
Suppose a Wi-Fi network is present with a given SSID. Now I create a hotspot with the same SSID as that of the original network. If a user tries to connect to the Wi-Fi, which one will he connect to? Also suppose the original Wi-Fi asked for a password, while my hotspot doesn't. Does this mean that the user "preferably" gets connected to my hotspot? How does authentication work?
Is the user shown both the SSIDs (with identical names) as result of a passive scan?

Vilican
faraz khan
    Your question seems similar to this one: [What previously-unknown Wifi access points will devices automatically connect to?](https://security.stackexchange.com/questions/86565/what-previously-unknown-wifi-access-points-will-devices-automatically-connect-to) – WhiteWinterWolf May 22 '15 at 17:03

2 Answers


If it is a known connection (the user has connected to it before), chances are it'll automatically connect to that one and they wouldn't have to enter the password again, but if they'd never connected before, chances are the user will connect to one without a password if they do not know the password to the protected one, because hey, 'free wifi'. Any device would connect to a wifi connection that it has been connected to before because it will be a trusted connection and wouldn't need to connect to any other wifi, so it will ignore any other connections.

  • Welcome to Information Security Stack Exchange! This answer is going to need some work - the OP isn't asking what the user will do, but what the underlying software will do. To make it a really good answer, you'd have to explain _why_ the software responds in the way it does. – S.L. Barth May 20 '15 at 12:46

The exact answer will depend on the specific client implementations. But based on my experience most clients will in the default configuration automatically connect if they are within range of an access point with an SSID and encryption method which the client has used before.

If the network is unencrypted there is no more information needed on the client in order to connect to the access point.

It is still possible that the access point has a configured list of which MAC addresses it will allow to connect. But this does not in any way help the client know whether the access point it connected to is legitimate.

There is the possibility for the access point to make use of a captive portal after the client has connected. The client cannot know whether a captive portal is being used on an access point it has not yet connected to. The client can also not know whether the legitimate access point is supposed to use a captive portal.

Even if a captive portal is being used and is secured using https, it will still not prevent an attacker from spoofing the access point. The attacker can simply bring up his own access point and bridge all the traffic through his own WiFi interface connected to the legitimate access point. That way the client will be communicating with the legitimate captive portal, but it will be authenticating the attacker to access the legitimate network.

That attack could be made more difficult to an attacker if client and access point would validate that they are communicating with the expected MAC address. But the attack can still work if the attacker knows how to spoof MAC addresses.

If you want to protect against those attacks, you need to implement some actual security measures. Your options are either to use WPA or VPN.

An unencrypted access point which only provides access to a VPN server and nothing else combined with a client which will not use the wireless network for anything other than a VPN connection will be as secure as the VPN you are using. An attacker can still perform a MITM-attack on the WiFi connection quite trivially, but if he cannot break the security of the VPN, he gains nothing from this.

With WPA the attacker cannot MITM the communication because he only knows the SSID and not the key. An attempt to attack the communication would be noticed earlier than in the VPN case. But the attacker can still snoop the encrypted traffic and attempt to decrypt it.

When WPA is used, a client which comes across an access point with identical SSID but different key will attempt to connect. The connection will fail. Having the user think they are within range of the access point only to find it fails because it was the wrong access point is a minor inconvenience but not a real security problem.

Due to the inconvenience of this happening, it is a good idea to use a unique SSID. Also due to WPA not having any good protection against weak passwords, using a unique SSID also improves security. This is one of those rare cases where you can make a change to improve both security and usability.

kasperd
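The following is an added example, not code from the question or either answer. It does two things: it models the default auto-join rule kasperd describes (a client only joins an access point whose SSID *and* security type match a saved profile, so an open clone of a WPA network is not a candidate even with the stronger signal), and it shows the scan check a network owner can run to notice a second access point advertising a name already in use with different security. The scan results, BSSIDs, SSIDs and the saved-profile list are all constructed for the example; a real check would parse the output of the OS scan tool (for example `iw dev <iface> scan` on Linux), and the rule below is a simplification of the answer's description, not any particular OS's implementation.

```python
"""Toy model of the client auto-join rule from kasperd's answer, plus a
defender-side check for one SSID being advertised with differing security.

All data below is constructed for this example; nothing is taken from a
real scan."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class AccessPoint:
    ssid: str
    bssid: str        # AP MAC address as seen in the beacon
    security: str     # "open", "WPA2-PSK", ...
    signal_dbm: int


# Constructed scan result: two APs share the name "CoffeeShop", one protected
# and one open, which is exactly the situation the question describes.
SCAN = [
    AccessPoint("CoffeeShop", "aa:bb:cc:00:00:01", "WPA2-PSK", -55),
    AccessPoint("CoffeeShop", "aa:bb:cc:00:00:02", "open", -40),
    AccessPoint("HomeNet", "de:ad:be:ef:00:01", "WPA2-PSK", -70),
    AccessPoint("Guest", "de:ad:be:ef:00:02", "open", -65),
]

# Saved profiles on the client: SSID -> security type it was joined with before.
KNOWN_NETWORKS = {"CoffeeShop": "WPA2-PSK"}


def candidate_aps(scan, known):
    """Default client rule as described in the answer: only access points
    whose SSID *and* security type match a saved profile qualify for
    auto-join. The open 'CoffeeShop' clone is excluded even though its
    signal is stronger."""
    return [ap for ap in scan
            if ap.ssid in known and ap.security == known[ap.ssid]]


def choose_ap(scan, known):
    """Pick the strongest-signal candidate, or None if nothing matches."""
    cands = candidate_aps(scan, known)
    return max(cands, key=lambda ap: ap.signal_dbm) if cands else None


def find_ssid_conflicts(scan):
    """Defender-side check: report every SSID advertised by more than one
    BSSID with differing security settings. A legitimate multi-AP network
    normally advertises the same security on every BSSID, so a mismatch
    is worth investigating. Returns {ssid: sorted list of BSSIDs}."""
    by_ssid = defaultdict(list)
    for ap in scan:
        by_ssid[ap.ssid].append(ap)
    conflicts = {}
    for ssid, aps in by_ssid.items():
        if len({ap.security for ap in aps}) > 1:
            conflicts[ssid] = sorted(ap.bssid for ap in aps)
    return conflicts


if __name__ == "__main__":
    chosen = choose_ap(SCAN, KNOWN_NETWORKS)
    print("client would auto-join:", chosen)
    for ssid, bssids in find_ssid_conflicts(SCAN).items():
        print(f"SSID {ssid!r} advertised with differing security by {bssids}")
```

Note what the model does not cover, in line with the answer's caveats: a client with no saved profile at all (an empty `known` dict) joins nothing automatically, and whatever the user then picks by hand is outside the software's decision; and a second WPA access point with the same SSID and a different key would pass the candidate filter and simply fail to associate, which the answer calls an inconvenience rather than a security problem.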