Windows Wireless Networking Flaw Identified
An anonymous reader writes "Washingtonpost.com is reporting from the 2nd annual Shmoocon hacker conference about the release of a previously undocumented vulnerability in Windows. The flaw takes advantage of a feature on Windows laptops that have wireless cards built-in. Security researcher Mark Loveless found that Windows laptops which cannot find a wireless connection are configured to broadcast the name of the last SSID they associated with. They assign themselves an ad-hoc 'link local' (think 169.254.x.x.) address, and an attacker can configure his machine to broadcast an SSID of the same name. Thus, the attacker associates with that 'network' and communicates directly with the victim's machine. The funny part from the Post blog entry is that Microsoft helped author the RFC for link local."
That's cool (Score:3, Funny)
Damn!!!! (Score:4, Funny)
Should be standard on all laptops and desktops (Score:5, Interesting)
Best advice in the article...
Re:Should be standard on all laptops and desktops (Score:5, Funny)
Re:Should be standard on all laptops and desktops (Score:4, Informative)
Run a properly configured firewall on all your computers. Do not use services that do not require authentication or base their authentication off of IP subnets.
Re:Should be standard on all laptops and desktops (Score:2)
I have noticed this many times where my PC thinks some random access point is around, and says so, even when there clearly is none at all. It's quite odd.
Re:Should be standard on all laptops and desktops (Score:3, Informative)
Don't panic (Score:5, Insightful)
FTA
First of all, if you are running any kind of network firewall -- including the firewall that comes built in to Windows XP -- you won't have to worry about some stranger connecting to your laptop. In fact, I had to shut down my firewall for both of us to successfully conduct our test.
It's one of those "if you have no firewall and ignore all the alerts and warnings and have file sharing enabled and have a wifi card set to auto DHCP and an attacker is targeting you specifically" flaws.
Yawn, seems like much ado over nothing. You have more chance of dropping and breaking your laptop than you have of being exploited by this "flaw", and if you go to Starbucks (and support their disgusting business model) you deserve everything you get.
Re:Don't panic (Score:3, Insightful)
I don't think that's a requirement - couldn't a guy just listen for all SSID broadcasts and then connect to whatever PC he manages to fish?
Re:Don't panic (Score:2)
Re:Don't panic (Score:2, Insightful)
It's one of those "...they can make your connection pass through a 'transparent' proxy logging everywhere you visit, capturing a copy of e-mail in transit over plaintext protocols, and possibly modifying a file you download..." flaws.
Think you're downloading something from your OS vendor? (Silent file replacement by a hacker attached to the Wireless Access Point).... Oops!
Riiiiiight... (Score:2)
You're sitting in your local coffee shop and someone is there listening for signals... they connect to your machine, install a VBScript that runs periodically and attempts delivery of a payload to any machines available on whatever network you connect to. Or perhaps one that simply puts an e-mail in your ou
Re:Don't panic (Score:2)
That's the problem with most people's view of security. If there's
Encryption? (Score:5, Interesting)
Re:Encryption? (Score:3, Insightful)
What difference does it matter?
This would have to be a direct targeted attack on an individual or small group of individuals, but is still possible.
Script kiddie situation:
Sets up a rogue WAP, and gives a free internet connection to the laptop. All SSH and SSL or other encrypted channels go through the free WAP.
Advanced script kiddie situation:
Sets up rogue WAP, and gi
Re:Encryption? (Score:2)
You're right about the Man-in-the-Middle SSL attacks [crimemachine.com]; getting your username and password is just the beginning, but it's a damn good start.
Security? (Score:5, Funny)
Re:Security? (Score:3, Informative)
netstumbler + usb wifi (better reception) in any residential area will show you how little people know/care.
As for your PC connecting to a network other than the one you want, you can tell Windows which networks are "preferred" and they can be placed in order of preference.
right-click on the network icon ---> status ---> properties ---> wireless networks ---> (the "
Re:Security? (Score:2)
Re:Security? (Score:2)
Re:Security? (Score:5, Funny)
I bought a new wireless card for Christmas. I was working on getting the madwifi stuff working in Debian and I decided not to set up my AP until I had my wireless card working. Besides, I'm a n00b to wireless under Linux so I wanted to take appropriate precautions.
I got the card working, and iwlist brought up two APs in my neighborhood. One named "simpsons" and one named "zr45ytg" or something similar with WEP enabled. Not being 1337, I left the WEP one alone (for now) and decided to hop onto simpsons. As you can probably guess, I was given a private IP and internet access. A quick nmap showed two Windows machines connected; using smbclient I found an open printer share.
Digging further, I tried to log into the AP itself. Linksys WRT54G with, you guessed it, default passwords. Oh, let the fun begin! I changed his SSID to "0wn3d" and sent the relevant sections of the Linksys WRT54G manual to his printer. This guy now should know how to set up WEP and change his admin password. He should also notice that his SSID changed.
One week later, still broadcasting an SSID of 0wn3d, no WEP, and default admin password. Either he didn't get the message or he's illiterate. Oh well, free internet for me!
Re:Security? (Score:3, Funny)
Try printing that out and see if he doesn't notice.
Re:Security? (Score:5, Insightful)
If you're capable of doing that, why didn't you just print off something telling him his network was unsecured, include your phone number and offer to go over and sort it out for him? Let me guess, you're about 13 years old?
I'm unfortunate enough to have one of those WRT54G access points, and due to a hardware flaw I can't run it with WEP *OR* WMA *OR* MAC filtering. I need to get a replacement, but right now I don't have the time to sort it out. So it's unsecured (but I did change the admin password.)
What you need to do is try to help other people, rather than lord it over them. This is why anyone that works in IT is treated like shit, because end users assume we hate them and won't do anything to help.
Get a life, and to hell with my karma.
Re:Security? (Score:2, Interesting)
Printing your name and phone number is just as wrong as printing instructions for securing the network, and is way dumber. There are lots of people in the world who are going to consider this an intrusion, and report it to law enforcement. Do you really want a visit from the police as thanks for your "helpful" offer?
If you find an open network, leave it alone. If yo
Re:Security? (Score:2)
Re:Security? (Score:2, Insightful)
Last time I checked, you have no right to be on a network (wired or wireless) unless you have been explicitly granted permission by a person in a position of authority over said network. Just leaving the network open is not a grant of permission.
Re:Security? (Score:2, Interesting)
> WTF are you smoking? how the hell can you conclude that leaving a network open creates an implied "use me" policy?
If things like public municipal WiFi are to take off, we can't have that point of view.
Let's say I'm the city of Philadelphia and I want to put free WiFi in the parks. If there's a legal precedent that says you're not allowed to use WAPs you stumble across, then this idea will never take off.
Or what if we want WiFi to become a truly open broadcasting medium? What if I want to stre
Re:Security? (Score:3, Informative)
A private house with an unlocked door - Not free and open for use, stay the hell out.
An AP that is meant to be open is fine. That's what the owners/administrators intended. A private AP in someone's house is not necessarily open for all to use. It may be, if that is what the owner intends. But just because it is unsecured is not necessarily an invitation or permission to use it.
Re:Security? (Score:2)
When you broadcast your messages onto my property, does that not change things? If I simply fail to discard the messages you send within earshot, am I at fault? Yes, passive listening is different than active communication, but if we can listen, and you can broadcast messages from your private property to my private property without a problem, why can I not respond?
Re:Security? (Score:2, Informative)
If your neighbor calls out to his kids in the yard that it's dinner time, and you can hear him from your yard, would you show up at his table ready to eat? After all, "it was a clear invitation for dinner broadcast into your private property", right? Your neighbor wasn't speaking in code, and his door was unlocked too.
Perhaps your neighbour ought to install some so
Re:Security? (Score:2)
Re:Security? (Score:2, Informative)
I can smell you smoking out in my back yard... I guess I'll come over and take away some of your cigs to smoke.
Light straying from your living room is entering mine... I guess I'll read my newspaper in your living room.
You are watering your grass and it is leaking into my yard... I guess I'll use your hose to water my grass.
tr
Re:Security? (Score:3, Insightful)
That involves you going to get something, trespassing on your neighbour's property at the same time. Wireless is sent to you, in your house. Not the same at all. It would be closer to you being allowed to sit at your window and smell your neighbour's cooking to your heart's content. The smell is being "broadcas
Re:Security? (Score:2)
RTFA - Nothing to See . . . Move Along (Score:5, Insightful)
This isn't just an MS Windows flaw . . . it is a flaw in the way that the administrators (users) manage the machines.
I wish you all would quit pointing fingers. This isn't some kind of new thing.
Re:RTFA - Nothing to See . . . Move Along (Score:5, Insightful)
Re:RTFA - Nothing to See . . . Move Along (Score:2)
But how is this behaviour a flaw anyway? I don't get it.
Re:RTFA - Nothing to See . . . Move Along (Score:2)
This is another stupid mis-feat
Re:RTFA - Nothing to See . . . Move Along (Score:2)
Dino and K2 demonstrated this and some other fun quirks that can be abused in the Windows WiFi selection process (including getting a Windows laptop to associate without WEP even if it's supposed to be on). I can't find the slides handy, but here's a summary:
http://blog.ncircle.com/archives/2005/05/cansec_west_day_3.htm [ncircle.com]
What?! NO! (Score:3, Funny)
I'm sorry, this is old info (Score:4, Informative)
String quartet? (Score:4, Informative)
Violin! Cello!
Seriously, though, TFA doesn't seem to say quite the same thing as the summary. The demonstration the reporter saw involved him setting up an ad-hoc network, and then the security researcher was able to connect to it. Err... that's how it's supposed to work.
The article then goes on to assume that this will happen when you connect to access points and then leave them, but you don't usually set up an ad hoc network for that process. Has he just got something wrong? Missed a step out or something? Is there a URL for a technical level article on this flaw?
Should you at a later date happen to open up your laptop in the vicinity of another Windows user who also had recently gotten online at Starbucks, those two machines may connect to each other without any obvious notification to either user
You mean other than the big speech bubble thing popping up and saying "Wireless Network Connection now connected to T-MOBILE"?
Useless functionality.. (Score:3, Insightful)
This is a common security problem: useless or rarely used functionality. As I've said before, functionality sells whereas security doesn't. Spend a million dollars on functionality and you (hopefully) get a product that can sell for more money. Spend a million dollars on security and you have almost nothing tangible to show for it.
Before this article, I didn't even know that "link local" thing existed. I'm guessing that this is probably quite representative of the Slashdot crew. The question, then, is why on earth is it on by default and why is it even there in the first place?
This is not just a Microsoft issue, this is an issue that applies to nearly every computing project. I was recently playing with Knoppix and two things struck me:
My parents got a new HP computer a month or so ago and I've just gotten round to doing a proper security shake-down on the XP box. I was surprised to find the Python runtime on the computer. Most of you would say, so what? Or perhaps even applaud HP for doing this. From a security perspective, I think it's downright silly. What possible use could my parents have for the Python runtime? Absolutely none. They'll be running Open Office, Gmail and iTunes till the cows come home, so all this does is open another vector for attack. Don't install stuff on computers that your customers will likely never need.
Of all the pieces of software out there at the moment, Windows XP is the most frustrating. In terms of security, XP should completely out-class Linux/Unix in every metric of measurement. Instead, it's the most disease-ridden piece of shit ever conceived by humanity. It's a shame because it could have set a really high standard for everybody in the industry, but through a choice of poor defaults they condemned their own product to be a liability to CTOs everywhere. If they'd had some sense, they would have chosen defaults like this:
I haven't got any figures on how many viruses/malware this configuration would stop but I imagine it's somewhere in the region of 99%. If Microsoft had taken the time to consider the platform in a more paranoid sense they could have produced a product of barn-storming quality. Instead, they listened to the marketing people and we all know what result that led to.
Simon
Re:Useless functionality.. (Score:2)
I'm not disagreeing with you in general, but on that point, I can definitely see why they'd leave it on by default.
Re:Useless functionality.. (Score:4, Insightful)
If ActiveX was off by default, how would people use Windows Update?
Simple! Change Windows Update! Why should Windows Update be a web application anyway? Actually, it's damn scary that it's a web application. Doesn't it strike you as odd that a web application can so thoroughly inspect your system to determine your patch level on a whole host of products?
There is no excuse for ActiveX being on by default and the proof of Microsoft's commitment to security will come with the launch of Internet Explorer 7. If it's still on by default in their latest version then we know their grand security initiative was nothing but hot air.
Simon
Re:Useless functionality.. (Score:2)
I'm not entirely sure that it is. The service must be running for the updates to happen.
Re:Useless functionality.. (Score:2)
Actually, they wouldn't have to do anything. Enable automatic updates by default, and let automatic updates take care of everything. The people savvy enough to use Windows Update can probably enable ActiveX for microsoft.com.
Re:Useless functionality.. (Score:2)
In the absence of that, you can run Windows/Microsoft Update by
- going to zone security
- turning off download/run ActiveX controls in the Internet zone
- going to the trusted zone and marking it as medium security, with prompted ActiveX enabled. [Why does the trusted zone exist? Is there some web site you really trust to install unsigned ActiveX?]
- turning off "require https" for trusted sites, and adding *.microsoft.com
Re:Useless functionality.. (Score:2)
However, more interesting is that both of these features/configurations can pretty easily be put into XP via windows update, yet MS has just about ZERO motivation to. They are probably clapping their hands wildly with all the holes being mentioned as it will be a motivating factor for p
Re:Useless functionality.. (Score:2)
Just because it doesn't run in a regular IE window, doesn't mean it isn't a web application that's running in IE. Here, take a look at these:
http://www.informanews.net/imagenews/avant-browser.jpg [informanews.net]
http://www.zdnet.com.au/shared/images/tandb/avant_546x437.jpg [zdnet.com.au]
http://www.softpedia.com/screenshots/Avant-Browser_2.png [softpedia.com]
Do any of those look like Internet Explorer? No? T
Re:Useless functionality.. (Score:2)
If you've checked and researched into this, fine, but surely you can understand my initial skepticism.
Re:Useless functionality.. (Score:3, Insightful)
Re:Useless functionality.. (Score:2)
Furthermore, it would be totally unrealistic to ship IE with no ActiveX support, just like you would never want Firefox with no Plugin or Extension support -- too much useful stuff plugs into the browser.
However, what MS could do is completely remove the Package Download & Install feature. You could still go to Windows Update (etc), but you would need to install the WU software f
Re:Useless functionality.. (Score:2)
With Windows XP you'd have the "autoupdate" and "bits" services running all the time, and you'd have automatic updates set to download and install updates automatically. No need to browse to http://windowsupdate.microsoft.com/ [microsoft.com] - just click "yes to reboot now" when prompted.
This is what MS intended, and for someone with no idea what updates are (never mind what a particular update is for), it probably makes sense - same as it makes sens
Re:Useless functionality.. (Score:2)
Lose a million dollars, and you wish you had done things differently.
Security is directly proportional to the stuff you are securing. I don't put a chain and padlock on my wallet, because it is rare that there is $50 in it, and my drivers license and work IDs are more valuable than that to me.
When the Brinks truck comes by work to pick up and deliver the cash to the bank, they have a big strong truck and a guy or two w
Re:Useless functionality.. (one more thing) (Score:2)
My house has glass doors and windows (not Microsoft).
If someone really wanted to steal my stolen music, they could easily take my whole computer and stereo while I'm at work. More risky if caught, because I'd fuck their world up. But it's certainly easier than breaking into my Mac via the network. And more profitable because they either get a nice computer, or can sell it for at least $1k.
Re:Useless functionality.. (Score:2)
So who do we approach building a GPC OS. With MS it is putting all the functionality at the OS level so that users can have guaranteed access, and then work to secure the system. On *nix, it is have a large group of utilities, install
Re:Useless functionality.. (Score:2)
yeah, they've got about 95% of the OS market and, what, 80% of the desktop W/P, spreadsheet and presentation software markets. Record profits every year without fail. Bill Gates has so much money he's pitch-forking it at deserving causes as fast as he can go, and still gets ric
Re: (Score:2)
Re:Useless functionality.. (Score:2)
Electronic Arts is particularly bad at that. They produce software that not only requires Admin rights to RUN, but interferes with Antivirus software. Back when I used to run Norton, The Sims would crash on loading. The official answer from EA's Tech Support? Disable Norton and try again. Funnily enough, it works. Now, a company like EA which produces games, has a responsibility to provide
Connecting to a network is a vulnerability now? (Score:5, Interesting)
Re:Connecting to a network is a vulnerability now? (Score:2)
Re:Connecting to a network is a vulnerability now? (Score:2)
Re:Connecting to a network is a vulnerability now? (Score:2)
Re:Connecting to a network is a vulnerability now? (Score:3, Informative)
It's a foot in the door. (Score:3, Informative)
Yes. Windows trusts the network. Think Active Directory. If you can trick a Windows machine into thinking you are on its network, it will happily let you be its partner (or maybe even its server) on that network. Though you probably can't trick it into being an AD client right off, you can find out all kinds of things about it, such as any shares it has open.
Possible Solution (Score:2, Informative)
Re:It's a foot in the door. (Score:2)
No it doesn't (Score:2)
As for the AD thing, it's clear you are confused. Windows do
Re:It's a foot in the door. (Score:2)
Correct me if I'm wrong, but "anonymous connections" have been disabled in recent versions of Windows
Re:Connecting to a network is a vulnerability now? (Score:2)
Ad-hoc networks vs link-local (Score:4, Insightful)
What we have here is that, in addition to doing this, Windows is also offering to set up an ad-hoc (i.e. computer-to-computer) network on the link-local subnet with the same SSID as that of the last network the laptop connected to. I wonder what the rationale for doing this could have been. It seems to me that a machine should not offer to set up an ad-hoc network unless specifically directed to do so by the user. When such a network is set up then it is appropriate to use link-local addressing to auto-configure the interface.
large violins (Score:3, Funny)
Good to see that technology journalists are so enthusiastic about orchestra instruments.
Err...vulnerability? (Score:5, Insightful)
connected to a network.
This is such a complete non-issue, it's like a freaking joke. Read the article - all a hacker might gain from this vulnerability is the ability to connect to your computer, as if it was still on a wireless network, after you've moved outside the range of an access point. Big deal. But the author and "discoverer" both talk about it like this is a remote root exploit or something. At one point, the author includes this little gem: "As Loveless pointed out, this 'feature' of Windows actually behaves somewhat like a virus." Virus, my ass.
What's with all the foaming-at-the-mouth hype about these minor little things lately? It's counterproductive - going berserk over every slight issue that might, in some fantastic combination of circumstances, be a security problem takes away attention from flaws that actually matter.
Not really that funny (Score:3, Interesting)
I really don't see how MS helping to author a useful RFC is funny, or even relevant. What's funny is that someone at MS somehow thought it would be a good idea to open up a system to the entire world, since it's clearly a thinking flaw as opposed to the usual QA flaw.
Speaking of thinking flaws, how about this one: If a laptop running XP has wired and wireless connections going, XP asks the user if they want to share their connection. User clicks 'yes'. XP bridges wired and wireless for them. XP also broadcasts on both sides that it will be a gateway for other systems running XP (via netbios-over-ip, IIRC). Those systems get on board, and make that computer their default gateway.
Then the computer 'sharing' its connection, and all its 'victims' are suddenly very slow. There never seemed to be a straightforward way to prevent the other XP computers from making the dual-connected XP system their default gateway. If you manually change the default gateway on the victim systems, they just switch back to the dual-connected XP box. I don't know if XP still does this, but talk about stupid.
Seriously, who the hell thinks this kind of thing up? Do they have brain stem storming sessions or something?
HELP! NIC works as intenden1?!!?!?!!? (Score:5, Funny)
i have heard of an even worse vulnerabelity! if you hack yuor micthorwave oven to have teh door open it will JAM MY 80211 packets!!?!!?!!?!?!?!!?!
Also risk of cooking!
tell steve gibson of GRC he will save us
And an attacker on my ad-hoc... (Score:2)
Packets are packets. This article should have been titled, "DANGER: WiFi at Hotels and Starbucks are safe, ad-hocs are not."
Is this really that big of a flaw? (Score:2)
If you're running windows firewall, I think you'll be all right. Unless you have other security problems already, this won't hurt you at all.
Not news (Score:2)
Solution for Windows (Score:3, Informative)
Start->Control Panel->Network Connections->Double Click on your Wireless Connection->Properties->Wireless Networks->Advanced->Choose "Access point (infrastructure) networks only". Click the Close button then Click OK all the way back. Done.
Conflicting opinions on what is vulnerable (Score:2)
If you have a computer and its power is *ON*, it's vulnerable to something.
Next week I will show that even a computer in which its power is *OFF* is vulnerable to the 8lb sledge hack.
Built in XP Wireless (Score:2)
It does not give a detailed level of signal strength, it is limited to 1-5 bars.
It will drop the connection far more often than manufacturer's utilities. In other words, don't bother playing online games on it.
The window isn't resizable. When did Microsoft think this was a good idea?*
Security passcodes have to be entered twice. That's terrible when the passcode is 10+ characters, and you can't see what you've typed in either.
It won't re-enable at times for no apparent rea
Re:Class Action Lawsuit (Score:2, Funny)
Re:Class Action Lawsuit (Score:4, Informative)
Re:Class Action Lawsuit (Score:3, Insightful)
Disclaimers of warranty are not necessarily legally binding. A decision in court would involve questions of how fair it is for MS to disclaim liability for this.
Re:Class Action Lawsuit (Score:2)
Two EULA clauses not being enforced.
Sony = teh fscked
Re:Class Action Lawsuit (Score:3, Interesting)
Unfortunately it's not even about fair. With regards to security, Windows is provided "AS IS". Show me one place where Microsoft even makes the slightest guarantee about security. The product was never engineered to be secure and barring a complete rewrite it never will be. They're not dumb, they know it's not very secure, and they don't adverti
Re:Class Action Lawsuit (Score:3, Insightful)
user@machine:~> gcc --version
gcc (GCC) 4.0.2 20050901 (prerelease) (SUSE Linux)
Copyright (C) 2005 Free Software Foundation, Inc.
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
Re:Class Action Lawsuit (Score:2, Informative)
By reading this you agree to stand on your head, cluck like a chicken and send me a Godzillion dollars.
EULAs are like newspapers. Just because you read something in one doesn't make it so. You cannot be legally bound to that which is not legally binding, no matter how many times you click "I Agree." EULAs are wet dreams, not contracts.
How do you find out if you are legally bound?
Well, you file a lawsuit to put the matter before a judge, that's how.
KFG
Re:Class Action Lawsuit (Score:2, Informative)
For example, the Microsoft EULA that ships with every Microsoft product is in fact in violation of several laws in several EU countries, but because no one has taken it to court, it hasn't been deemed invalid.
Naturally such a decision (to rule that the EULA is invalid and people are entitled to compensation) would have long-lasting and massive repercussions.
Re:Class Action Lawsuit (Score:2, Insightful)
Re:Class Action Lawsuit (Score:2)
Be careful if you do that. (Score:3, Informative)
How is that a flaw? That's a _feature_ in many cases. Especially if you really want to share files and you don't have a WAP.
From the article: "First of all, if you are running any kind of network firewall -- including the firewall that comes built in to Windows XP -- you won't have to worry about some stranger connecting to your lapto
Re:Be careful if you do that. (Score:2)
Re:Class Action Lawsuit (Score:3, Interesting)
1. No admin access with a user account. If the person is required in their job to need that level of access, create them an account that they can run the necessary app with.
Re:Class Action Lawsuit (Score:2, Informative)
Re:Class Action Lawsuit (Score:3, Insightful)
Re:Hmmm (Score:2, Informative)
Re:Hmmm (Score:2)
Windows will keep broadcasting its last SSID, looking for the network of that name. When it finds the network it's looking for, it will jump on the network automatically, without asking you.
If it doesn't find that network, it will not give itself a 169.254 (APIPA) address, at least not on the surface. The interface will show up as "Media link disconnected".
And users (Score:2)
All it takes is one laptop to suddenly go out of range of the AP and it becomes an ad-hoc network *with the same name as the conference network*. Then laptops that are in range and don't have "connect to ad-hoc networks" disabled also start binding to that node, as suddenly there is a choice between the real and ad-hoc network, both with the same fucking name.
This isn't a security risk, any more than running unencrypted protocols over a WLAN in the firs
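The two behaviours the thread describes (a laptop that keeps calling out its last SSID after losing the AP, and an ad-hoc node announcing the same SSID as the real infrastructure network) are both visible to a wireless monitor. This is an added detection example, not code from the page or from any tool it mentions; the log format, MAC addresses and SSIDs are constructed for illustration, and the thresholds are assumptions.

```python
"""Flag SSID collisions and unanswered probing from wireless-monitor log lines.

Added example with a constructed, hypothetical log format:
  HH:MM:SS <beacon|probe_req|probe_resp> src=<mac> ssid=<name> [bss=ESS|IBSS]
"""
import re
from collections import defaultdict

# Constructed sample: an AP beacons "conference"; one client probes and is answered;
# later a second client probes repeatedly with no AP in range, then starts an
# ad-hoc (IBSS) network under the same name, which other clients may bind to.
SAMPLE_LOG = """\
12:00:01 beacon src=00:11:22:33:44:01 ssid=conference bss=ESS
12:00:02 probe_req src=aa:bb:cc:dd:ee:01 ssid=conference
12:00:02 probe_resp src=00:11:22:33:44:01 ssid=conference
12:05:10 probe_req src=aa:bb:cc:dd:ee:02 ssid=conference
12:05:11 probe_req src=aa:bb:cc:dd:ee:02 ssid=conference
12:05:12 probe_req src=aa:bb:cc:dd:ee:02 ssid=conference
12:05:13 probe_req src=aa:bb:cc:dd:ee:02 ssid=conference
12:05:15 beacon src=aa:bb:cc:dd:ee:02 ssid=conference bss=IBSS
12:05:16 probe_req src=aa:bb:cc:dd:ee:03 ssid=hotel-wifi
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d) (?P<kind>beacon|probe_req|probe_resp) "
    r"src=(?P<src>[0-9a-fA-F:]{17}) ssid=(?P<ssid>\S+)(?: bss=(?P<bss>ESS|IBSS))?$"
)


def parse(log):
    """Turn log lines into dicts; lines that do not match the format are skipped."""
    frames = []
    for line in log.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        h, mi, s = (int(x) for x in m["ts"].split(":"))
        frames.append({"t": h * 3600 + mi * 60 + s, "kind": m["kind"],
                       "src": m["src"].lower(), "ssid": m["ssid"], "bss": m["bss"]})
    return frames


def ssid_collisions(frames):
    """SSIDs beaconed by both an infrastructure AP (ESS) and an ad-hoc station (IBSS).

    Returns {ssid: {"ESS": {bssids}, "IBSS": {bssids}}} for each colliding name.
    """
    by_ssid = defaultdict(lambda: {"ESS": set(), "IBSS": set()})
    for f in frames:
        if f["kind"] == "beacon" and f["bss"]:
            by_ssid[f["ssid"]][f["bss"]].add(f["src"])
    return {ssid: d for ssid, d in by_ssid.items() if d["ESS"] and d["IBSS"]}


def unanswered_probers(frames, min_requests=3, reply_window=2):
    """Clients that keep probing for an SSID no infrastructure AP answers.

    A probe request counts as answered if a probe response or an ESS beacon for
    that SSID appears within reply_window seconds; IBSS beacons never count, so a
    client answering its own ad-hoc network does not hide itself.
    Returns {(client_mac, ssid): unanswered_count} above the threshold.
    """
    answers = defaultdict(list)
    for f in frames:
        if f["kind"] == "probe_resp" or (f["kind"] == "beacon" and f["bss"] == "ESS"):
            answers[f["ssid"]].append(f["t"])
    counts = defaultdict(int)
    for f in frames:
        if f["kind"] != "probe_req":
            continue
        if not any(f["t"] <= t <= f["t"] + reply_window for t in answers[f["ssid"]]):
            counts[(f["src"], f["ssid"])] += 1
    return {k: v for k, v in counts.items() if v >= min_requests}


def report(log):
    """Human-readable alerts for both conditions, in log order of discovery."""
    frames = parse(log)
    alerts = []
    for ssid, d in ssid_collisions(frames).items():
        alerts.append(f"SSID collision: '{ssid}' beaconed as ESS by {sorted(d['ESS'])} "
                      f"and as IBSS by {sorted(d['IBSS'])}")
    for (src, ssid), n in unanswered_probers(frames).items():
        alerts.append(f"Unanswered probing: {src} asked for '{ssid}' {n} times with no AP reply")
    return alerts


if __name__ == "__main__":
    for line in report(SAMPLE_LOG):
        print(line)
```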