Wi-Fi Access Point or Account Credential Honeypot?

I shouldn’t have to say this as we all know better, but here it is: We need to exercise caution when connecting to ‘foreign’ Wi-Fi signals.

I’m no stranger to ‘roguing’, but I’ve recently become aware of significant security risks associated with connecting to unknown networks. Here is some food for thought:

WAPHoneyFreePublic20060818You’ve seen this image before, I’m sure. It’s a peer-to-peer (computer-to-computer, versus access point-to-computer) networking icon. You should NEVER (except under the circumstances when a known and trusted user is sharing their connection with you), connect to a wireless signal that has the peer-to-peer icon.

You may see these icons when looking for Wi-Fi signals in busy public places. They are broadcast because of an unusual feature of older Windows versions wireless network stack that causes a computer to broadcast the last-connected SSID when not connected to a wireless network.

I STRONGLY suggest you edit the advanced properties of your wireless network card to connect ‘to ‘Access point (infrastructure) networks only to filter them out.

WAPHoneyWiFiList20060818My flight was delayed at SeaTac the other day, so I did my usual “is there a wireless network in the building in the building that I trust" search. I have a T-Mobile account, and sometimes I get lucky. In this case, there wasn’t.

However, there was a seemingly-helpful AT&T access point in the building. Nothing against AT&T, it’s probably a legitimate hotspot. But their login page was interesting, offering a list of ‘other providers’ (presuming a reciprocal relationship with AT&T), on the left.

It’s a healthy list, but none of which I have an account. Ah, being helpful, there’s an ‘Other Provider’ link at the very bottom.

Once you find an Access Point, you should NEVER connect to a wireless network using your credentials from another wireless network (i.e., T-Mobile via xyzzy Wireless) unless you enter your credentials into your native wireless account logon page (I have seen services that do this, redirecting to a T-Mobile login page that ‘advises’ the local wireless the account credentials are valid).

You have no idea how your credentials are being used. If you post your credentials to a foreign wireless site, you have just given your login and provider information to an unknown party who might use it for illegitimate or illegal purposes, leaving you to hold the bag or pay the bills.

To finish this story, I filled out the login page like this (I didn’t log in, of course):


Let me point out that it would take a mediocre hacker about ten minutes to set up a page and host it on a laptop with a web server in an airport. In a busy public area, I’m confident a hacker could collect a pile of logins in just a few hours. Make the login experience compelling enough, including enough providers and data-hungry travelers will happily post their credentials rushing between planes. A polite "we cannot confirm your credentials at this time" message, and the traveler is none the wiser.

Be wireless-safe, people.

Original Post: August 18, 2006

About Michael Coates
I am a pragmatic evangelist. The products, services and solutions I write about fulfill real-world expectations and use cases. I stay up-to-date on real products I use and review, and share my thoughts here. I apply the same lens when designing an architecture, product or when writing papers. I am always looking for ways that technology can create or enhance a business opportunity .. not just technology for technology's sake. My CV says: Seasoned technology executive, leveraging years of experience with enterprise and integration architectural patterns, executed with healthy doses of business acumen and pragmatism. That's me. My web site says: Technology innovations provide a myriad of opportunities for businesses. That said, having the "latest and greatest" for its own sake isn't always a recipe for success. Business successes gained through exploiting innovation relies on analysis of how the new features will enhance your business followed by effective implementation. Goals vary far and wide: streamlining operations, improving customer experience, extending brand, and many more. In all cases, you must identify and collect the metrics you can apply to measure your success. Analysis must be holistic and balanced: business and operational needs must be considered when capitalizing on a new technology asset or opportunity.

One Response to Wi-Fi Access Point or Account Credential Honeypot?

  1. Pingback: Free Wi-Fi: Safety and Security be Darned! « OpsanBlog

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: