What’s one of the first things you do when you get to an airport, or roll into a new city for a conference or meeting? For many of us, the answer is: Find a free Wi-Fi hotspot. It is reasonable to expect to find some kind of free Wi-Fi service at airports, hotels, conference venues, some restaurants, and, of course, at ubiquitous Starbucks locations.
However, what if someone decided to place functional, though still rogue, unsecured hotspots in one of these locations? Would you be vigilant enough to notice reasonable-looking but bogus hotspot SSID names? This is exactly what security software company Avast did in Barcelona, Spain during Mobile World Congress (MWC) this week.
Avast set up functional rogue hotspots at MWC’s registration booth at Barcelona Airport with the SSID names “Starbucks,” “Airport_Free_Wifi_AENA,” and “MWC Free WiFi.” All these names look like reasonable names for legitimate hotspot networks. However, hotspots in Starbucks locations are named “Google Starbucks,” and AENA is the old name for the government-owned organization that runs most of the airports in Spain. Its current name is ENAIRE.
In a four-hour test period, Avast recorded more than 2,000 unique users. It scanned the data from these devices for categorization, but didn’t store any data. Avast reported it was able to identify the device name and user identity of 63.5% of these users. For OS, 50.1% of the devices ran Apple iOS, 43.4% ran Android, and 6.5% ran Windows Phone. These percentages are quite different from worldwide market shares for these platforms, which generally are 80+% Android, 14% iOS, and 1 or 2% for Windows Phone. We can guess that this difference is thanks to the unique mix of the kind of people who attend MWC.
Avast also found that 61.7% either searched for information using Google or checked email using Gmail. Other stats: 14.9% accessed Yahoo, 52.3% had a Facebook app installed, while only 2.4% had a Twitter app installed. And 1% used the Tinder or Badoo dating apps.
Note that Avast only reported on devices running mobile operating systems. Presumably, the registration area at the airport was not a place where people would use a notebook computer running Windows, OS X, or Linux (though other areas would have been).
The company’s advice will seem obvious to many longtime readers of our site: “Many individuals recognize that surfing over open Wi-Fi isn’t secure. However, some of these same people aren’t aware that their device might automatically connect to a Wi-Fi network unless they adjust their settings,” said Gagan Singh, president of mobile at Avast, in a statement. “With most Mobile World Congress visitors traveling from abroad, it’s not surprising to see that many opt to connect to free Wi-Fi in order to save money, instead of using data roaming services. When taking this route, people should utilize a VPN service that anonymizes their data while connecting to public hotspots to ensure that their connection is secure.”
Avast sells its own SecureLine VPN product. Our own ExtremeTech article, The ultimate guide to staying anonymous and protecting your privacy online, recommends two multi-platform VPN products: TorGuard and Private Internet Access.
Finally, while Avast carried out a planned experiment, there was an interesting unplanned Wi-Fi experiment that took place years ago due to a bug in Microsoft Windows XP. As NPR explained back in 2010:
When a computer running an older version of XP can’t find any of its “favorite” wireless networks, it will automatically create an ad hoc network with the same name as the last one it connected to – in this case, “Free Public WiFi.” Other computers within range of that new ad hoc network can see it, luring other users to connect. And who can resist the word “free?”
The result was that perhaps thousands of notebooks running Windows XP were broadcasting the “Free Public WiFi” SSID after connecting (without getting Internet access) to another notebook with that SSID. Although the problem was fixed in Windows XP Service Pack 3 (SP3), some of us continued to see this SSID for several more years.
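Both the lookalike SSIDs Avast used and the ad hoc “Free Public WiFi” networks can be spotted from Wi-Fi scan results before connecting. The following Python check is an added example, not code from Avast or ExtremeTech; the `assess` function, the verified-name list, and the scan entries are constructed for illustration, and the capability bits are the standard 802.11 Capability Information flags.

```python
import re

# 802.11 Capability Information bits carried in beacons and probe responses.
CAP_ESS, CAP_IBSS, CAP_PRIVACY = 0x0001, 0x0002, 0x0010


def tokens(ssid):
    """Lower-cased alphanumeric words of an SSID, for loose name comparison."""
    return set(re.findall(r"[a-z0-9]+", ssid.lower()))


def assess(ssid, capability, verified):
    """Return the reasons to distrust a scanned network (empty list = none found).

    An empty result is not proof of legitimacy: an SSID is unauthenticated,
    so a network using an exactly matching name passes the name check.
    """
    reasons = []
    if capability & CAP_IBSS:
        reasons.append("ad hoc (IBSS): a peer device, not an access point")
    if not capability & CAP_PRIVACY:
        reasons.append("open: no link-layer encryption")
    if ssid not in verified:
        near = sorted(v for v in verified if tokens(ssid) & tokens(v))
        if near:
            reasons.append("lookalike of verified SSID: " + ", ".join(near))
        else:
            reasons.append("SSID not on the verified list")
    return reasons


# Assumption: names the user has confirmed with the venue. Only the
# Starbucks name is given in the article.
VERIFIED = {"Google Starbucks"}

# Constructed scan results: (SSID, capability field).
SCAN = [
    ("Starbucks", CAP_ESS),                # open AP with a near-miss name
    ("Google Starbucks", CAP_ESS),         # open AP with the verified name
    ("MWC Free WiFi", CAP_ESS),            # open AP, unknown name
    ("Free Public WiFi", CAP_IBSS),        # ad hoc network, as in the XP bug
]

if __name__ == "__main__":
    for ssid, cap in SCAN:
        print(ssid, "->", assess(ssid, cap, VERIFIED) or ["no findings"])
```

Even a network with no name or mode findings is still open if the Privacy bit is clear, which is why the VPN advice quoted above applies to legitimate hotspots too.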