Comcast Using Packet Injection To Push Its Own Ads Via WiFi, Apparently Oblivious To Security Concerns

David Kravets, over at Ars Technica, has a good post detailing how Comcast is doingquestionable packet injection to put its own javascript ads onto websites if you’re surfing via Comcast’s public WiFi access points. The practice was spotted by Ryan Singel, who saw the following “XFINITY WIFI: Peppy” ad scoot across his screen:Comcast, in typical Comcast fashion, appears to be totally and completely oblivious as to why this could possibly be seen as a problem:

A Comcast spokesman told Ars the program began months ago. One facet of it is designed to alert consumers that they are connected to Comcast’s Xfinity service. Other ads remind Web surfers to download Xfinity apps, Comcast spokesman Charlie Douglas told Ars in telephone interviews.

The advertisements may appear about every seven minutes or so, he said, and they last for just seconds before trailing away. Douglas said the advertising campaign only applies to Xfinity’s publicly available Wi-Fi hot spots that dot the landscape. Comcast customers connected to their own Xfinity Wi-Fi routers when they’re at home are not affected, he said.

“We think it’s a courtesy, and it helps address some concerns that people might not be absolutely sure they’re on a hotspot from Comcast,” Douglas said.

It’s a courtesy to hijack the page a person asked for and insert something that no one asked for on it? I don’t think so. There’s a reason that packet injection is considered an attack and a security risk — and it’s got nothing to do with courtesy.

Certainly, the website that Singel was browsing when he spotted it, Mediagzer, was not pleased about having its own site hijacked and defaced:

“Indeed, they were not ours,” Gabe Rivera, who runs Mediagazer and Techmeme, said in an e-mail. In another e-mail, he said, “someone else is inserting them in a sneaky way.”

Kravets also talks to Robb Topolski, the guy who first provided the evidence to show that Comcast was throttling BitTorrent a while back, kicking off one of the first big net neutrality fights (which resulted in the FCC slapping Comcast’s wrists). Topolski notes that what they’re doing here is technically equivalent:

To Topolski, what Comcast is now doing is no different from before: Comcast is adding data into the broadband packet stream. In 2007, it was packets serving up disconnection commands. Today, Comcast is inserting JavaScript that is serving up advertisements, according to Topolski, who reviewed Singel’s data.

“It’s the duty of the service provider to pull packets without treating them or modifying them or injecting stuff or forging packets. None of that should be in the province of the service provider,” he said. “Imagine every Web page with a Comcast bug in the lower righthand corner. It’s the antithesis of what a service provider is supposed to do. We want Internet access, not another version of cable TV.”

But, of course, to the big broadband players, the last few years have been all about them trying to make the internet much more like cable TV, where they get to act as the gatekeepers and have much more control. The ability to inject their own ads into various webpages is just another bonus.