Never Click On "Free Public Wifi"

When you’re cruising for a hotspot at a coffee shop, never click on the “Free Public Wifi” wireless network. “Free Public Wifi” is a Windows XP quirk; when a computer can’t find any of its favorite networks it creates a network on-the-fly, but it doesn’t go anywhere. At best, you’ll never connect to the internet. At worst, you could be exposing your computer to hackers.

Windows XP users should make sure they’re upgraded to Service Pack 3, which fixes it so your computer doesn’t broadcast the “Free Public Wifi” network.

The Zombie Network: Beware ‘Free Public WiFi’ [NPR via Lifehacker via Galleycat]

Comments

Edit Your Comment

  1. Loias supports harsher punishments against corporations says:

    Yay, the Consumerist Team is back in full force!

  2. kiltman says:

    This explains why my iPhone couldn’t connect at the Eaton Centre in Toronto. I was getting so frustrated.

  3. eyesack is the boss of the DEFAMATION ZONE says:

    Man, this non-story from three years ago is getting a lot of traction. This has got to be the third or fourth time I’ve seen it posted in the past week.

    It’s a quirk and does nothing. The “OH SHIT, HACKERS!!!” sentence that gets tacked on to this story each time is true for ANY public wifi network you connect to, and giving it special attention in this instance makes people less wary of choosing any of the other random wireless networks you see any time you’re in a laptop-heavy area.

    • kc2idf says:

      It would be very easy to set up a hack in this guise, based on how frequently it is found. I think it would be bad form to assume that this is all it is in any given instance, and instead to avoid it like the plague.

      Of course, you should be wary of any WiFi. For reasons why, listent to the presentation Wireless Security: Killing Livers, Making Enemies by Dragorn and RenderMan given at The Next Hope conference last summer. Wireless reïntruduces a whole slew of attacks that were removed from the wire by the introduction of switched networking. The big difference, however, is that even when these attacks existed on unswitched networks, you usually had some idea of who was on the network. Now, it can be anybody.

    • The Marionette says:

      Welcome to the consumerist.

  4. Blueskylaw says:

    But, but, but, it’s free????

  5. brianisthegreatest says:

    I saw this sitting in a terminal at jfk years ago. I had a couple hours to enjoy sitting there, so I thought I’d hop on Free Public WiFi for some internets browsing. This turned out to be a bad idea. Like the article says, it doesn’t connect to the internet. Later when I got home I seemed to still have this network in my list for a long time and was never really able to get rid of it until I installed Windows again. I’m sure there’s another way, but I didn’t really look for one. This article explains a lot. ;]

    • UltimateOutsider says:

      Once you successfully connect to any network, including the ad-hoc “Free Public Wifi” one, an entry for that network gets created in your computer’s “connection manager” so that you don’t have to re-enter your credentials the next time you connect. You can remove this and other entries in your system’s “advanced” wireless network settings. But XP, Vista, and Windows 7 all offer different paths to get to the same place.

      I can’t remember the XP behavior but I seem to remember that the entry, once created on your PC, would even show up in scan lists, since ad-hoc networks can be initiated by either PC. Choosing that entry would actually establish a new network instead of attempting to connect to an existing one.

  6. intense_jack says:

    I’m sketchy of free wifi in general – mostly because of a feature in XP and Linux called packet forwarding. A hacker can set up their machine to appear as a wifi hotspot, but all they do is bridge your connection to the internet thru their computer and they get to collect all your traffic. This even defeats encryption, since they’ll have your encryption keys. Of course, I’m probably just paranoid and this scenario isn’t likely, but even paranoids have real enemies.

    • adamstew says:

      Umn no. This would not defeat SSL (https) encryption. They will not have your encryption keys.

      The whole point of SSL encryption is to prevent man-in-the-middle attacks.

      It basically works like this:

      SSL uses a public-key/private-key combination. Anything encrypted with a public-key can only be decrypted with the private-key.

      When you connect to a website over SSL, their server sends you their public-key. Your browser then creates a public-key/private-key pair and sends the public-key to the website your connecting to.

      The private-key never leaves the web server you are talking to.

      Any data you send to the website is encrypted with that website’s public-key. That data can then only be decrypted with that website’s private-key, which only they know. Conversely, the website will encrypt any data they send you with your public-key, which can only be decrypted with your private-key…which only exists on your computer.

      Any man-in-the-middle will not know either of the private keys and would incapable of decrypting any information.

      The only conceivable way for a man-in-the-middle attack to work at this point, would be for them to do live on-the-fly decryption/re-encryption of the data as it passed through their system using their own public-key/private-key pair. This kind of attack is defeated by using certificate signing:

      A website will get their public-key signed by a trusted 3rd party (Verisign, Thawte, etc.) These 3rd parties verify the identity of public-keys that they sign. Your computer has a list of trusted signers and their public-keys. Anything signed by these trusted keys can be verified with the public-keys that your computer has. If a website presents a public-key that isn’t signed by one of the trusted providers, then your browser WILL display a security warning letting you know.

      There are other security measures as well… if a private-key gets leaked, then they can revoke the public-key and make it invalid, etc.

      All told: it’s a VERY secure system. It would be extremely difficult for someone to hack. So much so that there is no known verified case of SSL encryption being broken as just a simple direct attack on SSL itself.

      Everytime a “secure” website has been hacked, it wasn’t because of SSL… it was because something else on that server was configured incorrectly and/or other bad security practices.

