48 comments

[ 2.8 ms ] story [ 95.0 ms ] thread
The giveaway is when you see another network at full signal strength right inside your house...
Another subtle clue is when the SSID says "CoxWiFi".
Comcast has been doing this for years. And unless you get your own modem, theirs tend to turn the feature back on (even if you turn it off) automatically at various intervals.
First thing I did when I signed up for Xfinity was purchase my own cable modem. Cost under $50, ROI was less than a year at the $5 monthly equipment fee. But the Peace of Mind of not having to worry about public traffic on the device is priceless.
Additionally, I feel keeping the cable modem / router separate is important because my internal network traffic is none of my ISP's business.
They give you unlimited data way cheaper if you have their modem though. I just check every so often to make sure the SSID is off.
It's $25 for Xfi Complete vs $30 for BYOD unlimited. It's not really way cheaper.
$30 + (the cost of the modem) though.
I used my own cable modem with Xfinity for this very reason.

The more annoying part is if your cell service is with Xfinity Mobile - their sim makes your iPhone automatically join Xfinity public hotspots, and there seems to be no way to turn it permanently of. It comes back on periodically.

The performance on these hotspots is terrible.

If it shares the same IP, this gives you plausible deniability for all kinds of things.
They can distinguish whether it was your traffic or hotspot traffic at the billing layer. That doesn’t necessarily mean they can at a legal level, but I wouldn’t depend on this for protection against govt/legal investigations.

> The Cox Hotspots data stream does not impact your home network data stream, so it will not impact your household's data usage or speeds. The usage and activities of guest users are associated with the guests’ accounts and therefore do not impact you.

They are not that stupid
This^^, I’ve seen thousands of cases in federal court in the US. It’s amazing how many people think talking in code through text will make it so they don’t get into trouble. On the contrary, they are knowingly committing a crime and the evidence usually proves it. “Deniability” of leaving your computer open so that anybody can download something is within this realm of absurd. Government isn’t that stupid.
Yeah, this happens a lot with programmers who see law as some kind of program which is supposed to perfectly determine what's a crime and what isn't. Then they come up with all kinds of "workarounds" where you're not violating the letter of the law directly. Like, no buddy, a judge will take one look at that and send you to the clink.
It doesn't. There is a Cox hotspot near me (CoxWiFi access point) and it's basically a VPN that puts you on an isolated network. It is routed to Virginia, if I recall.
This is also extremely common with Spectrum although you do have override control with their supplied modem/router combos. Obviously not an issue if you insist on a customer-supplied modem, another reason to go with that.

Interestingly Spectrum had two authentication mediums, you had a SpectrumWiFi open SSID (which they advertise on a map: https://www.spectrum.com/internet/wifi-access-points) and a SpectrumWiFi Plus which is not open and requires a mobile profile to authenticate. More info here: https://www.spectrum.net/support/internet/spectrum-wifi/

Highly recommend you try to find profile-authenticated alternatives if you ever find yourself needing a hotspot in the wild.

In France, Free has been doing this for years although I don’t remember if it was something you could disable because IIRC it was a big chunk of their mobile cell operator strategy, that they had fallback to Wi-Fi hotspots all over cities like Paris, Lyon, Marseille, etc.

Cox should pay its customers for this.
A good use case for those paper holders/Faraday cages.
This is one of several good reason to buy and use your own modem.

The security of sharing your service with others is questionable, for starters, and Cox does not have a good security history. Every "reset" of the modem (where they remotely check in on it) will turn off your preferences, and many people have reported disabling this wifi "sharing" only to come back to see it re-enabled.

Cox, or any ISP, having access to your internal network by virtue of having administrative access to your modem / NAT router is problematic. People can be bought or are sometimes evil. People click on links and get compromised. It's better that they stay outside of your home network, where they belong.

Cox rents this modem / router device for $12 a month. That's $144 a year. A high end DOCSIS 3.1 modem would pay for itself in less than a year, plus you can get a NAT router / wifi access point of your choosing, keeping the function of the two devices separate. This means that if you want to upgrade wifi later, you're not paying to replace everything. Or if there's a security issue that the vendor isn't going to fix, or is in hardware, like the Intel Puma chipsets, you're only replacing one of the devices.

