Computerworld reports that in testing at airports, they found honeypots intended to lure unsuspecting users: I'm a bit lagging on this story, reported two weeks ago, but it's still relevant. The "Free Wi-Fi" scam involves password snatchers setting up fake Wi-Fi networks in public places, like airports, that use free in their network name. Connecting to these locations puts your machine at risk. Further, for Windows users, your laptop might connect in the future to other identically named locations without asking if you want to connect. The attacker can snarf unprotected passwords and unencrypted email, as well as infect your computer.
Computerworld cites security firm Authentium as having found dozens of "free," ad-hoc wireless networks of this sort at airports across the U.S. The firm told Computerworld that in multiple visits to O'Hare, they found over 20 ad-hoc networks advertising free service each time, and saw "fake or misleading" MAC addresses, the numbers designed to identify each Wi-Fi or Ethernet adapter uniquely.
The article offers specific advice on how to avoid this problem. The most prominent in my mind? Use a VPN. Several firms offer VPN-for-hire for travelers who don't work for companies that offer or require VPN use on the road. Try JiWire's Hotspot Helper (Windows only, $25/year) or WiTopia.net's personalVPN (Windows/Mac, $40/year), for instance.
(Disclosure: I have a very small stake in JiWire.)
So do these scammers connect you to the internet? In that case, you can easily turn the tables and take advantage of the free connectivity if you make sure you encrypt your stuff.
The easiest way to do that is not a VPN but rather SSL. All decent email services support that (but generally don't require it-double check!) and just make sure you see the lock in your browser before doing anything sensitive over the web.
This is correct. What is even scarier in a way is that some airports that offers free service utilize gateway solutions that can't handle (or possibly even worse) blocking vpn connections.
Last week I was through Phoenix Sky Harbor airport that is one of the airports in the US that offers free internet access. However I couldn't establish a VPN connection (neither l2tp, pptp so never bothered to check ipsec). Speeds where great but basically couldn't do any useful work so ended up just checking a few websites and finished my session.
I also stayed at numerous hotels that can or will not handle vpn properly which is as bad.
Many of these so called scammers are probably just unsuspecting travelers running a version of windows on their laptops that included a 'feature' where it will create an ad-hoc network using the SSID of the network it last connected to if it cannot find any others in the user's preferred list to connect to.
For many travelers, those last used connections are very likely to be hotspot networks, hence it looks like there are lots of people pretending to be hotspots.
While there are risks associated with this feature, it probably isn't as serious a threat as some people are making out. I've not seen any reports where the "investigators" actually connected to the networks and saw fake login web pages. Of course, before connecting to any network you should verify that it is what it says it is. You can also set your preferred networks to not auto-connect, and to not connect to ad-hoc networks, which will prevent your laptop connecting without your knowledge.
The bigger risk is that your laptop beacons out one of these ad-hoc connections while you're working in a public place without WiFi, and somebody connects to it and gains access to your PC.
(By the way, the "fake" MAC addresses are probably just the random BSSIDs that ad-hoc networks are required to use!).