Follow Slashdot blog updates by subscribing to our blog RSS feed

 



Forgot your password?
typodupeerror
×
Security Wireless Networking Hardware

AT&T Accidentally Provides Free Wi-Fi To All 249

SecureThroughObscure writes tells us about a hack broken by MacOSRumors: you can get free Wi-Fi at Starbucks, Barnes & Noble, and other AT&T hotspots if you know how to set your browser's user agent string (trivial on Safari), and know a valid iPhone phone number. ZDNet blogger Nate McFeters gives some more details and links. This can't last.
This discussion has been archived. No new comments can be posted.

AT&T Accidentally Provides Free Wi-Fi To All

Comments Filter:
  • by LostCluster ( 625375 ) * on Friday May 02, 2008 @09:22AM (#23274236)
    This actually had some chance of working before it was revealed on /. Afterall, you don't usually publish your iPhone number to strangers, and if they ever caught the same user agent showing upo at two hotspots it'd be trivial to shut them both down. Not the best security idea... but it got the system up until they had to come up with better.
    • I have no idea how many strangers know my phone number, but all my friends have it and I suspect most of them know I have an iPhone.

      And I'm sure AT&T sees thousands of the same user agent running through their hotspots at any given time.
    • Security by stupidity, indeed. Because this doesn't even qualify as security through obscurity. What the hell is wrong with people to use PUBLICLY known information to do access control? It's not the worst security idea, it is absolutely no security at all. Your phone number has to be known to people, otherwise it's useless. So why use it as access control? Yes, it allows for quick bootstrapping, but that's about it.

      I expect that ATT will lobby in short order for a law that will make it illegal to spoof use
  • It might last... (Score:5, Informative)

    by sith ( 15384 ) on Friday May 02, 2008 @09:26AM (#23274288)
    Even if every /.'er did this, it still would be a drop in a bucket compared to the number of folks who happily pay the fee.

    For example, many pay wifi points can be circumvented just by connecting to a VPN over UDP (since they're only filtering TCP requests). I doubt they're going broke due to that issue though..
    • by aliquis ( 678370 )
      Exactly, I can't see why it couldn't last? What's so bad with offering free network connection at some locations? And as soon as one read that people "logged in" by typing in their phone number this was very obvious. I doubt they will care. And it's not like every person on the planet will know about it or care either (as you point out.)
    • Even if every /.'er did this, it still would be a drop in a bucket compared to the number of folks who happily pay the fee. For example, many pay wifi points can be circumvented just by connecting to a VPN over UDP (since they're only filtering TCP requests). I doubt they're going broke due to that issue though..

      Here's how in Firefox.

      Download and install the "User Agent Switcher", then add new user agent with:

      Mozilla/5.0 (iPhone; U; CPU like Mac OS X; en) AppleWebKit/420+ (KHTML, like Gecko) Version/3.0 Mobile/1C28 Safari/419.3

      Go to StarBucks and hit up the wi-fi, you get the standard login screen that the iPhone uses, put in a valid phone number and well free wi-fi I guess. It's also interesting to visit websites to see what kind of iPhone page they have this way (cnn.com for example)

      • Re: (Score:3, Informative)

        by rocketPack ( 1255456 )
        Alternatively (for those who don't want to download an extra program):
        • - Go to about:config in Firefox
        • - Right click/command click in the list and chose New > String
        • - For the preference name use "general.useragent.override"
        • - Use any value you wish, such as "Mozilla/5.0 (iPhone; U; CPU like Mac OS X; en) AppleWebKit/420+ (KHTML, like Gecko) Version/3.0 Mobile/1A543a Safari/419.3"
        • - You can verify your change by going to "about:" in Firefox and reading the information from the page!

        Can't help you wi

  • by whisper_jeff ( 680366 ) on Friday May 02, 2008 @09:27AM (#23274302)
    A surefire way to ensure that this hack lasts as long as possible is to keep it super-secret and not let AT&T know they screwed up.

    But I'm sure posting the story to slashdot is fine. Nobody reads this site, after all...
    • If AT&T techies actually read slashdot then they would be smart enough to setup the system with more than just a browser user agent tag and a phone number.

      how many systems have been setup that way and then suddenly laughed at?

