AndroidGood and EVO

How two misbehaving apps made me face Comcast’s data cap

Comcast data cap overageThis is a very long story of how I hit Comcast’s (my internet service provider) 300GB data cap in ten days without doing anything illegal or being infected by viruses or malware (your definition may vary) – and what I had to do to prevent from being cut off from service. It’s also one of the reasons I haven’t had a chance to do much here the past couple of days.

Last month I switched from Comcast Business to Comcast Xfinity (the home version), after a series of issues which resulted in multiple installers, messed up accounts, and the escalations department finally stepping in after a Comcast Twitter team in Florida noticed the Tennessee Comcast group wasn’t helping me. Last month was not a good time with Sprint or Comcast for me, I can tell you.

Comcast Business is unlimited, and was being taken care of by work, as we used to move a large amount of data to my house for backup and disaster recovery purposes. It was something I didn’t have to think about much, and some months we moved nearly 200GB of data in offsite backups and project tests (video is huge), but that’s all been pretty much done away with in the past couple of years by cheap cloud services. And so last month I switched to the metered, limited, non-commercial home version.

With 300GB of available bandwidth, I didn’t think there was going to be a problem, but at the start of my first full metered month I ran into the cap. I figured I would call up Comcast and have one of them log into my modem and see which computer was the perpetrator of this madness, and quickly found that none of the level one techs had that ability.

After an infuriating call with a level one tech who took 12 minutes to understand what the problem was, I was given a number for a data overage department. I talked to a man who started reading me the standard virus, peer-to-peer networking, kids, unsecured or weak wifi password, etc. text and I told him I’d been doing network tech stuff since 1993 and this one was stumping me.

I didn’t expect that pulling the “I should know what’s going on” card out of my belt would do anything positive – it never does. People either don’t believe you or think you’re trying to say you’re better than them, but in this case we talked a bit about the makeup of my network and how it morphed from a business site into my personal network but how nothing should have changed from the business account, which was using ~150GB a month for backups, to my personal account, which no longer accepted off-site backups.

I should have been using around 30-60GB a month based on my activity.

He talked to someone in tier two who said they’d look at it, and I was told I’d get a call back and some help – that was the last I heard from Comcast.

I knew I was abandoned at this point, left with a Comcast Xfinity modem that would not allow me to see traffic usage, but did have significantly better WiFi than anything I had. I had to shut down the network I’d moved over to, and move all my devices (four HTC EVO phones, two tablets, a baby cam, two Chromecasts, wife’s HTC One, my One M8, several misc devices for monitoring the house, etc.) over to my old cheap rinky dink router that had a traffic status window.

I ran virus scans, malware scans, put a bandwidth monitor on anything that I could. Nothing was popping out from the usual suspects.

One at a time I added a device, then would wait and watch the bandwidth monitor for an hour or two at a time, writing things down to see what was using what. I didn’t have granular level monitoring, because I only had cheap consumer routers with no aftermarket firmware.

The music is gonna getcha

Google Play Music alone would have made me nearly hit my comcast data capOn the 16th, with everything connected to the new network and sitting idle I noticed some unusual traffic start which would add up to about five gigs a day if it kept up. This was not my now 400GB culprit, but that was a potential 75GB of the puzzle. I pulled things one at a time until I found the culprit:

An HTC EVO 3D that was mostly used as a media center for streaming music to get my rugrat to sleep at night. My expected bandwidth usage of this thing was about a gigabyte a month, as SiriusXM plays for a couple of hours and then shuts off due to inactivity timeout. I’d even measured the potential bandwidth before and dismissed it as not something to worry about.

I turned the device off and my five-gig a day drain disappeared. Cranked it back on and did not initiate XM and the drain started up again. I wondered whether this was a ROM that had some remote control backdoor or something sinister, wondered moreso as the developers of the ROM that on that 3D are probably the only developers who actively dislike me (well at least that I know of), but it wasn’t them.

There was a pin sitting in the status bar. The Google Play Music pin. On April 5th I’d decided to pin between one and five albums (I don’t remember, it’s been a while), and that pin had popped up with the message that it was keeping the music followed by that there had been an error. I didn’t think anything of that message as I wasn’t in a hurry for the music to be there, I just wanted some music on the device in the event that the internet went out and I needed to soothe a baby.

