Security Wireless Networking Hardware IT

"Free Wi-Fi" Scam In the Wild

DeadlyBattleRobot writes in with a story from Computerworld about a rather simple scam that has been observed in the wild in several US airports. Bad guys set up a computer-to-computer (ad hoc) network and name it "Free Wi-Fi." You join it and, if you have file sharing enabled, your computer becomes a zombie. The perp has set up Internet sharing so you actually get the connectivity you expected, and you are none the wiser. Of course no one reading this would fall for such an elementary con. The article gives detailed instructions on how to make sure your computer doesn't connect automatically to any offered network, and how to tell if an access point is really an ad hoc network (it's harder on Vista).
  • by GreyPoopon ( 411036 ) <[gpoopon] [at] [gmail.com]> on Friday January 26, 2007 @12:07PM (#17769704)
    To avoid this, just avoid ad-hoc connections. That will work until the perps start using Infrastructure (Access Point) connections with a bridge to the real one. You can even set up Windows XP so that it won't allow you to make ad-hoc connections.
  • by Hokie06 ( 986634 ) on Friday January 26, 2007 @12:11PM (#17769782)
    I've seen this in the B terminal of Dulles Airport, every time I fly out. I guess it could be someone who works there or something. But since it was ad-hoc I never connected.
  • by jfurdell ( 574363 ) on Friday January 26, 2007 @12:12PM (#17769784) Homepage
    When you connect to a network, a little wizard pops up asking you if it's "Home", "Work", or "Public Location". Choose Public Location and sharing will be disabled automatically.
  • by Wanker ( 17907 ) * on Friday January 26, 2007 @12:14PM (#17769832)
    Uh, they already use Infrastructure connections. Bummer, eh?

    Even worse, their 200mW cards will out-power the real 40mW access points so Windows will prefer to use the attacker's "closer" "access point".

    http://www.remote-exploit.org/backtrack.html [remote-exploit.org]
  • Not just airports (Score:2, Informative)

    by dropshot ( 646089 ) on Friday January 26, 2007 @12:28PM (#17770112)
    I saw exactly this at the National Archives in College Park, MD. I told the local IT bubbas, but they just gave me blank stares. It was particularly disturbing because the average researcher at the archives won't have the technical sophistication to realize what's going on, and will then take their zombified system back to a university network.
  • Re:Quick question (Score:4, Informative)

    by Vellmont ( 569020 ) on Friday January 26, 2007 @12:30PM (#17770166) Homepage

    e.g. if I ssh to my home computer, or access an https site, am I still ok?

    As long as you exchange keys with the actual end host, and not the man-in-the-middle, you're fine.

    If the Man-in-the-middle tries to give you his own SSL key, your browser will throw up an error message that the key is invalid. If you click "accept key", then you're hosed and the attacker can read all your traffic.

    As far as ssh goes, if you've connected to the host before, SSH will (or at least on the clients I've used) throw up a big warning message that someone is trying to hack you. If you haven't connected, no such warning will appear and if you type in your password the attacker will get your password, and everything you type in your ssh session.
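The two SSH situations in the comment above (a recorded key that suddenly changes, versus a host never seen before) can be modelled in a few lines. This is an added example, not code from the thread; it mimics the trust-on-first-use logic of an SSH client's known_hosts file with constructed placeholder keys and no network traffic.

```python
"""Trust-on-first-use host key checking, the way an SSH client does it.

Added example, not code from the thread. It models the two situations the
comment describes: a host whose key was recorded earlier triggers a loud
warning when a different key is offered, while a host seen for the first
time is accepted without any warning. The keys below are constructed
placeholder bytes standing in for real public keys; nothing is sent
over a network.
"""
import base64
import hashlib
import hmac

# Constructed placeholders for the genuine server key and an attacker's key.
HOME_KEY = b"ssh-ed25519 constructed-genuine-home-key"
MITM_KEY = b"ssh-ed25519 constructed-attacker-key"


def fingerprint(public_key):
    """OpenSSH-style fingerprint: SHA256 of the key, base64 without padding."""
    digest = hashlib.sha256(public_key).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def check_host_key(known_hosts, host, offered_key):
    """Compare the offered key with what known_hosts recorded for this host.

    Returns 'ok' (matches), 'MISMATCH' (recorded key differs; this is where an
    SSH client prints its "REMOTE HOST IDENTIFICATION HAS CHANGED" warning) or
    'first-contact' (no record, so there is nothing to compare against).
    """
    recorded = known_hosts.get(host)
    if recorded is None:
        return "first-contact"
    if hmac.compare_digest(recorded, fingerprint(offered_key)):
        return "ok"
    return "MISMATCH"


def connect(known_hosts, host, offered_key):
    """One connection attempt: record the key on first contact, else verify it."""
    verdict = check_host_key(known_hosts, host, offered_key)
    if verdict == "first-contact":
        known_hosts[host] = fingerprint(offered_key)   # trust on first use
    return verdict


def scenario_known_host():
    """Client connected to home before; later a man-in-the-middle offers its key."""
    known_hosts = {}
    first = connect(known_hosts, "home.example", HOME_KEY)
    later = connect(known_hosts, "home.example", MITM_KEY)
    return first, later            # ('first-contact', 'MISMATCH')


def scenario_first_contact_via_mitm():
    """Client never connected before and the first key it sees is the attacker's."""
    known_hosts = {}
    first = connect(known_hosts, "home.example", MITM_KEY)   # no warning at all
    later = connect(known_hosts, "home.example", HOME_KEY)   # the real host now looks wrong
    return first, later            # ('first-contact', 'MISMATCH')


if __name__ == "__main__":
    print("known host, MITM later:", scenario_known_host())
    print("first contact via MITM:", scenario_first_contact_via_mitm())
```

The second scenario is the one the comment warns about: the attacker's key is silently recorded, and it is the genuine host that later triggers the warning. The defence is to learn the fingerprint out of band (from a trusted network or from whoever runs the host) and to run the client with `StrictHostKeyChecking yes`, so that an unknown host is refused rather than recorded.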
  • by singularity ( 2031 ) * <nowalmartNO@SPAMgmail.com> on Friday January 26, 2007 @12:36PM (#17770258) Homepage Journal
    This is one of the funniest threads I have read in a while, partly because I turned to a friend while reading the Slashdot write-up and said "Wow, they still give Internet access? My machine is secure enough, I would use that instead of paying the $7.95/day they want in some airports!"

    Then I read this thread.

    And pointed out my UserID to the same friend.

    Too bad - I have actually seen that "Free Wi-Fi" ad-hoc network in a few airports in the last month or so (I think in Midway airport in Chicago). I did not join it, since I knew the SSID of the official wireless service (and knew that it was paid access)

    An interesting thing to do is to join the network, fire up a Bonjour Browser (or your other favorite ZeroConf browser) and see available services. If people are sharing their iTunes libraries, if they have a ZeroConf chat program, and so on...
  • Why just ad hoc? (Score:5, Informative)

    by BubbaFett ( 47115 ) on Friday January 26, 2007 @12:39PM (#17770322)
    With Linux and the hostap driver I can set up a legitimate access point. Ad hoc isn't a necessary part of this scam, and I don't see how avoiding ad hoc networks will prevent anything.
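The advice earlier in the thread (avoid ad hoc networks) and the objection just above (an attacker can run a real access point) can both be seen in one check. This is an added example, not code from the thread or the Computerworld article: it parses text in the layout of Windows' `netsh wlan show networks` output and flags ad hoc or unencrypted networks and any SSID that is not on the venue's published list. The scan listing is constructed.

```python
"""Flag risky networks in a Wi-Fi scan listing.

Added example, not code from the thread or the Computerworld article.
It parses text in the layout of Windows' ``netsh wlan show networks``
output and reports networks that are ad hoc (computer-to-computer) or
unencrypted, plus any SSID that is not on the venue's published list.
The scan text below is constructed.
"""
import re

# Constructed sample in the layout of ``netsh wlan show networks``.
SAMPLE_SCAN = """\
Interface name : Wireless Network Connection
There are 3 networks currently visible.

SSID 1 : Free Wi-Fi
    Network type            : Adhoc
    Authentication          : Open
    Encryption              : None

SSID 2 : AirportNet
    Network type            : Infrastructure
    Authentication          : Open
    Encryption              : None

SSID 3 : CorpGuest
    Network type            : Infrastructure
    Authentication          : WPA2-Personal
    Encryption              : CCMP
"""

SSID_RE = re.compile(r"^SSID\s+\d+\s*:\s*(.*)$")
FIELD_RE = re.compile(r"^\s+(Network type|Authentication|Encryption)\s*:\s*(.*)$")


def parse_networks(scan_text):
    """Return one dict per 'SSID n :' block, with the indented fields below it."""
    networks = []
    current = None
    for line in scan_text.splitlines():
        m = SSID_RE.match(line)
        if m:
            current = {"ssid": m.group(1).strip()}
            networks.append(current)
            continue
        m = FIELD_RE.match(line)
        if m and current is not None:
            key = m.group(1).lower().replace(" ", "_")   # e.g. network_type
            current[key] = m.group(2).strip()
    return networks


def assess(network, official_ssids):
    """Return the warnings that apply to one parsed network (empty list if none)."""
    warnings = []
    if network.get("network_type", "").lower() == "adhoc":
        warnings.append("ad hoc network: another computer, not an access point")
    if network.get("encryption", "None").lower() == "none":
        warnings.append("no link-layer encryption: traffic is readable by anyone in range")
    if network["ssid"] not in official_ssids:
        warnings.append("SSID is not one of the venue's published networks")
    return warnings


def report(scan_text, official_ssids):
    """Map each SSID to its warnings; an empty list means the checks passed."""
    return {n["ssid"]: assess(n, official_ssids) for n in parse_networks(scan_text)}


if __name__ == "__main__":
    for ssid, warnings in report(SAMPLE_SCAN, {"AirportNet"}).items():
        print(ssid, "->", "; ".join(warnings) or "no warnings from these checks")
```

Note what the check cannot do: an attacker-run access point in infrastructure mode, using the venue's own SSID, passes the ad hoc test and the name test. That is why the name check is only a hint, and why the comments about securing the machine itself and using end-to-end encryption carry more weight than the ad hoc test alone.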
  • by frostilicus2 ( 889524 ) on Friday January 26, 2007 @12:40PM (#17770356)
    Besides the possible risk from malware infection if you have enabled file sharing, this really is the same man-in-the-middle attack that was so prominent in the 80's and early 90's. A problem which has been mostly fixed by the adoption of SSH over telnet. And is practically non-existent over HTTP today because of the use of SSL on servers. And with regards to malware, how does this differ from picking up some spyware from the pr0n site you "accidentally" visited?

    I see no problem here that cannot be solved by adopting the same principles that you would use for ordinary domestic internet access:

    1) Turn on your firewall and close all open ports.
    2) Don't send sensitive data over an unsecured network.
  • by rsw ( 70577 ) on Friday January 26, 2007 @12:43PM (#17770400) Homepage
    The network isn't the problem here, your computer's configuration is. All of my machines can safely connect to an untrusted network (and they do---my non-firewalled, non-NATted internet feed) without being turned into zombies.

    The message here shouldn't be "don't connect to untrusted networks," it should be "secure your machine."

    Once you do that, these guys are just being nice and giving you a free connection!

    -rsw
  • Re:P. T. Barnum... (Score:2, Informative)

    by CodeArtisan ( 795142 ) on Friday January 26, 2007 @12:52PM (#17770586)

    said it best: "A sucker is born every minute".
    Except P.T. Barnum never said this.

    http://www.historybuff.com/library/refbarnum.html/ [historybuff.com]
  • Re:Better yet... (Score:2, Informative)

    by ajs318 ( 655362 ) <sd_resp2@@@earthshod...co...uk> on Friday January 26, 2007 @12:59PM (#17770738)
    Someone's been reading this [ex-parrot.com], haven't they? :)

    If / when I ever get any wireless kit, I will change the name of my neighbours' unprotected router (currently set to the make and model name; a quick Google search revealed the default password) to "pWn3d", have my router emulate theirs but with suitably distorted graphics, and see what happens. Just a shame I can't listen in on their call to tech support ..... but I could, if I had what fone phreaks once referred to as a "Sky Blue Pink Box with Yellow Spots On". Oh, wait, such a thing [grandstream.com] already exists [debian.org]!

    Now, that does sound like serious PHUN!
  • by Anonymous Coward on Friday January 26, 2007 @01:06PM (#17770852)
    I've managed it.
    1. Become SYSTEM.
    2. Open explorer to My Computer
    3. Open share properties (be careful: do not open folder security)
    4. Open share security
    5. Change permissions to deny for all.
  • by norpan ( 50740 ) <martin@norpan.org> on Friday January 26, 2007 @01:16PM (#17771006) Homepage
    Wireless network cards can be set up as access points too. So just looking for if it's an ad-hoc network does not protect you. Turn off all sharing when connecting through public access points and use encryption.

    There you go - free wi-fi!
  • by LinuxGeek ( 6139 ) <djand...nc@@@gmail...com> on Friday January 26, 2007 @01:17PM (#17771016)
    If you use a CA, stunnel is quite secure. If you search, certificates are available for less than $20/year.
  • Re:Relay? (Score:2, Informative)

    by indigest ( 974861 ) on Friday January 26, 2007 @02:06PM (#17771804)
    Most banks offer a SSL encrypted login page but don't explicitly encourage people to use it. For example, if you go to Washington Mutual's homepage [wamu.com], you can login, although the login page is not encrypted. With a little bit of digging, however, you can find the SSL encrypted login page [wamu.com]. I assume they make you work for the encrypted page to avoid the overhead of creating an SSL connection with every person that happens to visit the WaMu homepage. I am not a web developer, but I think that if a form posts to an HTTPS site, then the form data is encrypted before being sent. However, there is no way to know whether a form intends to post to an HTTPS site except by digging through the page source. Perhaps this is why a lot of banking sites are now using the two page login sequence.

    Gmail has a secure login page [google.com] as well but you have to explicitly type in https in order to get to it.

    These open WiFi networks are really scary. A criminal could park his car next to Starbucks with a laptop and an AP in the trunk. The AP would broadcast an SSID with the name "Starbucks" and forward almost all packets transparently. However, for banking websites, the laptop would form an SSL connection to the bank and forward an unencrypted page to the user. A lot of people wouldn't notice that the connection wasn't secure, especially if all other websites seemed to be working fine. I don't know if a hacker would really want to read your Gmail, but he would be thrilled to get the login info for your bank!

    It is too easy to get screwed (and not even realize it) using an open WiFi network. At least if you physically lose your credit card or know that a hacker has gotten your information, you can cancel or freeze your accounts. But if you don't know your account has been compromised, it could be totally drained by the time you realize it. My advice is don't do anything requiring a login on an open WiFi network unless you use a secure VPN tunnel to a machine that you trust. Also, don't keep very much money in your checking/ATM account; invest it or put it in a savings account where it is not as easy to clean you out in one shot.

    I switched away from Bank of America partially because they required me to enter my card number and PIN as part of the login process. They claimed it was secure because you entered the two pieces of data on two consecutive web pages. But I might not notice if that second page was not SSL encrypted but was otherwise identical to the real page. WaMu requires an Internet-only login and password. If a hacker somehow got my online banking login info, he/she would not be able to clean me out through an ATM. But if my BofA info had been stolen online, they would have been able to make a fake ATM card and withdraw everything in the account.

    Another scary thing that I just realized is that phishers could use the same trick that I mentioned above. They could set up a similar sounding banking website except forming an HTTP connection rather than an HTTPS connection. However, they would forward the data so that it would seem to the end user that everything is fine. They could even create an unsigned certificate and use SSL between the phishing server and the user. Of course, the user would have to accept the certificate, but most people just blindly click "Accept", don't they? I don't know if phishers are using this technique yet, but I would definitely watch out for it in the future.
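The comment above says the only way to know where a login form sends its data is to dig through the page source. This added example (not code from the thread) does that mechanically: it collects every form with a password field, resolves the form's action URL against the page URL, and reports whether the credentials travel over HTTPS and whether the page itself was delivered over HTTPS. The page URLs and HTML are constructed.

```python
"""Check where a page's login forms send credentials.

Added example, not code from the thread. It does mechanically what the
comment says a careful user would do by hand: read the page source and,
for every form carrying a password field, resolve its action URL and see
whether the credentials travel over HTTPS. The page URLs and HTML below
are constructed.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Constructed page: one login form posting to HTTPS, one search form with no
# password (ignored), and one PIN form with no action attribute, which posts
# back to the page's own URL.
SAMPLE_HTML = """
<html><body>
<form action="https://secure.bank.example/login" method="post">
  <input name="user"> <input name="pass" type="password"> <input type="submit">
</form>
<form action="/search" method="get"><input name="q"></form>
<form method="post"><input name="pin" type="password"></form>
</body></html>
"""


class LoginFormCollector(HTMLParser):
    """Collect every <form> that contains an <input type="password">."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "form":
            self._current = {"action": attrs.get("action") or "", "has_password": False}
        elif tag == "input" and self._current is not None:
            if (attrs.get("type") or "").lower() == "password":
                self._current["has_password"] = True

    def handle_endtag(self, tag):
        if tag == "form" and self._current is not None:
            if self._current["has_password"]:
                self.forms.append(self._current)
            self._current = None


def audit_login_forms(page_url, html):
    """Return one finding per login form: resolved action URL and a verdict."""
    collector = LoginFormCollector()
    collector.feed(html)
    collector.close()
    page_tls = urlsplit(page_url).scheme == "https"
    findings = []
    for form in collector.forms:
        target = urljoin(page_url, form["action"])     # '' resolves to the page itself
        target_tls = urlsplit(target).scheme == "https"
        if not target_tls:
            verdict = "credentials sent in the clear"
        elif not page_tls:
            verdict = ("credentials sent over TLS, but the page arrived unencrypted "
                       "and the form could have been rewritten before you saw it")
        else:
            verdict = "ok"
        findings.append({"action": target, "verdict": verdict})
    return findings


if __name__ == "__main__":
    for url in ("http://www.bank.example/", "https://www.bank.example/"):
        print(url)
        for finding in audit_login_forms(url, SAMPLE_HTML):
            print("  ", finding["action"], "->", finding["verdict"])
```

The middle verdict is the important one for the scenario in the comment: a login form on a page fetched over plain HTTP may well post to HTTPS, but anyone relaying the page can change that action before the browser renders it, and the result looks identical to the genuine page. Only a page that itself arrived over HTTPS gives any assurance about where its forms point.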
  • by Skippyboy ( 978787 ) on Friday January 26, 2007 @02:37PM (#17772448) Journal
    try this: https://mail.google.com/mail/ [google.com] (gmail) It starts a secured connection, and stays secure. I use it at work - since stupid WebSense blocks all webmail accounts that don't start with a secured connection.
  • by Anonymous Coward on Friday January 26, 2007 @03:35PM (#17773762)
    I don't understand how a windows computer could become a zombie simply by having filesharing enabled. I suppose an attacker could place an executable on a user's writeable share directory, but the user would still have to run the executable in order for his or her computer to actually become "infected". The only thing I can see this type of ad-hoc sharing being good for is to snoop personal information either by acting as a proxy for the user or sniffing unencrypted traffic.