      The other option is why bother? Most people who visit starbucks don't know what a user agent string is, or have enough money that they don't care.
      • If AT&T techies actually read slashdot then they would be smart enough to setup the system with more than just a browser user agent tag and a phone number.

        How would you set it up then? Assuming the predefined goal is "Allow iphone users free service with no hassle", what would you do if not sniff user agents?

        The only way I could think of to do this more 'securely' would be a full network scan to see how their tcp stack behaves, possibly looking at tcp sequence numbers and timestamps to find any quirks.

        T

        • by Firehed ( 942385 )
          I would set it up just like this, except perhaps some sort of reasonable limit on connection time or frequency to the system ("legit" use should never have more than one connection per phone number, for example).

          Will some people abuse it? Yes, though I wouldn't consider it abuse. It's really a long-term value add. People see that iPhone users get free Wifi at these places from their iPhone, and a few know how to get it on their laptop too. That's a tremendous additional value to using AT&T over comp
      • If AT&T techies actually read slashdot then they would be smart enough to setup the system with more than just a browser user agent tag and a phone number.

        Waitaminute; are you actually saying that reading Slashdot is a benchmark for intelligence in the IT field?

    • by aliquis ( 678370 )
      Hey, we read the headlines, eventually the summary and then head on to comment and read comments. It's just TFA we skip ;)
    • A surefire way to ensure that this hack lasts as long as possible is to keep it super-secret and not let AT&T know they screwed up.
      Actually, it was Wayport's screw up, as they're the company that AT&T contracts to provide their wifi hotspot system.
    • But I'm sure posting the story to slashdot is fine. Nobody reads this site, after all...

      Well it *is* just mostly geeks -- a minority.

      I rather think the actual problem is when that random blog links to this site, catching the attention of some large general media site, etc... Soon enough it's a story reaching the general population.

      Still, manipulating user agent strings is "advanced" work to novices. So in the end, for the shit to truly hit the fan, we'd first need a simple UI with only a textbox for the iPhone number and an OK button (handling the rest itself), distributed on a web site popul

  • Accidentally providing free wi-fi to everyone... IF they use this hack to work around... That's not providing ANYTHING. It's not having proper security in place.
  • Maybe it's just me, but am I the only one who's sitting here thinking that using this hack is tantamount to stealing service? Hacks for stealing cable service have existed for decades now, and were very much illegal. And why shouldn't they be? Not everything has to be hacker proof. Sometimes it's just about putting a lock on the door and saying, "This doesn't belong to you."

    To use a typical Slashdot analogy, the lock on my front door is pretty flimsy and could probably be picked or forced without much effort. Is that an invitation to walk into my house and use my computer?

    This also differs from open WiFi points in that open WiFi points have no security. It's difficult for a passerby to tell the difference between an intentionally shared access point and an access point that has accidentally been misconfigured.

    Which reminds me, WiFi security is not all that hard to crack. Does that give people a free license to crack their neighbor's WiFi and begin using it without permission?
    • by dissy ( 172727 )

      Maybe it's just me, but am I the only one who's sitting here thinking that using this hack is tantamount to stealing service?

      No it is not just you. Unfortunately it is still incorrect despite the fact others see it that way too.

      Since everyone is different and has different morals, sure, it can easily be morally wrong.
      But legally and technically, it isn't wrong at all.

      Clearly their service allows iPhones to access for free, and stupidly it asks the users computer if it is an iPhone or not, so lying and saying 'yes' shouldn't be enough for access, but apparently is.

      They are just asking the users computer if it is an iPhone, and i

      • by AK Marc ( 707885 )
        But legally and technically, it isn't wrong at all. Clearly their service allows iPhones to access for free, and stupidly it asks the users computer if it is an iPhone or not, so lying and saying 'yes' shouldn't be enough for access, but apparently is.

        I think that lying in order to obtain a fee service for free is illegal in all locations in the US. It's theft of services, fraud, or such.

        Also, you separate moral wrong and legal wrong, but you have "technically" in there with legal. I would argue that
    • by Nimey ( 114278 )
      No worries. AT&T is making up what it loses from this by sharing all its customers' information with the NSA.

    • Sometimes it's just about putting a lock on the door and saying, "This doesn't belong to you."

      Everything in security isn't a lock. There's no personal property being protected here, so stop with the "enter my house" analogy.

