AT&T Accidentally Provides Free Wi-Fi To All

SecureThroughObscure writes tells us about a hack broken by MacOSRumors: you can get free Wi-Fi at Starbucks, Barnes & Noble, and other AT&T hotspots if you know how to set your browser's user agent string (trivial on Safari), and know a valid iPhone phone number. ZDNet blogger Nate McFeters gives some more details and links. This can't last.

Security by stupidity.

[LostCluster (625375)]

This actually had some chance of working before it was revealed on /. Afterall, you don't usually publish your iPhone number to strangers, and if they ever caught the same user agent showing upo at two hotspots it'd be trivial to shut them both down. Not the best security idea... but it got the system up until they had to come up with better.

Re:

[Hijacked Public (999535)]

I have no idea how many strangers know my phone number, but all my friends have it and I suspect most of them know I have an iPhone.

And I'm sure AT&T sees thousands of the same user agent running through their hotspots at any given time.

It might last...

[sith (15384)]

Even if every /.'er did this, it still would be a drop in a bucket compared to the number of folks who happily pay the fee.

For example, many pay wifi points can be circumvented just by connecting to a VPN over UDP (since they're only filtering TCP requests). I doubt they're going broke due to that issue though..

Re:

[aliquis (678370)]

Exactly, I can't see why it couldn't last? What's so bad with offering free network connection at some locations? And as soon as one read that people "logged in" by typing in their phone number this was very obvious. I doubt they will care. And it's not like every person on the planet will know about it or care either (as you point out.)

Re:It might last...

[aesiamun (862627)]

Here you go [openvpn.org]

Re:

[rocketPack (1255456)]

Alternatively (for those who don't want to download an extra program):

• - Go to about:config in Firefox
• - Right click/command click in the list and chose New > String
• - For the preference name use "general.useragent.override"
• - Use any value you wish, such as "Mozilla/5.0 (iPhone; U; CPU like Mac OS X; en) AppleWebKit/420+ (KHTML, like Gecko) Version/3.0 Mobile/1A543a Safari/419.3"
• - You can verify your change by going to "about:" in Firefox and reading the information from the page!

Can't help you wi

Staying Power

[whisper_jeff (680366)]

A surefire way to ensure that this hack lasts as long as possible is to keep it super-secret and not let AT&T know they screwed up.

But I'm sure posting the story to slashdot is fine. Nobody reads this site, after all...

Re:

[peragrin (659227)]

If AT&T techies actually read slashdot then they would be smart enough to setup the system with more than just a browser user agent tag and a phone number.

how many systems have been setup that way and then suddenly laughed at?

The other option is why bother? Most people who visit starbucks don't know what a user agent string is, or have enough money that they don't care.

Re:

[irc.goatse.cx troll (593289)]

If AT&T techies actually read slashdot then they would be smart enough to setup the system with more than just a browser user agent tag and a phone number.

How would you set it up then? Assuming the predefined goal is "Allow iphone users free service with no hassle", what would you do if not sniff user agents?

The only way I could think of to do this more 'securely' would be a full network scan to see how their tcp stack behaves, possibly looking at tcp sequence numbers and timestamps to find any quirks.

T

Re:

[aliquis (678370)]

Hey, we read the headlines, eventually the summary and then head on to comment and read comments. It's just TFA we skip ;)

I don't think that's what you meant

[techpawn (969834)]

Accidentally providing free wi-fi to everyone... IF they use this hack to work around... That's not providing ANYTHING. It's not having proper security in place.

SuddenOutbreakOfMoralSense

[AKAImBatman (238306)]

Maybe it's just me, but am I the only one who's sitting here thinking that using this hack is tantamount to stealing service? Hacks for stealing cable service have existed for decades now, and were very much illegal. And why shouldn't they be? Not everything has to be hacker proof. Sometimes it's just about putting a lock on the door and saying, "This doesn't belong to you."

To use a typical Slashdot analogy, the lock on my front door is pretty flimsy and could probably be picked or forced without much effort. Is that an invitation to walk into my house and use my computer?