This is true of all ISPs, really.

Indeed. I bought my own modem and router when I last moved to a new apartment under Cox in 2017. At the time I paid $130 for a Netgear CMS500 DOCSIS 3.0 modem and a Nighthawk AC1750 router. They paid for themselves in a year, but I'm still here four years later.
How difficult is it to switch from the Cox-owned Panoramic WiFi gateway to one's own modem and router? Is it necessary to contact Cox technical support, e.g. so they can change the MAC address (or equivalent) associated with the customer's account?
In my experience with Cox, you simply plug it in and it just works. It might take a little longer to initialize with a new MAC, but I've never had to call or notify them of a modem swap.
Just a heads up: if you’re asking these questions, you might want to reconsider until you understand it more.

You’re going to need: A new modem A new router

You’ll need to talk to Cox and give them the HFC ID and Serial number.

Then, you’ll need to connect everything, and configure your router so that it’s secure.

That’s a nebulous word, ‘secure,’ because my security might be different than yours, but you’ll want to make sure the router is locked down so outside attacks are avoided, and the neighborhood isn’t using your services.

So, take that in consideration.

> you’ll want to make sure the router is locked down so outside attacks are avoided, and the neighborhood isn’t using your services

What are some key settings you would recommend to prevent these exact things? It's a bit challenging to grok all of the advanced router settings, and I don't think mine comes with "locked down against outside attacks" presets.

One of the big ones is upnp port forwarding. Your router might call it something else, but it's essentially a way for software to request a port forward from your router. This sounds alright at first but it's frequently abused to allow stuff that shouldn't be publically accessible bypass any firewall. The biggest issues with it is that it's completely unauthenticated so with the right commands sent, an attacker can cause anything to be exposed. Port forwarding alone isn't a bad thing, but the automated unauthenticated setup is just usually too much.
They have a list of certified modems.

https://www.cox.com/residential/support/cox-certified-cable-...

I had a bit of an issue with such a modem. It took a couple of support chats calls to get it going but it's been fine ever since. I did seem to be related to the MAC, but the expectation was that it should have just worked.

I just got a new Motorola MB8600 modem which is on their list. I swapped modems, called support and gave them the model and MAC address. It took about 10 minutes total. Very painless.
Yes, usually it is that simple. Sometimes you can just plugin the modem and switch it yourself using your browser or their mobile app.
I just bought a modem and then started service on the website. I never had their modem in my house.
Cox started giving the modem away. I pay $65/month and it came with a router that I don’t have to send back. It works fine. It’s not a “panorama gateway” tho.

I’m not sharing your reservations on security or sharing your personal bandwidth. But I do share your concern over cox handling security. Ha.

Are you aware of project like Althea or Helium. Or libreMesh if you want to weed out the blockchain aspect.

Anyway, I was surprised how those stack seems ready to “disrupt the last mile delivery of bandwidth/broadband.” (Sorry for the use of “disrupt” )

It depends on the implementation details. Comcasts implementation had a separate wifi chip that was separate from the customer wifi network for its network. I remember reading some years ago some hackers managed to spoof its Mac Address to double their bandwidth with interface bonding...

Found one: https://msol.io/blog/tech/how-i-doubled-my-internet-speed-wi...

ISPs in the UK have been doing this for a while now. BT FON and recently Virgin Media.

Virgin's thing never seems to work though.

Ziggo in the Netherlands has had this for more than a decade as a ‘free’ feature. Yet, I have never run into a public spot that had one of these hotspots provide coverage.
> Yet, I have never run into a public spot that had one of these hotspots provide coverage.

It's a feature on their residential modems. Therefore, the coverage is only there where they have residential subscribers.

Here in France, the ISP "Free" has been doing this for at least 10 years, and they also have a special "hotspot" for mobile phone (called "FreeWifi_secure") on which you can connect using EAP-SIM.

Nobody cares as we have optical fiber in most of the places.

Main problem: when you're in a public transport in the city and your phone tries to associate with the random access point it can hear, leading to a potential disconnection as you're too fast anyway.

NB: You can turn off the hotspot but you'll lose the ability to use others subscribers hotspot, and unlike some ISPs (according to this thread) they won't turn it back on.
Cox is the only option in my location. Supposedly I can log into any of their hotspots. I have never been able to get this to work. Ever.
Wow, I had no idea this was this much of a thing.

A few months ago I thought of the following crazy idea, which I dismissed after realizing it probably wouldn't scale too well. Maybe I'm wrong and it's worth pursuing (obviously for free).

Here's how it would work. Is this a good idea?

- A connection request broker functions as a central hub

- Nice users configure their ISP access credentials in a small Win32/Linux/macOS daemon that connects to the hub and idles waiting for connection requests

- At some point a wild device wants to connect to an ISP-provided Wi-Fi hotspot, and starts a companion app

- The app a) initiates a Wi-Fi connection to the network in question, which should result in a captive Wi-Fi situation requiring a login, b) opens a TCP connection to the captive login server, and c) sends a connection request to the broker over a pre-existing cellular link, providing a reference/handle to the opened TCP connection.

- The broker selects a random daemon then sends a connection request event to the selected daemon. The resulting handshake provides the daemon with a handle to the TCP socket the app opened.

- The broker now functions as an intermediary, passing raw TCP packets back and forth between the daemon's socket handle and the TCP connection opened by the app.

- The daemon is now able to reach through the just-in-time proxy connection that has been established to perform whatever ISP-specific magic is needed to get past the Wi-Fi captive login page.

- ___IF___ your ISP uses HTTPS for its Wi-Fi login, the daemon will thusly be able to send your ISP login credentials directly through an encrypted tunnel (the HTTPS link) without even a malicious app user ever being able to access your password.

IMHO the connection broker should definitely marshal requests between apps and daemons, so malicious app users can't get daemon IP addresses (which would only work out badly).

In any case, for something like this to work out scalably, people would need reassurance that the risks are low and the benefits are high.

And the main problem, at the end of the day, is that you're all but running a Tor node if you do this. :/

You probably wouldn't add this to the Raspberry Pi you've already got running at Grandma's house for whatever reason, because it's simply too open-ended.

But before even that, there's the problem of network effects: this would only work if thousands of users provided ISP access credentials, either via the daemon approach or by simply providing their ISP access credentials to the central hub directly (!).

Maybe there are people out there that would be willing to do this though...?

Technically this is sadly (lol) one of my better ideas, but practically it's.... just a tiny bit... ._.

---

For completeness, Telstra in Australia also provide a pretty much identical feature called Telstra Air. You select the special modem option, it creates a Telstra Air hotspot, your account gets the "can access Telstra Air on others' hotspots" flag enabled. Telstra Air access points also hide inside specially marked payphones (https://www.google.com/search?q=telstra+air+payphone&tbm=isc... - the top is pink and/or has a Wi-Fi symbol on top).

On the OP page, there's a similar question:

> Is there a limit to the number of devices that can connect to Cox Hotspots at one time?

> Cox Hotspots is limited to five devices simultaneously connected so that users can enjoy a better experience.

FWIW, as per https://crowdsupport.telstra.com.au/t5/broadband-nbn/te...

There's a reason why south park made the nipple rubbing cable tv company guys as a satire of the whole huge regional near-monopoly cable operator industry. Comcast, charter (spectrum), cox, rcn, Shaw, others.

It's actually even worse if you work in the ISP industry and see how the sausage is made.

It uses same WiFi airtime but does not count towards your quota. They use L2oGRE tunneling and authenticate on cloud for hotspot users. So there is no risk bad traffic from bad actors but still people will use your WiFi time.
This part was hilarious: “ By enabling guests to use Cox Hotspots, you increase your network security because you won't need to provide your private home WiFi network password.”
For anyone setting things up themselves, a separate “guest” VLAN is usually the way to go.