      This is more like give away a free small bag of popcorn to anyone with a name badge that says "I own an iPhone" on it. In other words, this is more like lying than it is theft. Lying isn't usually illegal, unless you're defrauding someone.
    • Yes. From the AT&T iPhone service agreement [att.com]:

      cannot be used for any applications that tether [...] to laptops, PCs, or other equipment for any purpose
  • 1 - Put your coffee money in a Starbucks Card.

    2 - Take your laptop to Starbucks for a coffee.

    3 - Profit!

    • by Megane ( 129182 )
      4 - Drink bad coffee!
      • by ivan256 ( 17499 )
        I find it difficult to believe that you find all of Starbucks coffee to be "bad". They have dozens of types. Some of them suck, and some of them are really good. Which ones don't you like? Did you even realize that there was more than one type?
  • Frankly, Starbucks should provide WiFi free. It's a great tool for them. Many small shops are doing it and I'd go to one of them before Starbuck's, obviously.

    • by qoncept ( 599709 )
      Starbucks should also start charging 1/3 of what they do for their coffee. I don't think either is hurting them much, though.

      Also, in my opinion, Starbucks should just go to hell. Aside from the fact that I think coffee is disgusting, my generalization of a Starbucks customer is a person I'd love to punch in the face. I can't decide if I dislike the yuppie small coffee shop goers more or less.
      • The yuppies ARE the ones that go to Starbucks. Where I live, there are so many small independent coffee shops, no self-respecting person would ever go to Starbucks for coffee.

        Also, I think you have some anger management issues. I would tell you to lay off the coffee a little, but...
        (I am only jesting here. I generally want to punch yuppies too.)
        • "The more complicated the Starbucks order, the bigger the asshole. If you walk into a Starbucks and order a "decaf grande half-soy, half-low fat, iced vanilla, double-shot, gingerbread cappuccino, extra dry, light ice, with one sweet-n'-Low, and one NutraSweet," ooh, you're a huge asshole." - George Carlin
        • What is a Yuppie anyway? Someone who has a job and/or business that earns good money after spending a lot of time studing and/or working hard to become successful? Wow, what an awful person!

          Oh right, this is Slashdot, where IT folks all work for free for the betterment of society.

          • From urbandictionary.com -

            "a very arrogant well put together young urban professional who you more than likely will find wearing gucci and prada with a large bank account which they love to brag about. You can find them drinking Starbucks, living in a one bedroom apartment in a city where they will pay 1000-2000 a month for and spending another 3000 a month on their credit cards. They brag about their designer clothes and love to flaunt them , as well as their wealth. They look down upon anyone who isn't
            • Wow, good think you're not relying on generalizations ... Shame that is the definition of yuppie, as it looks more like the definition of an asshole :)
              • "Shame that is the definition of yuppie, as it looks more like the definition of an asshole "

                Now you are getting it!
          • by JerkBoB ( 7130 )
            I think I probably hated yuppies too...

            Before I became one. And then I hated DINKs, before I became one. And then I was irritated by those annoying people who bring kids to restaurants, before I became one (hey, YOU try getting a reliable babysitter at the last minute!).

            At the moment, I'm irritated by those old farts with no kids who want to cut back on taxes because THEY don't have kids in school.

            Anyone else detecting a pattern? :)
          • Re: (Score:2, Funny)

            "Someone who has a job and/or business that earns good money after spending a lot of time studing and/or working hard to become successful?"

            I'd like to think that the letter you left out of the above sentence is a 'd' instead of a 'y'.

            It's the romantic in me.

            JJ
        • Where I live, there are so many small independent coffee shops, no self-respecting person would ever go to Starbucks for coffee.

          Me too, and yet I go to Starbucks. You know why?

          Those small, independent coffee shops are all full of pricks. The baristas are pretentious, the menus are full of Italian gibberish, and the coffee isn't much better than Starbucks' at all. I don't like super-pretentious Italian coffeeshops, I never feel comfortable in them, like I'm not as good as everyone else there because I don't
          • I never said a self-respecting person would go into one of the indie coffee shops either, just that they wouldn't go to Starbucks. Self-respecting people brew their own damn java.
      • Starbucks should also start charging 1/3 of what they do for their coffee. I don't think either is hurting them much, though.

        I [msn.com] beg [tmcnet.com] to [google.com] differ [guardian.co.uk].

