
Comcast modem activation bug potentially exposed customers’ private data (2018) - apsec112
https://motherboard.vice.com/en_us/article/mbkgn8/dont-rent-a-modem-from-comcast
======
panorama
Recently, Cox had an outage in the city where my parents live. My dad, close
to 70, misconstrued the situation and though it was just our modem being slow.
He drove to a brick & mortar Cox shop, where a rep promptly sold him on
leasing a gateway for $10/mo that would be (and I quote) "25 times faster"
than the speeds we were currently getting (roughly peaking at 250 Mbps down).

Of course, my Dad, not knowing too much about this stuff, rents the new
router. And of course, it doesn't solve the fact that there was an outage in
the first place. I tested the new connection and while I could see _rare_
instances of faster peak speeds, for the most part it was not much faster than
the old setup when sampled over time.

I really hope there comes a day when companies can be held accountable for
straight up lying and taking advantage of customers who simply don't have the
technical means to know any better. It really, really bothers me when my
parents get taken advantage of like this and I know I'm mostly helpless to
prevent it without micro-managing my dad's tech purchasing decisions.

~~~
Pristina
Caveat Emptor

Your dad has been around for 70 years. How has he not figured out not to trust
a salesperson and do independent research or consult an expert (literally YOU,
his son, one phone call away).

~~~
craftyguy
Not everyone enjoys the task of performing extensive research, and perhaps a
70 year old might value their time doing something else? I've also met more
than one 70+ year old person who was convinced that they understood how things
worked, and to admit otherwise was to display weakness/lose credibility
(despite that not being the case at all). The point is, what is obvious to you
may not be obvious to others, and you have no idea why they chose the route
they did.

~~~
AnaniasAnanas
> and perhaps a 70 year old might value their time doing something else?

They should be content with their inferior choices then.

> I've also met more than one 70+ year old person who was convinced that they
> understood how things worked, and to admit otherwise was to display
> weakness/lose credibility

These people deserve it.

Note, I certainly do think that there should be more regulation on lying
salesmen, but these are kind of bad examples imo.

~~~
supergauntlet
I hope in your old age you never have to interact with people as devoid of
empathy as yourself.

~~~
Pristina
I have empathy. I also have a brain, which I used to come to the conclusion
that you either have self-agency and therefore you are liable to the
consequences of your actions or you do not have self-agency. If a person chose
to not do research, then he is liable to the consequences of his ignorance.

------
cosmie
Warning for anyone using a customer owned modem with Comcast: Be sure you keep
your receipts and original packaging.

I recently canceled service and switched to AT&T Fiber. It was actually an
unexpectedly easy process. But when I dropped off my cable box at a Comcast
store, they asked me for my modem. The one that I bought myself. The person
taking receipt of my equipment was fine when I said I owned my modem, and just
"put a note" on my file.

... then I get a collections letter, explicitly related to the "unreturned"
modem. Despite having no history of receiving a rental modem, and no monthly
surcharge for modem rental on any of my years-long billing history, they
refused to budge. I happened to still have the original box with the serial
number on it and that combined with a printout of my Amazon order from back
then was enough to at least to successfully dispute the debt on my credit
reports. But it wasn't enough for Comcast, and I'm sure I'll still have to pay
that bill and put down a giant deposit if (when) I move somewhere that forces
me back to Comcast.

~~~
xrd
They did something similar to me too. I dropped off the modem, with my two
small kids on hand, and forgot to grab a receipt. I figured dropping it off in
person would leave no room for doubt. That was not correct.

A few months later, I'm getting threatening calls that I need to return the
modem. I call them and the rep says "Oh, thanks, we will note that you
returned it." So, they just send a collection notice and don't actually keep a
record you have returned it inside their own systems.

~~~
kreitje
In my case, it was the HD receiver. The Comcast guy was surprised I asked for
a receipt, and was shocked when I checked the serial number on the modem vs
what was on the receipt. They matched, as they should.

Then they still tried to ding me for an unreturned equipment and when I called
they said 'it takes 2 - 3 months for it to come off your account'. It
eventually did fall off, but was insane for hand delivering it to
Comcast/Xfinity.

------
Merad
I wonder how much longer we'll even have the option to use our own equipment.
Late last year I briefly tried AT&T fiber, and it was required to use their
hybrid modem/router monstrosity. It didn't even have options to disable the
router functionality, the best you could do was turn off its WiFi networks and
disable its firewall. Even after setting all of my own passwords on it it was
still possible to access settings through my AT&T account online, telling me
that the thing is backdoored all to hell. TBH that thing was a big factor in
me canceling the service after 5 days (also the service was mediocre and they
tried to screw me on pricing).

