Comcast Injected Ads Highlight One More Danger of Public Wi-Fi

Comcast has begun injecting ads into webpages accessed by users using one of its 3.5 million public Wi-Fi hotspots. With this action, Comcast joins the list of businesses (e.g. airports) that provide Wi-Fi service with ads.

The injection itself is done with JavaScript. Despite Comcast’s claim that it has “multiple layers of security ‘based on industry best practices,’” a staff member of the EFF says that even if Comcast has no malicious intent, and even if hackers don’t access the JavaScript, the interaction of the JavaScript with the website could create new security vulnerabilities. To prevent the ad injection, he recommends using HTTPS, which not all websites provide.

Another potential solution is to use a VPN, which encrypts all the traffic between you and the VPN provider, rather than between you and the website, so the hotspot operator cannot alter pages in transit.

I have not personally used one of these public hotspots, so take this with a grain of salt, but it may help to turn off all JavaScript while using the hotspot. Using a browser extension like NoScript probably won’t work because a normally trusted, unencrypted webpage with an ad injected will likely appear to be coming from the same trusted domain.

The risk of security vulnerabilities being introduced by ad injections is just one more item on the list of things you have to worry about when using a public Wi-Fi hotspot. Other dangers include shoulder surfing (not just people looking over your shoulder at your keyboard and screen, but also surveillance cameras), people having physical access to your computer when you use the bathroom, the interception of unencrypted traffic using freely available tools such as Firesheep (see Steve Gibson’s post on how hotspot providers can easily mitigate this threat), threats from other users on the hotspot (which is why you need to install a firewall), accidentally connecting to decoy hotspots with similar names that eavesdrop on your data, and more!

With all these risks, you might want to ask yourself whether it’s really so critical that you check your e-mail right now at the nearby hotspot. It may be better to wait until you’re back home.
