Comcast MAC address spoofing...a potential problem for data caps

Update: For all the people who have asked.
1.  No I did NOT take this from theory to practice.  That would probably be illegal without Comcast/Xfinity's permission.
2.  No I will NOT provide you with more detail.  If you are asking you probably are hacking and not fixing.
3.  MAC addresses are notoriously easy to grab over the air.
4.  In all fairness to Comcast, they state that they expire your MAC-based auth every 24 hours.  I will leave it up to someone else to comment on whether that is short enough, secure enough, and/or whether it actually happens.

tl;dr: The MAC addresses I refer to below were registered to our Comcast/Xfinity account when my wife and I logged in at a local donut shop that has an Xfinity hotspot.  Since there is no reauthentication beyond presenting a registered MAC address, traffic from those MAC addresses counts against our data cap no matter which Xfinity hotspot they are used on.  It doesn't even have to be the actual device...just the MAC address.

Have you ever signed into an Xfinity WiFi hotspot?

If you have, you could potentially be exposed to this type of attack:
1.  Someone sniffs your MAC address from your phone, laptop, tablet, etc. as it connects (that MAC is now registered to your account because you logged into an Xfinity WiFi hotspot with it).  This is very easy to do with something like Ettercap or any wireless sniffer, since the MAC addresses in 802.11 frame headers are sent in the clear even on encrypted networks.
2.  They then configure their own phone, tablet, laptop, etc. to use your MAC address (if you don't understand how to do this, then this article is not for you).
3.  Now they can use any Xfinity hotspot and have the data counted against your 300 GB a month cap without having to reauthenticate (Comcast's documentation says the MAC-based sign-in is only good for 24 hours).  They can even turn on the Xfinity WiFi hotspot on their own gateway (FAQ...see the section on "guests").  This lets them never leave home and still use your allotted bandwidth each month.

...but I only logged in once, and it was very brief.  I have never used it again.
Actually, you probably have if you used your phone.  Most phones save wireless networks by name (SSID) and reconnect to them automatically, because it gives the user a better experience on WiFi than pushing data over 4G (at best).  Every automatic reconnection to an "xfinitywifi" SSID is another sign-in with your registered MAC.  Comcast says a MAC-based sign-in only lasts for 24 hours.
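Step 2 of the attack (remapping a device's MAC) is ordinary interface configuration, and the same mechanism is the defensive counterpart to the automatic reconnection just described: present a throwaway, randomized MAC to public hotspots so your device's burned-in address is never the one registered to your account.  The following script is an added example written for this page, not code from the original post or from Comcast.  It assumes a Linux host with iproute2 (`ip`), `od` and `awk`; the interface name in the usage line is a placeholder, and applying an address needs root.

```shell
#!/bin/sh
# Added example (not from the original post): generate and apply a random
# locally-administered MAC address so the address a device presents to a
# public hotspot is not its burned-in one.  Assumes Linux + iproute2; the
# interface name passed on the command line (e.g. wlan0) is a placeholder.

H='[0-9a-fA-F]'   # one hex digit, used in the validation pattern below

# Print a random unicast, locally-administered MAC: bit 1 of the first octet
# set (local), bit 0 clear (unicast), so the first octet ends in 2, 6, a or e.
random_laa_mac() {
    # six random bytes as two-digit lowercase hex, one per positional param
    set -- $(od -An -N6 -tx1 /dev/urandom)
    first=$(( 0x$1 ))
    first=$(( (first & 0xFC) | 0x02 ))   # clear multicast bit, set local bit
    printf '%02x:%s:%s:%s:%s:%s\n' "$first" "$2" "$3" "$4" "$5" "$6"
}

# Return 0 if $1 is a well-formed unicast, locally-administered MAC, 1 otherwise.
# Rejects burned-in (globally unique) addresses and multicast addresses, so a
# typo or a copied real address is never applied.
is_laa_mac() {
    mac=$1
    case "$mac" in
        $H$H:$H$H:$H$H:$H$H:$H$H:$H$H) ;;
        *) return 1 ;;
    esac
    first=$(( 0x${mac%%:*} ))
    [ $(( first & 0x03 )) -eq 2 ]
}

# Apply $2 to interface $1 (needs root).  The current address is saved to
# /tmp so it can be restored with: ip link set dev IFACE address "$(cat FILE)"
set_mac() {
    iface=$1; mac=$2
    is_laa_mac "$mac" || { echo "refusing non-LAA MAC: $mac" >&2; return 1; }
    ip link show "$iface" | awk '/link\/ether/ {print $2}' > "/tmp/orig-mac-$iface"
    ip link set dev "$iface" down &&
    ip link set dev "$iface" address "$mac" &&
    ip link set dev "$iface" up
}

# Usage: ./macrand.sh wlan0   (as root) changes the interface;
#        ./macrand.sh         just prints a candidate address.
if [ -n "$1" ]; then
    new=$(random_laa_mac)
    set_mac "$1" "$new" && echo "$1 now uses $new (original saved in /tmp/orig-mac-$1)"
else
    random_laa_mac
fi
```

Two caveats a practitioner should keep in mind.  First, on an Xfinity hotspot a randomized MAC only helps if you also detach the registered devices afterward, since whatever MAC you sign in with gets registered to your account for the duration Comcast allows.  Second, an address set with `ip link` does not survive a reboot or a NetworkManager reconnect; on a recent NetworkManager system the persistent equivalent is `nmcli connection modify <name> wifi.cloned-mac-address random`, or simply deleting the saved "xfinitywifi" connection so the phone-style auto-reconnect never happens.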

...all that a black hat has to do is sit in proximity to a local Xfinity WiFi hotspot along a busy road and scan for MAC addresses.  I have not done this because it's illegal, so I don't know how often it works, but my guess is that if you live in a Comcast region, at rush hour the chances are pretty good that you will find a compatible MAC address very quickly.

How did I find this out?
I received notification that we had consistently gone over our data cap for the last 4 months.  Previously, in the last year, we had done this and it was explainable...we had downloaded a couple of Xbox One games and content that pushed things to the limit.  This month I couldn't explain it.

After talking to Comcast level 1 and level 2 Data Security support I couldn't get any sample data captures.  I was informed that they just download the logs from our modems and get the total data usage.  I am happy to hear that they don't keep logs of history but I was very surprised that they did not give me the option of voluntarily doing data capture to find out where the traffic originated, went to, and types of traffic.  Seemed a little odd since they were going to hold me responsible for paying money for any overages that I would incur.

I went the usual route of data captures on our router...not much there.  Cancelled Netflix in case the kids were streaming 24x7 at an HD rate (2.4 GB/hour)...the router still showed only 26 MB up/down combined...yet according to the Comcast Usage Meter, or the Adobe-based Comcast usage meter, we had still used close to 1 GB of data in the 4-hour period that it records (MAC address is hidden).

At this point I was thoroughly without explanation.  I started digging around until I found the Xfinity Hotspot FAQ.  I am not saying that this is what happened to my account...maybe...maybe not.  Could just be the kids watching huge amounts of Netflix (which can happen if you have "Watch next episode automatically" turned on in your Netflix account)...it can also happen now that Netflix has signed a provisioning agreement with Comcast...you theoretically might be getting the 2.4 GB per hour for Netflix HD content.  Who knows; Comcast has claimed that you could get it all along, so it shouldn't have been an issue since the same number of devices and people reside at my residence.

How can I quickly fix this security hole?
1.  Login to your Xfinity account.
2.  My Account > My Services > under Xfinity Internet > Manage > You should see your devices here.
3.  Delete or detach any devices shown there.  I had two that showed as "registered" and "Unknown".  Removing them drops the association between those MAC addresses and your account, so anyone presenting a spoofed copy has to sign in with account credentials again instead of getting the automatic sign-in Comcast provides for Xfinity hotspots.  Note that every hotspot login registers the MAC again, so repeat this check after each time you (or your auto-reconnecting phone) use an Xfinity hotspot.

I am not saying that this was my problem this month, although we are currently on a record data usage path (300 GB in 12 days...25GB a day...how is that even possible?).  We do use Netflix to its max...usually 1-3 devices going at once for about 4 hours a day...maybe more.  

I really wish Comcast could have provided me with a 24-hour data log.  I know that we do NOT use torrents, Tor, iTunes (very rarely), etc.  If it's anything, it has to be Netflix and/or YouTube.

This is only a theoretical scenario.  I have left some things purposely obfuscated...make of it what you will.  Hopefully Comcast will change some of their policies to provide better security.