Free Wi-fi, is it free?

So for my latest blog I decided too see if free Wi-Fi is indeed free or whether it comes with a hidden cost. Now I don’t use public Wi-Fi not because it is inherently vulnerable, as I can use a VPN to negate some of the risk, however for those who don’t use a VPN then there is the classic machine in a middle attack.

I don’t use it’s because of the personal identifiable information you are having to provide in most cases to sign up. For those who are old hands at privacy, they will be using burner emails etc but this is not mainstream behaviour.

This is a random selection of providers with no real methodology as to which ones I tried.

McDonald’s was my first port of call.

McDonald’s Wi-Fi is supplied by O2, a mobile number gets you through the first part where you receive a code which you then probably think is that, but no, you then need to enter an email address, name, date of birth and postcode.

What we are seeing is the potential for you to be tracked. If you have your Wi-Fi turned on all the time you could automatically reconnect to the Wi-Fi networks you have signed up to. Using your mobile MAC address the Wi-Fi provider can uniquely identify you. Not only that they can link you as a person to your device and you are no longer anonymous.

I did a little experiment with a second hand mobile I bought. It had been factory reset and had a new profile on it. When I tried to connect to the Wi-Fi in McDonald’s it provided me with the name of the previous owner. What I believe happened was that the Wi-Fi had recognised the device details that it had obtained when the previous owner had signed up, such as the MAC address. This was linked to a real life person and as such I got the welcome message of, ‘Hello Barry we haven’t seen you in a while, see what is new.’ (I did change the name). This demonstrates another danger that if you sell your mobile and you have been using free Wi-Fi then some of your personal information may be compromised.

For those of you who conduct OSINT and who chose to use public Wi-Fi to create sock accounts because social media companies such as Facebook have in affect banned VPNs for creating accounts; then you too need to be aware of not only the potential OPSEC risks but also what may happen if you sell a device. The above will apply to laptops and tablets etc too. Reusing a device may compromise your OPSEC and for those in LE for instance, you need to give careful consideration how a device is disposed of after it is no longer needed.

O2 supply Wi-fi to the following in the UK albeit I believe Bunnings is no longer with us.

You can use this link https://www.o2wifi.co.uk/hotspot to search a location for O2’s Wi-Fi.

‘And if you’re an O2 customer your handset will automatically connect to 7,000 of those hotspots on O2 Wi-Fi extra – you don’t even need to register. Once connected at one of these hotspots your phone will automatically connect to all of our 16,000 hotspots nationwide.’

My next stop was Asda who are supplied by BT. Now Asda is slightly different in that you do not have to provide any details not even a mobile number however interestingly I was not able to use my VPN so a little bit of swings and roundabouts here with what you are giving up to use the Wi-Fi.

You can search for BT Wi-Fi at this link https://www.btwifi.com/find/

I am sure that not only are you providing personal identifiable information to sign up to some Wi-Fi services, it isn’t really free as your privacy is the cost, as the old saying goes, ‘If You’re Not Paying For It, You Become The Product.’ Asda and BT for example will see your internet data such as your browsing details, especially as my VPN appeared to have been banned.

Combine the above with low level Bluetooth beacons and all of a sudden you are the product that can be tracked. Make no mistake there are companies out there that offer this service to retail companies.

You should never leave your Wi-Fi, Hotspot and Bluetooth turned on unnecessarily as this will compromise your privacy and in certain cases allow you to be tracked to significant locations. You should also be thinking of your OPSEC too. Wigle will have people’s hotspots recorded and thus a potential way to track you.

You can find Sky Wi-Fi hotspots. As you can see from the map even if your location services are switched off you could still be tracked by your use of Wi-Fi. You will also see that as with O2 you will be reconnected automatically.

There are several websites that will allow you to search for public Wi-Fi: –
https://www.wifimap.io/
https://instabridge.com/free-wifi/
https://wifispc.com/