Two California residents recently filed a class action lawsuit against Comcast, accusing the company of using residential customers' routers as public Wi-Fi hotspots without their permission.

"Within the past several years, Comcast began supplying its residential customers with new wireless routers, equipped to broadcast not only its customers' home Wi-Fi network signal, but also an additional Wi-Fi network signal that was available to the public," the complaint states. "Comcast then began selectively activating these routers to broadcast the secondary network -- the public 'Xfinity Wi-Fi Hotspot' -- in various markets across the country, with the goal of enabling 8 million Xfinity Wi-Fi Hotspots by the end of 2014."

The complaint alleges that by deploying this network of hotspots without its residential customers' authorization, "Comcast has externalized the costs of its national Wi-Fi network onto its customers."

According to the complaint, the new wireless routers consume much more electricity to broadcast the Xfinity Wi-Fi Hotspot network, and the broadcasting of the secondary network degrades the performance of the customer's own home Wi-Fi network.

The complaint refers to tests conducted earlier this year by Speedify that found that hosting an Xfinity Wi-Fi Hotspot could cost Comcast customers up to $22.80 per year. A later test with a newer version of the router found that the costs could be as high as $29.05 per customer per year.

"Based on our tests, we expect that by the time they roll it out to all of their subscribers, Comcast will be pushing tens of millions of dollars per month of the electricity bills needed to run their nationwide public Wi-Fi network onto consumers," Speedify CEO Alex Gizis wrote in a blog post describing the initial test results.

The lawsuit also alleges that the broadcasting of the secondary network "subjects the customer to potential security risks" by enabling strangers to access the Internet through the customer's home router without giving the customer any ability to authorize or control that access, and claims that "any activity on the Xfinity Wi-Fi Hotspot will appear as though it originated from the Comcast customer's IP address."

The lawsuit seeks relief, restitution and damages for the plaintiffs as well as for a national class of Comcast customers and a California subclass of Comcast customers.

Rapid7 global security strategist Trey Ford told eSecurity Planet by email that ISPs have long failed to prioritize patch management for customer premise equipment. "These devices have an awful track record of responding to security notifications and receiving patches," he said.

"In general, as the modern American home becomes increasingly connected to the Internet, having a safe edge device (in this case, the cable modem) is extremely important," Ford said. "I hope that Comcast has done a good job segmenting the 'guest' network from the subscriber's 'home network,' which is critical to the security of users who are forced to partake in this initiative."

"For guests using this service, be aware that the 'guest network' is unencrypted -- and while the FAQ says, 'Comcast is committed to making your Wi-Fi experience as fast, fun and safe as possible” -- this wireless network is completely unencrypted -- you’re using a network that was considered unsafe over 15 years ago," Ford added.

Photo courtesy of Shutterstock.