That’s all separate systems too. Location services use a combo of GPS, tower triangulation and (at least Android does because Google keeps track) known wifi nets. So if you are standing outside Starbucks_Anywhereville and across the road from Pub_In_Anywhereville it’s easy to locate the device. If there’s nobody broadcasting their SSID, the device might be able to see a few towers and guesstimate that way, and obviously GPS is there too. I don’t know what mix of the latter two has a greater influence, but location services are uncannily good at figuring out where you are these days.
You are not connecting to/thru any “official” router. You are connecting to a Bad Guy’s router. They are getting the raw traffic from your device. WPA2, etc. doesn’t mean squat when the Bad Guy is one of the parties of the communication!
They will present to you what looks like an official login screen. You enter your credentials. They then let you in as if you had officially logged in. (Or they can route your login to the official page for even more fun.)
I don’t think people realise how easy it is to do really bad things if you have your phone (or laptop, or whatever) in what amounts to most people’s phones’ default WiFi access mode.
TL;DR
Phones will continuously poll around them for WiFi stations they have connected to in the past. If you once, years ago, used the Apple Shop’s WiFi, your phone will still be asking if it is nearby. All a bad actor has to do is say “Yes, I am” and your phone will connect to it. If you ever trusted a free WiFi in the past, anyone can spoof the same SSID again and get you to connect. And it is easy: they don’t have to guess the SSID; your phone tells them.
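The "your phone tells them" part is the SSID element of an 802.11 probe request: a directed probe names the network the station is looking for, while a wildcard probe carries a zero-length SSID and gives nothing away. The script below is an added example, not code from the thread: it builds a few constructed probe-request frames (the station address and SSIDs are made up) and parses them the way a passive listener would, so you can see exactly which names leak. Whether a given phone still sends directed probes varies by OS version; the code only shows what is learned when it does.

```python
import struct

# Constructed 802.11 probe-request frames (not real captures): the helpers
# below build them so the parser can be exercised offline.

PROBE_REQUEST_FC = 0x0040   # frame control: type 0 (management), subtype 4 (probe request)
BROADCAST = bytes.fromhex("ffffffffffff")
TAG_SSID = 0
TAG_SUPPORTED_RATES = 1


def mac_str(mac: bytes) -> str:
    return ":".join(f"{b:02x}" for b in mac)


def build_probe_request(src_mac: bytes, ssid: str, seq: int = 0) -> bytes:
    """Assemble a minimal probe request. An empty ssid gives a wildcard probe."""
    header = struct.pack("<HH", PROBE_REQUEST_FC, 0)          # frame control, duration
    header += BROADCAST + src_mac + BROADCAST                 # addr1 (DA), addr2 (SA), addr3 (BSSID)
    header += struct.pack("<H", seq << 4)                     # sequence control, fragment 0
    ssid_bytes = ssid.encode("utf-8")
    body = bytes([TAG_SSID, len(ssid_bytes)]) + ssid_bytes
    body += bytes([TAG_SUPPORTED_RATES, 4, 0x82, 0x84, 0x8B, 0x96])  # 1, 2, 5.5, 11 Mbit/s
    return header + body


def parse_tagged_params(body: bytes) -> dict:
    """Walk the tag/length/value list; stop at the first truncated element."""
    tags = {}
    i = 0
    while i + 2 <= len(body):
        tag_id, tag_len = body[i], body[i + 1]
        value = body[i + 2:i + 2 + tag_len]
        if len(value) < tag_len:          # malformed or cut-off frame: don't trust the rest
            break
        tags.setdefault(tag_id, value)
        i += 2 + tag_len
    return tags


def parse_probe_request(frame: bytes):
    """Return the source MAC and probed SSID, or None for any other frame type."""
    if len(frame) < 24:
        return None
    fc = struct.unpack_from("<H", frame, 0)[0]
    ftype, subtype = (fc >> 2) & 0x3, (fc >> 4) & 0xF
    if ftype != 0 or subtype != 4:
        return None
    src = frame[10:16]
    tags = parse_tagged_params(frame[24:])
    ssid = tags.get(TAG_SSID, b"")
    return {
        "source": mac_str(src),
        "ssid": ssid.decode("utf-8", "replace"),
        "directed": len(ssid) > 0,    # wildcard probes carry a zero-length SSID element
    }


def probed_ssids(frames) -> dict:
    """What a passive listener learns: {source MAC: [SSIDs that station asked for]}."""
    learned = {}
    for frame in frames:
        info = parse_probe_request(frame)
        if info is None or not info["directed"]:
            continue
        learned.setdefault(info["source"], []).append(info["ssid"])
    return learned


def sample_frames():
    phone = bytes.fromhex("020000000001")   # constructed, locally administered station address
    return [
        build_probe_request(phone, "Starbucks_Anywhereville", seq=1),
        build_probe_request(phone, "Apple Shop", seq=2),
        build_probe_request(phone, "", seq=3),   # wildcard probe: nothing leaks
        b"\x80\x00" + b"\x00" * 22,              # beacon (subtype 8): ignored by the parser
    ]


if __name__ == "__main__":
    for src, ssids in probed_ssids(sample_frames()).items():
        print(f"{src} is looking for: {ssids}")
```

Feeding real captures in is a matter of stripping the radiotap header (and the trailing FCS, if your driver delivers it) before calling `parse_probe_request`; the parser deliberately stops at the first truncated tag rather than reading past the end of a damaged frame.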
Again, your phone will only connect to a previously known AP if the phone and AP successfully pass through the WPA2 four-way handshake. That can’t happen unless the bad guy’s AP knows the password that you were using when your phone last connected to that AP. You’re not going to see any “login page” until you’ve passed through WPA2 authentication and are connected to the wifi network.
The page that Francis Vaughn linked to says
So this page is talking about spoofing a previously known wifi AP that had no WPA2 security. Yes, if you go around connecting to open APs then you are vulnerable to this kind of attack. If you only connect to APs that implement WPA2 with a reasonable password like your home AP, you’re not. WPA2 was designed to prevent this kind of thing.
–Mark
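Mark's point is that the four-way handshake only completes when both ends derive the same PTK from the same PMK, and the PMK comes from the passphrase and SSID. The script below is an added example, not code from the thread: it implements the WPA2-Personal derivation (PBKDF2 to the PMK, PRF-512 to the PTK, HMAC-SHA1 for the EAPOL-Key MIC) and a minimal message 2, then checks the MIC the way the receiving side does. All addresses, nonces and passphrases are constructed; the frame layout follows the RSN EAPOL-Key descriptor with empty key data. Message 3 from the AP is verified by the station with the same KCK, so whichever side holds the wrong passphrase fails the check in the direction the other side verifies.

```python
import hashlib
import hmac

# Added example: WPA2-Personal key derivation and the message-2 MIC check,
# simulated offline. MACs, nonces, SSID and passphrases below are constructed.

SSID = "HomeNet"
AP_MAC = bytes.fromhex("020000000001")
STA_MAC = bytes.fromhex("020000000002")
ANONCE = bytes(range(32))          # fixed so the example is deterministic
SNONCE = bytes(range(32, 64))

NONCE_OFFSET = 17   # 802.1X header (4) + descriptor type, key info, key length, replay counter
MIC_OFFSET = 81     # NONCE_OFFSET + nonce (32) + key IV (16) + RSC (8) + ID (8)


def pmk_from_passphrase(passphrase: str, ssid: str) -> bytes:
    """PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 rounds, 32 bytes)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf_512(key: bytes, label: bytes, data: bytes) -> bytes:
    """802.11 PRF-512: concatenated HMAC-SHA1 blocks with a one-byte counter."""
    out = b"".join(
        hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
        for i in range(4)
    )
    return out[:64]


def derive_ptk(pmk, ap_mac, sta_mac, anonce, snonce) -> bytes:
    data = (min(ap_mac, sta_mac) + max(ap_mac, sta_mac)
            + min(anonce, snonce) + max(anonce, snonce))
    return prf_512(pmk, b"Pairwise key expansion", data)


def build_msg2(snonce: bytes) -> bytes:
    """EAPOL-Key message 2 (RSN descriptor, AES-CCMP key info) with the MIC zeroed."""
    key_desc = (bytes([2])                          # descriptor type: RSN
                + (0x010A).to_bytes(2, "big")       # key info: version 2 (HMAC-SHA1), pairwise, MIC
                + (16).to_bytes(2, "big")           # key length
                + (1).to_bytes(8, "big")            # replay counter
                + snonce                            # key nonce
                + bytes(16) + bytes(8) + bytes(8)   # key IV, RSC, ID
                + bytes(16)                         # key MIC, filled in by the sender
                + (0).to_bytes(2, "big"))           # key data length (no key data here)
    return bytes([2, 3]) + len(key_desc).to_bytes(2, "big") + key_desc   # 802.1X v2, EAPOL-Key


def eapol_mic(kck: bytes, frame_zero_mic: bytes) -> bytes:
    return hmac.new(kck, frame_zero_mic, hashlib.sha1).digest()[:16]


def station_msg2(passphrase, ssid, ap_mac, sta_mac, anonce, snonce) -> bytes:
    ptk = derive_ptk(pmk_from_passphrase(passphrase, ssid), ap_mac, sta_mac, anonce, snonce)
    frame = build_msg2(snonce)
    mic = eapol_mic(ptk[:16], frame)   # KCK = first 16 bytes of the PTK
    return frame[:MIC_OFFSET] + mic + frame[MIC_OFFSET + 16:]


def ap_accepts_msg2(passphrase, ssid, ap_mac, sta_mac, anonce, msg2) -> bool:
    snonce = msg2[NONCE_OFFSET:NONCE_OFFSET + 32]
    ptk = derive_ptk(pmk_from_passphrase(passphrase, ssid), ap_mac, sta_mac, anonce, snonce)
    zeroed = msg2[:MIC_OFFSET] + bytes(16) + msg2[MIC_OFFSET + 16:]
    return hmac.compare_digest(eapol_mic(ptk[:16], zeroed), msg2[MIC_OFFSET:MIC_OFFSET + 16])


def captured_msg2(sta_passphrase: str) -> bytes:
    return station_msg2(sta_passphrase, SSID, AP_MAC, STA_MAC, ANONCE, SNONCE)


def handshake_outcome(ap_passphrase: str, sta_passphrase: str) -> bool:
    """True only when the AP's passphrase matches the one the station used."""
    return ap_accepts_msg2(ap_passphrase, SSID, AP_MAC, STA_MAC, ANONCE, captured_msg2(sta_passphrase))


def offline_guess(candidates, msg2: bytes):
    """What a rogue AP does with a captured message 2: test passphrases offline."""
    for candidate in candidates:
        if ap_accepts_msg2(candidate, SSID, AP_MAC, STA_MAC, ANONCE, msg2):
            return candidate
    return None


if __name__ == "__main__":
    print("genuine AP:", handshake_outcome("correct horse battery", "correct horse battery"))
    print("rogue AP:  ", handshake_outcome("wrong-psk", "correct horse battery"))
    print("offline:   ", offline_guess(["letmein1", "correct horse battery"],
                                       captured_msg2("correct horse battery")))
```

The caveat a practitioner should take from `offline_guess` is why Mark's "reasonable password" qualifier matters: the station sends message 2 before it has verified anything about the AP, so a rogue AP that beacons the right SSID never gets in, but it does collect ANonce, SNonce, both MACs and a MIC, which is everything needed to test passphrase guesses offline at PBKDF2 speed. A strong passphrase is what makes that capture worthless.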
While the main danger is from new, previously unconnected WiFi hotspots, previously connected ones can be a hazard as well.
Routers and such are a prime target now. It turns out that there are astonishing holes in these that easily give attackers root access to the device. So they can sniff traffic, fake being another provider’s free WiFi site, as well as attack the machines behind the router. They also are used to send spam.
The holes that have been discovered and reported on Slashdot are unbelievable and then some. Open telnet ports with a trivial root password, if that.
And manufacturers are slow to provide firmware updates, if at all.