~~~
rayiner
Fiber doesn’t use a “modem” so I’m a little curious what you’re talking about.
As to “backdoors”—all fiber CPE has to have the capability to be managed from
the provider side. A lit fiber is like an Ethernet cable plugged into the
provider’s switch. Nobody would be crazy enough to not control both ends of
that connnection. Even if you spend thousands of dollars a month for a
business grade Metro Ethernet connection, the provider will install CPE that
it can manage remotely, usually an L2 switch.

~~~
ladberg
I think the issue is with the fact that it also forced you to use their router
as it was built in, as I'm pretty sure all fiber providers require you use
their hardware.

~~~
TeMPOraL
Good to have a service from a proper and somewhat local ISP. They set us up
initially with a DASAN fiber->WiFi router completely administered on their
end, but at some point I called them with the request to replace it with just
a fiber->Ethernet bridge. They complied without a problem, replaced the box,
and gave me the PPPoE credentials with a warning that past the bridge's
Ethernet end, I'm on my own.

------
salimmadjd
Last month we made a decision to buy our own router and not rent from Comcast
(Xfinity). Then I started doing the math, and soon realized at the end of the
day it might be that much better.

1 - It's unclear which is the best modem/router by doing research. Gives you
the maximum speed, etc. 2 - You start reading reviews on Amazon around
reliability and you see a lot of comments that basically give you doubt. It
falls in two ways: A - the model/router stopped working after a 12-18 months
so they had a buy another one. Put it at same price as renting. B - the
firmware upgrade path was unclear and it could only be initiated through
comcast (in some instances). Making you worry about upgrade support using a
third-party product.

C - Overall issues with support. Tech support is already a pain, again as
above is going to be worse with third-party products.

With modem/router price ranging from $100-200. Renting from Comcast at
$120/year it means that you always have a de facto warranty. Something goes
wrong with the modem/router call comcast they'll send you one or just drive to
the local store and get a new one. There is probably some savings if it all
goes well. But then again is it worth my time?

~~~
joecool1029
> 1 - It's unclear which is the best modem/router by doing research.

Comcast actually has a page for that:
[https://mydeviceinfo.xfinity.com/](https://mydeviceinfo.xfinity.com/)

> With modem/router price ranging from $100-200. Renting from Comcast at
> $120/year it means that you always have a de facto warranty. Something goes
> wrong with the modem/router call comcast they'll send you one or just drive
> to the local store and get a new one. There is probably some savings if it
> all goes well. But then again is it worth my time?

How often do you actually think modems fail? No seriously, I'd really like to
know the numbers. I bet failure rates are well under 1% annually.

So what this amounts to is enabling Comcast to sell fraud. It's not a
warranty, you're getting a replacement to fix an issue the modem didn't cause.
You can't tell me it's much of a time saver when local stores sell modems or
you could order same/next day from Amazon.

~~~
craftyguy
> Comcast actually has a page for that

That page doesn't give any info other than "sign in", "type in your address"
(lol), and "consider paying us rent for hardware, learn more".

~~~
joecool1029
> That page doesn't give any info other than "sign in", "type in your address"
> (lol), and "consider paying us rent for hardware, learn more".

Put a zip code in, no login. It will work.

------
mathnmusic
One of the biggest lost opportunities for the robustness of the Web has been
people not running servers at their homes, even though they do have a
connected computer running 24x7 - the Router. It will probably take a Google
or Apple to turn routers into standardized platforms with its own "app store",
but by then it will be too late.

~~~
tdb7893
I know people who are literally rocket scientists (most of them actually work
on fighter jets) that have trouble correctly configuring video game servers.
In my experience for most people trying to run any sort of server themselves
is quite a hassle (I mean my work has a lot of experts whose sole job is to
make sure the servers are all running correctly and they still get it wrong
sometimes).

~~~
mathnmusic
> for most people trying to run any sort of server themselves is quite a
> hassle

Yet we run background apps on our phones quite easily.

------
NoblePublius
My ISP (Altice/Optimum/Cablevision) makes it very hard to use your own router
or modem, despite Federal laws empowering customers to buy their own equipment
if they want to. For starters, their techs will not install new service with
your equipment; you MUST have their equipment installed, set up your
equipment, and then travel to nowhereville to return their equipment. After
doing this, I’ve had my modem bricked by Optimum for not having “the latest
firmware.” No explanation given beyond that. There is no justifiable reason
whatsoever to permit ISPs to rent equipment at all. The only reason they do
this is so they can advertise cheaper service prices.
Altice/Optimum/Cablevision markets a “$99 per month plus taxes and fees”
bundle that actually comes out to $145 per month once you have added the
equipment fees and taxes. They should also have to advertise total price. Good
thing that the Democrats are fighting so hard for “net neutrality” which would
solve this. Oh wait, no it’s wouldn’t. It just makes Netflix slightly cheaper.
Great priorities!

