Windows XP's built-in Wi-Fi Security Hole

Ever look for a Wi-Fi connection and see the "Free Public Wifi" SSID? It won't be a good connection, but it's also not an attempt to break into your laptop.

By sjvn

When I'm really, really bored at an airport, I'll start looking around the local Wi-Fi networks with Wireshark. This is an outstanding network protocol analyzer. Usually it's used for checking out what's really going on in your business network. Of course, if you know what you're doing you can also use it on Wi-Fi to see just how awful everyone's security is around you. But, that's a story for another day. Recently, I noticed that I kept seeing "Free Public Wifi" APs (access points) showing up. I assumed it was someone trolling for innocents wanting to be infected with malware. I was wrong. It's actually a much more interesting Windows XP security flaw.

A friend of mine pointed me to what was really going on. If you want to know more of the details, I recommend this article: Free Public WiFi SSID. The short version is that Windows XP includes a utility, WZC (Wireless Zero Configuration). This was superseded in Vista and Windows 7 by WLAN Autoconfig. In either case, the idea is to make connecting to Wi-Fi APs easy.

The problem is that they make it a little too easy. If you have WZC enabled when you boot up, it starts looking around for a preferred network SSID (Service set identifier), the human-readable name that many APs use to identify themselves.

Let's say it can't find one. Next, it will try to connect to other APs on your 'preferred' list of APs just in case it didn't detect one the first time or the AP isn't transmitting an SSID anymore. If it fails again, it will then start looking for any ad hoc networks on your preferred list. Ad hoc networks are made up of computers sharing their Internet connection when there's not an AP to be found. Keep that in mind because it becomes important when the trouble starts.

Now, let's say you have an ad hoc network in your preferred network list, but it's not around either. You'd think at this point that Windows might ask you about joining any new, but unknown, Wi-Fi APs in the area. Nope. What actually happens is that it will now automatically and silently set up your laptop as an ad hoc Wi-Fi node.

What fun! Now, somewhere out there at some time, people did use "Free Public Wifi" as the name for an ad hoc Wi-Fi network. Chances are that it was to rip people off. We know that it existed because WZC will use whatever the SSID was in your list of preferred ad hoc networks and "Free Public Wifi" keeps popping up.

Now, let's say your system does this, and someone comes along, say in the row behind you at the airport and they go looking for an Internet connection. They can't find one, but they do find your PC advertising itself as an ad hoc wireless network node. So, they connect to you and, ta-da, now their XP system will start advertising itself as an ad hoc node with the SSID of "Free Public Wifi!" And, on and on it goes.

The problem with this is that you're basically inviting the world to come in and network with your computer. Your firewall -- you are using one, right? -- should stop most attacks. Yeah, most attacks. I don't know about you, but I'd rather not invite any potential hacker to paw away at my computer's defenses.

Keep in mind that I'm using "Free Public WiFi" as a common example. I've seen other SSID names being used in the same mistaken way. No matter the SSID name, this is an almost invisible viral infection being passed on from one XP system to another. It could work in Vista and Windows 7. I don't know. I do know, however, it can happen to XP systems because I tried it and, sure enough, my XP laptop 'caught' it.

The answer to this problem is to just avoid using WZC. Chances are your laptop comes with its own Wi-Fi connection software that's been optimized for its particular Wi-Fi chipset.

To stop WZC from doing this you can either turn it off or set it to only use APs. To turn it off once and for all, do a Start -> Run and type in "services.msc". Once in the services display, scroll down to Wireless Zero Configuration and right-click on it to edit it. There, you'll want to turn it off and change its Startup Type from Automatic to either Manual or Disabled.

If you want to keep WZC around, you can stop it from using ad hoc networks -- which isn't a bad idea anyway -- by clicking on the System Tray's Wireless icon and heading to the Wireless Network Connection window. Once there, click on "Change advanced settings," and click on the Wireless Network tab in the Wireless Network Connection Properties window. From here, click on the Advanced button and select "Access point (infrastructure) networks only."

Congratulations! You're now safe from inviting any Tom, Dick, or Harry to visit your PC via your Wi-Fi card.
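
The fallback order and the laptop-to-laptop spread described above, together with the effect of the "infrastructure only" setting, as a small Python model. This is an added example, not code from the article or from Microsoft; the class and function names, the four-laptop row, and the rule that the first remembered ad hoc SSID is the one advertised are assumptions made for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class XPLaptop:
    """Hypothetical model of one WZC client (names are illustrative)."""
    preferred_aps: list = field(default_factory=list)
    preferred_adhoc: list = field(default_factory=list)
    infrastructure_only: bool = False  # the "Advanced" setting in the article
    advertising: str = ""              # ad hoc SSID this laptop broadcasts

    def boot(self, aps_in_range=(), adhoc_in_range=()):
        """Walk the fallback order the article describes; return the outcome."""
        self.advertising = ""
        if any(s in aps_in_range for s in self.preferred_aps):
            return "joined-ap"         # a preferred access point was found
        if self.infrastructure_only:
            return "idle"              # mitigation: never fall back to ad hoc
        if any(s in adhoc_in_range for s in self.preferred_adhoc):
            return "joined-adhoc"      # a remembered ad hoc network is nearby
        if self.preferred_adhoc:
            # Assumption: the first remembered ad hoc SSID is the one advertised.
            self.advertising = self.preferred_adhoc[0]
            return "advertising"       # silently becomes an ad hoc node
        return "idle"

    def user_joins(self, ssid):
        """A manual ad hoc connection is remembered as a preferred network."""
        if not self.infrastructure_only and ssid not in self.preferred_adhoc:
            self.preferred_adhoc.append(ssid)

def spread(row, days):
    """Constructed scenario: each day all laptops boot with no known network in
    range, then users join any ad hoc SSID a neighbour advertises. Returns the
    number of advertising laptops per day."""
    counts = []
    for _ in range(days):
        for laptop in row:
            laptop.boot()
        counts.append(sum(1 for laptop in row if laptop.advertising))
        for i, laptop in enumerate(row):
            for near in row[max(0, i - 1):i] + row[i + 1:i + 2]:
                if near.advertising and not laptop.advertising:
                    laptop.user_joins(near.advertising)
    return counts

def make_row(hardened=()):
    """Four laptops in a line; only the first remembers the ad hoc SSID."""
    row = [XPLaptop(infrastructure_only=i in hardened) for i in range(4)]
    row[0].preferred_adhoc.append("Free Public Wifi")
    return row
```

`spread(make_row(), 4)` returns `[1, 2, 3, 4]`, one more advertising laptop each day; `spread(make_row(hardened={2}), 4)` returns `[1, 2, 2, 2]`, because the laptop set to access points only neither joins nor rebroadcasts the SSID, and the laptop behind it never sees it.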

7 comments

    Anonymous 1 year ago
    We set "infrastructure only" at my place of employment, but the next user to log into the computer needs to be set that way again. Maybe it is controlled higher in the Active Directory tree than I can access. The other thing to be aware of is in a company, sometimes the image used to "ghost" new computers may have already had an ad-hoc connection to "Free Public WiFi" on it.
    Anonymous 1 year ago
    There is a setting in the WZC configuration tool to only connect to preferred networks and not to ad hoc networks or other available networks. I believe, without looking, that the checkbox is labeled "Connect to preferred networks only" and that has been in there as long as I can remember.
    sjvn 1 year ago in reply to Anonymous
    is, by default, any Wi-Fi network you connect with and that includes an ad hoc network you only try the once. Steven
    Anonymous 1 year ago
    Perhaps this behaviour should not have been set as default? You know, the smarter decision?
    Anonymous 1 year ago
    I explained this in 2006 that it's not a bug. http://blogs.zdnet.com/Ou/?p=149 Easiest thing to do is to just force XP to only connect to "infrastructure" via Active Directory Group Policy and that configures every computer in the company.
    sjvn 1 year ago in reply to Anonymous
    The fact that it can be fixed, by both the way you described and the ways I mention, still doesn't take away from the fact that its default is to behave in an unsafe, and somewhat silly, manner. Steven
