A Rogue Hot Spot Could Turn a Coffee Shop into a Den of Thieves

June 25, 2014

By J. Sharpe Smith —

Today’s coffee shops are jammed with Wi-Fi users.

The aggressive rollout of networks of millions open, public Wi-Fi nodes by Comcast and AT&T from coast to coast is a boon to unlicensed spectrum use. But with phones equipped to automatically roam to the next accessible node, the question is can users trust their phones to choose an honest access point? ARS Technica, an online technology publication, engaged in an experiment with National Public Radio where they cast some doubt on just how smart today’s phones really are when it comes to automatically logging on to spoofed Wi-Fi nodes.

AT&T sets it smart phones to recognize and connect to “attwifi” hotspots automatically. Ars Technical Reporter Sean Gallagher set up a laptop as a Wi-Fi hotspot broadcasting the network name “attwifi.” After the Wi-Fi was turned on, the phone connected to the fake “attwifi” hotspot without prompting. When the spoofed AT&T node was turned off, the phone automatically reconnected to another hotspot called “xfinitywifi,” which was running on a neighbor’s Comcast cable modem.

Gallagher notes that while Comcast’s Xfinity wireless hotspots initially request a customer’s account ID and password the first time you log on each day, every succeeding connection to a new hotspot it re-authenticates you without prompting.

“That means that if someone were to set up a malicious Wi-Fi access point called “xfinitywifi,” devices that have connected to Xfinity’s network before could automatically connect without alerting the user or asking for the password,” Gallagher wrote. “Alternatively, using a “honeypot” tool such as PwnStar, an attacker could spoof both the “xfinitywifi” SSID and the Xfinity login page — stealing their Xfinity credentials in the process…and then pass the victim on to Internet access as if nothing had happened.”

Wi-Fi Can Make a User’s Life an Open Book

As a part of the experiment, all of NPR Reporter Steve Henn’s over-the-air Internet traffic was intercepted for a week.

“There’s a hole in mobile security that could make tens of millions of Americans vulnerable,” NPR reporter David Greene said. “It has been well known in the industry for years and it could let even unsophisticated hackers capture your traffic, monitor your connections, even maybe steal your identity.”

Henn and the team of reporters were shocked by how much data spilled out of the smart phone over the air as it contacted Apple, Google and Yahoo and opens apps such as Facebook and Twitter.

“Seeing the amount of data that streamed out of my phone the second I turned it on kind of blew everyone away,” he said. “This all happened in seconds and I never touched the phone.”

The vulnerability continues as the phone makes probe requests looking to log onto the next Wi-Fi network. The problem occurs when a rogue Wi-Fi node dupes the smart phone into thinking that it is a trusted network, such as AT&T or Comcast, Henn said.

The answer to the security problem appears to be encryption. Users need to buy apps that automatically encrypt transmissions when the phones access public networks, but most don’t. When NPR asked officials of Comcast and AT&T when things would get more secure, the answer was when manufacturers catch up with the public Wi-Fi network phenomenon and build safeguards into all devices that access the Internet over Wi-Fi.

At the AGL Conference in Washington, D.C., Jake MacLeod said that cybersecurity, in general, is a perpetual issue that is getting more complicated.

“About 12 years ago National Laboratories were getting hit 3,000 times a month from state-sponsored cyber-terrorists,” MacLeod said. “They were able to thwart those attacks and identify the attackers. Now it has become so sophisticated that all of our power grids and networks are vulnerable.” The answer to the problem is to accept that cyber attacks are the new normal and constantly upgrade cyber protection, he added.

J. Sharpe Smith is editor and AGL Small Cell Link and AGL Link newsletters