A new twist on the 'free Wi-Fi' scam

A new twist on the 'free Wi-Fi' scam

Summary: As Robert Heinlein said, TANSTAAFL

TOPICS: Wi-Fi, Mobility

As technology professionals you are undoubtedly aware of the various “Free Wi-Fi” scams that turn up from time to time, from the issues with Windows XP and access points to actual honey traps and unscrupulous operations that weren’t exactly free. But I heard today about a new scam from a client who does trade show operations.

Keep in mind that the majority of trade shows are on a much smaller scale than those we traditionally associate with IT, and that for non-IT products, the attendees are usually not exceptionally technically astute. So when the trade show operators promote free Wi-Fi for attendees and vendors it is usually accepted as a given that there will be some form of free Wi-Fi available, though  there may be no better performance than the level offered by budget motels.

And as we all know, the most effective malware attacks often come in the form of social engineering; give someone something they expect to see and they will likely click on it and move on. And that is what this scheme is based on. I discovered this when a friend called me this morning to tell me about their experience at a mid-sized, industrial equipment, trade show.

It seems that someone was using the trade shows promise of free Wi-Fi to get users to connect to an unsecured and presumably well-sniffed network so that these unknown actors could acquire passwords and other related internet connected information. A little technical knowledge and a tool like Wireshark makes this information fairly easy to acquire.  

The social engineering part was this; attendees to the trade show would be presented with a wireless access point with a name like “Free TradeShowName Wifi” and expecting the free Wi-Fi related to the tradeshow, would use that connection.

The only problem was that it wasn’t the actual tradeshow network connection. And it is unlikely that someone went to the trouble of setting up this spoof network with anything other than nefarious purposes in mind.

Other than letting people know the name of the actual tradeshow network and putting up appropriate signage, there is little tradeshow management can do.  Even providing a secured password protected wireless network for vendors and attendees won’t stop some percentage of people from attaching to the “Free”, seemingly official, network.  And no matter how much you tell users to be very careful when using public Wi-Fi access, there will always be those who think those admonitions don’t apply to them or simply don’t understand the problem.

Topics: Wi-Fi, Mobility

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.


Log in or register to join the discussion
  • Thats why ill skip the wifi

    I skip the wifi at the places I visit. The 4g on my phone works just fine to get data I need.
    • I agree

      I agree with spikey289; I have 4G on my phone, it downloads at apx 28Mbs, I have a grandfathered unlimited data plan with Verizon (alas, I rarely exceed 1Gig/month), and a 13 character password that will not be easily cracked (U/L case letters, digits, special characters). Works like a charm on my Android-powered Droid-4. Of course, I leave it off unless I am using it. Good solution!
      • Hackers crack 16-character passwords in less than an HOUR.

        • Agreed...Past tense.

          I go to the trade shows here all the time. Most are in a small venue, but the boat/fish/hunting show is in the big convention center. All have 1 free public Wi-Fi except for the convention center which has 6. I connect to them all automatically when I walk in the door. The old ways attacking in mass at the unprotected is still done, but not by the professionals. Too easy to get caught. And if the hacker is wanting to show off his skills, he wont be boasting about doing what a 13 year old Swede did 10 years ago. He will look for a challenge. Granted there are still some out there that will do it just to do it, like throwing rocks at windows, knocking down mailboxes, spray painting overpasses... but they always seem to get caught because they tell too many people.
          Daniel Bissell
  • Good article

    Thanks for writing about this. That someone would do that didn't cross my mind yet.
  • VPN

    If you don't have a corporate VPN to go to immediately after connecting to public wifi, get a personal one.
    • Re VPN

      Remember -- he's talking about NON-tech folks. The ones who are either too busy or too lazy or just too plain dumb to either know or care.

      Same group as, "We've never had a problem, so we don't want to waste the money for backup software." Then when a problem occurs, no one wants to say, "I told you so!" because anyone who does will be the one who somehow winds up getting blamed.
  • Not a surprise, given how free Wifi is often offered.