This also differs from open WiFi points in that open WiFi points have no security. It's difficult for a passerby to tell the difference between an intentionally shared access point and an access point that has accidentally been misconfigured.

Which reminds me, WiFi security is not all that hard to crack. Does that give people a free license to crack their neighbor's WiFi and begin using it without permission?

Re:

[dissy (172727)]

Maybe it's just me, but am I the only one who's sitting here thinking that using this hack is tantamount to stealing service?

No it is not just you. Unfortunately it is still incorrect despite the fact others see it that way too.

Since everyone is different and has different morals, sure, it can easily be morally wrong.
But legally and technically, it isn't wrong at all.

Clearly their service allows iPhones to access for free, and stupidly it asks the users computer if it is an iPhone or not, so lying and saying 'yes' shouldn't be enough for access, but apparently is.

They are just asking the users computer if it is an iPhone, and i

Re:

[mr_matticus (928346)]

It's a violation of the law in all jurisdictions, and finding a jury is a cakewalk. The only person that needs luck is a defendant in finding an attorney who can get him out of it.

"Theft of service" is its own special category. Chances are that AT&T will just fix it to something a little more robust than a user agent string and won't bother to sue anyone about it, unless they just feel like being dicks this month.

Re:

[Mister Whirly (964219)]

So is jaywalking, but the point the OP was making is that it is a rarely prosecuted crime. I have only read about 1 case where someone was actually charged with this before. Not saying it hasn't happened more than that, just that I don't think it is very common.

Re:

[mr_matticus (928346)]

the point the OP was making is that it is a rarely prosecuted crime

No, it's not.

It happens all the time. We're not talking about wardriving or hopping on unsecured wifi. This is bypassing (however easily) access restrictions on a paid service. Also, skipping on restaurant bills, gaming the phone system, and splicing into cable systems are all also theft of service.

Jaywalking, further, in most places is not a crime. It's a citation.

Re:

[Hatta (162192)]

I sort of agree. I'm 100% in favor of letting people borrow open wifi. If it's wide open, the server is giving you permission to use it when you get an IP. But if you have to trick it into giving you an IP, that's not so ok.

But still, having thousands of slashdotters flood their network for a few days seems like the appropriate consequence for AT&Ts negligence. Maybe they won't make the same mistake in the future.

AT&T Intentionally provides free WiFi to all.

[bughunter (10093)]

1 - Put your coffee money in a Starbucks Card.

2 - Take your laptop to Starbucks for a coffee.

3 - Profit!

Re:

[Megane (129182)]

4 - Drink bad coffee!

Free

[jav1231 (539129)]

Frankly, Starbucks should provide WiFi free. It's a great tool for them. Many small shops are doing it and I'd go to one of them before Starbuck's, obviously.

Re:

[qoncept (599709)]

Starbucks should also start charging 1/3 of what they do for their coffee. I don't think either is hurting them much, though.

Also, in my opinion, Starbucks should just go to hell. Aside from the fact that I think coffee is disgusting, my generalization of a Starbucks customer is a person I'd love to punch in the face. I can't decide if I dislike the yuppie small coffee shop goers more or less.

Re:

[Mister Whirly (964219)]

The yuppies ARE the ones that go to Starbucks. Where I live, there are so many small independent coffee shops, no self-respecting person would ever go to Starbucks for coffee.

Also, I think you have some anger management issues. I would tell you to lay off the coffee a little, but...
(I am only jesting here. I generally want to punch yuppies too.)

Re:

[techpawn (969834)]

"The more complicated the Starbucks order, the bigger the asshole. If you walk into a Starbucks and order a "decaf grande half-soy, half-low fat, iced vanilla, double-shot, gingerbread cappuccino, extra dry, light ice, with one sweet-n'-Low, and one NutraSweet," ooh, you're a huge asshole." - George Carlin

What's with the Yuppie hate?

[Blahbooboo3 (874492)]

What is a Yuppie anyway? Someone who has a job and/or business that earns good money after spending a lot of time studing and/or working hard to become successful? Wow, what an awful person!

