Airport Snooping

I’ve always wondered why ill-intentioned hackers don’t set up fake free WiFi hotspots in public places like airports to collect passwords and other personal information. As it turns out, they do:

Authentium did an in-depth survey of the ad hoc networks found at O’Hare, visiting on three different occasions. It found more than 20 ad hoc networks each time, with 80% of them advertising free Wi-Fi access. The company also found that many of the networks were displaying fake or misleading MAC addresses, a clear sign that they were bent on mischief.

The Computerworld article focuses on the dangers of associating with ad-hoc (peer-to-peer) wireless networks and provides a number of tips for Windows users to avoid unintentionally connecting to an ad-hoc network.

It seems to me just a matter of time, though, before malicious agents set up “real” (infrastructure-mode) access points in public places to collect such data. In fact, based on the airport study above, I would be shocked if it weren’t already happening. Numerous trivial variations could be very difficult to detect for the average user: for example, someone could set up a WiFi access point advertising itself as a T-Mobile HotSpot, and copy the T-Mobile web interface. If they wanted to be especially crafty, they could sit outside a Starbucks (or other known T-Mobile HotSpot) and simply use a different channel than the existing hot spot. Even a sophisticated user might have trouble telling the difference.

The lesson is that you need to expect that all network traffic is insecure if not encrypted and signed at both ends. Although even in that case there are possible man-in-the-middle attacks, at least we have a cryptographic certificate/certificate authority infrastructure to mitigate the risk. (That sort of attack is also a bit more difficult to pull off, thus perhaps deterring the simplest “script-kiddie” type attackers.)


  1. gouki Jan 28

    Hi Adam,

    Regarding the use of ‘real’ infrastructure-mode for ‘evil’ purposes I’m affraid to tell you that it is already done. A couple of months ago I tried a little something which can be done with some ease on airports.

    It consists of using a WRT54G router and a firmware from the The Shmoo Group[0].

    [0] –

  2. bonobo Jan 28

    Even standard SSL based browser can be easily tricked, even for advance users. The router can run a croaked DNS which redirects everything to its own password capturing site. All it need is a verisign signed cert.

    Who would check if the server is the real one(and how as many banks choose oddball domain names).

  3. Ewan Marshall Jan 28


    GNU/Linux / Macos

  4. gouki Jan 28

    Ewan Marshall,

    I don’t believe there is a solution. If the homepage of a Access Point is well designed, pretty much everyone will fall for that and give in their password.

    Like bonobo said, even SSL can be tricked. A simple Man-in-the-Middle attack will work.

    What I’ve startad to do what is use ICMP tunneling. Most of the AP’s are not configured to block ICMP traffic, so I connect to one of them and then use ptunnel to SSH into a computer I own. Lynx, Mutt, IRSSI and NAIM. All work like a charm! (=

Leave a Reply

(Markdown Syntax Permitted)