~~~
craftyguy
Well, if they are obviously violating a Federal law, then it sounds like
lawsuit time. They clearly aren't going to change by themselves.

Considering that ISPs insist on being monopolies (in the US), it shouldn't be
too hard for any competent law firm to make it into a class action lawsuit.

~~~
NoblePublius
They aren’t violating the law as one can still buy. They just make it really
really really hard to buy. They should be banned front renting outright.

------
paultopia
People who write this kind of article grotesquely underestimate how hard these
companies make this task.

I use centurylink DSL, mainly because the local cable monopolist is mediacom,
and I tried mediacom for two weeks of downright insulting lack of service[1],
it was the only alternative.

This[2] is the information centurylink provides about what modems are
compatible with their service. Do I know whether I have ADSL, ADSL2, VDSL,
GPON, or whatever the hell any of those other acronyms mean? No. Does it say
so on the bill? Who knows, I haven't seen a paper bill for years, no idea when
they stopped sending them. I suppose I could dig up some three-year-old piece
of paper from a kitchen drawer somewhere that might say which, or that might
say the unused landline number they hooked the DSL to so I can maybe try to
figure out how to get into some online account (lord knows I've tried to find
a username that they'll recognize to get a password reset). Or I could call
them, and talk to a minimum wage, probably offshore, customer service person
in a call center who might maybe give me accurate information as to which
acronym I have.

Or I could not look a gift horse in the mouth. Right now, I'm sending someone
a not huge amount of money per month, and I actually have residential internet
service that kinda works (and when I actually need reasonable speeds I can
bring my laptop to the office). Relative to the standard condition of life in
our third-world situation in the United States with crooked monopolists
charging people for service they don't actually provide, I feel lucky being
charged for service I actually do receive. And don't feel particularly
inclined to rock the boat on that.

I rather suspect a similar calculus is going through the heads of millions of
American households. What we need is regulation for the monopolists, not more
articles scolding captive consumers about buying their own goddamn modems.

[1] This letter sums it all up. [http://paul-
gowder.com/pgmediacom.pdf](http://paul-gowder.com/pgmediacom.pdf) Needless to
say, after receiving a "this is a lawyer who is clearly insane and extremely
angry" letter they sent me my money back.

[2] [https://www.centurylink.com/home/help/internet/modems-and-
ro...](https://www.centurylink.com/home/help/internet/modems-and-routers/what-
modems-are-compatible-with-centurylink.html)

~~~
toast0
If you really wanted to buy a modem for CenturyLink, the best thing to ask
about technology is the current modem -- it will tell you somewhere. But
you'll notice that almost all of the listed modems are customized for
CenturyLink, that's what the C in the name means (and presumably the other
letters too). That means you're more than likely stuck with whatever
customization that you might have liked to get rid of, or features you might
like to add. (Like a bridge mode that actually works).

Not being able to realistically do better than what equipment you already
have, you could probably just buy a new one of the device you already have,
but then again, it's hard to predict how long that will be useful. If you move
or by some miraculous force, CenturyLink offers an upgraded service, your
device may be useless.

------
strictnein
Comcast has a site to help determine what 3rd party modem will work with your
Internet package:

[https://mydeviceinfo.xfinity.com/](https://mydeviceinfo.xfinity.com/)

Sign in, it takes a look at what speed/connection you have and then will
recommend a list.

Or don't sign in and just specify your address. It'll tell you the speeds
available at your location. Select the speed and it'll list out the modems
they officially support, including ones with phone support.

The ones that everyone I know has is the ARRIS SB8200 or the Motorola MB8600.
Both support Docsis 3.0 up to something like 1.4Gbps. They're $150 or so, so
you'll break even in a little over a year.

------
kevin_thibedeau
My cable ISP makes it hard to use your own by refusing to use just any DOCSIS
3 modem and not publishing an approved list. It would be nice if regulatory
policy changes would force the industry to accept all standards compliant
modems.

