by tkmcc 4098 days ago
Do xfinitywifi hotspots permanently authenticate clients based only on their MAC addresses? A malicious client could easily find the MAC address of any device connected to an xfinitywifi hotspot (by using e.g. airodump-ng [0]) and then spoof that device's MAC address on their own computer to access the internet via the hotspot without any authentication.

[0] http://www.aircrack-ng.org/doku.php?id=airodump-ng

3 comments

Yes! I discovered (completely by accident) that 00:11:22:33:44:55 is authenticated to someone's account, so I just set my MAC to that when I need to use their shit

That's basically the only way to do it. If it were really clever, it could ignore packets based on vendor extensions and device characteristics. They are not that easy to spoof (you would have to modify the driver, as opposed to just changing the MAC).

I actually use this method to use school WiFi anonymously (or rather, as someone else).
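
As an added illustration of the "device characteristics" idea in the comment above (this is not code from the thread or from any hotspot operator), the sketch below flags a MAC address that shows up with more than one DHCP fingerprint. It assumes the operator logs DHCP option 55 and option 60 per client; the log format, the `find_fingerprint_changes` name and all sample records are constructed for the example.

```python
from collections import defaultdict

# Constructed sample records (not real logs), one per DHCP request:
# timestamp, AP, client MAC, option 55 parameter request list, option 60 vendor class
SAMPLE_LOG = """\
2014-06-01T10:00:05 ap-1 02:00:00:00:00:01 1,121,3,6,15,119,252 -
2014-06-01T10:02:11 ap-1 02:00:00:00:00:02 1,15,3,6,44,46,47,31,33,121,249,43 MSFT 5.0
2014-06-01T18:40:00 ap-1 02:00:00:00:00:01 1,121,3,6,15,119,252 -
2014-06-02T09:15:42 ap-7 02:00:00:00:00:01 1,28,2,3,15,6,119,12,44,47,26,121,42 -
2014-06-02T09:30:00 ap-1 02:00:00:00:00:02 1,15,3,6,44,46,47,31,33,121,249,43 MSFT 5.0
"""


def parse(line):
    """Split one record into (timestamp, ap, mac, fingerprint)."""
    # The vendor class may contain spaces, so it is taken as the remainder.
    ts, ap, mac, opt55, vendor = line.split(maxsplit=4)
    return ts, ap, mac.lower(), (opt55, vendor.strip())


def find_fingerprint_changes(log_text):
    """Return {mac: [(timestamp, ap, fingerprint), ...]} for every MAC
    observed with more than one distinct DHCP fingerprint."""
    seen = defaultdict(list)  # mac -> first sighting of each fingerprint
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, ap, mac, fp = parse(line)
        if all(fp != known for _, _, known in seen[mac]):
            seen[mac].append((ts, ap, fp))
    return {mac: obs for mac, obs in seen.items() if len(obs) > 1}


if __name__ == "__main__":
    for mac, obs in find_fingerprint_changes(SAMPLE_LOG).items():
        print(f"{mac}: {len(obs)} distinct DHCP fingerprints")
        for ts, ap, (opt55, vendor) in obs:
            print(f"  first seen {ts} on {ap}: opt55={opt55} vendor={vendor}")
```

A fingerprint change can also come from an OS upgrade or a dual-boot machine, so it is better treated as a trigger for re-authentication than as proof of a cloned MAC.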

Mm, not entirely - I'd imagine that they could fairly easily run WPA-Enterprise, authenticating against Comcast servers. Then when a user tries to connect, they'd be asked for their Comcast creds, which they could type in once, and then be authenticated with on all such servers.

It's how eduroam works, and that works fairly flawlessly (provided the routers have enough bandwidth).

Wi-Fi Alliance released a new standard to solve hotspot roaming called "Passpoint". Time Warner Cable started using it for their hotspot authentication recently (in NYC at least). It works well in my experience.

"Passpoint automates that entire process, enabling a seamless connection between hotspot networks and mobile devices, all while delivering the highest WPA2™ security. Passpoint is enabling a more cellular-like experience when connecting to Wi-Fi networks."

There are a bunch of non-broken (at least in design) client authentication protocols for WiFi. They're rarely used, though, since they cause problems on most devices and are hard to set up (at least on Win7 it didn't work for most people in my dorm).

I don't think it's permanent, but once you authenticate, any other device that can spoof the MAC address can connect. It might expire a month or so after the last connection.