[Tfug] Fraudulent airport WiFi

Adrian choprboy at dakotacom.net
Mon Jul 3 13:22:48 MST 2006


On Monday 03 July 2006 11:50, Angus Scott-Fleming wrote:
[snip]
> OK, I give up, how did you spot it? Both the "tmobile" cells are 
> Cisco gear and are "managed", so it's probably not them.  I didn't 
> find a manufacturers cross-ref for the MAC addresses for the three 
> "Ad-Hoc" units.  
> 

Hehehe... yep, of the 5 access points scanned, 3 are fraudulent (I was 
actually looking for a 6th "npwireless.com", which I couldn't quite get where 
I was sitting). The 2 cells "tmobile" are the T-Mobile hotspots (pay-per or 
on your cell account), the other 3 came and went as I sat in the airport.

Some of the clues in the data:
          Cell 01 - Address: 02:0E:35:00:29:FB
                    ESSID:"Free Public WiFi"
                    Mode:Ad-Hoc

          Cell 03 - Address: 2E:BD:F0:9F:A3:0B
                    ESSID:"Verizon Wi-Fi"
                    Mode:Ad-Hoc

          Cell 05 - Address: FA:CC:1D:44:C5:1E
                    ESSID:"Comcast Broadband"
                    Mode:Ad-Hoc

As you said, the biggest tip-offs are the Ad-Hoc mode and the MAC addresses. 
The "Free Public WiFi" and "trusted" names also tend to scream "come abuse 
me". First, all 3 are running Ad-Hoc mode, not something a normal access 
point would do (the "Free Public WiFi" came up first, followed ~5min later by 
"Verizon" and "Comcast" at about the same time). The first MAC address, 
02:0E:35:00:29:FB, is in fact valid, but IEEE seems not to have updated their 
online OUI database in the last year (current assignments are in the 02:xx:xx 
range). The OUI 02:0E:35 is, from what I can tell, assigned to DLink, mostly 
used in their G604T DSL modem w/wireless and a few DLink 802.11G PCMCIA 
cards.

The second 2 are completely fraudulent. Cell 03 (OUI 2E:BD:F0) has not been 
assigned and is well outside the current MAC registration range. Likewise, 
Cell 05 is even farther outside of the registration range.

In addition, all 3 were running Windows APIPA addresses, 169.254.x.x/16 (all 3 
had the same address in fact), with the "access point" periodically spitting 
NetBIOS announcements of itself. Unfortunately... the person running the 
machine appeared to have screwed up their routing. I couldn't get either of 
the "access points" to route packets properly and none were issuing DHCP 
responses.

Adrian
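The two tip-offs Adrian lists (Ad-Hoc mode and BSSIDs that match no vendor OUI) can be checked mechanically from an `iwlist <iface> scan` listing, and the second check needs no OUI database at all: the second-least-significant bit of the first octet is the IEEE "locally administered" (U/L) bit, and 02, 2E and FA all have it set, which is why no manufacturer cross-reference turns them up. That is also the expected shape of an IBSS BSSID, since the station that starts an ad-hoc cell generates a random locally-administered address for it, so the flagged address is the cell's identifier rather than the laptop's hardware MAC. The script below is an added example, not code from the post or the list; the sample listing is constructed in iwlist's layout using the three Ad-Hoc cells quoted above plus two made-up "tmobile" cells with a placeholder OUI (00:1A:2B, not a vendor claim), and the "free"/"public" name heuristic is my own assumption.

```python
import re
from dataclasses import dataclass, field

# Constructed sample in the layout of an `iwlist <iface> scan` listing. Cells 01,
# 03 and 05 are the addresses quoted in the post; cells 02 and 04 are made up
# (placeholder OUI 00:1A:2B, globally administered, no vendor implied).
SAMPLE_SCAN = """\
wlan0     Scan completed :
          Cell 01 - Address: 02:0E:35:00:29:FB
                    ESSID:"Free Public WiFi"
                    Mode:Ad-Hoc
          Cell 02 - Address: 00:1A:2B:11:22:33
                    ESSID:"tmobile"
                    Mode:Master
          Cell 03 - Address: 2E:BD:F0:9F:A3:0B
                    ESSID:"Verizon Wi-Fi"
                    Mode:Ad-Hoc
          Cell 04 - Address: 00:1A:2B:44:55:66
                    ESSID:"tmobile"
                    Mode:Master
          Cell 05 - Address: FA:CC:1D:44:C5:1E
                    ESSID:"Comcast Broadband"
                    Mode:Ad-Hoc
"""

CELL_RE = re.compile(r"Cell\s+(\d+)\s+-\s+Address:\s*([0-9A-Fa-f]{2}(?::[0-9A-Fa-f]{2}){5})")
ESSID_RE = re.compile(r'ESSID:"([^"]*)"')
MODE_RE = re.compile(r"Mode:(\S+)")

# Assumed heuristic: lure-style names; the post singles out "Free Public WiFi".
LURE_WORDS = ("free", "public")


@dataclass
class Cell:
    number: int
    bssid: str
    essid: str = ""
    mode: str = ""
    reasons: list = field(default_factory=list)


def parse_iwlist(text):
    """Parse the Cell/Address/ESSID/Mode lines of an iwlist scan into Cell objects."""
    cells = []
    for line in text.splitlines():
        m = CELL_RE.search(line)
        if m:
            cells.append(Cell(int(m.group(1)), m.group(2).upper()))
            continue
        if not cells:
            continue  # header lines before the first cell
        m = ESSID_RE.search(line)
        if m:
            cells[-1].essid = m.group(1)
            continue
        m = MODE_RE.search(line)
        if m:
            cells[-1].mode = m.group(1)
    return cells


def is_locally_administered(mac):
    """True if the U/L bit (0x02 of the first octet) is set, i.e. not a vendor OUI."""
    return bool(int(mac.split(":")[0], 16) & 0x02)


def oui(mac):
    return ":".join(mac.split(":")[:3])


def assess(cell):
    """Attach the indicators a defender would flag for one cell; returns the cell."""
    cell.reasons = []
    if cell.mode.lower() == "ad-hoc":
        cell.reasons.append("Ad-Hoc (IBSS) cell, not an infrastructure access point")
    if is_locally_administered(cell.bssid):
        cell.reasons.append(
            f"BSSID OUI {oui(cell.bssid)} has the locally-administered bit set; "
            "it is not an IEEE vendor assignment, so no OUI lookup will match")
    if any(w in cell.essid.lower() for w in LURE_WORDS):
        cell.reasons.append(f'lure-style ESSID "{cell.essid}"')
    return cell


def flagged_cells(text):
    """Return {cell number: [reasons]} for every cell with at least one indicator."""
    return {c.number: c.reasons for c in map(assess, parse_iwlist(text)) if c.reasons}


if __name__ == "__main__":
    for num, reasons in flagged_cells(SAMPLE_SCAN).items():
        print(f"Cell {num:02d}:")
        for r in reasons:
            print(f"    - {r}")
```

Run against the sample, cells 01, 03 and 05 are flagged on both the mode and the U/L bit (cell 01 additionally on its name) while the two Master-mode cells with a globally administered OUI produce nothing; a real OUI lookup is only worth doing for addresses that pass the U/L check.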
