An attacker can expect repeatable success against the vulnerable component. Specialized access conditions or extenuating circumstances do not exist. However, CVSS 3.0 only provides two values for AC anyway - either low or high: The National Vulnerability Database currently assigns this a CVSS 3.0 score of "5.9 - Medium", but claims the "attack complexity" (AC) is "high". It looks like this is a known vulnerability, aka CVE-2017-9475.
How ro enter roku mac address on my asus router for free#
And now the hacker has something they can use for free internet service (or masking illegal activity spoofing as some other innocent Xfinity subscriber instead). The valid users that end up repeating the Xfinity wifi login process will then have, unbeknownst to them, secretly added new MAC addresses to their list of allowed devices (under their Xfinity account/s). In that case, just have the malicious access point do some MAC address translation instead. The idea is just to steal MAC addresses, not login credentials, since apparently the right MAC address is all that's needed for xfinitywifi internet service anyway.Įdit #2: Xfinity might automatically de-register MAC addresses when it notices the same one being used from two different networks. And anyone using that device will never have to go through a login screen for xfinitywifi ever again! (unless that subscriber manually goes and removes that device via, a page most Xfinity users likely know nothing about!) Questionĭoes Xfinity recognize "allowed xfinitywifi devices" solely via their MAC addresses? If so, then what prevents someone from creating a malicious access point broadcasting SSID xfinitywifi, but secretly pointing to the legitimate xfinitywifi SSID, from sniffing (while sending over the unmodified) subscribers' MAC addresses? (i.e., to obtain mac address(es) for free internet service or for masking illegal internet activity)Įdit #1: One might say, "what about the volume of non-subscribers connecting their devices just hoping to get free wifi?" Well, you can probably find out which MAC addresses are registered or not by monitoring which traffic goes to the users' intended destinations, and which MAC addresses just end up sent over back to the Xfinity website (presumably for login purposes). All of this happens seamlessly and invisibly to the user. If all is good, Xfinity will simply store the MAC address of that device, and associate it with that subscriber's account. Only Xfinity subscribers are allowed to use a hotspot, and if an unrecognized device connects to xfinitywifi, the user of that device will be redirected to an Xfinity Wifi login page, where they enter their Xfinity account credentials. Xfinitywifi hotspots are all open/unsecured, and, to use such a hotspot, an Xfinity subscriber simply connects to the xfinitywifi SSID. Comcast/Xfinity operates various wireless hotspots across the US, accessed via the SSID xfinitywifi through the many wireless access points shown on
0 kommentar(er)
