Wi-Fi Access Point or Account Credential Honeypot?
June 12, 2011
I shouldn’t have to say this as we all know better, but here it is: We need to exercise caution when connecting to ‘foreign’ Wi-Fi signals.
I’m no stranger to ‘roguing’, but I’ve recently become aware of significant security risks associated with connecting to unknown networks. Here is some food for thought:
You’ve seen this image before, I’m sure. It’s a peer-to-peer (computer-to-computer, versus access point-to-computer) networking icon. You should NEVER connect to a wireless signal that has the peer-to-peer icon, except when a known and trusted user is sharing their connection with you.
You may see these icons when looking for Wi-Fi signals in busy public places. They are broadcast because of an unusual feature of the wireless network stack in older Windows versions that causes a computer to broadcast the last-connected SSID when it is not connected to a wireless network.
I STRONGLY suggest you edit the advanced properties of your wireless network card to connect to ‘Access point (infrastructure) networks only’ to filter them out.
My flight was delayed at SeaTac the other day, so I did my usual “is there a wireless network in the building that I trust” search. I have a T-Mobile account, and sometimes I get lucky. In this case, there wasn’t.
However, there was a seemingly-helpful AT&T access point in the building. Nothing against AT&T, it’s probably a legitimate hotspot. But their login page was interesting, offering a list of ‘other providers’ (presuming a reciprocal relationship with AT&T), on the left.
It’s a healthy list, but I don’t have an account with any of them. Ah, being helpful, there’s an ‘Other Provider’ link at the very bottom.
Once you find an Access Point, you should NEVER connect to a wireless network using your credentials from another wireless network (i.e., T-Mobile via xyzzy Wireless) unless you enter your credentials into your native wireless account logon page (I have seen services that do this, redirecting to a T-Mobile login page that ‘advises’ the local wireless the account credentials are valid).
You have no idea how your credentials are being used. If you post your credentials to a foreign wireless site, you have just given your login and provider information to an unknown party who might use it for illegitimate or illegal purposes, leaving you to hold the bag or pay the bills.
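The rule above can be checked before typing anything: find where the login form will actually send the password. The sketch below is an added example, not part of the original post; `provider.example` and `hotspot.example` are placeholder names, and the sample page is constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Assumption: domains you know belong to your own provider (placeholder value).
TRUSTED_PROVIDER_DOMAINS = {"provider.example"}

class _FormFinder(HTMLParser):
    """Collects the action of every <form> that contains a password field."""
    def __init__(self):
        super().__init__()
        self.actions = []
        self._current = None   # action of the form currently being parsed
        self._has_pw = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current, self._has_pw = a.get("action") or "", False
        elif tag == "input" and self._current is not None:
            if (a.get("type") or "").lower() == "password":
                self._has_pw = True

    def handle_endtag(self, tag):
        if tag == "form" and self._current is not None:
            if self._has_pw:
                self.actions.append(self._current)
            self._current = None

def _host_trusted(host, trusted):
    # Exact match or a true subdomain; "provider.example.evil.test" fails.
    host = (host or "").lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in trusted)

def credential_destinations(page_url, html, trusted=TRUSTED_PROVIDER_DOMAINS):
    """Return [(absolute_post_url, ok)] for each password form on the page."""
    finder = _FormFinder()
    finder.feed(html)
    results = []
    for action in finder.actions:
        target = urljoin(page_url, action)  # empty action posts to the page itself
        parts = urlsplit(target)
        ok = parts.scheme == "https" and _host_trusted(parts.hostname, trusted)
        results.append((target, ok))
    return results

# Constructed sample: a hotspot portal with an "Other Provider" login form.
SAMPLE_URL = "http://hotspot.example/login"
SAMPLE_HTML = """<form action="/auth" method="post">
<input name="user"><input type="password" name="pw"></form>"""

if __name__ == "__main__":
    for url, ok in credential_destinations(SAMPLE_URL, SAMPLE_HTML):
        print("OK  " if ok else "STOP", url)
```

This only inspects static markup; a page can change the form target with script, so a passing result does not replace checking the address bar and certificate of the page you are typing into.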
To finish this story, I filled out the login page like this (I didn’t log in, of course):
Let me point out that it would take a mediocre hacker about ten minutes to set up a page and host it on a laptop with a web server in an airport. In a busy public area, I’m confident a hacker could collect a pile of logins in just a few hours. Make the login experience compelling enough, including enough providers, and data-hungry travelers will happily post their credentials while rushing between planes. A polite “we cannot confirm your credentials at this time” message, and the traveler is none the wiser.
Be wireless-safe, people.
Original Post: August 18, 2006