Mystery “Free Public WiFi” Access Point

Recently a colleague noticed a new wireless access point broadcasting in our building with an SSID of “Free Public WiFi”. The campus isn’t close enough to any coffee shops or other locations that I thought would offer public wireless. My curiosity piqued, I fired up NetStumbler to gather some information.

My first thoughts were that an employee may have set up an unauthorized access point (AP), or that there was actually a business nearby offering public WiFi. The other thought in the back of my mind that I wanted to rule out was that a rogue AP had been set up nearby with the intent of enticing users to connect in order to exploit vulnerabilities or gather data about our network. But rather than looking for the conspicuous van in the parking lot, I started with NetStumbler. It quickly found the AP, and judging by the signal strength, it was in the building. Strangely I noticed the first byte of the AP’s MAC Address was 02, signifying a locally administered MAC Address, one that didn’t correspond to an Organizationally Unique Identifier (OUI). This meant the AP probably wasn’t going to be some generic Linksys device.

I next looked at the AP from XP’s wireless network listing and discovered it was an ad-hoc (computer to computer) network. So as this was being broadcast from another computer, does that mean that someone was broadcasting a rogue AP with a tool like AirSnarf or FakeAP? As it turns out, no. This was actually an intended, albeit odd, behavior of the Windows Wireless Auto Configuration service.

The short version of how the service works is:

1) Windows attempts to connect to available preferred APs, in order.

2) Failing that, it attempts to connect to unavailable preferred APs (this enables connections when SSID broadcasts are disabled).

3) If that fails, it attempts to connect to available, preferred ad-hoc networks.

4) Finally, if step 3 fails, and there is an ad-hoc network in the preferred networks list, Windows configures the wireless adapter to become the first node of that network.

Read the full details on TechNet.

So at some point, this user had connected to an ad-hoc network called “Free Public WiFi” and made it a preferred network. Because we don’t have wireless where I work, the machine had completed through step 4 above, and started broadcasting this SSID. To compound the problem, I’ve read that this behavior is somewhat viral because people looking for access points will see “Free Public WiFi”, connect to it, and add it to their preferred networks. They won’t get anywhere as the ad-hoc network won’t route to the Internet, but the next time their computer makes it to step 4, they now unknowingly propagate the problem. This explains a lot of the mystery APs you’ll come across. I’ve since come across an “hpsetup” SSID that exists for this reason.

If I try really hard, I can understand Microsoft’s reason for designing Windows this way, but I believe it causes more problems & confusion than it alleviates. A few best practice tips regarding this issue: disable your wireless if it isn’t needed, especially in public places; and configure the Windows advanced wireless settings to connect to infrastructure access points only. There are only a few rare occasions when a peer-to-peer wireless network is needed.

The final mystery here is the locally administered MAC address: it didn’t match up to the wireless adapter’s actual MAC address. My theory here is that when Windows joins an ad-hoc network, a new dynamically administered MAC address is used for security purposes, but I could be wrong. I haven’t yet been able to confirm that by testing, and I can’t find any documentation on the subject. If you know the answer or have any ideas, please leave comments.
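The two clues used above, the locally administered bit in the BSSID and the ad-hoc network type, can be checked mechanically over a wireless survey export. This is an added example, not code from the original post; the row format, field names, labels and sample rows are constructed assumptions, and only the two SSIDs come from the post.

```python
import re

# SSIDs the post names as spreading through preferred-network lists.
VIRAL_SSIDS = {"free public wifi", "hpsetup"}
MAC_RE = re.compile(r"^[0-9A-Fa-f]{2}([:-][0-9A-Fa-f]{2}){5}$")

# Constructed survey rows (not captured data); field names are assumptions.
SAMPLE_ROWS = [
    {"ssid": "Free Public WiFi", "bssid": "02:1A:2B:3C:4D:5E", "type": "adhoc"},
    {"ssid": "hpsetup", "bssid": "02-AA-BB-CC-DD-EE", "type": "adhoc"},
    {"ssid": "gamenight", "bssid": "06:10:20:30:40:50", "type": "adhoc"},
    {"ssid": "CorpGuest", "bssid": "00:11:22:33:44:55", "type": "infrastructure"},
]


def is_locally_administered(mac):
    """True when the U/L bit (0x02 in the first octet) is set, so no OUI lookup applies."""
    if not MAC_RE.match(mac):
        raise ValueError(f"not a MAC address: {mac!r}")
    return bool(int(mac[:2], 16) & 0x02)


def triage(row):
    """Return a short label for one survey row."""
    adhoc = row["type"].strip().lower() == "adhoc"
    local = is_locally_administered(row["bssid"])
    known = row["ssid"].strip().lower() in VIRAL_SSIDS
    if adhoc and known:
        return "client-advertised-adhoc"     # likely a Windows machine at step 4
    if adhoc:
        return "adhoc-review"                # peer-to-peer network, confirm it is wanted
    if local:
        return "infrastructure-local-bssid"  # no vendor lookup possible, check inventory
    return "infrastructure"


def report(rows):
    """Triage every row, keeping the U/L flag next to the label for the analyst."""
    return [(r["ssid"], r["bssid"], is_locally_administered(r["bssid"]), triage(r))
            for r in rows]


if __name__ == "__main__":
    for ssid, bssid, local, label in report(SAMPLE_ROWS):
        print(f"{ssid:18} {bssid}  local={local!s:5}  {label}")
```

A "client-advertised-adhoc" row points at a laptop to locate and clean up (remove the ad-hoc entry from its preferred networks), not at an access point to hunt for.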

Links:

TechNet – 802.11 Wireless Details

NMRC Advisory – Windows Ad-Hoc Network Advertisement

MAC Addressing Reference


3 Responses

  1. I noticed one of these in a hotel I was staying at one time, but doing some research, it sounded like the ‘free public wifi’ SSID was usually a honeypot or something as well.

  2. Thanks for the info.
    I remember noticing a lot of these popping up around my university campus (UK) and halls when I was back in first year, and was always rather suspicious of them.

  3. Just seen this on Twitter, cheers for the info.
