Hacked by former employees
My internet is not my own; they know how Xfinity works from the inside and they are using all of that knowledge against me. I live alone and am vulnerable, so I'm easy pickings.
My home is being broken into on the regular, and I have a hard time believing that that is not connected. Someone told me they needed to update the batteries of a listening device and/or to get remote codes so they could remote into my television set to be able to control it.
How would YOU handle this?
Jaded
flatlander3
Problem Solver
1 year ago
Xfinity gear has a few problems that fail my security audit, as well as the audit performed by other IT departments for contract work. You have to have your own house in order to do work for a lot of companies.
The first problem is that your critical infrastructure is controlled via a phone app -- the least secure device you own. Anything controlled with a phone app needs to be on its own isolated subnet, separate from the rest of your gear. This includes streaming devices, cameras, IoT gear like smart outlets/thermostats/temp loggers etc. You don't want them on your "trusted" network. Publicly traded companies like Xfinity DO NOT control their critical infrastructure with PHONE APPS. If they do, you want nothing to do with them, nor give them any personal data.
Another problem is the Xfinity gateways have MoCA capability for their TV set top boxes (ethernet over coax). You can leak data if you do not have a MoCA point of entry filter installed properly. Your neighbors' devices can join your network, either intentionally or unintentionally. It's a major problem and most people do not have one installed, especially in close neighbor situations like apartment buildings. You are then responsible for your neighbors' internet activity if what they are doing is criminal. This can be a costly problem for you to defend yourself in court.
Xfinity gear has 3 radio broadcasts too. One for your WiFi network. A hidden one for their security systems. And a public hotspot "feature" where anonymous users can connect to YOUR gateway. This is a horrid idea. You share memory and CPU, and an internet connection with random people on a 3rd party outsourced device with extremely sketchy firmware with zero documentation.
Yet another issue with consumer cable modems/gateways in general is, the production run is 5 years. Usually, there are no bug/security exploit fixes after that, and when there is a reported exploit, you could be running for months until the firmware is fixed, if they even bother to fix it. Usually they don't. The firmware is "closed source", so you have no way to identify if you have a problem with a library used to craft the firmware when exploits are found. You're just blind.
Work machines -- well, those have to be isolated from the rest of your gear too. I also isolate gear by customer and do not want work and personal gear to be able to communicate with each other. When you log into someone else's network remotely, you are inviting their security problems onto YOUR network. You also do not want to cross-contaminate other customers. Reformat hard drives after a job is completed. You spell that out in a "data retention" plan upfront so everyone knows you do not retain data; they are on their own for that. Many want to see your data handling plan. Many also require that you do not use WiFi and only use hard wired connections.
Best practice? A straight cable modem (not a gateway) connected to a firewall that can split network connections into isolated subnets. A dedicated box or firewall appliance. Commercial gear costs money. You can write it off. For free, Netgate's pfSense Community Edition or OPNsense are BSD-based distributions that can do this for you and run on a dedicated PC. All it takes is reading the manual. Stay current on your own firewall software and even compile it yourself when exploits are identified to mitigate issues.
XfinityAmandaB
Official Employee
1 year ago
This is concerning, and not the experience we want any customer to have! Firstly, if you have any concerns about devices connected to your internet, please start with changing your Wi-Fi password to a more secure password and do not share this with anyone. Next, please check your connected devices using your Xfinity app, so you can see what is on your network. You can check out how to do that using this page here: https://www.xfinity.com/support/articles/manage-wifi-devices-my-account If there are any devices connected that you are not familiar with, I would pause the connection to these devices in the Xfinity app. You can find more information on pausing devices on your network here: https://www.xfinity.com/support/articles/xfinity-xfi-manage-profiles
As a note, we do not offer any listening devices, only your Xfinity voice remote and home security options like a camera and doorbell. If you do not have any of these items through us and did not reach out for help or receive an email notice that you need to update or make a change, then please do not provide any of your personal or account information to them. If you still have security concerns, please reach out to our team of security experts: Customer Security Assurance, by calling 1-888-565-4329, 8:00 am - 12:00 am EST, 7 days a week.
flatlander3
Problem Solver
1 year ago
If it's a concern: OS "listening devices" like Mac's Siri or Microsoft's Cortana; anything you bugged your house with intentionally, such as an Amazon or Google voice-activated device, a camera, a TV with voice recognition, or other remote broadcast capability you may have allowed, such as Miracast or Chromecast if you allowed that in a smart TV's settings; and your cell phone itself, which is also a listening device that can be hijacked. Bluetooth devices in a close neighbor situation are also a problem. It's a bigger problem if your own data handling practices are terrible and you are reusing passwords across multiple sites. Then when any one of those is compromised, all of your stuff is.
If you have decent gear, and are clever about what you buy, and how you configure and manage your network, you can keep these devices from communicating with the company host data collection activities, and also identify who your devices are actually talking to in real time. They are designed to steal personal information for targeted advertising. You can do this with firewall rules for things connected to your network, but you need the infrastructure in the first place.
A cell phone is always a problem because it uses a cellular network. Don't install "free apps". Free isn't free, they are private data collection tools. Lock down permissions on your phone for apps. Do NOT use devices that have to be controlled with a phone app.
If you do suspect hijacked equipment, stop using it. You can try resetting compromised devices to factory defaults. Change any email account associated with the device to a new one you create somewhere (it doesn't matter where: Proton Mail, Gmail, wherever). Unlink other devices and services, especially anything you had linked with Xfinity if that account is compromised, and especially banking information. Do not reuse passwords across websites/services after that.
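The two flatlander3 posts above describe a policy (phone-app/IoT gear, work machines and the trusted LAN each on their own isolated subnet behind a dedicated BSD firewall, with IoT traffic logged so you can see which vendor hosts each device phones home to) but not the rules that implement it. The pf.conf below is an added example written for this page, not configuration from the thread or from the pfSense/OPNsense projects, and it targets a plain FreeBSD box running pf. The interface names (em0, vlan10/20/30), the 10.0.x.0/24 addressing, and the empty <iot_allow> table are assumptions for illustration; pfSense and OPNsense generate their own pf.conf from the GUI, so on those distributions you would express the same policy as VLAN interfaces plus per-interface rules rather than hand-editing this file.

```pf
# Added example, not from the thread: pf.conf for a dedicated FreeBSD firewall
# behind a straight cable modem (bridge mode). Interface names, VLAN numbers
# and addresses are assumptions.
wan  = "em0"       # cable modem side, public address via DHCP
lan  = "vlan10"    # trusted LAN:            10.0.10.0/24
iot  = "vlan20"    # phone-app/IoT/streaming: 10.0.20.0/24
work = "vlan30"    # customer work machines:  10.0.30.0/24

# All RFC1918 space: "internet only" rules below are written as "not <rfc1918>"
# so a subnet cannot reach a sister subnet by pretending it is internet-bound.
table <rfc1918>  const { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 }
# Source ranges that must never arrive from the modem side.
table <martians> const { 0.0.0.0/8, 127.0.0.0/8, 169.254.0.0/16, 224.0.0.0/3 }
# Vendor hosts you have decided your IoT gear may talk to. Starts empty
# (assumption); fill it from what pflog shows, e.g.
#   pfctl -t iot_allow -T add 203.0.113.10
table <iot_allow> persist { }

set skip on lo0
set block-policy drop
set loginterface $wan

# Reassemble fragments before filtering.
scrub in all fragment reassemble

# One public address shared by all three subnets.
nat on $wan inet from { $lan:network, $iot:network, $work:network } to any -> ($wan)

# Default deny inbound on every interface, logged to pflog0. Policy is
# enforced on "in" rules per interface; forwarding out is then allowed.
block in log all
pass out all

# Drop spoofed sources and bogons from the WAN early.
antispoof quick for { $lan, $iot, $work }
block in quick on $wan from <martians> to any

# The firewall box itself: managed over SSH from the trusted LAN only.
# Nothing on the WAN, IoT or work side can reach its management port.
pass in on $lan proto tcp from $lan:network to self port 22 flags S/SA

# Every subnet may use the box as its DHCP and DNS server, and nothing else on it.
pass in on { $lan, $iot, $work } proto udp from any port 68 to any port 67
pass in on { $lan, $iot, $work } proto { tcp, udp } from any to self port 53

# Trusted LAN: out to the internet, and may initiate toward IoT gear (replies
# ride the state). There is no matching rule on $iot, so IoT can never
# initiate toward the LAN.
pass in on $lan from $lan:network to ! <rfc1918>
pass in on $lan from $lan:network to $iot:network

# IoT: internet only, never any private range, and logged so every new
# connection a camera or thermostat opens shows up on pflog0 in real time.
pass in log on $iot from $iot:network to ! <rfc1918>
# Tighter form once <iot_allow> is populated (swap for the line above):
#   pass in log on $iot from $iot:network to <iot_allow>

# Work machines: internet only and isolated from every other subnet,
# matching the customer requirement that work and personal gear never talk.
pass in on $work from $work:network to ! <rfc1918>
```

Before loading, syntax-check the file with `pfctl -nf /etc/pf.conf`, then load it with `pfctl -f /etc/pf.conf`. Because the IoT pass rule and the default block both carry `log`, `tcpdump -n -e -ttt -i pflog0` shows, as it happens, which external address each IoT device is connecting to and which cross-subnet attempts were dropped; that is the list you use to decide what belongs in <iot_allow> before switching to the allowlist-only rule. Note that the MoCA point-of-entry filter from the first post is still a separate, physical control on the coax side: none of these rules can stop a neighbour's set-top box from joining the coax segment in front of the modem.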