March 5th, 2010

A Viral SSID

First of all, you can stop worrying about me--Carol and I took an intense week-long trip to Chicago tending to family business, and I just couldn't summon the energy to post while I was there.

But I was reminded of an interesting thing on the trip home, while we waited at the gate for our plane at O'Hare. I opened my new laptop to check for connectivity, and in addition to the airport's Boingo network, I saw the oft-encountered but poorly understood "Free Public WiFi" SSID. I've seen that SSID in airports on almost every trip I've taken in the last three or four years, well aware that it's not anything like free connectivity. I've always assumed that it was a virus running on somebody else's close-by laptop, because it's not an infrastructure node like an access point, but an ad-hoc (peer-to-peer) node instead.

Well, it is a virus, but one of a truly fascinating sort. And that may be a little unfair. It's not malware in the sense of adverse execution on the machine, but a consequence of some Windows foolishness in XP and (possibly) more recent versions. The "Free Public WiFi" SSID spreads virally without the help of anything except Windows itself. I never completely understood the mechanism until I looked it up yesterday. There's a great writeup here, and I'll summarize:

Wireless Zero Configuration (WZC) is the part of Windows that manages Wi-Fi connections. When enabled, it will do the following when the machine is booted:

  1. It looks to see if one of your preferred network SSIDs is present in the list of detected infrastructure networks, and will connect if present. Failing that,
  2. It attempts to connect "blind" to infrastructure networks on your preferred list that are not detected, to cover the possibility that your network's SSID beacon is disabled. This is the Wi-Fi implementation of "security by obscurity," and no one really uses it anymore. Having failed to connect to a hidden infrastructure node,
  3. WZC will look to see if one of your preferred network SSIDs is present in detected ad-hoc networks, and will connect if it finds one.
  4. Now the weirdness begins: If none of your preferred network SSIDs is present as an ad-hoc node, and if there is an ad-hoc SSID in your preferred networks list, WZC sets your system up as an ad-hoc network with the first ad-hoc SSID it finds in your preferred list.

Hoo-boy. Read that again: If you've ever connected to an ad-hoc node and no networks in your preferred list are available, your machine becomes an ad-hoc node. This may not be the worst wireless idea ever, but it's right up there. Basically, you've opened a door to your machine, and (depending on your firewall situation) if somebody connects to your laptop through the ad-hoc node that WZC has created, they can browse your shares.

It didn't take malware to make this happen. Windows did it all by its lonesome. Here's a likely scenario explaining why this SSID is so commonly seen in airports:

  1. Somewhere, somewhen, there was a mesh (peer to peer) network named "Free Public WiFi." It was probably legitimate. I don't like mesh networks for various technical reasons, but they have their uses, and there's nothing necessarily scurrilous about them.
  2. An XP user logs into this original "Free Public WiFi" network and connects to the Internet. The SSID is added to their preferred networks list as an ad-hoc node, where it remains. When finished using the mesh network, the XP user breaks the ad-hoc connection and life goes on.
  3. Later on, which could be months or even years, the same user ("User #1") goes to an airport and while waiting for a plane, boots his or her laptop to do some local spreadsheet work. No connectivity is found, so Wireless Zero Configuration happily establishes an ad-hoc node called "Free Public WiFi."
  4. A nearby XP user ("User #2") boots a laptop, looking for connectivity. He or she sees "Free Public WiFi" as an available network, and (naively) clicks to connect. An ad-hoc connection is established to User #1's laptop. Nothing happens, since neither user is connected to the Internet. However, the "Free Public WiFi" SSID is added to User #2's preferred networks list. User #2's plane eventually comes in, and he or she shuts down the laptop, disappointed that no free connection was found.
  5. Later on, User #2 is again at an airport and boots the laptop. WZC establishes an ad-hoc node, and this time, two users see the "Free Public WiFi" SSID and connect. Again, nothing either good or bad happens, but the "Free Public WiFi" ad-hoc SSID is added to the preferred networks list of both User #3 and User #4.
  6. User #3 and User #4 (neither of whom has any idea what's going on) boot their laptops at other airports, or at conference centers, or some place where laptops tend to congregate. Similarly naive users connect, looking for a free Internet connection, and add "Free Public WiFi" to their preferred networks list.
  7. Contagion continues, as road warriors spread the SSID as explained above.
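To make the two lists above concrete, here is a small Python model I've added (it is not code from the post or from Windows) of the four WZC boot steps and of the airport scenario: each laptop carries a preferred-network list of (SSID, mode) pairs, a gate with no access point is booted one laptop at a time, and an idle user "clicks" the first ad-hoc SSID in view. The laptop names, the "HomeNet" entry and the click-to-connect behaviour are constructed assumptions; `harden` models the post's fix of keeping only infrastructure entries.

```python
from dataclasses import dataclass, field
INFRA, ADHOC = "infrastructure", "ad-hoc"
VIRAL = "Free Public WiFi"   # the SSID from the post

@dataclass
class Laptop:
    name: str
    preferred: list = field(default_factory=list)  # (ssid, mode), priority order

def wzc_decide(laptop, visible):
    """Steps 1, 3 and 4 from the post; step 2 (blind hidden-AP probe) always fails here."""
    for ssid, mode in laptop.preferred:              # 1: preferred AP in range
        if mode == INFRA and visible.get(ssid) == INFRA:
            return ("connect", ssid)
    for ssid, mode in laptop.preferred:              # 3: preferred ad-hoc in range
        if mode == ADHOC and visible.get(ssid) == ADHOC:
            return ("join", ssid)
    for ssid, mode in laptop.preferred:              # 4: nothing found, but an
        if mode == ADHOC:                            #    ad-hoc entry is remembered:
            return ("host", ssid)                    #    this machine becomes a node
    return ("idle", None)

def boot_at_gate(laptops):
    """Boot each laptop in turn at a gate with no AP; idle users click any ad-hoc SSID."""
    visible = {}                                     # SSID -> mode currently in the air
    for lp in laptops:
        action, ssid = wzc_decide(lp, visible)
        if action == "host":
            visible[ssid] = ADHOC
        elif action == "idle":
            for seen, mode in visible.items():
                if mode == ADHOC:                    # naive "click to connect":
                    lp.preferred.append((seen, ADHOC))  # SSID now remembered as ad-hoc
                    break

def carriers(laptops):
    """Laptops that will host the SSID the next time they boot with nothing in range."""
    return sorted(lp.name for lp in laptops if any(m == ADHOC for _, m in lp.preferred))

def harden(laptop):
    """The post's fix: keep only infrastructure entries, so step 4 can never fire."""
    laptop.preferred = [(s, m) for s, m in laptop.preferred if m == INFRA]
    return laptop

def simulate():
    u1 = Laptop("User1", [(VIRAL, ADHOC)])           # once joined the original mesh
    u2, u3, u4 = (Laptop(n, [("HomeNet", INFRA)]) for n in ("User2", "User3", "User4"))
    boot_at_gate([u1, u2])        # User1 hosts; User2 clicks and picks up the SSID
    boot_at_gate([u2, u3, u4])    # User2 now hosts; User3 and User4 pick it up
    return carriers([u1, u2, u3, u4])
```

After two gates all four laptops are carriers, and a hardened laptop stays idle at an empty gate instead of becoming an ad-hoc node.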

Although malware isn't involved, this is far from harmless, since an ad-hoc connection is a door to your machine. Your firewall will probably stop any shenanigans...if you have it working and configured correctly. Some people won't.

Note well that this only happens if your system has the WZC service running. If you have vendor-specific software installed to manage your wireless subsystem (as all newer Dell laptops do) this craziness won't occur. Only if Windows and WZC are in charge of wireless are you vulnerable. The solution? Limit your connections to infrastructure networks. There's a step-by-step at the end of this article.

Other such viral SSIDs exist; I've seen "hpsetup" and "default" myself, and others have been reported. Any ad-hoc network SSID can go viral with the help of Windows Wireless Zero Configuration. The "hpsetup" SSID was "contracted" from certain HP printers that connect to laptops via ad-hoc connections. I've only confirmed this on XP; the issue may have been resolved with Vista and 7. It's a fascinating example of unintended consequences in system design, and should become a textbook case in CS coursework. (Why don't I think that this will ever happen?)