Over at Ars Technica, Sean Gallagher simply turned his laptop into a WiFi hotspot with the name “attwifi,” the same SSID used by AT&T phones to identify friendly networks.
Once he turned on the faux hotspot, his AT&T phone connected to it without any sort of prompting, much like it would at train station or Starbucks with a legitimate AT&T spot set up.
It’s the kind of scammy behavior that people have been trying at hotels and airports for years, setting up bogus hotspots offering free WiFi access, only to try to hack the devices of those who sign on. The AT&T example is of particular concern because A) the default setting on AT&T smartphones to automatically connect to these networks, and B) the company’s legitimate WiFi network is so widespread in certain markets that some people don’t blink when their devices connect to one.
Thus, unlike the sketchy airport hotspot example, it doesn’t require any action on the part of the user to sign on to a fake AT&T WiFi hotspot. A hacker could just take an impostor hotspot into a building, turn it on and see who automatically connects.
So AT&T users would be well advised to turn off the auto-connect feature.
On Android phones, go into your list of available WiFi networks, then go into Advanced settings and turn off “Auto Connect.” On AT&T iPhones, go into the “attwifi” network on your phone’s list and turn off “Auto-Join” and “Auto-Login.”
The Comcast/Xfinity problem is similar but slightly more complicated. It became obvious to Gallagher after he turned off his fake AT&T hotspot and his phone automatically connected to an Xfinity hotspot without asking for login credentials.
See, the Xfinity hotspots require users to login — with the same credentials they use to access their account on the Comcast website — once per day. But once you’ve logged in on an Xfinity WiFi location, you can access other Xfinity hotspots for the day without having to enter those credentials.
So someone in a city with a large Comcast customer base could set up a fake Xfinity hotspot and hope that enough people will have already logged in elsewhere that day, thus not triggering the login requirement. Or, as Gallagher points out, a hacker could take the extra-sketchy step of creating a fake login page that then captures the users’ account info.