Smartphones that reconnect to remembered hotspots on their own could be leaving thousands of users of the free Wi-Fi services provided by AT&T and Xfinity vulnerable to attack, according to a joint report by NPR and Ars Technica.

The report found that both services allow smartphones to reconnect to their public Wi-Fi hotspots automatically. Because the phone decides to join on the basis of the network name (SSID) alone, an attacker who broadcasts a fake hotspot with the same name can capture those connections and redirect users to bogus websites that harvest usernames and passwords.

Ars Technica’s IT editor Sean Gallagher writes that the services leave both Android and iPhone users open to a serious security threat, saying, “There's a much bigger threat to your security than somebody randomly fishing for you to connect to them — the networks you've already connected to and trusted, like AT&T and Xfinity.”

The NPR report, part of its Project Eavesdrop podcast, describes how readily a smartphone that has once joined the real network will reconnect by default to any hotspot called “attwifi”. To be sure of not joining a bogus hotspot, users have to tell the phone to forget the network or stop auto-joining it, or disable Wi-Fi altogether.

Ars Technica’s more detailed report describes how such “fake hotspots” can be set up with apps and tools on devices as small as Android phones, and used to knock users off a real hotspot so that the attacker’s hotspot picks up the connection when the device reconnects.
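The two conditions the reports describe, a saved open network that the device joins on its own and a second access point advertising the same name, can both be checked from a laptop. The following script is an added example, not code from the article or from NPR, Ars Technica or ESET. Its input records are constructed and shaped like the terse (`-t`) output of NetworkManager’s `nmcli`; the extra key-management column on the saved-profile lines, the allowlist of previously seen BSSIDs, and the network names are all assumptions made for the example.

```python
import re
from collections import defaultdict

# Constructed records modelled on `nmcli -t -f NAME,TYPE,AUTOCONNECT connection show`,
# with a fourth column for the profile's key management appended (nmcli would need a
# separate query for that; the column is an assumption for this example).
# An empty fourth column means an open network with no encryption.
SAVED_PROFILES = """\
attwifi:802-11-wireless:yes:
xfinitywifi:802-11-wireless:yes:
HomeNet:802-11-wireless:yes:wpa-psk
Wired connection 1:802-3-ethernet:yes:
"""

# Constructed records modelled on `nmcli -t -f SSID,BSSID,SECURITY dev wifi list`.
# In terse mode nmcli escapes the colons inside a BSSID as "\:", which the parser
# below has to undo before the field values are usable.
SCAN = """\
attwifi:00\\:11\\:22\\:33\\:44\\:55:
attwifi:DE\\:AD\\:BE\\:EF\\:00\\:01:
HomeNet:66\\:77\\:88\\:99\\:AA\\:BB:WPA2
CoffeeShop:CC\\:DD\\:EE\\:FF\\:00\\:11:
"""

# Assumed allowlist: BSSIDs recorded for the operator's network on an earlier,
# trusted visit. A rogue hotspot copies the SSID but cannot easily know which
# BSSIDs the user has seen before. Constructed for the example.
KNOWN_BSSIDS = {"attwifi": {"00:11:22:33:44:55"}}


def split_terse(line):
    """Split one nmcli terse line on unescaped colons and unescape '\\:'."""
    fields = re.split(r"(?<!\\):", line)
    return [f.replace("\\:", ":") for f in fields]


def risky_autoconnect_profiles(saved_text=SAVED_PROFILES):
    """Names of saved Wi-Fi profiles that are open (no key management) and set to
    autoconnect: the combination that lets a same-named rogue hotspot capture the
    device with no user action at all."""
    risky = []
    for line in saved_text.splitlines():
        if not line.strip():
            continue
        name, ctype, autoconnect, key_mgmt = split_terse(line)
        if ctype == "802-11-wireless" and autoconnect == "yes" and not key_mgmt:
            risky.append(name)
    return risky


def suspicious_bssids(scan_text=SCAN, known=KNOWN_BSSIDS):
    """{ssid: [bssid, ...]} for allowlisted SSIDs that the scan shows being
    advertised by a BSSID never seen before: the signature of a second access
    point impersonating a known network."""
    by_ssid = defaultdict(list)
    for line in scan_text.splitlines():
        if not line.strip():
            continue
        ssid, bssid, security = split_terse(line)
        by_ssid[ssid].append((bssid.upper(), security))
    flagged = {}
    for ssid, aps in by_ssid.items():
        if ssid not in known:
            continue
        unknown = [bssid for bssid, _sec in aps if bssid not in known[ssid]]
        if unknown:
            flagged[ssid] = unknown
    return flagged


def remediation_commands(profiles):
    """The nmcli commands that stop each risky profile joining on its own.
    connection.autoconnect is a real NetworkManager property; the profile
    names come from the constructed sample."""
    return [f"nmcli connection modify '{p}' connection.autoconnect no" for p in profiles]


if __name__ == "__main__":
    risky = risky_autoconnect_profiles()
    print("open profiles that auto-join:", risky)
    print("unfamiliar BSSIDs for known SSIDs:", suspicious_bssids())
    for cmd in remediation_commands(risky):
        print("fix:", cmd)
```

Running it against the constructed records flags `attwifi` and `xfinitywifi` as open, auto-joining profiles and reports the second, unfamiliar `attwifi` BSSID. On a real machine the same checks would be fed from the two `nmcli` commands named in the comments; the BSSID allowlist has to be recorded while on a connection you trust, since nothing in an open network’s beacon proves who operates it.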

“These free Wi-Fi connections are popular, for good reason - they help reduce the amount of broadband cellular data you consume, and they often provide better network speeds than what you can manage over a 4G connection,” Gallagher writes.

“But they also offer a really easy way for someone to surreptitiously tap into your Internet traffic and capture your account information for less-than-friendly purposes.”

Earlier this year, the head of Europol’s cyber crime division, Troels Oerting, warned that free hotspots were increasingly being used to steal private information from consumers in Europe, as reported by We Live Security here. Oerting said, “We have seen an increase in the misuse of Wi-Fi in order to steal information, identity or passwords and money from the users who use public or insecure wi-fi connections.”

Up to 10% of workers admit to using public hotspots with work machines, according to a recent survey by phone insurer ProtectYourBubble.

ESET Distinguished Researcher Aryeh Goretsky writes, in a We Live Security how-to here, that any free Wi-Fi service carries risks: “Just because it is free does not necessarily mean you should take advantage of it. It is possible that someone might be monitoring and capturing network traffic going through the “free” Wi-Fi connection, for reasons ranging from questionable to illegal, such as injecting targeted advertising into web pages to the outright malevolent, such as stealing credentials for email, financial institutions and so forth.”

“If you must use the free Wi-Fi service, do not log in to any sites for which you need a password, such as your email, bank or online shops. It is more secure to tether your tablet or laptop to your smartphone and make use of its data connection, or use a portable hotspot. While such connections may not be free, they do have the advantage of being far less likely to be intercepted.”