
It seems to me that one of the major flaws of Wifi is that computers will auto-reconnect to a Wifi that merely has the same name as one you connected to in the past, i.e. an evil twin. While perusing log files I've seen this happen, and it is a surprising design flaw. There ought to be something more substantial than just an access point name to authenticate a Wifi router as being one that the computer spoke with in the past. Why does Wifi auto-reconnect based on only the access point name? Why isn't there a shared secret?

UPDATE: I should describe what I saw that made me ask this question.

  1. I was on a train at one point (I can't remember the country). I had come from an airport where I'd been in a lounge that had free Wifi with no password, but there was a "captive portal" login screen.
  2. I noticed on the train, which was by then far from the airport, that my computer Wifi had once again connected to the airport lounge Wifi.
  3. I checked the log and indeed, a "fake" Wifi hotspot with the same name but a different MAC address was there and DHCP had provided me with an IPv4 address.
wudude
  • What made you sure that the first WiFi hotspot you connected to wasn't already rouge? Just based on its name? – Steffen Ullrich Oct 14 '20 at 17:52
  • Rouge? What do you mean. – wudude Oct 14 '20 at 19:01
  • A hotspot which claims to be a trustable hotspot but in reality sniffs and maybe modifies your data and tries to attack you. – Steffen Ullrich Oct 14 '20 at 19:19
  • That's rogue, not rouge. (Rouge is French for red.) – wudude Oct 14 '20 at 23:26
  • Thanks for the correction, my bad. Still, the question remains how you considered the first open Wifi hotspot trustworthy. If it is just because you expected a hotspot with that name to be available, your behavior is not much different from what a computer does. – Steffen Ullrich Oct 15 '20 at 03:29

2 Answers


There ought to be something more substantial than just an access point name to authenticate a Wifi router ...

The name of the AP is not used to authenticate the AP against the client at all, it is only used to identify possible known networks.

Why isn't there a shared secret?

Because there is one. The password as used in most common setups is not only used to authenticate the client against the AP but also the AP against the client: the connection will only succeed if both have the same shared secret. Within enterprise setups there are also certificates for authentication involved.

Steffen Ullrich
  • If there is no password then there's no shared secret, right? – wudude Oct 14 '20 at 17:49
  • @wudude: The password is the shared secret. But a pre-shared secret (PSK) is only one way of authentication, certificates are another way but mainly used in enterprises. – Steffen Ullrich Oct 14 '20 at 17:57
  • I am not sure this answer is what he even asked. From my understanding he means that if you get disconnected from a network it will auto-reconnect to something without any password. I am not aware that is how it works though; surely computers don't just try to reconnect automatically based solely on SSID? – Coderxyz Oct 14 '20 at 18:08
  • Yes Coder, that is what I observed. A computer "reconnected" to a Wifi router it had never connected to, solely based on the SSID. – wudude Oct 14 '20 at 19:01
  • @Coderxyz: It will only connect to another AP if this AP has the same name and password as the other one. In case of no password there is no authentication, i.e. the name is only used for identification. It is actually pretty common that there are multiple APs with the same name to cover an area, and it is also very common for chains or for internet providers to offer their branded AP in many places. It is kind of expected in both of these cases that the phone will connect to these already known providers. – Steffen Ullrich Oct 14 '20 at 19:25
  • In America we do have a lot of these Xfinity no-password APs, however there is no reason to think some of these are not fakes that are merely harvesting users' account names and passwords. – wudude Oct 14 '20 at 23:29
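To make the point of this answer and its comments concrete, here is an added example (not code from the original answer) that models the part of the WPA2-PSK 4-way handshake where the client checks the AP's MIC on message 3. The key derivation follows IEEE 802.11i; the MAC addresses, nonces and frame body are constructed placeholders, and `client_accepts_ap` is a hypothetical helper name.

```python
# Added example: why a WPA2-PSK client can reject an AP that only knows the
# SSID, and why an open network (no passphrase) gives it nothing to check.
import hashlib
import hmac
import os
from typing import Optional


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    # PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 256 bits)
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def derive_ptk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes) -> bytes:
    # PRF-512 from 802.11i: concatenate HMAC-SHA1(PMK, label || 0x00 || data || i)
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    label = b"Pairwise key expansion"
    out = b""
    for i in range(4):
        out += hmac.new(pmk, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
    return out[:64]  # KCK is the first 16 bytes of the PTK


def eapol_mic(kck: bytes, frame: bytes) -> bytes:
    # WPA2 (key descriptor version 2): MIC = first 16 bytes of HMAC-SHA1 under the KCK
    return hmac.new(kck, frame, hashlib.sha1).digest()[:16]


def client_accepts_ap(ssid: str, client_pass: Optional[str], ap_pass: Optional[str]) -> bool:
    """Does the client's MIC check on handshake message 3 pass for this AP?"""
    if client_pass is None:
        # Open network: no shared secret, so there is no handshake MIC to verify.
        # Any AP advertising the same SSID is accepted on name alone.
        return True
    aa = bytes.fromhex("02aa00000001")   # constructed AP MAC address
    spa = bytes.fromhex("02cc00000002")  # constructed client MAC address
    anonce, snonce = os.urandom(32), os.urandom(32)
    msg3 = b"constructed EAPOL-Key message 3 with the MIC field zeroed"
    # The AP can only compute a MIC from whatever passphrase it actually knows.
    ap_kck = derive_ptk(derive_pmk(ap_pass or "", ssid), aa, spa, anonce, snonce)[:16]
    ap_mic = eapol_mic(ap_kck, msg3)
    # The client recomputes the MIC from the passphrase it stored for this SSID.
    cl_kck = derive_ptk(derive_pmk(client_pass, ssid), aa, spa, anonce, snonce)[:16]
    return hmac.compare_digest(ap_mic, eapol_mic(cl_kck, msg3))
```

With a passphrase, an evil twin that guesses wrong fails the MIC check and the client never completes the association; without one, the SSID is the only thing the client ever compared.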

As Steffen Ullrich points out in his answer, it is common for wifi providers to create a mesh network of wifi access points to blanket a large region, or even an entire geographic area - so that users of their service can move around within the area freely and stay connected. In these setups, all of the access points in the mesh group have the same SSID, and it's common to allow users to connect to the access point without a password, then authenticate through a captive portal.

Naturally, as the user moves around within the blanketed area, their device connects to different access points in the mesh group automatically (because all of the devices have the same SSID). Otherwise, if there were manual steps involved, this would be an inconvenience for the user.

This setup is identical to the one that you describe in your question. However, as you point out, this opens the door for an attacker to set up a malicious wifi access point, with the same SSID as the others in the mesh group, masquerading as another access point in the mesh group.

So, how do you know if you are connected to a legitimate access point, or a malicious access point? The answer is: you don't. That's why you should assume that ALL wifi access points are malicious, and accordingly, take appropriate precautions. For example, if you are browsing the world wide web, only connect to sites using HTTPS. If the wifi access point that you are connecting to is malicious and tries to eavesdrop or tamper with your connection, your browser will detect a certificate problem and warn you. The same holds true for other protocols as well - for example, if connecting to a mail server by POP3, IMAP, or SMTP, only do so securely and be sure your mail client authenticates server certificates.

mti2935