Oh right, this is Slashdot, where IT folks all work for free for the betterment of society.

Re:

[Slightly Askew (638918)]

Starbucks should also start charging 1/3 of what they do for their coffee. I don't think either is hurting them much, though.

I [msn.com] beg [tmcnet.com] to [google.com] differ [guardian.co.uk].

Re:

[drhamad (868567)]

Maybe they should, but that's their choice, not yours. It's their business decision.

In general, companies are afraid of wifi (and legitimately so, I believe) because it causes people to sit around, NOT consuming things. Sure I might go buy a drink at sbux and sit and read a book for 30 mins or something, but with wireless I'll sit there with that drink for 4 hours. I'm not going to buy more.

Re:

[spiffyman (949476)]

True story. Where I live, WiFi is ubiquitous. It's more shocking to me when a shop doesn't have it. And in the downtown area, there's pretty wide-area coverage. Apparently the city's doing some kind of experiment in conjunction with Cisco.

All this means that I'm spoiled. I suspect a lot of other /.'ers are spoiled, too. And if I've come to expect free WiFi, I most certainly won't go to a shop where they don't have it. On the other hand - and probably more importantly - if I haven't come to expect such a

Re:

[Lemmy Caution (8378)]

That's because the small shops are trying to catch up with Starbucks, and are willing to fill up their tables with people who aren't buying anything to do it.

Having gone to some indie cafes, bought a coffee, looked for a table to sit at, and found nothing but tables full of people sitting at their laptops, not drinking or eating anything, the wisdom of "free wifi for all!" started to seem a little dubious.

Re:

[jav1231 (539129)]

True. But these shops can also say, "hey, buy another cup or you have to go." I think by and large most people are willing to buy a cup of coffee to sit and have wifi (otoh, could they not just pay for the wifi?). Some shops would like to have the people there as a draw.

Re:

[drinkypoo (153816)]

Corollary: a coffeeshop that looks pleasantly busy is more likely to draw business than an empty coffeeshop. Most people have a neurotic need to be around people all the time, or so it seems. Also, a coffeeshop full of laptop users is not a coffeeshop full of people who will bother other customers. So all you have to do is figure out what the sweet spot in population is, and kick out people who don't buy anything, down to that number. If you have half a clue you'll kick out your regulars last and everything

...and a valid iPhone phone number?!

[erroneus (253617)]

Are you kidding me?! I'm not quite creative enough to know exactly what to do with it, but a phone number is like part of a person's identity. Using that as a form of identity in this instance can't be good.

Re:

[Dog-Cow (21281)]

That's a silly view of a phone number. Have you never looked at say, a NY City phonebook? That's a whole lot of "identity" available to the public right there.

... always been free wifi ...

[PC and Sony Fanboy (1248258)]

Maybe its different (okay, it IS different) ... but it is very very very rare to see a café up here in canada that doesn't have free wifi. They limit the bandwidth per connection, and (attempt to) block non http / https requests, but I *never* pay for wifi when I'm at a café ...

It makes you wonder, what the world is coming to... or at least, what is going on in the USA.

Re:

[ColdWetDog (752185)]

Maybe its different (okay, it IS different) ... but it is very very very rare to see a café up here in canada that doesn't have free wifi. They limit the bandwidth per connection, and (attempt to) block non http / https requests, but I *never* pay for wifi when I'm at a café ...

Yeah, you commies. Free this, free that. Gonna kill the economy. How is any multi billion dollar company supposed to make a living? Next thing you'll tell me is that you don't have to pay for things like med

Re:

[PC and Sony Fanboy (1248258)]

yup. free health care. free EEEs too.. Just for opening an account... [rbcroyalbank.com]

I'd have to say that Yup.. canada rocks. We now have the iPhone legally too... but it is way too common for people to just cross the border and buy (and unlock) an iPhone. Seriously. The iPhone has been here so long, it isn't even cool to own one anymore...

what's next

[gEvil (beta) (945888)]

Next you're gonna be telling us how to get free wifi from all those "Linksys" hotspots, aren't you?

