home. But a new report shows just how easy it is for an unseemly character to fake one of these hotspots and steal your information.

Over at Ars Technica, Sean Gallagher simply turned his laptop into a WiFi hotspot with the name “attwifi,” the same SSID used by AT&T phones to identify friendly networks.

Once he turned on the faux hotspot, his AT&T phone connected to it without any sort of prompting, much like it would at a train station or Starbucks with a legitimate AT&T spot set up.

It’s the kind of scammy behavior that people have been trying at hotels and airports for years, setting up bogus hotspots offering free WiFi access, only to try to hack the devices of those who sign on. The AT&T example is of particular concern because A) the default setting on AT&T smartphones is to automatically connect to these networks, and B) the company’s legitimate WiFi network is so widespread in certain markets that some people don’t blink when their devices connect to one.

Thus, unlike the sketchy airport hotspot example, it doesn’t require any action on the part of the user to sign on to a fake AT&T WiFi hotspot. A hacker could just take an impostor hotspot into a building, turn it on and see who automatically connects.

So AT&T users would be well advised to turn off the auto-connect feature.

On Android phones, go into your list of available WiFi networks, then go into Advanced settings and turn off “Auto Connect.” On AT&T iPhones, go into the “attwifi” network on your phone’s list and turn off “Auto-Join” and “Auto-Login.”
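The same check can be scripted on a laptop. As an added example (not from the article or from Ars Technica), the following goes beyond the phone settings above and audits saved Wi-Fi profiles in NetworkManager's keyfile format on Linux, flagging networks that auto-connect without authenticating the access point; the sample profiles and the function names are constructed for illustration.

```python
import configparser
from pathlib import Path

# Constructed sample profiles in NetworkManager keyfile format (not from the article).
SAMPLES = {
    "attwifi": "[connection]\nid=attwifi\ntype=wifi\n\n[wifi]\nssid=attwifi\n",
    "home": "[connection]\nid=home\ntype=wifi\n\n[wifi]\nssid=HomeNet\n\n"
            "[wifi-security]\nkey-mgmt=wpa-psk\n",
    "cafe": "[connection]\nid=cafe\ntype=wifi\nautoconnect=false\n\n[wifi]\nssid=CafeGuest\n",
    "wired": "[connection]\nid=dock\ntype=ethernet\n",
}

def load_dir(path="/etc/NetworkManager/system-connections"):
    """Read saved profiles from disk (usually needs root)."""
    return {p.name: p.read_text() for p in Path(path).glob("*.nmconnection")}

def risky_autojoin(profiles):
    """Return sorted SSIDs of saved Wi-Fi profiles that auto-connect with no AP authentication."""
    flagged = []
    for text in profiles.values():
        cp = configparser.ConfigParser(interpolation=None, strict=False)
        cp.read_string(text)
        if cp.get("connection", "type", fallback="") not in ("wifi", "802-11-wireless"):
            continue
        # autoconnect defaults to true when the key is absent
        if not cp.getboolean("connection", "autoconnect", fallback=True):
            continue
        sec = next((s for s in ("wifi-security", "802-11-wireless-security")
                    if cp.has_section(s)), None)
        key_mgmt = cp.get(sec, "key-mgmt", fallback="") if sec else ""
        # No security section = open network; "owe" encrypts but does not authenticate the AP
        if sec is None or key_mgmt == "owe":
            wifi = "wifi" if cp.has_section("wifi") else "802-11-wireless"
            flagged.append(cp.get(wifi, "ssid", fallback="?"))
    return sorted(flagged)

if __name__ == "__main__":
    for ssid in risky_autojoin(SAMPLES):
        print(f"open + autoconnect: {ssid} "
              "(fix: nmcli connection modify <id> connection.autoconnect no)")
```

To audit a real machine, pass `load_dir()` to `risky_autojoin()` instead of the constructed samples.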

The Comcast/Xfinity problem is similar but slightly more complicated. It became obvious to Gallagher after he turned off his fake AT&T hotspot and his phone automatically connected to an Xfinity hotspot without asking for login credentials.

See, the Xfinity hotspots require users to log in — with the same credentials they use to access their account on the Comcast website — once per day. But once you’ve logged in on an Xfinity WiFi location, you can access other Xfinity hotspots for the day without having to enter those credentials.

So someone in a city with a large Comcast customer base could set up a fake Xfinity hotspot and hope that enough people will have already logged in elsewhere that day, thus not triggering the login requirement. Or, as Gallagher points out, a hacker could take the extra-sketchy step of creating a fake login page that then captures the users’ account info.

“Free” Wi-Fi from Xfinity and AT&T also frees you to be hacked [Ars Technica]

Comments (2)

  1. MarkyMark says:

    My personal experience in the DC metro area with the Comcast/Xfinity hotspot is that the speeds are horribly slow. Even when it says you are connected, it doesn’t seem like it is even for a simple connection to google.com. Better off not connecting at all.

  2. mongo says:

    Not that it works the other way to deter bogus hot spots, but AT&T “attwifi” hot spots (and Comcast as well) do require subscriber authentication, which is built in to the phone or tablet. Otherwise, they’d be public hot spots that anybody could use.

    AFAIK, the hot spots won’t work for devices that don’t have active data service subscriptions.