    • by drhamad ( 868567 )
      Maybe they should, but that's their choice, not yours. It's their business decision.

      In general, companies are afraid of wifi (and legitimately so, I believe) because it causes people to sit around, NOT consuming things. Sure I might go buy a drink at sbux and sit and read a book for 30 mins or something, but with wireless I'll sit there with that drink for 4 hours. I'm not going to buy more.
    • True story. Where I live, WiFi is ubiquitous. It's more shocking to me when a shop doesn't have it. And in the downtown area, there's pretty wide-area coverage. Apparently the city's doing some kind of experiment in conjunction with Cisco.

      All this means that I'm spoiled. I suspect a lot of other /.'ers are spoiled, too. And if I've come to expect free WiFi, I most certainly won't go to a shop where they don't have it. On the other hand - and probably more importantly - if I haven't come to expect such a
    • That's because the small shops are trying to catch up with Starbucks, and are willing to fill up their tables with people who aren't buying anything to do it.

      Having gone to some indie cafes, bought a coffee, looked for a table to sit at, and found nothing but tables full of people sitting at their laptops, not drinking or eating anything, the wisdom of "free wifi for all!" started to seem a little dubious.
      • by jav1231 ( 539129 )
        True. But these shops can also say, "hey, buy another cup or you have to go." I think by and large most people are willing to buy a cup of coffee to sit and have wifi (otoh, could they not just pay for the wifi?). Some shops would like to have the people there as a draw.

        • Corollary: a coffeeshop that looks pleasantly busy is more likely to draw business than an empty coffeeshop. Most people have a neurotic need to be around people all the time, or so it seems. Also, a coffeeshop full of laptop users is not a coffeeshop full of people who will bother other customers. So all you have to do is figure out what the sweet spot in population is, and kick out people who don't buy anything, down to that number. If you have half a clue you'll kick out your regulars last and everything
  • Are you kidding me?! I'm not quite creative enough to know exactly what to do with it, but a phone number is like part of a person's identity. Using that as a form of identity in this instance can't be good.
    • by Dog-Cow ( 21281 )
      That's a silly view of a phone number. Have you never looked at say, a NY City phonebook? That's a whole lot of "identity" available to the public right there.
  • Maybe its different (okay, it IS different) ... but it is very very very rare to see a café up here in canada that doesn't have free wifi. They limit the bandwidth per connection, and (attempt to) block non http / https requests, but I *never* pay for wifi when I'm at a café ...

    It makes you wonder, what the world is coming to... or at least, what is going on in the USA.
    • Maybe its different (okay, it IS different) ... but it is very very very rare to see a café up here in canada that doesn't have free wifi. They limit the bandwidth per connection, and (attempt to) block non http / https requests, but I *never* pay for wifi when I'm at a café ...

      Yeah, you commies. Free this, free that. Gonna kill the economy. How is any multi billion dollar company supposed to make a living? Next thing you'll tell me is that you don't have to pay for things like med

      • yup. free health care. free EEEs too.. Just for opening an account... [rbcroyalbank.com]

        I'd have to say that Yup.. canada rocks. We now have the iPhone legally too... but it is way too common for people to just cross the border and buy (and unlock) an iPhone. Seriously. The iPhone has been here so long, it isn't even cool to own one anymore...
  • what's next (Score:5, Funny)

    by gEvil (beta) ( 945888 ) on Friday May 02, 2008 @09:36AM (#23274430)
    Next you're gonna be telling us how to get free wifi from all those "Linksys" hotspots, aren't you?
    • by imamac ( 1083405 )
      I always look for those "belkin54g" hotspots. They're everywhere!
    • Re: (Score:3, Funny)

      by SCHecklerX ( 229973 )
      Hey! That's the name of mine at home! Well..the one on the DMZ that redirects all http traffic through a proxy that does interesting things with images, anyway.
  • Here in Minneapolis we have two other chains competing with Starbucks, Dunn Bros. and Caribou, both starting out locally. Both of the competitors offer free Wifi. Caribou's is limited to an hour, but you can circumvent that pretty easily. I don't frequent Dunn Bros. often enough to know what kind of limit they might have.

    Many other indie coffee shops, restaurants and other places offer free wifi.