Re:

[imamac (1083405)]

I always look for those "belkin54g" hotspots. They're everywhere!

Re:

[SCHecklerX (229973)]

Hey! That's the name of mine at home! Well..the one on the DMZ that redirects all http traffic through a proxy that does interesting things with images, anyway.

How does Starbucks get away with charging?

[swb (14022)]

Here in Minneapolis we have two other chains competing with Starbucks, Dunn Bros. and Caribou, both starting out locally. Both of the competitors offer free Wifi. Caribou's is limited to an hour, but you can circumvent that pretty easily. I don't frequent Dunn Bros. often enough to know what kind of limit they might have.

Many other indie coffee shops, restaurants and other places offer free wifi.

I'm always amazed when I see people sitting in Starbucks using laptops (maybe they're not online) when they co

Re:

[steveo777 (183629)]

Yup, there's Panera Bread and a thousand independent coffee shops with free wifi in the Twin Cities and metro areas. Heck, there are even bars with free wifi. Buffalo Wild Wings has free wifi! I've used it with my iPod touch (usually checking team scores and stats), but I don't think I'd get a lot work done while eating 12 mango habaneros. And I imagine the keys would get coated in wing sauce.

I mostly hit Caribou and anywhere but Starbucks. It used to be because Starbucks had bad coffee, but now it's bec

Re:

[swb (14022)]

Caribou and Dunn Brothers combined outnumber Starbucks in Minneapolis. You can't turn around without finding a Caribou, they seem to have better or more visible locations.

Not a good idea

[MikeRT (947531)]

This sounds like a very simple and stupid way to run afoul of the federal anti-hacking laws. They prohibit you from using surreptitious means of gaining access to a network that you otherwise shouldn't have access to. That sounds like what you would be doing here. While the odds of you getting caught are pretty slim, it would probably be a pretty easy case for the government to take, and with prosecutors always looking for another notch in their belt, why risk it?

Re:

[UnknowingFool (672806)]

I have confirmed it works and surfing right now and . . . hold a sec there's some guys in dark suits wanting to talk-#%$)(*J*&^!@

[CARRIER LOST]

MAC Address

[suggsjc (726146)]

Why couldn't they have just used MAC address (a simple range) filtering? I would guess that there are a few ranges of addresses in use by the iPhones. Even if there was some overlap with other devices, I would think that possibly in addition to a user-agent check would be a lot more secure/efficient.

Re:

[Deagol (323173)]

MAC addresses can be trivially spoofed. There's even a database of MAC ranges for manufactured devices, so you can pick and choose which device to masquerade as on the network.

The real wtf...

[Grelli (98061)]

The real wtf is that the iPhone's number is in the user agent string. How long till that is used to justify an "existing business relationship"?

WIFI is becoming free, anyway

[natoochtoniket (763630)]

I have a friend who owns a small restaurant, selling smoothies and sandwiches. He has internet access from the back office, and uses it to communicate with vendors.

He doubled his breakfast and lunch business over the last few months by putting up a wireless router and giving away wifi access. The sign says "with any purchase" but there is no easy way to implement that, so he just leaves it unsecured. Most people buy something anyway.

It costs him almost nothing, and helps to sell food by making the location more welcoming to his customers. It won't take very long for other small food and beverage businesses to catch on.

It's kind of like "air conditioned" businesses used to be. Fifty years ago, air conditioning was unusual. But customers liked it, so the businesses that had it got the customers. Now, every business has it. The only real difference is that wifi is a lot cheaper to provide.

Outrageous!

[hacksoncode (239847)]

Apple should demand that iPhone users not give their phone number to other people because they might abuse this!

Errrr...

Re:

[imamac (1083405)]

Twelve dollars?!?!?!?? Are they having a special sale??

Re:

[Hijacked Public (999535)]

I don't recall the company names, but lately I've been finding that a lot of places advertising 'Free Wi-Fi' restrict access to 'partner' sites. To receive unfettered access to the tubes you have to pay.

A couple of months ago I tried to connect through a Starbucks and took away that impression, but they could be pay all the way now.