      Lesson: If you are on public wifi and connected to a website with “https://” at the front of the address, then anything you send/receive to/from that website is secure and safe.

      • Mom says:

        yes and no. You might or might not recall, that SSL was hacked in 2009, and people *were* doing man in the middle attacks on SSL connections. It turns out that it was a flaw in the SSL design. If you have a fully patched browser, you’re protected from that particular attack, but given what I’ve seen hackers do, and what I can do myself with little skill and some tools I got off the internet, I would never call anything “very safe.” You’re probably safe, but basically, if you’re connected to an unsecured wifi, it’s the same thing as letting a bunch of random strangers into your house to connect to your home network. Even if they can’t crack SSL, there are other paths into your private data.

        Personally I might connect to an unsecured public wifi to do email or check in for a flight, but I wouldn’t do my banking from a public wifi.

        • adamstew says:

          This is another misconception. Here is a link to an article describing the SSL “hack” you mention:

          http://pcworld.about.com/od/dataprotection/Researcher-Shows-How-to-Hack-S.htm

          The SSL encryption itself was not hacked. The way it was hacked was that they setup a proxy (man-in-the-middle) that talked unencrypted to the user’s browser, but then took their input and encrypted it with their own public/private key pair and fed the encrypted information to the legit website. They would encrypt/decrypt the data with the legit website using their own keys, and then just feed the un-encrypted connection to the user’s browser.

          A user can detect this because their browser would have http:// in front of the address and not https:// (the “s” indicating a secure connection).

          My original post still holds true: if you’re connected to a website with https:// at the front of the address, you’ll be connected to the site and your communications with the site are secure. Just make sure you pay attention to any security warnings your browser may tell you, and before you submit any sensitive information, check to make sure

      • TPA says:

        And…you’ve never ignored an “expired” or “invalid” SSL certificate at some point?

    • shepd says:

      Man in the middle attacks are what you’re talking about, and the encryption is only defeated for unsigned crypto for which you don’t have the key already, and signed crypto if you decide to accept the invalid cert.

      If you are worried about this (And on any unencrypted, or crappily encrypted wifi you should be! Or even on ANY public wifi!) simply setup (or purchase) VPN service. As long as you’ve already connected to it and have the keys stored (normally the default) you will be as secure as the VPN crypto, which in most cases is pretty darn good. :^)

      • jessjj347 says:

        Is man-in-the middle also called a puppet net? That’s what I’ve read about before, but I think it had more to do with a server than a PC.

  7. RonDiaz says:

    The year 2005, the weather rainy, this story slightly current at that time.

  8. VOIDMunashii says:

    I got that on my netbook last week; I figured it was just a scam and ignored it, opting for one of my usual hotspots instead.

  9. Hi_Hello says:

    people should never jump on any open wireless network. all it take is one time for someone to setup a trap and get all your info

  10. BuyerOfGoods3 says:

    Here’s a hint…Don’t ever click on ANYTHING that says it’s “FREE!” on the internet.

  11. Rectilinear Propagation says:

    …when a computer can’t find any of its favorite networks it creates a network on-the-fly…

    Why? Did I miss the explanation in the NPR article? What’s the point of creating a network that doesn’t go anywhere?

    • Mom says:

      The original idea, which was thought up in a kinder, gentler time, was that people sitting in the same room together might want to be networked together. The idea never really caught on, and today it seems silly and dangerous, and Microsoft is calling it a “bug”, but there you are.

  12. pecan 3.14159265 says:

    Sometimes, sometimes not. Some areas, like Crystal City in Arlington, offer free public wi-fi. It’s important to note that some scammy people may be tempted to put up a hotspot and label it something that seems legitimate. Always check to see whether free wi-fi is offered by a legitimate source, and what the name of the network is.

    http://www.arlnow.com/2010/10/04/crystal-city-gets-outdoor-wi-fi/

  13. gargunkle says:

    Not that I needed another, but yet another reason I’m glad my netbook runs Ubuntu.

    • Mom says:

      True that there’s not as much malware out there for Linux (supply, demand, that kind of thing). However, if I’m doing a targeted attack of a machine (yes, I’m a professional…) I’d much rather attack Linux than Windows 7 or Vista. Linux (or Mac OS) are *way* easier to attack.

      Windows XP, however, is another story. Easy peasy.

  14. aloria says:

    The Consumerist: Bringing you groundbreaking information security news from the bleeding edge of 2005.

  15. The Marionette says:

    Yeah, they’re scraping the bottom of the barrel.

    *looks at who posted the “article” *

    Oh………..

  16. gman863 says:

    Mr. Obvious’ list of public network security tips:

    * At a coffee house, hotel or other public hotspot ask your barrista, deskclerk or other person pretending to be in charge what network name you should connect to. If still in doubt, show them your sign-on screen and ask if it looks official.

    * If you use Internet Explorer, update to version 8 (IE8) by downloading it free from Microsoft. It is far safer than previous versions.

    * If buying a new PC or netbook, Windows 7 actually works and is far more secure than XP. Thankfully, the retarded mutant monster known as Vista is dead.

    * If dealing with bank accounts, credit cards or other sensative info, avoid accessing it on ANY public network. Mobile banking on a cell phone has better security (and the numbers are smaller making “shoulder surfing” less likely).

  17. aaron8301 says:

    I always have wifi with me. I simply turn on wifi hotspot mode on my android phone, and my laptop connects to it and uses my phone’s 3G connection.

    What, your phone doesn’t do this?