    I'm always amazed when I see people sitting in Starbucks using laptops (maybe they're not online) when they co
    • Yup, there's Panera Bread and a thousand independent coffee shops with free wifi in the Twin Cities and metro areas. Heck, there are even bars with free wifi. Buffalo Wild Wings has free wifi! I've used it with my iPod touch (usually checking team scores and stats), but I don't think I'd get a lot work done while eating 12 mango habaneros. And I imagine the keys would get coated in wing sauce.

      I mostly hit Caribou and anywhere but Starbucks. It used to be because Starbucks had bad coffee, but now it's bec

    • I've never seen a Starbucks that charges for wifi, and I've tried in about 20 across 6 states, east, west, and middle of the country.
    • Tmobile also has a plan where you get all the tmobile hotspots for some flat fee... starbucks is included in the list (or at least it used to be last I looked at the options, I didn't buy the plan).
  • Comment removed based on user account deletion
    • I have confirmed it works and surfing right now and . . . hold a sec there's some guys in dark suits wanting to talk-#%$)(*J*&^!@

      [CARRIER LOST]
  • Why couldn't they have just used MAC address (a simple range) filtering? I would guess that there are a few ranges of addresses in use by the iPhones. Even if there was some overlap with other devices, I would think that possibly in addition to a user-agent check would be a lot more secure/efficient.
    • by Deagol ( 323173 )
      MAC addresses can be trivially spoofed. There's even a database of MAC ranges for manufactured devices, so you can pick and choose which device to masquerade as on the network.
    • Easily circumvented; on os x...

      sudo ifconfig en0 lladdr 00:1B:63:00:00:00

      Or using one of the other iphone prefixes:

      00:1B:63
      00:1D:4F
      00:1E:C2
    • by jrumney ( 197329 )
      If someone is going to go to the trouble of spoofing an iPhone with a valid phone number, then they'll just spoof the MAC address as well. It'll be even easier to guess a valid one than for the phone numbers, as each batch of iPhones manufactured will tend to use a corresponding batch of WiFi chips, probably with a consecutive block of MAC addresses. Phone number allocation is more random, since its done at time of purchase, and people can port numbers from older devices or other networks.
  • The real wtf... (Score:4, Interesting)

    by Grelli ( 98061 ) on Friday May 02, 2008 @10:12AM (#23275032) Homepage
    The real wtf is that the iPhone's number is in the user agent string. How long till that is used to justify an "existing business relationship"?
    • I don't see any indication that the phone number is in the user agent string, it looks like the phone number needs to be entered to "log in". Looking for iphone HTTP_USER_AGENT strings elsewhere I don't see any examples with an embedded phone number.
  • Every coffee shop I go to has free wifi. So does McDonalds, truck stops, and a variety of odd places. I can't imagine paying for wifi hot-spot access at Starbucks.
  • Once the API arrives, I can imagine that all they have to do is write an 'enabler' app that does a magic handshake over the cellular interface to pass the phone's WiFi Ethernet interface address to the local hotspot. That would obviate the need to fill out their silly web form and everything.

    Of course, if they're silly enough to write the app so that it enables the connection without performing a validation step (assuming that being able to run the app means it's running on an iPhone), then someone will rat
  • by natoochtoniket ( 763630 ) on Friday May 02, 2008 @12:05PM (#23276652)

    I have a friend who owns a small restaurant, selling smoothies and sandwiches. He has internet access from the back office, and uses it to communicate with vendors.

    He doubled his breakfast and lunch business over the last few months by putting up a wireless router and giving away wifi access. The sign says "with any purchase" but there is no easy way to implement that, so he just leaves it unsecured. Most people buy something anyway.

    It costs him almost nothing, and helps to sell food by making the location more welcoming to his customers. It won't take very long for other small food and beverage businesses to catch on.

    It's kind of like "air conditioned" businesses used to be. Fifty years ago, air conditioning was unusual. But customers liked it, so the businesses that had it got the customers. Now, every business has it. The only real difference is that wifi is a lot cheaper to provide.

  • Outrageous! (Score:3, Funny)

    by hacksoncode ( 239847 ) on Friday May 02, 2008 @01:26PM (#23277756)
    Apple should demand that iPhone users not give their phone number to other people because they might abuse this!

    Errrr...

You are in a maze of little twisting passages, all different.

Working...