To put this in perspective before the reveal, the HTC EVO 3D I have has an 8GB external SD card, of which three gigs are free. What I was attempting to pin to the device was at most 300MB of data. Baby music that I wanted to pull from the cloud in the event of an issue.

Google Play Music, when I looked in the WiFi usage (settings, more, usage,) had pulled 76.23 gigabytes from April 5 through April 16.

I don’t have 76.23GB of music. Just checked. Nope, not near that. Play Music used more data than it would have taken to download 800 full length albums. As it stands there’s one song from one of the albums that I pinned.

My guess is it just kept downloading a song, having an error, and downloading the same thing over and over.

The deactivated HTC EVO 3D was 1/3 of my bandwidth cap culprit, but it was not the totality of it.

I spy with my little eye

Digitial SigThe other part of my puzzle involves a Foscam 8910W camera. These are the same ones you may have heard about being easily hacked / people yelling at children over the internet. I picked one up cheap, updated the firmware, locked it in an internetless prison so that shouldn’t have been a worry.


The Foscam web interface has three modes, ActiveX, Server Push, and mobile. I used Active X and Internet Explorer to stream audio upstairs as the other option’s VLC plugin causes issues with the screen never shutting off, and causes the audio to be delayed by several seconds.

In general, I advise staying the hell away from Internet Explorer, but I thought that I’d be pretty safe in local area only browsing. It was just a matter of convenience.

This past month, the webcam would run constantly as a side project of mine was running full time on the computer, and there seemed no reason to actively shut off the webcam viewer unless I just wanted to kill the audio stream.

I fired up the webcam and noticed my bandwidth out-of-network suddenly spiked to 250K per second. Yes, big K, kilobytes. Nine hundred megabytes an hour. Twenty one gigabytes a day.

I was at first in a panic that my webcam was sending out to the internet… then I caught my breath and realized this was my computer, and the traffic direction was incoming, not outgoing. There occasionally would be one little shot from my computer out, but nothing large enough for an image.

The Foscam Viewer ActiveX plugin is manufactured by a company called ShenZhen Foscam Intelligent Technology Co.,Ltd. It allows a pretty seamless video+audio experience with the camera, and it also seems to be downloading from a random internet address, which is something in AT&T’s network and when Google searched returns two search results claiming it’s a bitcoin node.

So wait, my webcam software’s been mining for bitcoin? Doesn’t seem likely, nor does it seem it would require 250K per second to do it in. Then again, I don’t really follow bitcoin mining tales, so maybe. Update: not mining for bitcoin, sucking a video stream out of another Foscam camera.

I tested several safe sites with Internet Explorer and determined the only time that connection occurs is when that particular ActiveX control kicks in.

I’m using the VLC plugin version now and have no out of network traffic when viewing the webcam.

Update: It’s connecting to another camera out in the net and streaming at full blast. Investigating now. Oh look, it’s an associated webcam of some other baby’s room. Great.

That’s all folks

The first 17 days of my first month of capped service saw nearly 400GB wasted by a malfunctioning Google application and an extremely suspect ActiveX control distributed by a company that won’t get back to me on what in the world that control is doing.

Google would have peaked at around 210GB a month had I not caught it, the webcam weirdness at 651 gigs.

Comcast gives people who go over the absurd bandwidth I’ve used a few months to get their acts together, but gives no tools or help in the matter. Their solution was to use the Comcast Bandwidth monitor, which is an Adobe Air application that refreshes a page that contains up to day-old usage information. They claim to have no ability to see what’s happening.

This has taught me once again to never get in a situation where you’re having to trust cheap consumer goods running stock firmware to report your bandwidth for you. I’m just unfortunately trapped in a WNDR3400v2 and there doesn’t seem to be any firmware upgrades on that from my usual suspect (Tomato, DD-WRT). However, I at least have a bandwidth usage page that gives me up to the second use, if not who’s using it.

If you’re getting a new WiFi router, make sure you can root it/install aftermarket firmware on it, as the stuff that ships with consumer grade is useless.

Pocketables does not accept targeted advertising, phony guest posts, paid reviews, etc. Help us keep this way with support on Patreon!
Become a patron at Patreon!

Paul E King

Paul King started with GoodAndEVO in 2011, which merged with Pocketables, and as of 2018 he's evidently the owner. He lives in Nashville, works at a film production company, is married with two kids. Facebook | Twitter | Donate | More posts by Paul | Subscribe to Paul's posts

Avatar of Paul E King