Re: “Free Public Wifi”

My housemate Andrew recently wrote about his trip to the airport. He linked to an article detailing how the “Free Public Wifi” networks you see around are a scam. I would like to take a moment and help you out. I will tell you why Andrew’s post, the ComputerWorld.com article, and the Slashdot article Andrew found the link on are all misleading.

Here is the first comment I posted concerning the wireless networks you see.

Free Public Wifi is not a scam, it is a part of Ad-Hoc networking. See this blog post or this tuaw.com post.
“It seems that our friends in Redmond have (since Jan 06) some strangeness in the wireless network management routines under XP; any WLAN that a Windows machine joins gets ‘echoed’ back out as an ad-hoc SSID if the machine can’t find the previous connection (an implementation of RFC 3927).” – Tuaw.com

Andrew then explained that it still could be a scam. That is true: any network could be a scam. Heck, anything could be a scam. I decided to comment on the article he agreed with. The article is Don’t fall victim to the ‘Free Wi-Fi’ scam – Computerworld.com.

The article you link to is terribly written.
From the computerworld.com article:

But because you’re using his connection, all your traffic goes through his PC, so he can see everything you do online, including all the usernames and passwords you enter for financial and other Web sites.

This is not true. The attacker cannot see everything you send. Plenty of data you send is easily sniffable on a wireless (or even wired) network. You should NEVER enter important information into a website without encryption. If it is encrypted (lock in the corner for web browsers) it is close to impossible to get that information. The information the article says you are giving away is visible even if you join a network the attacker is also connected to (including most wireless networks and some wired).

From the computerworld.com article:

In addition, because you’ve directly connected to the attack PC on a peer-to-peer basis, if you’ve set up your PC to allow file sharing, the attacker can have complete run of your PC, stealing files and data and planting malware on it.

This again is very misleading. Simply having file sharing on will not allow complete run of your PC, or let someone else install software. Although if you set up file sharing, you should ALWAYS have a password. You are no more insecure by connecting to this wifi ‘scam’ than by being on ANY wireless network with the attacker.

Andrew’s post quotes a Slashdot post that believes the article is “a story from Computerworld about a rather simple scam that has been observed in the wild in several US airports.” This is a classic Slashdot post, where there is NO information and a lot of misinformation. Read the article: it mentions “It found more than 20 ad hoc networks each time, with 80% of them advertising free Wi-Fi access.” Nowhere does the article say ANYONE has had issues or that any of these possible outcomes happened. As per my first reply concerning how XP’s wifi operates, it is not amazing at all that he saw more than 20 of the networks. Would you be surprised to hear there may be more than 20 laptops at the airport?
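An added example, not part of the original post: counting ad-hoc networks the way the quoted survey does comes down to the capability bits in each 802.11 beacon, where a real access point sets ESS and a laptop in ad-hoc mode sets IBSS. The beacon frames below are constructed inline and the function names are illustrative.

```python
import struct

CAP_ESS = 0x0001   # set by access points (infrastructure mode)
CAP_IBSS = 0x0002  # set by stations advertising an ad-hoc network

def build_beacon(ssid, capability):
    """Constructed sample input: a minimal beacon, not a real capture."""
    addr = b"\x02\x00\x00\x00\x00\x01"  # locally administered MAC
    header = struct.pack("<HH6s6s6sH", 0x0080, 0, b"\xff" * 6, addr, addr, 0)
    fixed = struct.pack("<QHH", 0, 100, capability)  # timestamp, interval, caps
    name = ssid.encode()
    return header + fixed + bytes([0, len(name)]) + name

def parse_beacon(frame):
    """Return (ssid, mode) for one beacon frame."""
    if len(frame) < 36:  # 24-byte header + 12 bytes of fixed parameters
        raise ValueError("truncated beacon")
    (fc,) = struct.unpack_from("<H", frame, 0)
    if (fc >> 2) & 0x3 != 0 or (fc >> 4) & 0xF != 8:
        raise ValueError("not a beacon frame")
    _ts, _interval, cap = struct.unpack_from("<QHH", frame, 24)
    ssid, pos = None, 36
    while pos + 2 <= len(frame):  # walk the tagged elements
        elem_id, elem_len = frame[pos], frame[pos + 1]
        body = frame[pos + 2 : pos + 2 + elem_len]
        if len(body) < elem_len:
            raise ValueError("truncated element")
        if elem_id == 0:  # element 0 carries the SSID
            ssid = body.decode("utf-8", "replace")
            break
        pos += 2 + elem_len
    ess, ibss = bool(cap & CAP_ESS), bool(cap & CAP_IBSS)
    mode = "ad-hoc" if ibss and not ess else \
           "infrastructure" if ess and not ibss else "unknown"
    return ssid, mode

def adhoc_ssids(frames):
    """SSIDs advertised by peers in ad-hoc mode, not by access points."""
    return sorted({s for s, m in map(parse_beacon, frames) if m == "ad-hoc"})

SAMPLE = [  # constructed frames
    build_beacon("Free Public WiFi", CAP_IBSS),
    build_beacon("Airport-Guest", CAP_ESS),
    build_beacon("Free Ricochet WIFI", CAP_IBSS),
]

if __name__ == "__main__":
    print(adhoc_ssids(SAMPLE))
```

The mode only tells you the SSID comes from another computer rather than an access point; it says nothing about whether that computer is hostile.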

Know your sources, trust wisely.

4 Responses to “Re: “Free Public Wifi””

  1. I’m always wary of networks that I don’t know. I usually end up VPNing over them just to be on the safe side. I’m not so much worried about hacking into my computer as I am about sniffing my traffic. Sure, most things I really care about are encrypted, but not all.

    For example, GMail. Logging in is a secure process, but once you get to your inbox, the traffic reverts back to regular old HTTP. I have a Greasemonkey script to keep the traffic HTTPS, but not everybody does.

    To me, the “Free Public Wifi” looks and smells fishy. Would I use it? Not unless I needed to. If I was doing it, I would probably use VPN just to make sure.

    Paranoid? Probably.

  2. mikeshoup says:

    Andrew: I wouldn’t be paranoid about your e-mail. E-mail is terribly insecure as is. Your e-mails are never secure. The second it leaves your provider’s SMTP server, it’s transferred in cleartext across a number of networks, at any of which, at any point in time, the network provider can sniff out your e-mails. Most e-mails are stored on the storage devices in cleartext and in a format that is very easy for a human to process. Root could decide he wants to see anyone’s e-mails.

    Keep the password secure, but your e-mail is never secure. If you’re sending out e-mails that are that important, you need to be using PGP/GPG to encrypt your e-mails.

    BTW, we get these “Free” networks on campus periodically. In the green center, there was one labeled “Free Ricochet WIFI” that kept getting picked up. Never did figure out where it came from.

  3. Yi Wang says:

    Now my iPhone picks up these “Free Public WiFi” connections automatically everywhere. The worst is somehow it overheats the phone and drains down the battery. Why?

  4. matt says:

    I haven’t seen it on my iPhone yet, but you might try turning off the “ask to join networks” under Settings->Wifi. Apple lists that they have this turned off when they did their battery tests. So fewer distractions and better battery life could be a good thing.