------
jalgos_eminator
I tried. The modem didn't work. It was on the approved list. Had a tech come
out, he installed a Comcast router and it worked. They waived the rental fee
for 6 months. As much as I hate Comcast, I hate not having internet more.

~~~
JauntyHatAngle
It all ends up back as a problem of that monopoly.

Here in Australia, while we have our own problems, you could just switch ISP
if they're playing shenanigans like that.

In America, don't like your ISP? Guess you're living without internet then!

~~~
wyqydsyq
Unfortunately unless you live in a metro area your options in Australia aren't
much better. Most rural or country areas and even some suburban zones are only
serviced by a single ISP who may decide you don't need internet.

I lived in Ipswich for 1.5 years, prior to moving in I signed up for ADSL2 (no
NBN available in the area yet) with Telstra as they are the only ISP servicing
the area.

I was told that the local exchange has no available ports, and that I would
need to go on a waiting list to be given a connection.

I was periodically getting their "Sorry we can't provide you usable internet
yet, how about ADSL1 or some 4G data at rip-off prices?" for that entire time,
until I moved out and cancelled the still-pending service.

~~~
JauntyHatAngle
That's specifically due to Privatisation of Telstra though, which is exactly
the monopoly being talked about.

NBN was supposed to fix this, not sure if it still will though with the
neutering of it.

------
tylerjl
This is a topic that is near and dear to me - last year I attempted building
my own router/firewall on an ARMv8 board (the espressobin) and I've been
extremely happy with it as a DIY router solution [1]. While this sort of
approach doesn't solve the larger problem of non-technical folks being fleeced
by Comcast and other ISPs en masse, maybe with gradually-increasing tech
literacy, projects like loading up an espressobin with a pre-imaged SD card
for a home router will be a tenable option someday for more people.

From a hobbyist perspective, the router has been a dream to work with, and you
can do some really weird stuff when the router is a Linux box you're in
complete control of (DNS tricks, packet scheduling experiments, et cetera.) I
always get a kick out of updating it periodically and seeing the latest
mainline kernel loaded up (it's on 4.20.10 at the moment).

I've never studied up on home-brewing the modem/DOCSIS 3 aspect, but
realistically I don't know how feasible that is in comparison to the
relatively more simple DHCP/DNS/firewall parts of a typical home router.

[1] [https://blog.tjll.net/building-my-perfect-
router/](https://blog.tjll.net/building-my-perfect-router/)

~~~
fulafel
ARM boards tend to be bad wrt getting timely security patches because they
don't run the mainline kernel, and don't run a mainstream Linux distribution
with a paid security team. Even relatively well supported ones like Raspbian
have this problem.

My advice is to rather get a low end x86 device.

~~~
tylerjl
While I've absolutely had this experience with some of my ARM boards (notably,
most of my ODroids are stuck on some variant of the 4.14 kernel with vendor
patch sets), the essential parts of the espressobin are in mainline, device
tree and all.

The larger problem of developer/security team time and effort is still there,
though. Arch Linux ARM and Armbian are active and well-maintained, but I do
find myself running into problems that indicate that the community of active
users for this type of hardware is vastly smaller than a traditional
architectures.

------
andoma
I returned Comcast's modem because:

1) I wanted better control of routing (have a bunch of wireguard tunnels). I
want all the IOT-crap on a separate network, etc.

2) Whenever there is a transient link connectivity issue on the cable side it
seems that the comcast modem tries to "fix" this by rebooting itself which
takes a good 5 minutes.

I got a Netgear CM700 which is basically just a DOCSIS / Ethernet -bridge (you
just get the public IP using DHCP on the ethernet side).

The cable modem connects to a homegrown Linux ARM based router and then I use
Unifi PRO Access Point from Ubiquity Networks for Wifi. Never looked back
since. The Unifi AP have multiple SSID's configured which is separated on
different vlans on the way back to the router. The Netgear modem have so far
never had a single hick-up from what I can tell (about six months in now).

OpenWRT certainly is an option, but unfortunately getting high performance
wifi out of it is a bit of a dice roll in my experience. I've tried a few
hardware variants but eventually gave up and bought the Unifi PRO instead.
Also I'd just rather have separate things that do each thing well.

------
m0zg
Where I live, we have Frontier FIOS. Frontier FIOS _requires_ you to get their
"wifi router" for $10/mo even though, I quote, "you don't have to use it".
There's simply no option to not get it with a new subscription, not online,
not on the phone. How this is legal, I don't know.

------
innocentoldguy
I would love to stop renting Comcast's over-priced modem, but those fuckers'
gigabit service is extremely unstable in my area and causes both my Arris
SB8200 and NetGear CM1000 modems to constantly hang. I have to reboot my modem
at least 2 or 3 times a day, no matter which one I use, and sometimes every 20
to 30 minutes. I haven't tried the Motorola MB8600 yet, but I'm kind of weary
of dropping another couple hundred dollars on a modem that isn't guaranteed to
work.

Comcast's router at least stays up for more than a day at a time, but of
course I'm only getting 400 to 500 Mbits down on my gigabit service. I'd leave
Comcast in a second but the only other option in my area is CenturyLink, with
their whopping 20 Mbit speed.

------
girzel
I just signed up for a CenturyLink connection in Seattle. CenturyLink feels
like they're playing catch-up to Comcast, and thus are sort of on the humble
end of the arrogant-to-humble pendulum of monopolies. They are giving me a
per-month service that can be cancelled any time, "no price-hikes" (though how
can that be possible, am I going to get the same price in perpetuity into the
future?), and I clicked the "I will install my own router" option, and there
are no extra installation or equipment fees. My Ubiquiti Edgerouter Lite is in
the mail.

We'll see if there's another shoe to drop.

------
Zarath
Not sure why you wouldn't. Modem rental costs, what? 5 or 10 bucks a month?
Just buy a modem and it pays for itself pretty quickly. I'm honestly surprised
that they let you do it.

