Public wi-fi hotspots are more dangerous than you think

Is it Xfinity or AT&T ... or a malicious hacker pretending to be?

You've known for a long while now that there's an inherent security risk every time you go online, hence the near-constant warnings you hear about hackers, phishers, malware and other threats that literally didn't exist in your parents' day.

And you know that going online via any sort of free or public wi-fi hotspot is risky even by Internet-security standards, because that free network might be nothing more than bait offered by hackers seeking full access to any device connecting to it.

But you might not have known just how risky that free wi-fi access is — especially if you're a customer of Comcast or AT&T. Ars Technica tried a little experiment and the results should concern anybody who takes advantage of Comcast or AT&T's free offerings: “Millions of AT&T and Xfinity customers could be leaving themselves exposed to surreptitious hacking of their Internet traffic, exposing their personal data as a result.”

Here's a (very oversimplified) explanation of why: unless you specifically turn off that feature, or your device itself, your smartphone, tablet or other connectable device is always looking to connect with a familiar network.

Let's say you occasionally visit Starbucks to take advantage of their free wi-fi. So the next time you go there, your phone will automatically send out a signal, basically saying “Hey, Starbucks wi-fi, where are you?” and waiting for the electronic response “Here I am! Starbucks wi-fi, now connecting with you.”

But it's very easy for anyone to set up a wireless hotspot to respond under a false name: “Here I am! A hacker up to no good, but I told your phone I'm actually Starbucks wi-fi and now I'm connecting with you.”

That particular danger — that your devices might automatically connect to fake Starbucks or fake McDonald's or any other falsely labeled store-specific wi-fi hotspot — is easy to guard against: simply shut off the wi-fi connections on your mobile devices when you're not using them, set it so that it must ask before joining a mobile network.

How easy is it?

Ars Technica discovered just how easy it is for anyone with minimal knowledge and everyday equipment to set up as a wireless hotspot spoofing Xfinity or AT&T:

I set up my laptop as a Wi-Fi hotspot broadcasting the network name (SSID) “attwi-fi” (after alerting my neighbors, of course). After killing off the settings for my preferred networks on my iPhone, I turned on the Wi-Fi, and it connected to the fake “attwi-fi” hotspot without prompting.

When I killed the “attwi-fi” network after a few seconds, my iPhone promptly demonstrated the further risks of auto-connecting—it automatically reconnected with another network in the list of trusted networks on my phone: a hotspot called “xfinitywi-fi.” I had used an Xfinity hotspot while waiting for an appointment a few days earlier, and suddenly I was logged into a hotspot running on my neighbor’s cable modem.

Comcast’s Xfinity wireless hotspots present a Web page for login that requests a customer’s account ID and password, and each time you connect to a new hotspot it re-authenticates you. But if you’ve connected once during the day, the hotspot remembers your device and reconnects you without prompting.

This isn't a problem if your device is connecting to the legitimate Comcast or AT&T network, of course, but if it connects to a hacker-bait hotspot with a fake name, pretty much any data on that device is at risk.

Ars Technica pointed out that the security risk here does not come from the actual Comcast/Xfinity or AT&T wireless hotspots, but from the risk of connecting to fake ones. “AT&T’s and Xfinity’s networks are insecure in themselves. They are just common enough to give someone with evil in mind a way to cast a wide net for potential victims over Wi-Fi. The same tools I used to spoof Xfinity could be set to automatically respond to a victim’s phone as any Wi-Fi access point they’ve trusted.”

How can you protect yourself? No matter what type of mobile device you have, disable any and all auto-connect features in it. The minor inconvenience of taking a few seconds to “manually” connect your devices to wi-fi when necessary beats the major inconvenience of giving hackers access to every bit of confidential data on those devices.

Take an Identity Theft Quiz. Get matched with an Authorized Partner.