    In fact, I'll go you one better than the "How do you know at the trade show?" issue. The Boston area Commuter Rail system offers free Wifi on many (if not most now) of the commuter rail trains that travel to and from Boston. And rather than using any kind of coordinated AP topology, about every other or every 3rd car simply has it's onw Wifi AP, each implemented with a page redirect to a terms and conditions page after which you can use the wireless.

    10's of thousands of people ride these trains daily, and many of them take advantage of the free wifi.

    But they take a significant risk in doing so. You see, each access point is individually named, with a naming nomenclature of something on the order of "MBTA-CAR-
    • too long!!


      Since there's not way on earth that the riders of the train can even determine the car number of the car they are on let alone others on the train, there's absolutely nothing from preventing the same sort of "wifi-scam" you are describing. Even worse, while having another open WIFI connection named in such a way as to confuse trade show attendees show up at a trade show is likely going to cause whoever is setting up and/or maintaining the official one to raise an eyebrow, having an extra "MBTA-CAR-NNNNN" or two show up on the list is almost certainly going to go unnoticed, especially on a moving train with a staff of 2 conductors and an engineer!
  • free wifi is for me...

    I love free wifi, I use UNIX on my notebooks, and secure shell (ssh ) tunneling to my servers,
    besides, acessing all of the internet (bypass routers block ports....) I can watch youtube videos, access all my emails via pop, skype, voip... and so on what just needed is an open port...
    I do not care about sniffing...
    • Ah, ever heard of

      "Man in the middle?" How do you know you are actually making the connection directly to your server... you might need to rethink your "security knowledge". Unix has no direct relationship to your security problem.
  • They Can Sniff All They Like

    People are using end-to-end-secure protocols like SSL/TLS and SSH, right?

    I mean, did you think the Internet was secure anyway?
  • It's the best way to let someone into your Yahoo Account

    but then what Yahoo user would care?
  • Free Wifi isn't bad if you know what it's good for

    Yes, free wifi isn't secure but that doesn't mean it's not useful. If you want to go online to read the news then free wifi is fine. Just don't expect what you're doing to be private unless you're using a VPN (and preferably also SSL).
  • Is this to scare us all into paying for a VPN?

    If so, I'll need to do a reisk assessment and value for money calculation first!
  • Here's your risk assessment.

    How much does a VPN subscription cost?

    How much do you have in your checking account? Savings? IRA? How much additional credit would your current credit rating allow you to get? Does your house have a good burglar protection service?

    I'll use a free wifi to google random trivial questions, or to find a store, but not to do anything involving account signins. My phone has 3G/4G and can act as a hotspot. If I carry my full Windows laptop out of the house, I take a subscription based 3G/4G hotspot set up to impersonate my WPA-2 secured home router, or in an emergency, use the phone hotspot (also set up to impersonate my home router). Since I do this so seldom, I am thinking of dropping the hotspot and using my phone.

    I am thinking of adding a VPN, but will still not use random free wifi networks. Besides, the problem with them, for phones, is that you have to use a browser to sign in after connecting before using the connection for anything else, but the prompt to connect often comes in the middle of another task.
  • free wifi

    The only place I have ever used free WiFi is at Starbucks, and then only once in a great while. I do not use it anywhere else. I am very careful about what I do and don't do on my PC, laptop and phone. Way too many dishonest people people out there looking for the trusting folks who do not know any better.
    Paul on the Mesa
  • Free Wi-Fi security????

    Where is a test that shows us that something is actually hacked and the result. All these comments sound so esoteric, that it is hard to take them seriously. This sounds like the global warming scam. Show me some hard information on some things put on the Internet and show me the hack and tell me what kind of protection is on the device. Almost every security article that I have seen on the Internet never shows the interdiction happening. It is just so much rhetoric with no actual factual information that you can have a real security expert look at and pass down information about conditions and let you know what to do to actually improve your security with the device you have.
    • Re: All these comments sound so esoteric

      Well, you se‌e, it's all heavily bas‌ed on stu‌ff called "scie‌nce" and "maths". Unless you've got a basic grounding in those, you're going to have trouble understanding the arguments.

      Thankfully, anybody can learn something about these, but you have to p‌ay attention to the tea‌cher explaining them in class. Did you pa‌y attention? Or did you believe that all the tru‌th you needed came out of that "Bi‌ble" book?