~~~
tetromino_
Say rental is $8/month and approved docsis 3.1 modem is $180 to buy outright.
Buying doesn't really make sense unless you will be sticking with the same ISP
for at least two years. (And in two years, you might take a promo deal and
sign up with another ISP; or move to a different apartment building which
doesn't allow your current ISP; or your roommate or SO might decide to take
care of connectivity; or technology will advance and you would want a
different modem anyway.)

~~~
quadrangle
If you quit the ISP in under two years, you can still sell your used modem for
a decent chunk of change. If you actually own, you can resell it. I've done
this both ways, selling one I no longer use but also buying one used from
someone else. So, there's no actual reason for most people to ever pay $180.

------
sliken
I switched from Comcast's router to a Ubiquiti Edgerouter 6p. It's fast, easy
to configure, flexible, and gets regular security updates. Overkill, but still
cheaper than renting a comcast router. Adding QoS really helped as well. In
particular I wanted a VLAN/dedicated port for untrusted consumer widgets (TV,
Stereo, fitbit, etc).

------
judge2020
Even if you use an "approved modem", their support will not by any means help
you unless you're using the official rented modem+gateway. You end up having
to lie about using the rented one they give you (they don't check if you're
actually paying for it) to get any actual support.

~~~
jwcooper
I've always had my own modem and I've never had a problem with Comcast/Xfinity
not helping me. Maybe I'm the exception.

Recently they updated my area to DOCSIS 3 (or 3.1, not sure). My DOCSIS 3.1
Motorola modem (found this out later) has a firmware bug that causes random
modem lockups. Comcast went as far as replacing the cable from the telephone
pole to my house in the middle of winter (it was ridiculously cold that day),
running signal analyzers, and various other things before looking into the
modem.

Also, Motorola Modem customer service was shockingly good as well. They sent
me a free replacement modem while they worked on the firmware updates.
Provisioning that temp modem was as simple as using the online provisioning.

Now, it would be nice if I didn't have to set annual calendar reminders to
call them for when they increase my monthly price by 40%...

~~~
m-ee
Which modem do you have? I have a motorolla modem and my service has gone to
shit recently

------
wnevets
I went from having to restart the FiOS router all the time to fix the WiFi to
never restarting with the edgerouter/unfi ap.

Buying your own hardware cost more up front but over the course of a 2 year
contract you're paying over $240 ($10 a month) for something that barely works
from Verizon.

------
trumped
I'll rent you modems and routers for $8/month.... you'll save at least
$5/month.

------
meroes
When I worked there we only guaranteed speeds coming off a Comcast
router/modem.

------
purplezooey
_" Over time, users wind up paying Comcast significantly more money than the
modem or router is worth."_

It's not really the cost, probably for 90% of users, it's more your average
soccer mom doesn't want to deal with owning, updating, and maintening
networking gear. So the service has some value to people.

------
dvtrn
For the love of God, can the titles remain consistent with the posts?

------
ronlobo
We should sue those ____

------
tryphotography
good

------
phil_folrida
Most users, consumers, on Comcast do not have a choice, next election go out
and vote rather than stating the obvious.

~~~
zdragnar
That's strange, I've had cable internet through Comcast at four different
houses and have always used my own equipment, didn't rent theirs at all.

